Privacy Notice of Amplifai Oncology, Inc.
Data Controller
Amplifai Oncology, Inc., a Delaware corporation (the “Company”). The Company does not have an establishment in the European Union.
Data Protection Officer
The Company has not appointed a Data Protection Officer. For any inquiries regarding the processing of your personal data, please contact: gdpr@erkkel.hu.
Data Processing
| Categories of Personal Data Collected | Purposes of Protection | Legal Basis for Processing | Data Retention |
|---|---|---|---|
| Name | The Company is developing software designed for recruitment services. The purpose of data processing is to enable the Company to contact data subjects to provide them with further information. This information pertains to the status of the software development and the launch of the recruitment services. | Legal basis of the processing is your consent | 5 years |
| E-mail address | |||
| Title/position | |||
| Professional education | |||
| Professional specialization | |||
| Machine operation skills | |||
| LinkedIn profile |
EU Representative (Article 27 GDPR)
The Company has appointed Erkkel Solutions Kft. (seat: 2096 Üröm, Táborföld utca 4.; registration number: 13-09-231382), a company established in Hungary, as its representative in the European Union pursuant to Article 27 GDPR. The EU Representative acts as the Company’s point of contact for data subjects and supervisory authorities on all issues related to processing, and maintains the record of processing activities on behalf of the Company as required by Article 27(4) GDPR. Contact details: 2096 Üröm, Táborföld utca 4.; gdpr@erkkel.hu.
Special Categories of Personal Data
The Company does not request or intend to process special categories of personal data within the meaning of Article 9 GDPR.
Recipients of Personal Data
Your personal data may be disclosed to the following categories of recipients:
- Erkkel Solutions Kft., acting as our sub-processor for software development purposes;
- Microsoft Corporation (Microsoft Azure), acting as our sub-processor for certain services and infrastructure used by the Company. Data may be stored and processed on Azure services [regions: West Europe, Sweden Central], and support access may occur from the United States. The legal basis for any such transfers to the United States is your explicit consent under Article 49(1)(a) GDPR.
International Transfers of Personal Data - Transfer to the United States
Your personal data will be transferred to the United States of America. There is currently no adequacy decision adopted by the European Commission pursuant to Article 45 of the GDPR covering the recipient in the United States, and the Company has not implemented appropriate safeguards pursuant to Article 46 of the GDPR (such as Standard Contractual Clauses or Binding Corporate Rules) for this transfer.
The legal basis for this transfer is your explicit consent pursuant to Article 49(1)(a) of the GDPR.
The Company relies on the derogation set out in Article 49(1)(a) of the GDPR because the Company has never previously collected personal data from data subjects located in the European Union, and there is no defined timeline or plan for any future collection of such data. Given the occasional and non-recurring nature of the envisaged processing activity, the implementation of appropriate safeguards under Article 46 GDPR or the pursuit of an adequacy decision under Article 45 GDPR would be disproportionate in the circumstances.
The Company relies on Article 49(1)(a) GDPR only for occasional and non-repetitive transfers. Should EU-originating processing or transfers become regular, the Company will implement appropriate safeguards under Article 46 GDPR.
Explicit Consent to Transfer - Risk Acknowledgement
By providing your explicit consent below, you acknowledge and agree to the transfer of your personal data to the United States of America in the absence of an adequacy decision and in the absence of appropriate safeguards as described above.
In particular, you acknowledge that you have been informed of and understand the following risks associated with this transfer:
- The United States does not benefit from an adequacy decision by the European Commission, meaning that the European Commission has not determined that the United States provides a level of data protection essentially equivalent to that guaranteed within the European Union.
- No appropriate safeguards under Article 46 of the GDPR (such as Standard Contractual Clauses, Binding Corporate Rules, or an approved code of conduct) have been put in place to compensate for the absence of an adequacy decision.
- As a result of the above, your personal data, once transferred to the United States, may be subject to access by United States public authorities for surveillance, law enforcement, or national security purposes under United States law, and the legal remedies and procedural safeguards available to you in respect of such access may differ from, and may be less protective than, those available under EU law.
- Your rights as a data subject under the GDPR (including rights of access, rectification, erasure, restriction, data portability, and objection) may be more difficult to enforce against entities operating exclusively under United States jurisdiction.
By signing below or by ticking the relevant consent box, you confirm that you have read and understood the above information regarding the risks of the international transfer and that you explicitly consent to the transfer of your personal data to the United States of America under these conditions.
Automated Decision-Making and Profiling
The Company uses automated processing, including profiling within the meaning of Article 22 GDPR, to generate ranked recommendations of candidates for job opportunities. In particular, the system evaluates profiles (such as work experience, skills, education, location and availability) to produce a ranked list (e.g., a “top 3” list) for a human reviewer. A human user then reviews the recommendations and decides whom to contact with a job opportunity. Accordingly, decisions about whether you receive a job offer are not made solely by automated means.
Purpose: personalized mediation of job opportunities and candidate-role matching.
Underlying logic (meaningful information): the system ingests profile attributes, applies rules and/or machine-learning models to compute a relevance score against role requirements, and outputs a ranked recommendation list shown to a human reviewer. Thresholds or business rules may influence inclusion in the “top 3.”
Significance and envisaged consequences: the recommendations may influence which candidates are prioritized for human outreach about roles; however, final decisions about outreach and offers are made by a human reviewer.
You have the right to obtain human intervention, to express your point of view, and to contest a recommendation or decision influenced by profiling. You may do so by contacting gdpr@erkkel.hu with the subject line “ADM Request,” indicating whether you seek (i) human review of a recommendation affecting you, (ii) to present additional information or corrections to your profile, or (iii) to contest the outcome. The Company will ensure a human review without undue delay and, in any event, will respond within the timelines set out in the “Your Rights” section. You may also withdraw your consent to this profiling at any time, without affecting the lawfulness of processing before withdrawal.
Explicit consent for profiling and recommendations (Article 6(1)(a) and, where applicable, Article 22(2)(c) GDPR)
The Company applies safeguards including regular testing and monitoring of systems for accuracy and fairness and measures to minimize bias.
Security of Processing
The Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR), including access controls and least-privilege practices, encryption in transit and at rest where feasible, network and application logging and monitoring, vulnerability and patch management, and data minimization and retention controls, and an incident response process.
Your Rights
Under the GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact: gdpr@erkkel.hu. The Company will respond to your request without undue delay and in any event within one (1) month of receipt of the request. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. The Company will inform you of any such extension within one (1) month of receipt of the request, together with the reasons for the delay. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.
Right of Access (Article 15 GDPR)
You have the right to obtain from the Company confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data together with the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the Company rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from you, any available information as to their source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you. Where personal data are transferred to a third country or to an international organisation, you have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer. The Company shall provide a copy of the personal data undergoing processing. For any further copies requested by you, the Company may charge a reasonable fee based on administrative costs.
Right to Rectification (Article 16 GDPR)
You have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to Erasure (Article 17 GDPR)
You have the right to obtain from the Company the erasure of personal data concerning you without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw your consent on which the processing is based and there is no other legal ground for the processing; you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject; or the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR. Where the Company has made the personal data public and is obliged to erase the personal data, the Company, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data. The right to erasure does not apply to the extent that processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise, or defence of legal claims.
Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain from the Company restriction of processing where one of the following applies: you contest the accuracy of the personal data, for a period enabling the Company to verify the accuracy of the personal data; the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; the Company no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defence of legal claims; or you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the Company override yours. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Company will inform you before the restriction of processing is lifted.
Right to Data Portability (Article 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company, where the processing is based on your consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR, and the processing is carried out by automated means. In exercising your right to data portability, you have the right to have the personal data transmitted directly from the Company to another controller, where technically feasible. The exercise of this right is without prejudice to the right to erasure and shall not adversely affect the rights and freedoms of others.
Right to Object (Article 21 GDPR)
Where personal data are processed on the basis of Article 6(1)(e) or (f) of the GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you. The Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise, or defence of legal claims. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to Withdraw Consent (Article 7(3) GDPR)
Where the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before withdrawal. You shall be informed thereof before giving consent.
Right Not to Be Subject to Automated Decision-Making (Article 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such decision is necessary for entering into, or performance of, a contract between you and the Company, is authorised by Union or Member State law to which the Company is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or is based on your explicit consent. In the cases referred to above, the Company shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Company, to express your point of view and to contest the decision.
Competent Supervisory Authority
The competent supervisory authority for the purposes of this processing may be either the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, “IMY”), Box 8114, 104 20 Stockholm, Sweden (website: www.imy.se) or - as our EU representative is established under Hungarian law - the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság; “NAIH”), H-1055 Budapest, Falk Miksa utca 9-11, Hungary (website: www.naih.hu).
Right to Lodge a Complaint (Article 77 GDPR)
You have the right to lodge a complaint with the competent supervisory authority, in particular the IMY (as identified below) and/or NAIH (as identified below), if you consider that the processing of personal data relating to you infringes the GDPR.
Date of this Notice: 14.05.2026