Privacy Policy

Last updated: February 11, 2026

1. Controller

The data controller for Presskid is:

ampyre GmbH
Brunnenstraße 196
10119 Berlin, Germany

Email: hallo@ampyre.co
Managing Directors: Tolgay Azman & Henry Donovan

Presskid is accessible at https://app.presskid.co.

2. Overview

Presskid is an AI-assisted journalist discovery and media outreach platform for PR professionals. It enables users to find relevant journalists, generate personalised pitch emails, and send outreach emails using their own email account via Google OAuth (if they choose to connect it).

This privacy policy explains how we collect, use, store, and protect personal data in connection with the Presskid platform.

3. Data We Collect

3.1 Account & Profile Data (Presskid Users)

When you create an account, we collect:

  • Full name, email address
  • Job title and company name (if provided)
  • Profile settings (e.g., avatar URL, preferences)
  • Authentication data (hashed passwords and/or OAuth identifiers if you use social login)

3.2 Company & Project Data (Provided by Users)

Users may provide information to improve matching and pitch generation, including:

  • Company description, website, industry, size, and location
  • Narratives, keywords, topics, and notes you enter into the platform
  • AI-generated analysis derived from the above (e.g., suggested topics/keywords)

3.3 Usage & Analytics Data

We collect technical and usage information to operate, secure, and improve Presskid:

  • Feature usage (e.g., searches performed, profiles viewed, pitches generated)
  • Match history (journalist search queries and results shown)
  • Security logs (e.g., login attempts and timestamps)
  • Consent records and preference changes (e.g., analytics consent)

3.4 Email Integration Data (Google OAuth / Gmail)

If you connect a Google account to send outreach emails from within Presskid, we process data required to provide this functionality.

OAuth data we process:

  • OAuth tokens (stored encrypted)
  • Your Google account identifiers and basic profile information (email address and profile information) as returned by Google

Gmail data we process (for user-initiated outreach):

  • Recipient(s), sender address, subject line, timestamps
  • Message content while you compose/review/send in the UI (processed transiently)
  • Gmail message/thread identifiers and limited metadata as needed to support sending and user-requested workflow features (e.g., linking a sent email to an outreach entry)

We do not store email contents:

Email bodies are not stored by Presskid; they are processed only to compose emails in the UI and to transmit the message for sending. We do not use email content to build advertising profiles and we do not sell it.

Scopes requested:

When you connect Google, Presskid requests the following OAuth scopes:

  • https://www.googleapis.com/auth/userinfo.email
  • https://www.googleapis.com/auth/userinfo.profile
  • https://www.googleapis.com/auth/gmail.send
  • https://www.googleapis.com/auth/gmail.readonly

gmail.send allows Presskid to send pitch emails and follow-ups from your Gmail account at your request. gmail.readonly allows Presskid to read conversation threads (showing journalist replies) and fetch message metadata for proper email threading (In-Reply-To/References headers). Presskid does not modify labels, delete messages, or create drafts. Presskid does not demonstrate "general inbox reading" as a product feature and does not store email bodies.

You can revoke Presskid's access at any time by disconnecting Google in Presskid and/or via your Google account security settings.

3.5 Payment & Subscription Data

Subscription management is handled by our payment processor, Stripe, Inc. We store:

  • Subscription tier, status, and billing period
  • Stripe customer ID

We do not store credit card numbers, bank account details, or other payment instruments. These are processed and stored exclusively by Stripe.

3.6 Journalist & Media Data (Media Database)

Presskid maintains a database of journalist and media profiles compiled from:

  1. Publicly available professional sources, such as:
    • Author/byline pages, editorial staff pages, and professional profiles
    • Published articles and related metadata (e.g., title, URL, publication date)
  2. Professional data providers (business-to-business media data services) where we have an agreement to use the data.

We process, where available and relevant:

  • Name, professional role/title, publication/outlet
  • Professional contact details (e.g., email address) where publicly listed or provided by a professional data provider
  • Professional social media/profile links (e.g., LinkedIn, X/Twitter)
  • Published article metadata (titles, URLs, dates, short summaries)
  • Topics/beats and coverage patterns (derived from published work)
  • AI-generated embeddings and similarity signals derived from publicly available article text/metadata (see Section 5)

This data is not collected from or about Presskid users — it concerns media professionals whose information is publicly available in their professional context and/or provided by professional data services.

3.7 Cookies & Local Storage

We use the following categories:

  • Strictly necessary (always active): authentication/session cookies, security cookies, and essential preferences needed to run the platform.
  • Analytics (optional, consent-required): usage analytics to improve the platform. Only activated if you give explicit consent.
  • Marketing (optional, consent-required): not currently active. If enabled in the future, it will only be activated with your explicit consent.

You can manage your cookie preferences at any time through our cookie banner or your browser settings.

4. Legal Bases for Processing

We process personal data under the following legal bases pursuant to Art. 6(1) GDPR:

Purpose Legal Basis
Providing the Presskid platform (account, core features) Contract performance — Art. 6(1)(b)
AI-assisted journalist matching and pitch generation Contract performance — Art. 6(1)(b)
Sending outreach emails via connected Google account (OAuth/Gmail) Contract performance — Art. 6(1)(b)
Processing payments and subscriptions Contract performance — Art. 6(1)(b)
Transactional emails (password resets, security alerts) Contract performance — Art. 6(1)(b)
Maintaining journalist database from professional sources and providers Legitimate interest — Art. 6(1)(f)
Security measures (fraud prevention, login attempt tracking, abuse prevention) Legitimate interest — Art. 6(1)(f)
Error tracking and platform stability (Sentry) Legitimate interest — Art. 6(1)(f)
Analytics and platform improvement Consent — Art. 6(1)(a)
Marketing communications Consent — Art. 6(1)(a)

Regarding journalist/media data (Legitimate Interest — Art. 6(1)(f)): We have a legitimate interest in maintaining a database of media professionals compiled from professional public sources and professional data providers to enable our users to identify relevant journalists and improve relevance in media relations. The data subjects are media professionals acting in their professional capacity, and the data processed is limited to professional context information. We provide removal/objection options for affected individuals (see Section 11).

5. AI Processing

Presskid uses artificial intelligence for several core functions:

  • Journalist matching: We use vector embeddings to semantically match your company narratives/topics with journalist profiles and published articles.
  • Pitch generation: We generate personalised pitch emails based on your company information and the journalist's published work.
  • Company analysis: We analyse your inputs to generate insights, keywords, and topic mappings.

Important: No automated decision-making with legal or similarly significant effects (Art. 22 GDPR) takes place. AI-generated outputs (matches, pitches) are suggestions presented to users, who retain full control over whether and how to act on them.

When we send data to AI service providers for processing, we use their API services under contractual safeguards (e.g., DPAs). Where available under provider terms, API data submitted is not used to train models.

6. Third-Party Processors (Sub-Processors)

We engage the following sub-processors to operate Presskid:

Sub-Processor Purpose Location Safeguards
Supabase Inc. Database hosting, authentication EU (Frankfurt, Germany) DPA; EU hosting
Vercel Inc. Frontend hosting and CDN USA (with EU edge nodes) DPA; appropriate transfer safeguards
OpenAI Inc. AI processing (embeddings, pitch generation) USA DPA; appropriate transfer safeguards
Google LLC Google OAuth and Gmail API (sending outreach via user account) USA DPA; appropriate transfer safeguards
Resend Inc. Transactional email delivery (e.g., password resets) USA DPA; appropriate transfer safeguards
Stripe, Inc. Payment and subscription management USA (California) DPA; appropriate transfer safeguards
Functional Software Inc. (Sentry) Error tracking and performance monitoring USA DPA; appropriate transfer safeguards
Firecrawl Retrieval of publicly available article pages/metadata (where used) USA DPA; processes publicly available content

We may update this list from time to time. Material changes will be reflected in this policy.

7. International Data Transfers

Your primary data is stored in the European Union (Supabase, Frankfurt, Germany).

For sub-processors outside the EU/EEA, we ensure appropriate safeguards pursuant to Art. 44–49 GDPR, such as:

  • Adequacy decisions (where applicable)
  • Standard Contractual Clauses (SCCs)
  • Data Processing Agreements (DPAs) with technical and organisational safeguards

We regularly review transfer mechanisms and update them if regulatory circumstances change.

8. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

Data Type Retention Period Auto-Deletion
User account data Duration of account + 30 days after deletion Yes
Usage tracking / match history Up to 365 days (configurable where available) Configurable
Email integration tokens Stored while connected; deleted on disconnect or account deletion Yes
Outreach entries (status/notes created by the user) Duration of account; removed on account deletion On account deletion
Login attempt logs 90 days Yes
Consent records Up to 3 years after last update (compliance/audit) No
Journalist profiles Retained while relevant and available from professional sources; reviewed periodically; removed on valid objection/deletion request No (review-based)
Payment/subscription data As required by applicable law No

9. Your Rights Under GDPR

9.1 Right of Access (Art. 15)

You may request confirmation of whether we process your personal data and obtain a copy of it.

9.2 Right to Rectification (Art. 16)

You may request correction of inaccurate personal data. You can also update most of your data directly in your account settings.

9.3 Right to Erasure (Art. 17)

You may request deletion of your personal data. We will process your request within a reasonable timeframe unless we have a legal obligation to retain certain data.

9.4 Right to Restriction of Processing (Art. 18)

You may request that we restrict processing of your data in certain circumstances.

9.5 Right to Data Portability (Art. 20)

You may request your personal data in a structured, machine-readable format where applicable.

9.6 Right to Object (Art. 21)

You may object to processing based on legitimate interest (Art. 6(1)(f)), including our processing of journalist data. We will cease processing unless we demonstrate compelling legitimate grounds.

9.7 Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent (analytics, marketing), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

9.8 Right to Lodge a Complaint (Art. 77)

You have the right to lodge a complaint with a supervisory authority. The competent authority for ampyre GmbH is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61, 10555 Berlin
Email: mailbox@datenschutz-berlin.de
Web: www.datenschutz-berlin.de

10. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest for core storage (where supported by infrastructure)
  • Encryption of OAuth tokens at the application level
  • Access control and least-privilege principles
  • Authentication security and rate limiting
  • Audit logging for privacy-relevant actions (e.g., consent changes, deletion requests)

11. Information for Journalists (Data Subjects in Our Database)

If you are a journalist or media professional whose profile appears in the Presskid database:

11.1 What data we process and where it comes from

Your data was collected from:

  • Publicly available professional sources (published articles, news website bylines/author pages, editorial staff pages, public professional profiles), and/or
  • Professional media data providers from whom we license data.

11.2 Why we process this data

We process this data under legitimate interest (Art. 6(1)(f) GDPR) to facilitate media relations by helping PR professionals identify relevant journalists and understand coverage.

11.3 Sharing with Presskid users

We display journalist profiles (including professional contact details where available) to Presskid users. Presskid users may contact you using the contact details shown, including by sending emails from within Presskid via their connected Google account.

11.4 Your rights (including objection and removal)

You have the right to access, rectify, or request deletion of your profile, and you may object to our processing under Art. 21 GDPR. To exercise these rights, contact us at hallo@ampyre.co.

We do not sell journalist data to third parties. The data is used within the Presskid platform to connect PR professionals with relevant media contacts.

12. Google API Services User Data (Limited Use)

If you connect Google, Presskid's use and transfer of information received from Google APIs will comply with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  1. Limited purpose: Presskid only uses Gmail data to provide user-facing features you explicitly request — sending pitch emails and follow-ups, displaying conversation threads with journalists, and detecting new replies. Gmail data is not used for any other purpose.
  2. No third-party transfers: Gmail data is not transferred to third parties, except as necessary to provide the features described above, to comply with applicable law, or for security purposes (e.g., investigating abuse).
  3. No human reading: No person at Presskid or ampyre GmbH reads your Gmail data, unless (a) you give explicit affirmative consent for a specific message, (b) it is necessary for security purposes such as investigating a bug or abuse, or (c) it is required by law.
  4. No prohibited uses: Gmail data is not used for serving advertisements (including retargeting, personalised, or interest-based advertising), creditworthiness determinations, lending qualifications, training AI or machine-learning models, or any purpose unrelated to Presskid's core functionality. Gmail data is never sold to third parties.

13. Children and Minors

Presskid is a B2B platform designed for professional use. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly.

14. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or an in-app notification. The "Last updated" date at the top of this policy will always reflect the most recent revision. Continued use of Presskid after changes constitutes acceptance of the updated policy.

15. Contact

For any questions, requests, or complaints regarding this privacy policy or your personal data:

ampyre GmbH
Brunnenstraße 196
10119 Berlin, Germany
Email: hallo@ampyre.co

We aim to respond to data protection requests within a reasonable timeframe and in accordance with GDPR requirements.