Ambassador Privacy Policy
v.03.25.2026
Revised: March 25, 2026
i2H, Inc. dba Ambassador (“Ambassador” or “we”, “us”, “our”) is a technology company that enables our clients to acquire, engage, and retain customers through advocacy programs, loyalty and engagement tools, AI-powered intelligence, automated incentive management, and communications across digital channels including online, mobile, email, SMS, and addressable TV.
This privacy policy (“Policy”) explains what kinds of information we collect and how Ambassador strives to collect, use and disclose information in a manner consistent with the laws of the countries in which we do business. This Policy applies to our data platform (the “Platform”) and our associated services (the “Service(s)”), including our AI-powered features such as Hiro (our AI orchestration layer), Agent Studio, predictive analytics, and the Context API, as well as our website located at https://getambassador.com (our “Website”). We are a data processing company and do not sell data.
PRIVACY PRACTICES FOR OUR WEBSITE AND BUSINESS OPERATIONS
Personally Identifiable Information (PII)
Ambassador collects Personally Identifiable Information (“PII”) from its Website when you choose to provide it to us. PII is any information that can be used to identify or locate a particular person or entity. This includes, but is not limited to: name, postal address, telephone number, or email address. For example, you may choose to send PII about yourself in an email, or by completing a form on the Website. Ambassador uses this information only to contact you to respond to your inquiry.
Non-Personally Identifiable Information
Ambassador also collects Non-Personally Identifiable Information (“Non-PII”) from visitors to the Website. Non-PII is information that cannot by itself be used to identify a particular person or entity, and may include your IP host address, pages viewed, browser type, Internet browsing and usage habits, Internet Service Provider, domain name, the time/date of your visit to this Website, the referring URL and your computer’s operating system. We reserve the right to aggregate information collected from visitors to the Website for any reasonable purpose, including publishing aggregate statistics about our Clients’ and/or Website’s visitors, counting and better understanding our site visitors and protecting our Website from security issues or fraud.
Cookies and other Tracking Technologies
Ambassador and our partners use cookies or similar technologies to analyze trends, administer the Website, and track users’ movements around the Website. You may also be able to control the use of cookies at the individual browser level.
Our third-party partners may use cookies or similar technologies on the Website in order to provide you advertising based upon your browsing activities on this and other websites. This practice is sometimes called interest-based advertising. Some of these third parties enable us to advertise our products and services using information collected via the Website and/or to conduct analytics and remarketing based upon your visits to the Website. These cookies often involve the placement of a pseudonymous UID onto your browser which may be deemed a sale of information in certain jurisdictions, and may require your consent in other jurisdictions under applicable law. Where required, we will provide a notice and provide the ability to opt-out of such sales and/or obtain your consent for the placement of cookies. If you wish to learn more about interest-based advertising and understand the choices available to you, please visit https://aboutads.info/.
Third-Party Websites
The Website may contain links to and advertisements for websites operated by third parties whose privacy practices may differ from Ambassador policies. While the company endeavors to associate only with reputable entities, Ambassador cannot guarantee the privacy practices of other websites will reflect ours; we encourage you to check the privacy policies of all websites that you visit.
Mobile Messaging Privacy (SMS/MMS/RCS)
If you opt in to receive SMS, MMS, or RCS communications (“Mobile Messages”) from a Client or from Ambassador, we process your mobile phone number, message content (including any media), and related technical/delivery metadata solely to transmit and deliver Mobile Messages and operate the Services. Message frequency varies. Message & data rates may apply. You may opt out at any time by replying “STOP.” For help, reply “HELP” or contact us at security@getambassador.com.
No mobile information will be shared with third parties/affiliates for marketing or promotional purposes.
For clarity, this prohibition includes the following: we do not sell, rent, or share Mobile Message opt-in data and consent with third parties/affiliates for marketing or promotional purposes.
Service Providers. We may share mobile information with third-party messaging providers (e.g., Twilio, Inc.) and telecommunications carriers strictly to transmit and deliver Mobile Messages on our behalf. These providers act as our processors/subprocessors and do not use mobile information for their own marketing purposes.
We honor standard opt-out keywords (e.g., “STOP”) and provide assistance via “HELP” consistent with carrier and CTIA expectations.
PRIVACY PRACTICES FOR OUR PLATFORMS AND SERVICES
Overview of the Ambassador Platform and Services
Ambassador is a customer-led growth Platform which enables our Clients to run referral, affiliate, partner, influencer, and advocate programs, loyalty and engagement programs, AI-powered customer intelligence, and automated communications on a single platform. The Platform and Services help Clients manage their relationship with affiliates, partners, influencers and advocates (“Ambassadors”) to enable Clients to more effectively grow, retain, and engage their customer base.
When you register for our Services as either a Client or an “Ambassador” we require an email address that may be used for communications. Email messages may contain code that helps our systems collect certain Non-PII and use cookies and web beacons in connection with the Platform and Services in order to track your usage of these emails. We reserve the right to send you email regarding service announcements, administrative messages, and privacy policy and terms of use changes.
The data stored on our Platforms is used solely on behalf of each Client and we do not generally intermingle data across Clients unless directed to do so by Clients. Some Clients may choose to leverage the Ambassador Platform in conjunction with our other Platforms and Services.
AI Services and Intelligent Features
AI-Powered Features. Our Platform includes AI-powered features that help our Clients grow and retain their customer base more effectively. These features include: (a) Hiro, our AI orchestration layer that coordinates intelligence across the Platform; (b) Agent Studio, which enables Clients to design and deploy AI agents that automate customer engagement workflows; (c) predictive analytics that forecast customer behavior such as churn risk, conversion likelihood, and segment affinity; (d) AI-generated content including email copy, SMS messages, and campaign recommendations; (e) programmatic audience building; and (f) the Context API, which enables Clients to access processed intelligence from their own data.
Information We Process for AI Services (as Processor for Clients). When our Clients use AI-powered features, we process the following categories of information on their behalf: (i) customer engagement data (clicks, conversions, referral outcomes, loyalty actions) used to generate predictions and recommendations; (ii) text inputs submitted by Clients or their contacts to AI features; (iii) behavioral and transactional data used for AI model training within the Client’s isolated environment; (iv) AI agent workflow data including actions taken, decisions made, and integration triggers; and (v) AI-generated outputs such as predictions, recommendations, content, and audience segments that may contain or be derived from personal information.
Client Ecosystem Isolation. Each Client’s data is processed by AI features within a logically isolated environment (the Client’s “Ecosystem”). We do not use one Client’s data to train, improve, or generate AI predictions, recommendations, or content for any other Client. AI agents configured by one Client cannot access another Client’s data. The intelligence that AI features build for a Client stays within that Client’s Ecosystem and belongs to that Client.
No Cross-Customer AI Training. We do not use personal information processed through AI Services for one Client to train AI models that serve other Clients. We do not sell AI-derived insights to third parties. The AI capabilities on our Platform are designed to serve each Client independently within their own Ecosystem.
Benchmarking (Opt-In Only). With a Client’s explicit opt-in consent, we may include their de-identified and aggregated data in industry benchmarking reports that help all Clients understand how their programs compare to peers. This benchmarking data is irreversibly anonymized, cannot be attributed to any individual Client, contact, or end user, and is presented only in aggregate form with a minimum of ten contributing clients per benchmark category. Clients may opt out of benchmarking at any time.
Automated Decision-Making. Some AI features on our Platform may involve automated processing of personal information that could produce recommendations or actions affecting end users (e.g., predictive churn scores, AI agent-triggered communications, or programmatic audience segmentation). Our Clients, as controllers of their data, are responsible for determining whether such processing requires notice to or consent from their end users under applicable law (including GDPR Article 22). We provide Clients with information about how our AI features process data to help them fulfill their transparency obligations.
Third-Party AI Providers. We use third-party AI and machine learning providers (such as large language model APIs) to power certain AI features. These providers act as our sub-processors and process personal information only to fulfill specific AI requests on behalf of our Clients. They are contractually prohibited from using Client data for their own model training or improvement, and they do not retain Client data beyond what is necessary to process each request. A list of our sub-processors, including AI providers, is available at https://trust.getambassador.com/subprocessors.
AI Data Retention. Data processed through AI features is retained in accordance with our standard data retention practices and Client instructions. AI agent configurations, workflow intelligence, and Client-specific model tuning are retained for the duration of the Client’s subscription and may be exported by the Client in machine-readable format upon termination. We delete Client-specific AI data from our active systems within ninety (90) days of a Client’s written termination request.
Messaging Services (SMS, MMS, RCS)
Messaging Functionality. Our Services include messaging functionality that enables our Clients to communicate with their end users through SMS (short message service), MMS (multimedia messaging service), and RCS (rich communication services). These Services may include one-way or two-way messaging and may involve the transmission of text, images, videos, files, and interactive content.
Information We Process (as Processor for Clients). In providing these Services, we process the following categories of information on behalf of our Clients: (i) phone numbers used to send and receive messages; (ii) message content, including text, images, videos, and files; (iii) technical and delivery metadata (such as timestamps, routing information, and delivery status); and (iv) end user responses in two-way communications.
Client Responsibility and Legal Basis. Clients are responsible for determining the lawful basis for sending messages to their end users (e.g., consent or legitimate interests) and for ensuring compliance with applicable laws and industry guidelines, including without limitation the U.S. Telephone Consumer Protection Act (TCPA) and CTIA messaging principles, the California Consumer Privacy Act (CCPA/CPRA) and other U.S. state privacy laws, and the EEA/UK General Data Protection Regulation (GDPR).
Opt-Outs and Help (CTIA/Carrier-Aligned). End users may opt out of receiving messages at any time by replying “STOP”. We honor standard equivalents including STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT. To re-subscribe (where permitted), end users may reply START, YES, or UNSTOP. For assistance, end users may reply “HELP” to receive help information. Message and data rates may apply. Message frequency varies. Carriers are not liable for delayed or undelivered messages. Clients are responsible for honoring opt-out requests promptly, maintaining appropriate suppression lists, and ensuring opt-out confirmations are sent where required.
Sensitive Information. Clients must not use the messaging features to request or transmit sensitive personal information (such as health, financial, biometric, or government ID data) unless legally permitted and properly safeguarded in accordance with applicable law and Client instructions.
Service Providers for Messaging. We use third-party providers, including Twilio, Inc., (“Twilio”) to deliver messaging Services. These providers act as our subprocessors and process personal information only to transmit and deliver communications on behalf of our Clients and subject to our instructions and agreements.
Data Retention and Security for Messaging. We retain messaging-related data only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Message content, including multimedia files, is generally retained only for transmission and delivery unless longer retention is required for troubleshooting, compliance, or at the written request of our Clients. We maintain appropriate technical and organizational measures, consistent with our SOC 2 Type II certification, to safeguard personal information processed through SMS, MMS, and RCS messaging.
Overview of Ambassador’s Connectivity Services
The Ambassador Connectivity and Context Services include data onboarding, linking, and distribution to companies and many of the players in the digital advertising industry to enable smarter targeting with more relevant messages and more accurate measurement. Onboarding is a service that loads 1st, 2nd and 3rd party data into the digital ecosystem (Customer Data Platform (CDP)), so it can be used for digital advertising purposes. The players include advertisers wishing to reach consumers, advertising supported websites, advertising supported apps, email marketing services, and addressable TV channels.
Today consumers interact with advertisers and brands through a variety of channels – offline and digital. This cross-channel interaction is known as “omni channel.” Ambassador services are used to support these interactions for several types of entities in the digital advertising industry, including consumer brands, companies that enable the delivery of advertising and marketing messages, and companies that provide consumer data and insights to brands to help them better understand their current and prospective customers. Brands are interested in understanding consumers anywhere: while online, while watching television, while using their mobile devices and virtually everywhere their customers are making purchasing decisions. All that requires lots of data. And Ambassador helps brands connect that data in order to help them make intelligent decisions.
PII and Digital Identifier Uses on the Platform Across Channels
Due to technical differences across the channels, Ambassador uses different approaches tailored specifically to each channel to provide our Connectivity Services. The common basis of these services is an ID that Ambassador assigns to an individual. The ID may be used in a personally identifiable state or in a manner that is not used to identify the individual, depending on the channel and the use.
Ambassador collects certain types of information in connection with our Connectivity Services. This includes personal data such as name, postal address, email address, and phone number if permitted by our partners and Clients through policy notices they have provided to consumers. We also collect other data such as IP address, mobile device ID, and browser and operating system type and version. In addition, we handle, process, and share this data with our marketing platform partners in the course of performing our services; however, we do not retain or use this data for our own internal business purposes unless permitted by our Clients.
Ambassador Cookie-based Connectivity Services
Connectivity Services for cookie-based integrations are based on an Ambassador ID and an Ambassador cookie that together identify a browser. The cookie containing the ID is set when a consumer clicks on an offer, reward, or survey, visits the website of one of our cookie match partners as a registered user, or when a consumer opens certain emails from a cookie match partner. Because match partners know the consumer, they enable Ambassador to recognize the consumer as well and set the Ambassador cookie containing the appropriate ID.
Ambassador cookies are set with an RLCDN.com name and expire from Ambassador’s system after 90 days unless they are renewed or refreshed. Unlike web “tracking” cookies, Ambassador cookies do not “track” users’ behavior across websites. Instead, Ambassador cookies are used to recognize an individual so that relevant ads and email marketing can be delivered to the intended recipient.
Ambassador Mobile Connectivity Services
Connectivity Services for mobile ID integrations are similar to cookie integrations except they use the mobile advertising ID assigned to the device instead of a cookie – namely the Apple ID for Advertising (IDFA) and the Android Advertising ID (AAID). We associate the Ambassador ID with the mobile ID just like we would associate the cookie. Ambassador links marketing platform partners, third-party data providers, and data from a brand to mobile devices through the Ambassador ID.
Ambassador Addressable TV Connectivity Services
Connectivity Services for addressable TV integrations are similar to online and mobile services except they use the subscriber ID assigned by the carrier to the set-top box instead of a cookie or a mobile ID. We associate the Ambassador ID with the subscriber ID just like we would associate the cookie or mobile ID.
Pseudonymization Processes
Ambassador may recognize an online, mobile or addressable TV user in two ways: first, when our match partner shares personal data with us, or second, when they share other information with us that is not used to identify individuals. When they share personal data, we can recognize a consumer on an identifiable basis. However, to preserve user privacy, we create a unique Ambassador ID when we combine it with other anonymous data. Ambassador values the preservation of consumer privacy, designing its systems and services to treat personal data and other information that is not used to identify individuals with utmost care.
ADDITIONAL INFORMATION ABOUT OUR PRIVACY PRACTICES
Updating and Deleting Your Information
Upon request, and as required under applicable law, Ambassador will provide you with information about whether we hold any of your data. If you’d like to update, correct, delete, port or deactivate any data that you have provided to the company on the Website or otherwise via our business operations, please send your request to security@getambassador.com, and Ambassador will process your request. We will respond to your request to access within a reasonable timeframe – for data subjects located in the EEA, that time frame will be 30 days and Ambassador will honor such requests as they pertain to personal data.
If your personal information has been processed through our AI features on behalf of one of our Clients, please direct your access, correction, deletion, or objection request to the relevant Client, who is the controller of your data. We will assist our Clients in fulfilling such requests as described in our Data Processing Addendum. Please note that while we can remove your personal information from active AI processing inputs, patterns or inferences derived from your data within pre-trained model weights may not be individually removable, and our obligations are limited to commercially reasonable efforts.
Choice Mechanisms
Ambassador wants to make sure you are informed of the privacy choices that are available to you. We require that our partners meet the same high standards we have. We contractually require that our match partners employ notice and choice mechanisms, and we work with other information service providers and our partners to assist them in following their respective industry standards. While we only process data as directed by our Clients with respect to the Platforms and Services, we believe the following information may be helpful.
Opt-out from Interest Based Advertising from third-party companies – Many of our partners that enable targeted advertising are members of one or more digital advertising industry self-regulatory programs. You may visit the Network Advertising Initiative (NAI), Digital Advertising Alliance (DAA) and European Digital Advertising Alliance (eDAA) opt-out tools to learn more.
Mobile Application Choices – Mobile operating systems (e.g., iOS and Android) offer opt-out choice mechanisms applicable to mobile applications and these choice mechanisms may be found via your mobile device settings.
CALIFORNIA DATA SUBJECTS
The California Consumer Privacy Act (the “CCPA”) provides additional privacy protections for California data subjects and users, including: (a) the right to see what data we have about you, your computer or device (i.e., the right to know), (b) the right to delete the data we have about you, your computer or device (i.e., the right to delete) and (c) the right to opt-out of the sale of data about you, your computer or device to certain third parties (i.e., the right to opt-out from sales of your information). We do not discriminate against you if you exercise any of the above rights. Moreover, we may not be able to honor a right if doing so would violate applicable law.
With respect to personal information processed through our AI features: we do not sell or share personal information processed through AI Services. We do not use personal information received from one Client to train AI models that serve other Clients. Our AI features process personal information solely to provide services to the specific Client on whose behalf it was collected, consistent with our role as a service provider under the CCPA.
If you are a Client or partner and have questions about your ability to see the data used to login to our systems, we ask that you direct your question to the person at Ambassador that owns the business relationship with your company. If you are a consumer and want to see what data we may have on behalf of one of our Clients, kindly reach out to that individual Client directly. Ambassador is contractually prohibited from honoring such requests without specific written instructions from the applicable Client.
If you want to see or delete any data we may have collected pursuant to our Website or internal business operations, you may access those rights with respect to Ambassador by sending us an email to security@getambassador.com.
As a California data subject, if you make a subject access request as set out in this policy, you are entitled to see and delete the personal information that we have about you. We will confirm your request within 10 days and make a good faith attempt to fulfill your request within 45 days.
INDIVIDUALS IN THE EEA, SWITZERLAND AND UNITED KINGDOM
Individuals located in the European Economic Area (the “EEA”) are granted additional privacy rights under the General Data Protection Regulation (the “GDPR”). For example, an EEA, UK or Swiss individual who seeks access, or who seeks to correct, amend, port over and/or delete inaccurate data, or who wishes to limit the use and disclosure of their Personal Information, should send us an email.
If you are a Client or partner and have questions about your ability to see the data used to login to our systems, we ask that you direct your question to the person at Ambassador that owns the business relationship with your company. If you are a consumer and want to see what data we may have on behalf of one of our Clients, kindly reach out to that individual Client directly. Ambassador is contractually prohibited from honoring such requests without specific written instructions from the applicable Client.
If you want to see or delete any data we may have collected pursuant to our Website or internal business operations, you may access those rights with respect to Ambassador and its affiliated company by sending us an email to security@getambassador.com.
With respect to EEA data subjects, Personal Data includes pseudonymous data such as an IP address, a mobile advertising ID or a cookie ID.
Ambassador operates each of our Platforms and provides the Services as a “data processor” under the GDPR. That means Ambassador only processes data via the Platforms and Services as directed by our Clients and for no other purpose. We process certain Personal Data provided by Clients and partners under contractual necessity.
With respect to personal data processed through our AI features: Ambassador operates AI Services as a “data processor” under the GDPR. We process AI-related personal data only as directed by our Clients (controllers) and for no other purpose. We do not use personal data processed through AI Services for one Client to train AI models serving other Clients. Where AI features involve automated decision-making within the meaning of GDPR Article 22, our Clients (as controllers) are responsible for ensuring lawfulness, providing appropriate safeguards, and informing data subjects. We provide Clients with information about our AI processing to support their transparency obligations. Sub-processors used for AI Services (including large language model providers) are disclosed on our Subprocessor Page and are contractually prohibited from using Client personal data for their own purposes.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to security@getambassador.com.
Onward Transfer of Personal Data
Ambassador may share data with trusted agents, including PII. These third-party agents are prohibited by contract from using the information for purposes other than performing services for Ambassador. In the EEA, such companies are sometimes called “data processors;” in California, they are referred to as “service providers.” The types of service providers with which we share data include: (a) cloud computer and data storage providers, (b) companies offering tools to send emails and similar communications on our behalf, (c) website and b2b sales analytics providers, (d) customer relationship management and project management software providers, (e) customer billing systems partners, (f) outsourced computer programmers helping ensure our systems are operating properly, (g) auditing, debugging and security vendors, (h) marketing service providers, and (i) artificial intelligence and machine learning providers engaged to deliver AI features on our Platform (including large language model APIs), which are contractually prohibited from using Client data for their own model training or improvement and do not retain data beyond request-level processing.
For messaging Services, subprocessors may include telecommunications providers and messaging delivery platforms such as Twilio, engaged solely to transmit and deliver communications on our behalf and subject to our instructions. Notwithstanding the foregoing, end-user mobile information (including phone numbers, Mobile Message opt-in data and consent, and Mobile Message content) is not shared with third parties/affiliates for marketing or promotional purposes.
For AI Services, sub-processors may include large language model providers and machine learning inference services engaged to process data in connection with AI predictions, content generation, and other intelligent features. These providers act as our sub-processors and are contractually prohibited from: (a) using Client data for their own model training or improvement; (b) retaining Client data beyond request-level processing; and (c) commingling Client data with data from other sources. A current list of all sub-processors is available at https://trust.getambassador.com/subprocessors.
Ambassador may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Ambassador may also disclose your information to third parties when obligated to do so by law and in order to investigate, prevent, or take action regarding suspected, or actual prohibited activities, including but not limited to fraud and situations involving potential threats to the physical safety of any person.
Finally, Ambassador may transfer information, including any personally identifiable information, to a successor entity in connection with a corporate merger, consolidation, sale of assets, bankruptcy, or other corporate change. If Ambassador is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via a notice on our Website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.
Data Retention
The data we store on the Platforms and utilize as part of our Services is non-sensitive personal data and not subject to any sector specific data retention requirements. We retain data on the Platforms as directed by our Clients and strongly encourage our Clients to retain data only for as long as is reasonably necessary.
Messaging-related data is retained only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Message content, including multimedia files, is generally retained only for transmission and delivery unless longer retention is required for troubleshooting, compliance, or at the written request of our Clients.
AI-related data is retained in accordance with Client instructions and our standard retention practices. AI agent configurations, workflow intelligence, and Client-specific model tuning are retained for the duration of the Client’s subscription. Upon termination, Clients may request export of their AI configurations in machine-readable format, and we will delete Client-specific AI data from active systems within ninety (90) days of written request. Data processed by AI sub-processors is not retained by those providers beyond the time necessary to process each individual request.
The data collected via our Website and our internal business operations is retained for up to 13 months after our last interaction with a particular data subject unless such data is required to be held longer under applicable law.
Ambassador cookies are set with a custom domain set by the Client and expire from Ambassador’s system after up to 1 year as determined by the Client unless they are renewed or refreshed.
Data Integrity, Purpose Limitation
We process information in a way that is compatible with and relevant for the purpose for which it was collected. To the extent necessary for those purposes, we take reasonable steps to ensure that any information in our care is accurate, complete, current and reliable for its intended use as described above.
ENFORCEMENT
Changes To This Privacy Policy
This Policy may be amended from time to time. When we do, we will also revise the “Last Updated” label above. We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting the information we collect.
Privacy Questions and Complaints
Ambassador commits to resolve complaints about your privacy and our collection or use of your personal information. Persons who have inquiries or complaints regarding this privacy policy should contact us at security@getambassador.com with the words “Privacy Office” in the Subject Line.
You may contact our Data Protection Officer Mark Steffler at security@getambassador.com.
You may also contact us at:
Data Protection Officer/Legal
i2H, Inc. dba Ambassador
2212 Queen Anne Ave North, Suite 759
Seattle, WA, 98109