1. Our Commitment to Your Privacy
Agion ("we," "us," "our") is committed to protecting your privacy and handling your personal data in an open and transparent manner. This Privacy Policy explains how we collect, use, process, and safeguard your personal data in compliance with the General Data Protection Regulation (GDPR), the EU AI Act, and other applicable laws.
This policy applies to data we collect from visitors to our website, our customers, and any other individuals whose data we process in the course of our business.
2. The Data Controller
For the purposes of GDPR, the Data Controller is the entity that determines the purposes and means of processing personal data.
Agion is the Data Controller for:
- Data you provide when you visit our website (e.g., through contact forms, cookies).
- Data related to the management of our customer accounts (e.g., billing and contact information).
- Data collected for marketing and sales purposes.
Contact Details of the Data Controller
- Company:
- Agion Oy
- Address:
- Nummikatu 18-20, 90100 Oulu, Finland
- Privacy email:
- [email protected]
When you use our AI agent platform to process data you own, you are the Data Controller, and Agion acts as the Data Processor on your behalf. Our respective roles and responsibilities for this processing are governed by a separate Data Processing Agreement (DPA).
3. What Personal Data We Collect and Why
We process different categories of personal data for specific purposes, and we only do so when we have a lawful basis.
Account & Billing Data
- Examples
- Name, business email, phone number, billing address, payment details.
- Purpose
- To create and manage your account, provide our services, process payments, and communicate with you about your subscription.
- Lawful basis
- Performance of a contract (Art. 6(1)(b))
Platform Operational Data
- Examples
- System logs, IP addresses, audit trails, usage metadata.
- Purpose
- To secure the platform, monitor performance, prevent fraudulent activity, and provide customer support.
- Lawful basis
- Legitimate interest (Art. 6(1)(f)) to ensure the security and stability of our service.
Website & Marketing Data
- Examples
- Name, email, company name (from contact forms), cookie data, IP address.
- Purpose
- To respond to your inquiries, provide you with marketing communications (with your consent), and analyze website traffic to improve our site.
- Lawful basis
- Consent (Art. 6(1)(a)) for marketing; Legitimate interest (Art. 6(1)(f)) for website analytics and security.
Customer Content Data
- Examples
- Any personal data contained within the missions, workflows, tools, or other content you upload to our platform.
- Purpose
- To perform the services you have requested as part of your contract. We only process this data based on your documented instructions.
- Lawful basis
- As a Data Processor, we process this on your behalf. Your lawful basis as the Controller applies.
| Data Category | Examples | Purpose | Lawful Basis |
|---|---|---|---|
| Account & Billing | Name, business email, phone number, billing address, payment details. | To create and manage your account, provide our services, process payments, and communicate with you. | Performance of a contract (Art. 6(1)(b)) |
| Platform Operational | System logs, IP addresses, audit trails, usage metadata. | To secure the platform, monitor performance, prevent fraudulent activity, and provide support. | Legitimate interest (Art. 6(1)(f)) |
| Website & Marketing | Name, email, company name, cookie data, IP address. | To respond to inquiries, provide marketing communications, and analyze website traffic. | Consent (Art. 6(1)(a)); Legitimate interest (Art. 6(1)(f)) |
| Customer Content | Personal data in missions, workflows, tools, or content you upload. | To perform the services you have requested. We only process based on your documented instructions. | Data Processor on your behalf |
4. Data Sharing and Third Parties
Agion does not sell your personal data.
We use a limited number of third-party service providers (sub-processors) to help us deliver our services. These include cloud infrastructure providers and payment processors. We have contracts in place with these providers to ensure they protect your data to the same standard as we do.
A list of our current sub-processors is available upon request by emailing our privacy contact address. We will notify customers at least 30 days before making any changes to our list of sub-processors.
5. International Data Transfers
Our platform is cloud-agnostic and can be deployed in various regions (AWS, Azure, GCP). Where personal data is transferred outside of the European Economic Area (EEA), we ensure it is protected by implementing appropriate safeguards, primarily through the use of EU Standard Contractual Clauses (SCCs).
6. Data Security
We take the security of your data seriously and have implemented appropriate technical and organizational measures to protect it. These include:
- Encryption: Data is encrypted both in transit (using TLS) and at rest.
- Access Controls: We enforce strict role-based access controls to limit access to personal data to authorized personnel only.
- Immutable Logs: We maintain immutable audit logs to track access and changes to data, which are accessible to our customers.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected.
- Customer Account Data: Retained for the duration of your subscription and for a subsequent period as required by law (e.g., for tax and accounting purposes).
- Operational Data: System logs are typically retained for a rolling period of 90 days, unless a longer period is required for security investigations.
- Customer Content Data: Retained for the duration of your subscription term, as defined in your agreement with us. Data is securely deleted upon contract termination.
8. Your Rights as a Data Subject
Under GDPR, you have the following rights regarding your personal data:
- Right to Access: You can request a copy of the personal data we hold about you.
- Right to Rectification: You can request that we correct any inaccurate or incomplete data.
- Right to Erasure: You can request that we delete your personal data.
- Right to Restrict Processing: You can request that we limit the processing of your data.
- Right to Data Portability: You can request to receive your data in a machine-readable format.
- Right to Object: You can object to us processing your data for our legitimate interests.
To exercise any of these rights, please contact us at [email protected].
You also have the right to lodge a complaint with a supervisory authority in your country of residence if you believe we have not processed your personal data in accordance with GDPR.
9. Breach Notification
In the unlikely event of a personal data breach that affects your data, Agion will notify you, as our customer (the Controller), without undue delay and in accordance with the terms of our Data Processing Agreement.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.