Privacy Notice
Last updated: 24 May 2026
This Privacy Notice explains how AGENSIO AI collects, uses, stores and protects the personal data of users of the agensio.ai platform. We comply with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), the French Data Protection Act (Loi Informatique et Libertes) and applicable national data protection laws.
1. Data controller
AGENSIO AI - SASU with share capital of EUR 1
SIREN: 102 258 076 - registered with the French RNE on 13/03/2026
Registered office: 4 Impasse Rémi Belleau, 44430 Le Loroux-Bottereau, France
Email: contact@agensio.fr
Director: Theo BOUCHET, President
2. Personal data we collect
- Identification: name, email, company name, VAT number, phone (optional)
- Connection / usage: IP address, browser, operating system, pages visited, login data, display preferences (light/dark theme)
- Transaction: subscription history, payment amounts and dates, Stripe identifier (no card data is stored by AGENSIO AI - PCI-DSS handled by Stripe)
- Data provided to AI agents: business data you submit (contacts, invoices, content, etc.), agent configurations and settings, interaction history
3. Legal bases and retention
| Purpose | Legal basis | Retention |
|---|---|---|
| User account management | Performance of contract (Art. 6(1)(b) GDPR) | Account lifetime + 3 years |
| Provision of the Services (AI agents) | Performance of contract (Art. 6(1)(b) GDPR) | Subscription term + 30 days |
| Invoicing and payment | Legal obligation (Art. 6(1)(c) GDPR) | 10 years (accounting obligation) |
| Transactional emails | Performance of contract (Art. 6(1)(b) GDPR) | Account lifetime |
| B2B direct marketing | Legitimate interest (Art. 6(1)(f) GDPR) | 3 years after last contact |
| Service analytics and improvement | Legitimate interest (Art. 6(1)(f) GDPR) | 25 months (anonymised data) |
| Analytics cookies | Consent (Art. 6(1)(a) GDPR) | 13 months maximum |
| Platform security | Legitimate interest (Art. 6(1)(f) GDPR) | 12 months |
4. Data recipients (processors)
Your personal data may be shared with the following processors, each bound by a data processing agreement (DPA) compliant with Article 28 GDPR. This list is kept up to date; any material change will be communicated to you.
| Processor | Role / purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | EU (EU region) |
| Vercel | Web hosting and serverless functions | EU / United States (SCC + DPF) |
| Stripe | Payment and invoicing (PCI-DSS Level 1 certified) | EU / United States (SCC + DPF) |
| Resend | Transactional email delivery | United States (SCC + DPF) |
| Brevo | SMS sending and receiving (Debt Collection agent) | EU (France) |
| Twilio | Telephony (Receptionist agent) | United States (SCC + DPF) |
| Deepgram | Voice transcription (Receptionist agent) | United States (SCC) |
| ElevenLabs | Voice synthesis (Receptionist agent) | United States (SCC) |
| OpenAI | AI models (real-time content processing, zero data retention option enabled) | United States (SCC + DPF) |
| Anthropic | AI models (resilience fallback, zero data retention) | United States (SCC) |
| Outscraper | Sourcing of public business prospects (Leads agent) | United States (SCC) |
| OAuth authentication and Gmail/Calendar APIs (Secretary agent) | EU / United States (SCC + DPF) | |
| Microsoft | OAuth authentication and Outlook API (Secretary agent) | EU / United States (SCC + DPF) |
AGENSIO AI does not sell, rent or transfer any personal data to third parties for commercial purposes.
5. International transfers
Some processors listed above (in particular Vercel, Stripe, Resend, Twilio, Deepgram, ElevenLabs, OpenAI, Anthropic, Outscraper, Google, Microsoft) may process data outside the European Union, mainly in the United States. Where this is the case, transfers are governed by:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46 GDPR);
- The EU-US Data Privacy Framework where the processor is certified under it;
- Additional technical measures (encryption in transit and at rest, minimisation of data transmitted, "zero data retention" option with AI vendors).
6. Google API integration (Gmail, Calendar)
The Agensio Secretary agent may, at your explicit request and after your OAuth consent, access your Google Workspace account through the Google APIs. This section transparently explains how your Google data is handled.
6.1 OAuth scopes requested
https://www.googleapis.com/auth/gmail.modify— read, send, delete and manage the emails in your Gmail inbox (required for sorting, auto-reply, drafting and sending by the agent).https://www.googleapis.com/auth/calendar— read and manage your Google Calendar events (creating, modifying, deleting appointments).openid,email,profile— basic information about your Google account (name, email address) for identification.
6.2 Compliance — Google API Services User Data Policy & Limited Use
Agensio's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
6.3 How your Google data is used
Data obtained via the Google APIs is used only to:
- Display and summarise your emails and events in the Secretary agent interface;
- Allow the AI agent, at your explicit request, to draft replies, create drafts, send emails, or create/modify calendar events on your behalf;
- Automatically detect priority emails, deadlines and recurring contacts to provide you with an intelligent assistant.
We do NOT use your Google data to:
- Serve advertising, perform ad profiling or marketing personalisation;
- Train, improve or fine-tune generalised artificial intelligence models;
- Sell, rent or transfer this data to third parties;
- Carry out aggregated statistical analysis beyond what is strictly necessary to operate the Service for you.
6.4 Transfer of Google data to third parties
The content of your Google emails and events is transferred to third parties only in the following cases, strictly necessary to operate the Service:
- OpenAI (AI model provider): the content of emails or requests you process via the AI agent is sent to OpenAI solely to generate a real-time response. OpenAI is contractually committed to not using this data to train its models ("zero data retention" API option enabled). The data is retained by OpenAI only for as long as strictly necessary to process the request.
- Supabase (database): storage of summaries and metadata of synchronised emails, on servers located in the European Union (Supabase EU region).
- No other transfer is carried out without your explicit consent.
6.5 Storage and encryption of Google OAuth tokens
The OAuth access and refresh tokens issued by Google are encrypted at rest with the AES-256-GCM algorithm at the application level (in addition to the AES-256 disk encryption provided by Supabase). The encryption key is stored in a KMS-backed Vercel environment-variable vault and is never exposed to the client. A database-level constraint (PostgreSQL CHECK constraint) ensures no token can be inserted in plaintext, providing defence in depth.
6.6 Retention of Google data
- OAuth tokens: kept for as long as your Gmail/Calendar integration is active. Deleted immediately when you disconnect the account or delete your AGENSIO AI account.
- Synchronised email metadata (subject, sender, summary): kept to provide context to the agent. You can request their deletion at any time.
- Email content: not stored permanently. Retrieved on demand for processing, then not persisted beyond what is strictly necessary for your current request.
6.7 Revocation and deletion
At any time, you may:
- Disconnect your Google account from the Secretary agent interface (Settings → Integrations);
- Revoke the OAuth permissions from your Google account: myaccount.google.com/permissions;
- Request the complete deletion of all your Google data held by AGENSIO AI by emailing contact@agensio.fr.
Deletion is effective within 30 days at most, in accordance with GDPR requirements.
7. Data security
AGENSIO AI implements appropriate technical and organisational measures to protect personal data (Art. 32 GDPR):
- Encryption in transit (TLS 1.3 / HTTPS)
- Encryption at rest (AES-256)
- Secure authentication (OAuth 2.0 via Supabase Auth, MFA available)
- Least-privilege access to data
- Regular backups
- Access monitoring and logging
- Independent CASA Tier 2 audit (9.1/10 by TAC Security, April 2026)
8. Your rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): obtain confirmation that your data is processed and receive a copy.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): obtain deletion of your data, subject to legal retention obligations.
- Right to restriction (Art. 18): request restriction of processing in certain cases.
- Right to portability (Art. 20): receive your data in a structured, commonly used format.
- Right to object (Art. 21): object to the processing of your data on legitimate grounds, or to direct marketing.
- Right to withdraw consent (Art. 7(3)) at any time, where processing is based on consent.
- Right not to be subject to automated decision-making (Art. 22).
To exercise your rights, email contact@agensio.fr with a copy of an identity document. We will respond within one (1) month at most (Art. 12(3)).
9. Right to lodge a complaint
If you consider that the processing of your data does not comply with the applicable regulation, you may lodge a complaint with the supervisory authority of your country of residence. For data subjects in France, the competent authority is:
CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Web: www.cnil.fr
10. Cookies
For full information on the cookies used on the website, please consult our Cookie Notice.
11. Children's data
The Platform is not directed to persons under 18. AGENSIO AI does not knowingly collect data relating to minors. If we discover that a minor has provided personal data, we will delete it immediately.
12. Automated decision-making
AI agents perform automated processing but always allow human intervention, through supervision mode, manual override, and explicit confirmation for irreversible actions.
13. Changes and contact
AGENSIO AI may update this notice at any time. In the event of a material change, users will be informed by email or by a notification on the Platform. The date of the last update is shown at the top of this page.
AGENSIO AI — Data controller
4 Impasse Rémi Belleau, 44430 Le Loroux-Bottereau, France
Email: contact@agensio.fr