Privacy Notice

This Privacy Notice explains how AGENSIO AI collects, uses, stores and protects the personal data of users of the agensio.ai platform. We comply with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), the French Data Protection Act (Loi Informatique et Libertes) and applicable national data protection laws.

1. Data controller

2. Personal data we collect

3. Legal bases and retention

PurposeLegal basisRetention
User account managementPerformance of contract (Art. 6(1)(b) GDPR)Account lifetime + 3 years
Provision of the Services (AI agents)Performance of contract (Art. 6(1)(b) GDPR)Subscription term + 30 days
Invoicing and paymentLegal obligation (Art. 6(1)(c) GDPR)10 years (accounting obligation)
Transactional emailsPerformance of contract (Art. 6(1)(b) GDPR)Account lifetime
B2B direct marketingLegitimate interest (Art. 6(1)(f) GDPR)3 years after last contact
Service analytics and improvementLegitimate interest (Art. 6(1)(f) GDPR)25 months (anonymised data)
Analytics cookiesConsent (Art. 6(1)(a) GDPR)13 months maximum
Platform securityLegitimate interest (Art. 6(1)(f) GDPR)12 months

4. Data recipients (processors)

Your personal data may be shared with the following processors, each bound by a data processing agreement (DPA) compliant with Article 28 GDPR. This list is kept up to date; any material change will be communicated to you.

ProcessorRole / purposeLocation
SupabaseDatabase hosting, authentication, file storageEU (EU region)
VercelWeb hosting and serverless functionsEU / United States (SCC + DPF)
StripePayment and invoicing (PCI-DSS Level 1 certified)EU / United States (SCC + DPF)
ResendTransactional email deliveryUnited States (SCC + DPF)
BrevoSMS sending and receiving (Debt Collection agent)EU (France)
TwilioTelephony (Receptionist agent)United States (SCC + DPF)
DeepgramVoice transcription (Receptionist agent)United States (SCC)
ElevenLabsVoice synthesis (Receptionist agent)United States (SCC)
OpenAIAI models (real-time content processing, zero data retention option enabled)United States (SCC + DPF)
AnthropicAI models (resilience fallback, zero data retention)United States (SCC)
OutscraperSourcing of public business prospects (Leads agent)United States (SCC)
GoogleOAuth authentication and Gmail/Calendar APIs (Secretary agent)EU / United States (SCC + DPF)
MicrosoftOAuth authentication and Outlook API (Secretary agent)EU / United States (SCC + DPF)

AGENSIO AI does not sell, rent or transfer any personal data to third parties for commercial purposes.

5. International transfers

Some processors listed above (in particular Vercel, Stripe, Resend, Twilio, Deepgram, ElevenLabs, OpenAI, Anthropic, Outscraper, Google, Microsoft) may process data outside the European Union, mainly in the United States. Where this is the case, transfers are governed by:

6. Google API integration (Gmail, Calendar)

The Agensio Secretary agent may, at your explicit request and after your OAuth consent, access your Google Workspace account through the Google APIs. This section transparently explains how your Google data is handled.

6.1 OAuth scopes requested

6.2 Compliance — Google API Services User Data Policy & Limited Use

Agensio's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6.3 How your Google data is used

Data obtained via the Google APIs is used only to:

We do NOT use your Google data to:

6.4 Transfer of Google data to third parties

The content of your Google emails and events is transferred to third parties only in the following cases, strictly necessary to operate the Service:

6.5 Storage and encryption of Google OAuth tokens

The OAuth access and refresh tokens issued by Google are encrypted at rest with the AES-256-GCM algorithm at the application level (in addition to the AES-256 disk encryption provided by Supabase). The encryption key is stored in a KMS-backed Vercel environment-variable vault and is never exposed to the client. A database-level constraint (PostgreSQL CHECK constraint) ensures no token can be inserted in plaintext, providing defence in depth.

6.6 Retention of Google data

6.7 Revocation and deletion

At any time, you may:

Deletion is effective within 30 days at most, in accordance with GDPR requirements.

7. Data security

AGENSIO AI implements appropriate technical and organisational measures to protect personal data (Art. 32 GDPR):

8. Your rights

Under the GDPR, you have the following rights:

To exercise your rights, email contact@agensio.fr with a copy of an identity document. We will respond within one (1) month at most (Art. 12(3)).

9. Right to lodge a complaint

If you consider that the processing of your data does not comply with the applicable regulation, you may lodge a complaint with the supervisory authority of your country of residence. For data subjects in France, the competent authority is:

10. Cookies

For full information on the cookies used on the website, please consult our Cookie Notice.

11. Children's data

The Platform is not directed to persons under 18. AGENSIO AI does not knowingly collect data relating to minors. If we discover that a minor has provided personal data, we will delete it immediately.

12. Automated decision-making

AI agents perform automated processing but always allow human intervention, through supervision mode, manual override, and explicit confirmation for irreversible actions.

13. Changes and contact

AGENSIO AI may update this notice at any time. In the event of a material change, users will be informed by email or by a notification on the Platform. The date of the last update is shown at the top of this page.