GDPR Compliance
Last updated April 2, 2026
The General Data Protection Regulation (GDPR) is a European Union regulation that strengthens data protection for individuals within the EU. At Agiled, we are committed to GDPR compliance and to protecting the privacy and rights of all our users, including those in the European Economic Area (EEA).
Our Role Under GDPR
As a Data Controller
When we collect and process your personal data to provide you with an Agiled account and related services (e.g., account registration, billing, communications), we act as the data controller. In this role, we determine the purposes and means of processing your personal data, and we are responsible for complying with GDPR obligations as a controller.
As a Data Processor
When you use Agiled to store and manage your business data — including your clients' personal information, employee data, or other records — we act as a data processor on your behalf. You (the customer) are the data controller for that data, and we process it only according to your instructions as defined in our Data Processing Agreement.
Lawful Basis for Processing
We process personal data on the following legal bases:
- Contract Performance — Processing necessary to provide the Service you have requested (Article 6(1)(b))
- Legitimate Interests — Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, and ensuring security (Article 6(1)(f))
- Consent — Where you have given specific consent for processing activities, such as marketing communications (Article 6(1)(a))
- Legal Obligation — Processing necessary to comply with applicable laws and regulations (Article 6(1)(c))
Your Rights Under GDPR
As a data subject in the EEA, you have the following rights:
Right of Access (Article 15)
You can request a copy of the personal data we hold about you, along with information about how it is being processed.
Right to Rectification (Article 16)
You can request that we correct inaccurate personal data or complete incomplete data.
Right to Erasure (Article 17)
You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected.
Right to Restriction (Article 18)
You can request that we restrict processing of your data in certain situations, such as when you contest the accuracy of the data.
Right to Data Portability (Article 20)
You can request your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
Right Not to Be Subject to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
To exercise any of these rights, please contact us at privacy@agiled.app. We will respond within 30 days of receiving your request.
International Data Transfers
When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) — We use EU-approved standard contractual clauses for data transfers to countries without an adequacy decision
- Data Processing Agreement — Our DPA includes provisions for international data transfers in compliance with GDPR
- Technical Measures — Encryption and access controls protect data regardless of where it is processed
Sub-Processors
We engage a limited number of sub-processors to help deliver the Service. Each sub-processor is carefully vetted and bound by contractual obligations that are consistent with our GDPR commitments. A list of our current sub-processors is available upon request.
Data Protection Officer
For GDPR-related inquiries, you may contact us at:
- Email: privacy@agiled.app
- Address: Agiled, ZTABS LLC, Massachusetts, United States
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including facts, effects, and remedial actions taken
Further Information
For more details about how we handle your data, please review: