A
Agiliton

Agiliton CRM

Privacy Policy

Last updated: April 25, 2026

Limited Use Compliance

Agiliton CRM's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.:Agiliton CRM's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

GDPR + Limited UseWe do not use Google user data for advertising. We do not sell it. We do not allow human review except in narrow security/legal exceptions. We do not use it to train generalised AI models.

About this policy

Agiliton Ltd ("we", "us", "our") operates the Agiliton CRM platform ("the App") accessed via https://llb.agiliton.cloud, https://crm.livelovebaby.de, and tenant-specific subdomains. This policy explains what data we access, how we use it, and your rights.

This policy is the canonical privacy disclosure referenced from the Google OAuth consent screen during sign-in. Tenant-specific privacy notices may add additional details for end-customer interactions but do not override these core commitments.

1. Data we access

Identity (always, via OpenID Connect)

  • Name — displayed in the app's UI to identify you
  • Email address — used for account identification and operational notifications
  • Profile picture (URL only) — rendered as your avatar

This data never leaves your device and is not transmitted to our servers.

Google Drive (optional, only when you enable Drive sync)

  • Scope: drive.file — grants per-file access only to folders you explicitly select via the official Google Picker dialog. We cannot browse, list, or read any other files in your Drive.
  • What we read — the contents of files inside the picked folder(s), exported to text where possible (Google Docs/Sheets/Slides) or downloaded as-is (PDF, DOCX, images).

This data never leaves your device and is not transmitted to our servers.

Google Calendar (optional, only when you enable Calendar sync)

  • Scope: calendar.events + calendar.readonly — event metadata to display upcoming consultations on your dashboard.

2. How we use Google user data

  • Authentication — Identity claims sign you in. We store your email address and a per-tenant identifier; we do not store your Google password.
  • Knowledge-base indexing — Drive file contents are extracted, chunked, and embedded into a tenant-isolated vector index. Coaches use the index to answer client questions; contents are never shared between tenants.
  • AI processing — Embeddings and chunk text are sent to LLM providers (OpenRouter routing to Anthropic Claude, OpenAI, and Google models) under enterprise data-processing agreements with no-training-on-customer-data terms. No human at Agiliton or a model provider reviews your data routinely.

Limited Use exception list (when humans may access your data): (a) with your explicit consent, (b) for security/abuse investigation, (c) to comply with applicable law, (d) when aggregated and anonymised in a way that prevents linking back to identifiable users.

3. Sub-processors

  • Hetzner Cloud GmbH (Germany) — application and database hosting in EU data centres (Falkenstein, Nürnberg).
  • OpenRouter — LLM request routing on a no-retention plan; passes prompts to Anthropic / OpenAI / Google with their respective enterprise no-training terms.
  • Sentry — application error monitoring; Drive content is not included in error reports (request bodies are redacted).

We do not transfer Google user data outside this list. Signed Data Processing Agreements (DPAs) with each.

4. Data retention and deletion

  • Identity data — retained for the lifetime of your account; deleted within 30 days of account closure.
  • Drive embeddings — deleted within 24 hours of disconnecting the Drive integration in /admin/settings/google or removing the folder from synced-folders list.
  • OAuth tokens — stored encrypted at rest (AES-256-GCM) in Postgres; revoked on disconnect.
  • Backups — rolling 30-day encrypted backups; deletion requests propagate through the next backup rotation.

To request immediate deletion of all your data: email service@agiliton.eu from your account address. We respond within 5 business days.

5. Security

  • All connections are HTTPS (TLS 1.2+). HSTS enforced on *.agiliton.cloud and *.livelovebaby.de.
  • OAuth tokens encrypted at rest using a key managed in OpenBao.
  • Per-tenant database isolation; row-level access control enforced at the application layer.
  • Annual third-party security review by independent assessors.

6. Your GDPR rights (EU/EEA/UK/Switzerland)

  • Access (Art. 15) — download a copy of your data.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — request deletion ("right to be forgotten").
  • Portability (Art. 20) — receive your data in a machine-readable format.
  • Restriction (Art. 18) and objection (Art. 21) — limit how we process your data.
  • Lodge a complaint — with a supervisory authority (e.g. the German BfDI).

Exercise any of these rights by emailing service@agiliton.eu.

7. Changes to this policy

We will post material changes on this page and update the "Last updated" date. For substantial changes affecting how Google user data is processed, we will provide at least 30 days' notice via in-app notification.

Contact

Controller and operator:

Agiliton Ltd
Email: service@agiliton.eu
Website: https://agiliton.eu