The controller responsible for data processing on this website and in connection with the AgenticOS platform is Agentic GmbH, Albert-Schweitzer-Str. 16F, 82152 Planegg / Martinsried, Germany. You can reach us by email at clients@agentic-advisory.com or by phone at +49 162 6836456. The managing director is Andreas Johannes Waldert. The company is registered under HRB 249658 at Amtsgericht München. Our VAT ID is DE407297849.
2. Overview
This Privacy Policy explains how Agentic GmbH ("we," "us," or "Agentic") collects, processes, and protects personal data in connection with our website at https://agentic-advisory.com ("Website"), the AgenticOS platform ("Platform"), and our managed services for AI agent deployment and operation ("Services").
We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Telecommunications-Telemedia Data Protection Act (TDDDG), and the EU Artificial Intelligence Act (EU AI Act).
3. Data Processing on the Website
3.1 Server Log Files
When you visit our Website, your browser automatically transmits certain technical data to our server. This includes your anonymized IP address, the date and time of access, pages visited and resources requested, your browser type and version, your operating system, and the referring URL. The legal basis for this processing is Art. 6(1)(f) GDPR, based on our legitimate interest in ensuring the technical functionality and security of the Website. Server log files are deleted after 30 days.
3.2 Contact Forms and Email
When you contact us via a contact form or email, we process the data you provide, such as your name, email address, company name, and message content, in order to respond to your inquiry. The legal basis is Art. 6(1)(b) GDPR, as processing is necessary for pre-contractual measures at your request. Inquiry data is retained for the duration of the business relationship and deleted thereafter unless longer retention is required by law, for example under German tax retention obligations of 6 or 10 years per §§ 147 AO and 257 HGB.
3.3 Cookies and Tracking
Our Website uses only technically necessary cookies that are required for the Website to function. We do not use tracking cookies, marketing pixels, or third-party analytics services that process personal data. The legal basis is § 25(2) TDDDG, under which technically necessary cookies do not require consent. If we introduce analytics or tracking tools in the future, we will update this Privacy Policy and obtain consent where required under § 25(1) TDDDG and Art. 6(1)(a) GDPR.
3.4 Hosting
Our Website is hosted by Framer B.V. (Amsterdam, Netherlands). Data processing takes place on servers within the European Union. Where data is transferred to third countries in connection with sub-processors used by the hosting provider, appropriate safeguards are in place, including EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
4. Data Processing in Connection with the AgenticOS Platform
4.1 Account and Access Data
When a client or authorized user accesses the AgenticOS Platform, we process account data including name, email address, company name and role, login credentials (passwords are stored in hashed form only), and usage logs such as timestamps, features accessed, and configuration changes. The legal basis is Art. 6(1)(b) GDPR, as processing is necessary for the performance of our service agreement.
4.2 Client Operational Data
AgenticOS is designed so that AI agents deployed through our Platform operate within the client's own infrastructure. Client business data processed by agents remains in the client's environment. Agentic GmbH does not access, store, or process the client's operational business data unless explicitly agreed in writing for a specific purpose such as troubleshooting.
The client is the data controller for any personal data processed by AI agents within their operations. Agentic GmbH acts as a data processor only to the extent that we access client systems for maintenance, support, or monitoring purposes, and only under a separate Data Processing Agreement (DPA) pursuant to Art. 28 GDPR.
4.3 Monitoring and Performance Data
To provide our managed service, including technical management, model updates, and error resolution, we may collect and process agent execution logs (success/failure status, execution times, error codes), performance metrics (throughput, latency, resource utilization), and system health data. This data is technical in nature and does not contain client business data or personal data of the client's customers or employees, unless such data is included in error logs incidentally. We take technical measures to minimize the presence of personal data in monitoring logs.
The legal basis is Art. 6(1)(b) GDPR for the performance of our service agreement and Art. 6(1)(f) GDPR for our legitimate interest in maintaining service reliability.
4.4 Third-Party AI Model Providers
Depending on the specific deployment configuration agreed with the client, AI agents may utilize third-party AI model providers such as OpenAI, Anthropic, or others via API calls. The nature and scope of data sent to third-party providers depends on the specific agent configuration and use case. We inform the client during the scoping phase which third-party providers will be used. We select providers that offer appropriate data processing agreements and data protection commitments. Where possible, we offer configurations that minimize or eliminate the transmission of personal data to third-party model providers, for example through data anonymization, self-hosted models, or EU-based providers. The client's consent to the use of specific third-party providers is obtained as part of the service agreement before deployment.
A current list of sub-processors is maintained and provided to clients upon request or as part of the Data Processing Agreement.
5. Data Processing Agreement (DPA)
For clients using the AgenticOS Platform and managed services, we enter into a separate Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) in accordance with Art. 28 GDPR. The DPA specifies the subject matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, the obligations and rights of the controller (client) and processor (Agentic GmbH), technical and organizational measures (TOMs), sub-processor arrangements, and data deletion and return procedures. The DPA is provided to all clients prior to or at the time of entering into a service agreement.
6. EU AI Act Transparency
6.1 Nature of AI Systems
In accordance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we provide the following information. AgenticOS deploys AI-based agents that automate operational workflows. These agents may utilize large language models, machine learning algorithms, and rule-based automation to process data and execute tasks.
6.2 Human Oversight
All agents deployed through AgenticOS are designed with human oversight mechanisms. Critical workflow steps can be configured to require human review and approval before execution. Clients retain full control over the level of autonomy granted to any agent.
6.3 Risk Classification
We assess each AI agent deployment against the risk categories defined in the EU AI Act. Where an agent use case falls within the high-risk category as defined in Annex III of the EU AI Act, we apply additional requirements including risk management procedures, data governance and quality measures, technical documentation, record-keeping and logging, transparency and information provision to deployers, human oversight provisions, and accuracy, robustness, and cybersecurity measures. We support clients in fulfilling their obligations as deployers of AI systems under the EU AI Act.
6.4 Transparency of AI-Generated Outputs
Where AI agents produce outputs that are presented to individuals, such as reports, summaries, or classifications, clients are advised to ensure that recipients are informed that the content was generated or assisted by an AI system, in accordance with Art. 50 of the EU AI Act.
7. International Data Transfers
We process data primarily within the European Economic Area (EEA). Where data is transferred to countries outside the EEA, for example in connection with third-party AI model providers or infrastructure services, we ensure that appropriate safeguards are in place. These include EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, adequacy decisions of the European Commission pursuant to Art. 45 GDPR, and Binding Corporate Rules where applicable pursuant to Art. 47 GDPR. We do not transfer personal data to third countries without appropriate legal safeguards.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration, in accordance with Art. 32 GDPR. These measures include encryption of data in transit (TLS) and at rest where applicable, access controls and role-based permissions, regular security assessments, incident response procedures, and employee training on data protection.
9. Your Rights as a Data Subject
Under the GDPR, you have the following rights with respect to your personal data. You have the right of access under Art. 15 GDPR to obtain information about whether and how your data is processed. You have the right to rectification under Art. 16 GDPR to have inaccurate data corrected. You have the right to erasure under Art. 17 GDPR to request deletion of your data, subject to legal retention obligations. You have the right to restriction of processing under Art. 18 GDPR to request that processing be restricted under certain conditions. You have the right to data portability under Art. 20 GDPR to receive your data in a structured, machine-readable format. You have the right to object under Art. 21 GDPR to object to processing based on legitimate interest. You have the right to withdraw consent under Art. 7(3) GDPR where processing is based on consent, and you may withdraw it at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with a supervisory authority. The relevant authority for Agentic GmbH is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany. Their website is https://www.lda.bayern.de.
10. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless longer retention is required or permitted by law. Website server logs are deleted after 30 days. Contact form inquiries are retained for the duration of the business relationship and then deleted unless legally required to retain. Platform account data is retained for the duration of the service agreement plus 30 days and then deleted or anonymized. Monitoring and performance data is retained for 12 months on a rolling basis. Contractual and billing data is retained for 10 years in accordance with German commercial and tax law per §§ 147 AO and 257 HGB.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The current version is always available on our Website. Material changes will be communicated to platform users via email or in-platform notification.
12. Contact
For questions, requests, or complaints regarding data protection, please contact Agentic GmbH at clients@agentic-advisory.com or by phone at +49 162 6836456. Our address is Albert-Schweitzer-Str. 16F, 82152 Planegg / Martinsried, Germany.
