1. Introduction

Agaro Technologies LLC ("Agaro," "we," "us") builds applied AI systems for enterprise customers. We respect privacy as a discipline, not a slogan. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our websites, request a consultation, or use a product or service we deliver.

If you are an end-user of an Agaro-built system deployed by an enterprise customer (for example, a voice agent or workflow assistant your employer or service provider uses), that customer — not Agaro — is the controller of your data. Their privacy notice governs that relationship. We act as a processor on their behalf and handle data only as instructed under a data processing agreement.

2. Scope of This Policy

This policy applies to:

Visitors to agaro.ai and any Agaro-operated subdomain.
Prospects who contact us through a form, email, phone, or scheduled call.
Customers and partners under a Master Services Agreement or Statement of Work.
Job applicants who apply through our careers channel.

It does not apply to systems we have built and delivered to enterprise customers that the customer operates independently. Those systems are governed by the customer's own privacy program and by the data processing terms in our agreement with that customer.

3. Information We Collect

3.1 Information you give us

Contact details — name, business email, phone, role, company, and country, when you complete a form or correspond with us.
Project details — the use case, systems, and constraints you share so we can scope work appropriately.
Account and billing information — for customers under contract, the legal entity, billing address, signatory, and tax identifiers required by accounting and compliance.
Application materials — for candidates, resume, work history, references, and any materials voluntarily submitted.

3.2 Information we collect automatically

Device & log data — IP address, browser and device type, referring URL, pages viewed, and timestamps. Standard server logs, retained 90 days by default for security and operational diagnostics.
Cookies & similar technologies — strictly necessary cookies to keep the site running, and privacy-respecting analytics to understand traffic patterns. We do not use cross-site advertising trackers.

3.3 Information from third parties

Business enrichment — public business directories and LinkedIn data used to verify a prospect's role and company before responding.
Subprocessors — operational metadata from infrastructure providers (hosting, email, calendar, payment) as needed to deliver the service.

4. How We Use Information

We use information for a defined set of business purposes:

To respond to inquiries and schedule consultations.
To deliver, support, and improve products and services under an active engagement.
To send transactional communications — service updates, security advisories, billing notices.
To run our business — accounting, audit, contract management, and dispute resolution.
To protect Agaro, our customers, and the public — fraud prevention, abuse detection, and security investigations.
To comply with legal obligations and respond to lawful requests.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not run advertising re-targeting against our visitors.

5. Legal Bases for Processing (EEA / UK)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Contract — to enter into and perform a services agreement with your organization.
Legitimate interests — to operate, secure, and improve our business in ways you would reasonably expect (responding to a form you submit, securing our infrastructure, evaluating a candidate's fit).
Consent — for any optional communications or analytics where consent is the appropriate basis under local law.
Legal obligation — to comply with tax, accounting, audit, and regulatory requirements.

6. How We Share Information

We disclose information only in the following circumstances:

Subprocessors — vetted vendors that operate hosting, email, payment, and similar infrastructure on our behalf, under written data protection terms. A current list is available under NDA on request.
Professional advisors — auditors, attorneys, insurers, and accountants under confidentiality obligations.
Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, with notice and where required, an opportunity to object.
Legal & safety — when compelled by lawful process, to enforce our agreements, or to protect rights, property, or the safety of Agaro, our customers, or the public.

We will not voluntarily disclose customer content to a government authority without a valid legal demand and, where lawful, will notify the customer.

7. AI Systems & Model Training

We do not use customer content to train models we deploy for other customers. Tuning, configuration, evaluation data, and prompt sets developed inside an engagement stay scoped to that engagement.

Where we use foundation models from third-party providers (for example, OpenAI, Anthropic, or open-source equivalents), we configure those providers to respect zero data retention and no-training settings on customer content whenever they are offered. The current foundation-model configuration for each engagement is documented in the deployment runbook delivered to the customer.

If a customer asks us to use anonymized aggregate signals to improve their own deployment, that scope is defined in their agreement and stays within their tenant.

8. Security

We apply administrative, technical, and physical safeguards proportionate to the sensitivity of the data:

Encryption — AES-256 at rest, TLS 1.3 in transit, with modern cipher suites.
Access controls — least privilege, SSO via OIDC/SAML, MFA enforced for admin, RBAC scoped to engagement.
Tenant isolation — per-deployment logical separation, with per-tenant key material.
Logging — audit logs on system actions, retained per engagement policy and reviewed for anomalies.
Vulnerability management — continuous dependency scanning, prompt remediation of high-severity issues, and coordinated disclosure for reported vulnerabilities.

No system is perfectly secure. If you believe you have discovered a vulnerability in an Agaro service, please disclose it responsibly at info@agaro.ai.

9. Data Retention

We retain data only as long as necessary for the purpose collected:

Inquiry data — up to 24 months after last contact, then deleted or anonymized.
Customer content — for the duration of the engagement and any contractually agreed retention window after termination, then deleted or returned per the customer's instruction.
Server logs — 90 days by default, longer where required for security or legal hold.
Billing & tax records — for the retention period required by applicable tax and accounting law.
Application materials — up to 24 months for future opportunities, unless the candidate requests deletion.

10. International Transfers

Agaro is headquartered in the United States, and production hosting is US-region by default. Where customer requirements or local law require regional residency (for example, EU or UAE hosting), we configure deployments accordingly and document the residency in the engagement runbook.

For transfers of personal data from the EEA, UK, or Switzerland to the United States or another jurisdiction without an adequacy decision, we rely on the Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum, supplemented by technical and organizational measures.

11. Your Rights

Depending on where you live, you may have rights to:

Access the personal information we hold about you.
Correct inaccuracies or update incomplete information.
Delete personal information, subject to legal exceptions.
Restrict or object to certain processing.
Receive a copy of your information in a portable format.
Withdraw consent, where consent is the legal basis.
Lodge a complaint with a supervisory authority.

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, limit the use of sensitive information, and opt out of "sale" or "sharing" — we do not sell or share personal information as defined under California law.

To exercise any right, email info@agaro.ai. We will verify the request and respond within the timeframe required by applicable law. If we are acting as a processor for an enterprise customer, we will route your request to that customer and assist them as required.

12. Children's Privacy

Our services are designed for business use. We do not knowingly collect personal information from children under 16. If you believe a child has provided information to us, please contact us and we will delete it.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be announced on this page and, where appropriate, communicated by email to active customers. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact Us

Questions, requests, or concerns:

Privacyinfo@agaro.ai

Securityinfo@agaro.ai

Legalinfo@agaro.ai

MailAgaro Technologies LLC, Washington, DC, USA

Privacy Policy