Privacy Policy

Last updated: July 9, 2026

This Privacy Policy explains how we collect, use, and protect your personal data when you use Agendaflow. We are committed to handling your data lawfully and transparently under the EU General Data Protection Regulation (GDPR) and Norwegian data protection law.

1. Who we are

Agendaflow is operated by Agendafix AS (org.nr. 937 071 280), a company registered in Norway. “Agendaflow” is the brand name under which we provide the service at agendaflow.com. In this policy, “we”, “us”, and “our” refer to Agendafix AS, the data controller for the personal data described below.

For any privacy question or to exercise your rights, contact us at hello@agendaflow.com.

2. What data we collect

  • Account data — your name and email address. Your email address is your account identifier.
  • Content you create — the agendas, sessions, blocks, comments, and any material you upload or generate while using the service.
  • Billing data — your subscription plan and status. All card payments are handled by Stripe; we never receive or store your full card number.
  • Technical logs — limited technical information such as request logs generated when you use the service, used to keep the service secure and reliable.

3. Why we process it (legal bases)

  • Performance of a contract — to create your account, provide the planning tools, store your content, and manage your subscription.
  • Legitimate interests — to keep the service secure, prevent abuse, and improve and maintain the product, balanced against your rights.
  • Consent — for optional marketing email, which we send via Loops.so only where you have opted in. You can withdraw consent at any time using the unsubscribe link or by emailing us.

4. AI processing

Agendaflow includes AI features that help you draft and refine agendas. When you actively use an AI feature, the relevant agenda content is sent to Anthropic’s API to generate the response. This processing happens only when you invoke an AI feature — your content is not sent to AI providers in the background.

Your content is not used to train AI models. When you use voice-brief features, the relevant audio and text are processed by ElevenLabs to provide the voice experience. When you use exercise search or AI-assisted agenda features, your search query is converted into an embedding via OpenAI to power semantic matching.

How long AI providers keep your content. AI providers process your content to generate the response. Under their API terms, they may retain inputs and outputs for up to 30 days for abuse monitoring, after which the data is deleted. Your content is never used to train AI models.

Uploaded files stay in the EU. Files you upload — for example a strategy document attached as pre-read material — are stored only in our EU database and are not sent to AI providers. What is sent when you actively use an AI feature is the text in your agenda blocks, notes, and briefs, and screenshots you submit through the brief flow.

5. Where your data lives

Your primary application data is stored in the EU, in Supabase’s Frankfurt (Germany) region. We use the following subprocessors to run the service:

  • Supabase — application database and authentication (EU / Frankfurt).
  • Vercel — application hosting and content delivery.
  • Stripe— payment processing. Card data is handled directly by Stripe and never touches Agendaflow’s servers.
  • Anthropic — AI processing of agenda content when you use AI features.
  • OpenAI — generates embeddings of search and AI-assist queries (semantic exercise search).
  • OpenRouter— failover routing for AI requests, used only if Anthropic is temporarily unavailable; requests still run on Anthropic’s Claude models but transit OpenRouter’s servers.
  • Google— renders in-app previews of uploaded Office documents (Word, Excel, PowerPoint) via Google’s document viewer.
  • ElevenLabs — voice features, when used.
  • Resend — transactional email (e.g. sign-in links, account notifications).
  • Loops.so — marketing email, where you have opted in.
  • PostHog — product analytics (EU / Frankfurt).

Some of these subprocessors (Anthropic, OpenAI, OpenRouter, Google, ElevenLabs, Vercel, Resend, and Loops.so) may process data in the United States. Where data is transferred outside the EU/EEA, we rely on the European Commission’s Standard Contractual Clauses as the transfer safeguard.

6. Data retention

We keep your account data and content for as long as your account is active. You can request deletion of your account and content at any time by contacting us. When content is deleted, it is removed from our active systems and purged from backups on a rolling basis as older backups age out. We may retain limited records where required for legal, tax, or accounting purposes.

7. Your rights

Under the GDPR, you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data (rectification);
  • request erasure of your data;
  • receive your data in a portable format;
  • object to certain processing;
  • lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet).

To exercise any of these rights, email hello@agendaflow.com.

8. Cookies and analytics

We use strictly necessary cookies — specifically, session cookies required to keep you signed in — and analytics cookies, described below. We do not use advertising cookies.

We use PostHog, a product analytics service, to understand how Agendaflow is used — for example, which features are used and where people encounter problems. PostHog is configured to store and process this data exclusively in the European Union (PostHog EU Cloud, hosted in Frankfurt). Analytics data includes pages visited, actions taken in the app (such as creating an agenda), your browser and device type, and — once you have an account — your email address as an identifier. We do not use session recording: we do not capture your screen, keystrokes, or the contents of what you write. We do not use analytics data for advertising, and we do not sell it or share it with third parties for their own purposes. Analytics cookies and similar identifiers are used solely to make this measurement work.

9. Changes to this policy

We may update this policy from time to time. When we do, we will update the date below. If we make material changes, we will notify you by email.

10. Contact

Agendafix AS · org.nr. 937 071 280 · Norway. Questions about this policy? Email hello@agendaflow.com.