Privacy Policy.
How theagency47 collects, uses, and protects personal data. Written for humans. Last updated 15 May 2026.
1. Summary
theagency47 ("we", "us", "our") is the controller of personal data collected through this website and during client engagements. We are based in the European Union and operate under the EU General Data Protection Regulation (GDPR). We collect the minimum data required to run our business honestly, we never sell it, and we delete it when it is no longer needed.
For client engagements, we typically act as a data processor on behalf of you (the controller). A Data Processing Agreement (DPA) is signed before any client data touches our systems.
2. Who we are
- Legal entity: theagency47 (sole proprietorship operated by Christos Papadimitriou), European Union
- Contact for data inquiries: privacy@theagency47.com
- Operational contact: hello@theagency47.com
3. What data we collect, and why
3.1 Website visitors
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Anonymous traffic stats (Google Analytics 4, only if you accept the cookie banner) | Understand which pages get read | Consent (Article 6(1)(a) GDPR) | 14 months on Google's servers; we view aggregates only |
| Form submissions (discovery call, AI Audit) | Respond to your inquiry and prepare for the call | Legitimate interest / pre-contractual | 3 years after last contact, then deleted |
| Email + message (direct email replies) | Respond to your inquiry | Legitimate interest | 3 years after last contact, then deleted |
3.2 Client engagements
During a paid engagement, we process client business data, documents, emails, CRM records, etc., to build, train, and operate the AI agents you have contracted us to deliver. Specifics:
- Scope: Defined in the signed Data Processing Agreement (DPA) and engagement contract
- Legal basis: Contract performance (we cannot deliver the service without processing this data)
- Retention: Operational data retained for the duration of the engagement plus 90 days for handover support; archive logs retained for 12 months unless DPA specifies otherwise; then deleted on request
- Sub-processors: See section 5
3.3 Discovery calls and audits
During discovery and AI Audit engagements, we take notes on your business processes for the purpose of proposal scoping. These notes are stored in our internal knowledge base for 90 days, then deleted unless you sign an engagement.
4. How we share data
We do not sell, rent, or trade personal data. We share it only with:
- Sub-processors, vendors that help us deliver the service (see section 5)
- Authorities, when required by law (e.g., tax authority, court order)
- Anonymous aggregates, public case studies are anonymized unless you give explicit written consent to attribution
5. Sub-processors
We use the following sub-processors. Each has been reviewed for GDPR compliance and has a signed DPA with us.
| Vendor | Purpose | Data location | DPA |
|---|---|---|---|
| Anthropic (Claude API) | Powers AI agents we build for clients | US / EU per Anthropic terms | Signed; 7-day API log retention; no model training on API data |
| Cloudflare | Website hosting and DDoS protection | Global edge; EU customer terms apply | Standard DPA; SCCs in place |
| GitHub | Source code repository for agents we build | US (Microsoft); EU customer terms apply | Standard DPA |
| Google Workspace | Email (hello@theagency47.com), document storage | EU customer terms apply | Standard DPA |
| Google Analytics 4 (Google LLC) | Website analytics, runs only with visitor consent (Google Consent Mode v2) | US / EU per Google terms | Standard DPA; SCCs in place; sets cookies only after consent; IP anonymization enabled. See § 8 below. |
| Cal.com | Discovery call scheduling | EU customer terms apply | Standard DPA; only name + email + timezone collected |
| Stripe (when applicable) | Payments | US/EU; PCI-DSS compliant | Standard DPA; SCCs in place |
We update this list when we add or remove a sub-processor. Material changes are communicated to active clients at least 30 days in advance, with a right of objection per the signed DPA.
6. International transfers
Some sub-processors (Anthropic, Cloudflare, GitHub) are headquartered outside the EU. Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism. Anthropic-specific note: the Claude API supports zero-retention configuration which we enable where the client use case warrants.
7. Your rights under GDPR
If you are in the EU/EEA (and most other jurisdictions provide similar rights), you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase data ("right to be forgotten")
- Restrict processing
- Object to processing based on legitimate interests
- Portability, receive your data in a machine-readable format
- Withdraw consent at any time where consent was the legal basis
- Lodge a complaint with your national supervisory authority
To exercise any of these rights, email privacy@theagency47.com. We respond within 30 days.
8. Cookies and tracking
This website runs one analytics service, gated behind explicit consent. The default state is denied: no analytics cookies are set, no client identifier is created, and no usage data is sent until you accept on the cookie banner.
- Google Analytics 4, sets cookies (
_ga,_ga_XQR318XT35) used to distinguish users and sessions, only if you click Accept on the cookie banner. We run GA4 with IP anonymization. We use Google Consent Mode v2 with default statedeniedforanalytics_storage,ad_storage,ad_user_data, andad_personalization, meaning Google receives no pings about your visit until you grant consent.
Cookies that this site may set, and only after you accept:
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
_ga | Google Analytics | Distinguishes unique users | 2 years |
_ga_XQR318XT35 | Google Analytics | Maintains session state for our property | 2 years |
ta47_consent | theagency47 (this site) | Remembers your cookie banner choice so we do not ask again | Until you clear browser storage |
The ta47_consent value is stored in your browser's localStorage and never leaves your device. It contains only the string "granted" or "denied".
We do not run third-party advertising trackers, social media pixels, or session-replay tools.
If you book a call via Cal.com, the scheduling page may set additional cookies operated by Cal.com, see their privacy policy.
To change your choice at any time, click Cookie preferences at the bottom of any page on this site.
9. Security
We follow standard security practices:
- HTTPS-only (TLS 1.3) for all web traffic
- Two-factor authentication on all internal accounts
- Encrypted storage for client data (at rest and in transit)
- Principle of least privilege for sub-processor access
- Quarterly review of access permissions
- Documented incident response procedure (see section 10)
10. Data breach notification
In the unlikely event of a personal data breach, we notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay in line with GDPR Article 33–34.
11. Children
theagency47 is a B2B service. We do not knowingly collect personal data from anyone under 16 years of age.
12. Changes to this policy
We update this policy when our practices change. Material updates are shown as a banner on the site for 30 days after publication. The "last updated" date at the top reflects the most recent revision.
13. Contact
Questions, requests, or complaints:
- Email: privacy@theagency47.com
- Operational: hello@theagency47.com
Plain-language note: this policy is written to be readable. The binding text is what is here. If something is unclear, ask us, we will explain.