Legal

Privacy Policy.

How theagency47 collects, uses, and protects personal data. Written for humans. Last updated 15 May 2026.

1. Summary

theagency47 ("we", "us", "our") is the controller of personal data collected through this website and during client engagements. We are based in the European Union and operate under the EU General Data Protection Regulation (GDPR). We collect the minimum data required to run our business honestly, we never sell it, and we delete it when it is no longer needed.

For client engagements, we typically act as a data processor on behalf of you (the controller). A Data Processing Agreement (DPA) is signed before any client data touches our systems.

2. Who we are

3. What data we collect, and why

3.1 Website visitors

DataPurposeLegal basisRetention
Anonymous traffic stats (Google Analytics 4, only if you accept the cookie banner)Understand which pages get readConsent (Article 6(1)(a) GDPR)14 months on Google's servers; we view aggregates only
Form submissions (discovery call, AI Audit)Respond to your inquiry and prepare for the callLegitimate interest / pre-contractual3 years after last contact, then deleted
Email + message (direct email replies)Respond to your inquiryLegitimate interest3 years after last contact, then deleted

3.2 Client engagements

During a paid engagement, we process client business data, documents, emails, CRM records, etc., to build, train, and operate the AI agents you have contracted us to deliver. Specifics:

  • Scope: Defined in the signed Data Processing Agreement (DPA) and engagement contract
  • Legal basis: Contract performance (we cannot deliver the service without processing this data)
  • Retention: Operational data retained for the duration of the engagement plus 90 days for handover support; archive logs retained for 12 months unless DPA specifies otherwise; then deleted on request
  • Sub-processors: See section 5

3.3 Discovery calls and audits

During discovery and AI Audit engagements, we take notes on your business processes for the purpose of proposal scoping. These notes are stored in our internal knowledge base for 90 days, then deleted unless you sign an engagement.

4. How we share data

We do not sell, rent, or trade personal data. We share it only with:

  • Sub-processors, vendors that help us deliver the service (see section 5)
  • Authorities, when required by law (e.g., tax authority, court order)
  • Anonymous aggregates, public case studies are anonymized unless you give explicit written consent to attribution

5. Sub-processors

We use the following sub-processors. Each has been reviewed for GDPR compliance and has a signed DPA with us.

VendorPurposeData locationDPA
Anthropic (Claude API)Powers AI agents we build for clientsUS / EU per Anthropic termsSigned; 7-day API log retention; no model training on API data
CloudflareWebsite hosting and DDoS protectionGlobal edge; EU customer terms applyStandard DPA; SCCs in place
GitHubSource code repository for agents we buildUS (Microsoft); EU customer terms applyStandard DPA
Google WorkspaceEmail (hello@theagency47.com), document storageEU customer terms applyStandard DPA
Google Analytics 4 (Google LLC)Website analytics, runs only with visitor consent (Google Consent Mode v2)US / EU per Google termsStandard DPA; SCCs in place; sets cookies only after consent; IP anonymization enabled. See § 8 below.
Cal.comDiscovery call schedulingEU customer terms applyStandard DPA; only name + email + timezone collected
Stripe (when applicable)PaymentsUS/EU; PCI-DSS compliantStandard DPA; SCCs in place

We update this list when we add or remove a sub-processor. Material changes are communicated to active clients at least 30 days in advance, with a right of objection per the signed DPA.

6. International transfers

Some sub-processors (Anthropic, Cloudflare, GitHub) are headquartered outside the EU. Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism. Anthropic-specific note: the Claude API supports zero-retention configuration which we enable where the client use case warrants.

7. Your rights under GDPR

If you are in the EU/EEA (and most other jurisdictions provide similar rights), you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erase data ("right to be forgotten")
  • Restrict processing
  • Object to processing based on legitimate interests
  • Portability, receive your data in a machine-readable format
  • Withdraw consent at any time where consent was the legal basis
  • Lodge a complaint with your national supervisory authority

To exercise any of these rights, email privacy@theagency47.com. We respond within 30 days.

8. Cookies and tracking

This website runs one analytics service, gated behind explicit consent. The default state is denied: no analytics cookies are set, no client identifier is created, and no usage data is sent until you accept on the cookie banner.

  • Google Analytics 4, sets cookies (_ga, _ga_XQR318XT35) used to distinguish users and sessions, only if you click Accept on the cookie banner. We run GA4 with IP anonymization. We use Google Consent Mode v2 with default state denied for analytics_storage, ad_storage, ad_user_data, and ad_personalization, meaning Google receives no pings about your visit until you grant consent.

Cookies that this site may set, and only after you accept:

CookieSet byPurposeDuration
_gaGoogle AnalyticsDistinguishes unique users2 years
_ga_XQR318XT35Google AnalyticsMaintains session state for our property2 years
ta47_consenttheagency47 (this site)Remembers your cookie banner choice so we do not ask againUntil you clear browser storage

The ta47_consent value is stored in your browser's localStorage and never leaves your device. It contains only the string "granted" or "denied".

We do not run third-party advertising trackers, social media pixels, or session-replay tools.

If you book a call via Cal.com, the scheduling page may set additional cookies operated by Cal.com, see their privacy policy.

To change your choice at any time, click Cookie preferences at the bottom of any page on this site.

9. Security

We follow standard security practices:

  • HTTPS-only (TLS 1.3) for all web traffic
  • Two-factor authentication on all internal accounts
  • Encrypted storage for client data (at rest and in transit)
  • Principle of least privilege for sub-processor access
  • Quarterly review of access permissions
  • Documented incident response procedure (see section 10)

10. Data breach notification

In the unlikely event of a personal data breach, we notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay in line with GDPR Article 33–34.

11. Children

theagency47 is a B2B service. We do not knowingly collect personal data from anyone under 16 years of age.

12. Changes to this policy

We update this policy when our practices change. Material updates are shown as a banner on the site for 30 days after publication. The "last updated" date at the top reflects the most recent revision.

13. Contact

Questions, requests, or complaints:

Plain-language note: this policy is written to be readable. The binding text is what is here. If something is unclear, ask us, we will explain.