AgileCase and the GDPR - Last Updated, 27th February 2026
AgileCase complies with the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where applicable, we also comply with the EU General Data Protection Regulation (EU GDPR).
The GDPR governs how organisations collect, use and protect personal data. As a UK-based software provider processing personal data on behalf of our customers, we recognise our responsibilities under applicable data protection law and have implemented appropriate technical and organisational measures to meet those obligations.
This page explains the respective roles of AgileCase and our customers under Data Protection Legislation and outlines how we approach international data transfers.
AgileCase as the Data Processor
When using AgileCase, customers may upload or input information into the Service that includes personal data relating to their own clients, service users or other individuals.
In these circumstances:
- The customer acts as the Data Controller, determining the purposes and means of processing personal data.
- AgileCase acts as the Data Processor, processing personal data on the customer’s documented instructions for the purpose of providing the Service.
The relationship between the Data Controller and Data Processor is governed by our Terms and Conditions, which include a data processing agreement in accordance with Article 28 of the UK GDPR and, where applicable, the EU GDPR.
AgileCase processes personal data only:
- In accordance with the instructions set out in our Terms and Conditions;
- For the purpose of delivering and supporting the Service; and
- In compliance with applicable Data Protection Legislation.
Customers remain responsible for ensuring that they have a lawful basis for collecting and processing personal data and for complying with their obligations as Data Controllers.
Data Transfers
Where personal data is transferred outside the United Kingdom or the European Economic Area (EEA), Data Protection Legislation requires that appropriate safeguards are in place.
The majority of AgileCase infrastructure is located within the United Kingdom and the EEA. Where we engage subprocessors or service providers that involve transfers of personal data outside these territories, we ensure that such transfers are made in accordance with applicable legal requirements.
- The UK International Data Transfer Agreement (IDTA);
- The UK Addendum to the EU Standard Contractual Clauses;
- The European Commission’s Standard Contractual Clauses (2021 version);
- An adequacy decision issued by the relevant authority; or
- Other lawful transfer mechanisms recognised under applicable Data Protection Legislation.
We maintain an up-to-date list of our subprocessors, including the nature of the services they provide, on our website. We assess subprocessors carefully before engagement and require them to implement appropriate data protection and security measures consistent with our contractual and regulatory obligations.
AgileCase as the Data Controller
AgileCase acts as a Data Controller in respect of personal data that we collect directly, including information relating to users of our website and web application, customer contacts, billing contacts and prospective customers.
We process personal data as Data Controller where necessary:
- for the performance of a contract with you (Article 6(1)(b) UK GDPR);
- to comply with our legal obligations (Article 6(1)(c) UK GDPR), including accounting, taxation and regulatory compliance; and
- for our legitimate interests (Article 6(1)(f) UK GDPR), provided that such interests are not overridden by your rights and freedoms.
Legitimate Interests
Where we rely on legitimate interests as a lawful basis, these may include:
- improving and developing our services;
- ensuring the reliability, integrity and security of our systems and infrastructure;
- preventing fraud, misuse or unauthorised access;
- responsible promotion and marketing of our services to business customers.
Where required by law, we will obtain consent before sending electronic marketing communications.
As a Data Controller, AgileCase is committed to respecting and facilitating the rights of individuals under Data Protection Legislation, including rights of access, rectification, erasure, restriction, objection and data portability.
If you have questions about how we process personal data in our capacity as Data Controller, please contact us at dpo@agilecase.com.
What is AgileCase doing for the GDPR
AgileCase implements and maintains appropriate technical and organisational measures designed to ensure that personal data is processed securely, lawfully and transparently.
Internal Processes, Security and Governance
We maintain internal policies and procedures to ensure compliance with Data Protection Legislation. This includes:
- mapping and reviewing data flows within our systems;
- applying principles of data minimisation and privacy by design;
- restricting access to personal data to authorised personnel on a need-to-know basis;
- maintaining audit logs and internal controls to support accountability obligations.
Access to Customer Data processed in our role as Data Processor is limited to authorised personnel and only where necessary for the performance of contractual obligations.
When engaging third-party service providers, we assess their security and privacy posture and require appropriate contractual protections. We limit the use of subprocessors where reasonably practicable and seek to use infrastructure located within the UK and EEA where appropriate.
Ability to action subject access requests
Where AgileCase acts as Data Processor, we assist our customers, as Data Controllers, in responding to Data Subject requests in accordance with Section 10 of our Terms and Conditions and applicable Data Protection Legislation.
Where AgileCase acts as Data Controller, individuals may contact us directly to exercise their statutory rights. Requests may be submitted via support@agilecase.com or the contact details provided in our Privacy Policy.
We respond to valid requests in accordance with applicable legal timeframes.
Documentation
Our Terms and Conditions and Privacy Policy set out the legal framework governing our relationship with customers and users, including data protection obligations. These documents are reviewed and updated from time to time to reflect changes in law, guidance and our services.
Training and awareness
AgileCase provides regular training and awareness programmes to employees regarding data protection, information security and confidentiality obligations.
All personnel with access to personal data are subject to confidentiality obligations and are trained on appropriate handling procedures. Data protection considerations are incorporated into onboarding processes and periodically refreshed.