Agylion Privacy Policy

1. Introduction

A/B Software Development Services is a sole proprietorship organized and existing under the laws of the Republic of the Philippines, operating under the brand name Agylion (“Agylion,” “we,” “our,” or “us”). We develop enterprise-focused software and AI solutions that help organizations improve workflows, training, and performance.

This Privacy Policy describes how Agylion collects, uses, stores, and discloses personal information when you interact with our website, products, or services, or when we communicate with prospective or current customers.

Our services are designed for business use and are not intended for individual consumers acting outside of an employment or business relationship with an organization.

2. Scope

This Privacy Policy applies to Agylion's marketing website and related public pages; our software products, including deployment-specific components made available to an Organization, such as a browser extension, web application, or other integration method specified in the applicable Enterprise Agreement; and communications between Agylion and prospective or current customers.

This Policy does not apply to third-party websites or services we may link to, which are governed by their own privacy policies.

3. Definitions

• "Organization" / "Customer" means the enterprise entity that has entered into an Enterprise Agreement with Agylion to use the Services.
• "End User" means an individual authorized by an Organization to use the Services, including sales representatives, trainees, managers, coaches, trainers, and administrators.
• "Services" means the products, software, and related support provided by Agylion under the applicable agreement.
• "Customer Content" means information, materials, recordings, transcripts, or data submitted to or generated within the Services by an Organization or its End Users.
• "Enterprise Agreement" means the master services agreement, order form, data processing agreement, or other written agreement between Agylion and an Organization governing that Organization's use of the Services, including its selected deployment model.
• "Customer Content" means information, materials, recordings, transcripts, or data submitted to or generated within the Services by an Organization or its End Users.
• "Personal Information" means information that identifies or relates to an identifiable individual.
• "Subprocessor" means a third-party service provider engaged by Agylion to process Personal Information or Customer Content on our behalf in order to deliver the Services.

4. Roles and Responsibilities

This Policy distinguishes between three parties: the Organization, which contracts for and controls use of the Services; End Users, individuals authorized by the Organization to use the Services; and Agylion, the software provider delivering the Services under the terms of the applicable Enterprise Agreement.

For Customer Content and End User data submitted through the Services, the Organization acts as the data controller (personal information controller, under the Data Privacy Act of 2012), and Agylion acts as a data processor, processing that data only under the Organization's instructions and the terms of its Enterprise Agreement.

For information Agylion collects for its own purposes, such as data about prospective customers and visitors to its public website, Agylion acts as the controller.

5. Information We Collect

• Account Information — name, work email address, organization name, job title, and authentication credentials.
• Usage Information — login timestamps, device and browser information, IP address, feature usage, session activity, error logs, and performance metrics.
• Billing Information — Agylion does not process payments through an automated online checkout. Fees for the Services are determined on a case-by-case basis and communicated to the Organization through quotations, proposals, or the applicable Enterprise Agreement.

6. Information Provided by Organizations

Organizations provide Agylion with the information needed to configure the Services for their deployment, including rosters of authorized End Users, organizational structure (such as manager-trainee relationships), and organization-specific reference materials used to build practice scenarios.

7. Customer Content

Customer Content includes uploaded reference materials and knowledge bases, configured practice scenarios and evaluation frameworks, voice recordings and transcripts from practice sessions, and any other business information an Organization submits to configure or use the Services.

Customer Content remains the property of the Organization that submitted it, unless otherwise expressly agreed in the applicable Enterprise Agreement. Agylion does not claim ownership of Customer Content.

Agylion is granted only a limited license to use Customer Content as necessary to provide, maintain, support, and improve the Services for the Organization.

Organizations are responsible for the accuracy and lawfulness of any Customer Content they or their End Users submit, including ensuring they have the right to submit any third-party information contained within it. Retention and deletion of Customer Content are addressed in Section 14.

8. AI Practice Sessions, Voice Recordings, and Transcripts

Depending on the deployment model specified in the Organization's Enterprise Agreement, End Users may access our platform through a browser extension, a web-based application, or another integration method made available to the Organization.

Practice sessions may involve voice recordings of simulated conversations. Depending on the deployment model, voice recordings are processed through our managed conversational AI infrastructure or, where a customer-managed deployment is contracted, through infrastructure operated within the Organization's own environment as described in that Organization's Enterprise Agreement. These recordings are not used by Agylion to identify individuals biometrically outside the scope of a specific practice session.

Transcripts generated from audio support scoring, coaching feedback, and analytics.

AI-generated coaching and readiness scores are intended to support, and not replace, human judgment about an End User's preparedness.

AI-generated summaries of session-level or team-level performance are provided for managers and administrators.

Agylion treats voice recordings and transcripts as Customer Content, governed by Section 7.

Organizations should avoid directing End Users to disclose health information, government identifiers, or other sensitive personal information during practice sessions beyond what is reasonably necessary for the scenario being practiced. Agylion does not request or intentionally collect sensitive personal information, as defined under the Data Privacy Act of 2012, through the Services.

Organizations in regulated industries may require additional contractual safeguards, such as a data protection impact assessment or supplementary data processing terms, which can be addressed in the applicable Enterprise Agreement.

9. How We Use Information

Subject to the deployment model and terms set out in the applicable Enterprise Agreement, Agylion uses the information described in this Policy to provide, operate, and maintain the Services; authenticate and authorize users; generate AI-powered coaching, feedback, and readiness scores; provide administrators and managers with team-level analytics; monitor, troubleshoot, and improve platform performance and reliability; provide customer support; maintain the security of the Services; communicate with Organizations and End Users about the Services; and comply with legal obligations.

Agylion does not sell Personal Information or Customer Content, and does not share it for cross-context behavioral advertising.

10. AI Services and Automated Processing

For managed cloud deployments and dedicated enterprise deployments, Agylion relies on the following AI and infrastructure providers, unless otherwise specified in the Organization's Enterprise Agreement: OpenAI (gpt-4o-mini), which processes conversation text, transcripts, and Customer Content to power coaching feedback, scoring, and conversation analysis; Agora, which provides the real-time infrastructure used to transmit and process voice audio during live practice sessions; and Microsoft Azure Text-to-Speech, which converts AI-generated text into the simulated voice used during practice sessions.

Where an Organization requires a customer-managed deployment, the specific AI providers and infrastructure used may differ, including the possible use of the Organization's own AI provider arrangements, and will be set out in that Organization's Enterprise Agreement or a deployment-specific addendum.

Agylion does not use Customer Content to train its own proprietary AI models without an Organization's explicit, separately documented permission.

Agylion' use of OpenAI is configured under OpenAI's API terms, which apply different data handling commitments than OpenAI's consumer-facing products. Organizations may request current information regarding our third-party AI provider configurations, including applicable data retention and training settings, as part of contracting or a security review.

AI-generated coaching feedback, readiness scores, and summaries are decision-support outputs generated by automated systems and may contain errors, omissions, or inaccuracies. They are not certified assessments of job performance and should not be used as the sole or determinative basis for employment decisions, such as hiring, promotion, compensation, or termination, without independent human review. Agylion recommends that Organizations incorporate human review into any process where AI-generated output materially affects an individual.

11. Data Sharing

Agylion shares information with subprocessors that help deliver the Services, as described in Section 12 and, where applicable, the Organization's Enterprise Agreement; professional advisors, such as accountants and legal counsel, under confidentiality obligations; authorities, where required by law, regulation, or legal process, or to protect the rights, safety, or property of Agylion, its customers, or others; and a successor entity, in the event of a sale, transfer, or reorganization of the business, subject to this Policy's protections continuing to apply to previously collected information.

Agylion does not otherwise disclose Personal Information or Customer Content to third parties for their own independent use.

12. Subprocessors

The table below reflects the Subprocessors used in Agylion managed cloud and dedicated enterprise deployments. Organizations using a customer-managed deployment, or requiring specific enterprise integrations, may have a different subprocessor footprint, which will be documented in the applicable Enterprise Agreement or deployment-specific documentation.

We also rely on a small set of third-party website tools for scheduling, email communications, analytics, and hosting. These services only process the data required to perform their limited function and do not use information for unrelated advertising or profiling.

A current Subprocessor list is available to Organizations upon request at hello@stellarsoftwares.com. Agylion will provide reasonable advance notice, or where required by the Organization's Enterprise Agreement, obtain prior written consent, before adding or replacing a material Subprocessor.

13. International Data Transfers

Agylion is based in, and currently focuses its business on, the Philippines. For managed cloud and dedicated enterprise deployments, some Subprocessors, including OpenAI, Agora, and Microsoft, operate infrastructure outside the Philippines, including in the United States and other countries. As a result, information may be transferred to, stored in, and processed in countries other than the Philippines.

Where such transfers are subject to the Data Privacy Act of 2012 or its Implementing Rules and Regulations, Agylion will implement contractual or other safeguards with its Subprocessors designed to maintain an appropriate level of protection for the transferred information.

Organizations with specific data residency requirements, including those in regulated sectors such as banking, healthcare, or government, may discuss dedicated or, where required in the future, customer-managed deployment options as part of their Enterprise Agreement.

14. Data Retention

Retention and deletion of Customer Content, account information, and usage logs are governed by the applicable Enterprise Agreement between Agylion and the Organization, including any deployment-specific or sector-specific retention schedules the Organization requires.

Where no specific timeframe is set out in the Enterprise Agreement, Agylion targets completion of deletion or export requests within thirty (30) days of the request, or of termination of the Enterprise Agreement, as a default, commercially reasonable practice.

15. Security Measures

For managed cloud and dedicated enterprise deployments, Agylion encrypts Customer Content and Personal Information both in transit and at rest, and implements the following measures: authentication and access controls; role-based access controls limiting access on a least-privilege basis; audit logging of access to sensitive systems and data; infrastructure monitoring for security and availability events; and due diligence review of Subprocessors before engagement, with contractual data protection obligations imposed on them.

Where an Organization requires a customer-managed deployment, security responsibilities are shared between Agylion and the Organization, as set out in the applicable Enterprise Agreement and any shared-responsibility documentation provided as part of that deployment.

Agylion maintains backup procedures that continue to be developed and enhanced as the platform scales. No method of transmission or storage is completely secure, and Agylion cannot guarantee absolute security. Agylion has not obtained third-party security certifications, such as SOC 2 or ISO 27001, as of the date of this Policy.

Agylion follows the following incident response process in the event of a suspected security incident:

1. Detect — any team member who discovers or is notified of a suspected security incident escalates it to Agylion' technical leadership.
2. Contain — technical leadership takes immediate steps to limit ongoing exposure, such as revoking compromised credentials or disabling affected systems.
3. Assess — leadership determines the scope of the incident, including which data and Organizations are affected and the likely root cause.
4. Notify — affected Organizations are notified without undue delay. Where the Data Privacy Act of 2012 requires notification to the National Privacy Commission and affected data subjects within a specific timeframe, Agylion will act consistently with that legal requirement.
5. Remediate and review — the underlying issue is addressed, and Agylion conducts an internal review to reduce the likelihood of recurrence.

For customer-managed deployments, Agylion will coordinate with the Organization's own incident response process as set out in the applicable Enterprise Agreement.

16. Customer Responsibilities

Organizations are responsible for providing End Users with appropriate notice that practice sessions may be recorded, transcribed, and evaluated using AI tools, consistent with applicable employment and privacy law; having a lawful basis to submit Personal Information of End Users or third parties to the Services; managing access permissions for their End Users and administrators; promptly notifying Agylion of any suspected unauthorized access to their account; not submitting sensitive personal information beyond what is reasonably necessary for a practice scenario; and where applicable, operating, securing, and maintaining infrastructure under a customer-managed deployment, as set out in the applicable Enterprise Agreement.

17. End User Rights

Subject to applicable law, individuals may have rights to request access to, correction of, or deletion of their Personal Information, to object to certain processing, or to request portability of their data. Because Organizations control most End User data as the data controller, End Users should direct such requests to their Organization's administrator in the first instance. Where appropriate, Agylion will support the Organization in fulfilling these requests, or will respond directly where Agylion acts as controller.

18. Organization Administrator Rights

Organization administrators may, consistent with the applicable Enterprise Agreement: request access to, export of, or deletion of their Organization's Customer Content; manage End User accounts, including provisioning and deactivation; and request information about Agylion' Subprocessors and data handling practices relevant to their Organization's compliance obligations.

19. Cookies and Analytics

This section describes analytics on Agylion' marketing website and standard cloud-hosted product experience. Organizations using a dedicated enterprise or customer-managed deployment may have a different or no analytics integration, as set out in their Enterprise Agreement.

Agylion uses PostHog to understand how its website and product are used, including page views; navigation and button clicks, including demo-request interactions; contact form submissions; traffic source and referral attribution; and anonymous session analytics.

Agylion does not collect personal or sensitive personal information through this analytics tooling, and session recording is disabled. Tracking is disabled by default and activates only if a visitor accepts the cookie banner. Visitors who do not accept the banner are not tracked. Organizations and End Users may also manage cookie preferences through their browser settings.

20. Children's Privacy

The Services are intended for business use by adult employees and representatives of Organizations and are not directed to, marketed to, or designed for individuals under 18 years of age. Agylion does not knowingly collect Personal Information from individuals under 18. If Agylion becomes aware that it has inadvertently done so, it will take steps to delete it.

21. Changes to this Privacy Policy

Agylion may update this Privacy Policy to reflect changes in its practices, technology, legal requirements, or the Services. For material changes affecting how Agylion processes Personal Information or Customer Content, Agylion will provide reasonable advance notice to Organizations by email or in-app notice. The "Last Updated" date above reflects the most recent revision.

22. Contact Information; Governing Law

Agylion is a sole proprietorship registered in the Republic of the Philippines.

Agylion has not designated a separate Data Protection Officer. Based on the current scale and nature of its processing activities, Agylion has determined that registration of its data processing systems with the National Privacy Commission is not currently required, and Agylion will reassess this determination as its operations grow. Privacy inquiries and data subject requests are handled directly by Agylion' leadership team and may be directed to hello@stellarsoftwares.com.

This Privacy Policy, and any matter arising from or relating to it, is governed by the laws of the Republic of the Philippines, including the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations, as administered by the National Privacy Commission. Any dispute is subject to the jurisdiction of the competent courts of the Philippines.