Privacy and User Consent
We are committed to protecting your privacy and being transparent about how we collect, use and manage your personal information. This page explains your rights, how consent is handled, and how we use data to provide our services, communications and online experiences.
Privacy and User Consent
The Agile Business Consortium (“the Consortium”) collects personal data about the people we deal with while carrying out our business and delivering our services. As such, this Privacy Policy sets out to explain how any personal information about you will be processed and used by the Consortium. The Consortium undertakes to make use of your personal information only in the ways described in this policy, and in accordance with applicable data protection legislation and guidance.
About Us
The Agile Business Consortium develops and owns internationally recognised certifications supporting business agility including AgilePM and AgileBA. We support a global community of practitioners through certified qualifications, learning, and professional development.
If you have any queries with regard to this Privacy Policy, please contact us by email: [email protected]
For details regarding representative contact requirements under data protection regulations for the EEA and Switzerland, please refer to Representative Contact Summary (Data Protection) 2025. This document outlines our designated representatives for the EEA and Switzerland and their contact details.
Data We Collect and Process
In this section you will find
- Details about the personal data we collect and how we use it
- Our lawful basis for processing this data
- How long we keep this data
Where exact retention periods cannot be specified, retention will be determined based on legal obligations, business need, contractual requirements, dispute resolution, and regulatory expectations.
We will usually process your personal data because you have provided it to us, but in some cases, we may be provided with your personal data by a third-party (e.g. a member).
A) Visitors to our website
When someone visits our website (https://www.agilebusiness.org/), including our sub-pages and sub-domains, we may collect and process personal data, as follows:
| Purpose | Data | Lawful Basis | Retention Period |
| Web server management and logging | Browser, domain name, what web pages you visited (on our site), referral sites, IP address, time and duration of visit, device and OS details | Legitimate interests – ensuring the security, performance and proper functioning of our website and services. *We process this information under our legitimate interests in maintaining the security, integrity, and effective operation of our website and digital services. | N/A |
| Data collected if you use one of our online contact forms, chat, etc. | Name, contact details, nature of your enquiry | Contract | Will depend on the nature of the enquiry |
Use of AI-Assisted Technologies
We may use AI-assisted technologies and automated tools to support administrative activities, customer service, communications, analytics, content generation, fraud prevention, and operational efficiency.
These tools are used with appropriate human oversight and are not used to make solely automated decisions that have legal or similarly significant effects on individuals.
Where third-party AI service providers process personal data on our behalf, we ensure appropriate contractual, security, and data protection safeguards are in place.
You can find more information about our use of AI tools in our AI policy: (insert AI policy)
Our use of cookies
Occasionally we will send a ‘cookie’ to your device (we use the term “cookie” to collectively mean cookies, beacons, pixels and other technologies). A cookie is a small piece of data that is sent to your browser from a web server and stored on your device’s storage. A cookie cannot read data off your device or read cookie files created by other sites. Cookies do not damage your system.
We use cookies to identify which areas of our website you have visited or customized, so the next time you visit, those pages may be readily accessible. Data from cookies placed by the Consortium will not be used to keep track of visitors.
When you first visit our website, you will be shown our cookie banner. You can use this banner to accept, reject or change cookie settings. If you click the “Settings” button, you will be presented with options for the different types of cookies you can accept or reject. Once you have accepted or rejected cookies, you can always change your cookie settings by clicking the “C” symbol in the bottom left of the webpage.
You can also choose whether to accept cookies by changing the settings of your browser. You can set your browser to refuse all cookies or allow your browser to show you when a cookie is being sent. If you choose not to accept these cookies, your experience on our website and other websites may be diminished and some features may not work as intended.
It is lawful for us to use cookies that are necessary for the functioning of our website, but you have a choice regarding all other cookies. The lawful basis we rely on for processing cookie information is consent, provided via our cookie controls.
You should note that the cookies we use relate to third party services (e.g. Google Analytics) which may result in some information about your website visit being transferred to that third-party and processed outside the UK.
You can find more information about our use of cookies in our cookie policy: (insert cookie policy)
Links to third-party websites
The Consortium does not share any personal information you provide with the sites to which agilebusiness.org links, although agilebusiness.org may share aggregated data with such websites, for example, number of visitors to the site. Please check with those sites to determine their privacy policy.
B) If you contact us
| Purpose | Data | Lawful Basis | Retention Period |
| Email contact | Name, contact details, content of email | Contract | Will depend on the nature of the enquiry |
| Phone contact | Name, contact details, content of email | Contract | Will depend on the nature of the enquiry |
C) If you are a customer or member
| Purpose | Data | Lawful Basis | Retention Period |
| Customer registration | Name, contact details | Contract | Up to 6 years after an individual is no longer a customer |
| Access controls & authorisation, security | Name, contact details, user credentials, server information & logs | Contract | Up to 6 years after an individual is no longer a customer |
| Order fulfilment | Name, contact details | Contract | Up to 6 years after an individual is no longer a customer |
| Communications about professional status, purchases, bookings | Name, contact details, professional status | Contract | |
| Processing payments, fulfilling orders and returns | Name, contact details, purchase history, case information | Contract | Up to 6 years after an individual is no longer a customer |
| Respond to enquiries | Name, contact details | Contract | Will depend on the nature of the enquiry |
| Relationship services | Name, contact details, employer information, communication preferences, DOB, location data, profile photo, interests, social media handles, professional status, membership details | Contract | For as long as current customer or member |
| Respond to leads and opportunities | Name, contact details | Legitimate interest | For as long as qualified lead or opportunity |
| Marketing communications | Name, contact details, marketing preferences | Legitimate interest | For as long as subscribed, and then kept on suppression list |
| To identify connections with other customers or organisations | Name, contact details | Legitimate interest | Up to 6 years after an individual is no longer a customer |
| Analytics and analysis | Name, membership details | Legitimate interest | Up to 6 years after an individual is no longer a member |
D) If you hold a professional status and/or accreditation
| Purpose | Data | Lawful Basis | Retention Period |
| Management of professional status | Name, contact details, qualification information, application information, profile, CPD records | Contract | Up to 6 years after an individual is no longer a customer |
| Transactional communications about professional status | Name, contact details, professional status | Contract | Up to 6 years after an individual is no longer a customer |
E) If you purchase something from our Shopify site
If you purchase an item from our online bookstore Shopify site. When purchasing item(s) from our Shopify store, we will collect certain information for the purposes of dealing with your purchase. As such we rely on contract as our lawful basis for processing. Such information will include your name, contact details for order fulfilment and purchase history.
Upon purchase of a digital publication through our Shopify store, the file will be watermarked with non-identifying information, such as the order number, for tracking and verification purposes.
F) Events
Data collected for our online & in-person events
We often run online events in association with partners who sponsor or co-collaborate on these events. Where we do so, for the purposes of the event we will be joint controller with the partner.
As such, your registration details will be shared with the partner, who may contact you with information related to the joint project and/or their products and services. You may unsubscribe from our communications at any time. Please check third party privacy policies directly.
Where we act as joint controllers with event partners, we will define our respective responsibilities for compliance with data protection law. You may contact either party regarding your data protection rights.
If you register for, and attend, one of our events
| Purpose | Data | Lawful Basis | Retention Period |
| Management of events | Name, contact details, payment details (where relevant) | Contract | Up to 2 years after an event, unless required for other purposes |
| Health and safety | Any accessibility or dietary requirements | Legal obligation | Up to 2 years after an event, unless required for insurance purposes |
| Marketing | Name, contact details, marketing preferences | Consent, Legitimate Interest | For as long as you are subscribed and then retained on a suppression list |
Events and webinars may be recorded for educational, training, quality assurance, or promotional purposes. Where appropriate, attendees will be informed in advance.
We will only send electronic marketing communications where permitted by applicable law, including where you have provided consent or where we rely on soft opt-in or legitimate interests where appropriate.
If you speak at one of our events
| Purpose | Data | Lawful Basis | Retention Period |
| Management of events | Name, contact details | Contract | Up to 2 years after an event, unless required for future events |
| Health and safety | Any accessibility or dietary requirements | Legal obligation | Up to 2 years after an event, unless required for insurance purposes |
If you register to attend a training simulation
| Purpose | Data | Lawful Basis | Retention Period |
| Management of access to training simulation | Name, contact details, learning history/training records | Contract | Up to 2 years after an event, unless required for future events |
| Payment processing (where applicable) | Name, contact details, learning history, payment details (where applicable) | Contract | For the current year + 6 years, for tax purposes |
If you are the simulation trainer
| Purpose | Data | Lawful Basis | Retention Period |
| Management of access to training simulation | Name, contact details, learning history/training records | Contract | Up to 2 years after an event, unless required for future events |
G) Marketing
| Purpose | Data | Lawful Basis | Retention Period |
| Send marketing information & manage potential leads | Name, contact details, employer information, communication preferences, DOB, location data, profile photo, interests, social media handles, gender | Consent, Legitimate interest | For as long as lead or opportunity and not opted-out |
H) If you are a supplier or accredited delivery partner
Suppliers
| Purpose | Data | Lawful Basis | Retention Period |
| Administer and make payments for invoices | Name, contact details, organisation name, job title, bank details, VAT number | Contract | 6 years + current year |
Delivery partners
| Purpose | Data | Lawful Basis | Retention Period |
| Order fulfilment | Name, contact details | Contract | Up to 6 years after an individual is no longer a customer |
I) If you are a business contact
| Purpose | Data | Lawful Basis | Retention Period |
| Managing networking contacts | Name, contact details | Legitimate interest | For as long as a useful/relevant contact |
| To identify connections between customers and organisations | Name, contact details | Legitimate interest | Up to 6 years after an individual is no longer a customer |
J) If you are an employee
If you are an employee, you will be provided access to our employee privacy policy. This sets out how we handle employee personal data.
K) If you apply for a job
| Purpose | Data | Lawful Basis | Retention Period |
| Assessing and identifying appropriate candidates | Name, contact details, DOB, qualifications, employment history, interview notes, application, CV, references | Contract | For successful candidates will become part of HR record. If unsuccessful will keep up to 6 months after rejection |
| Equal opportunities monitoring | Ethnicity, disability | Legal obligation | Will remain with application during interview process then deleted if unsuccessful |
| Talent pool – future opportunities for unsuccessful candidates | Name, contact details, DOB, qualifications, employment history, interview notes, application, CV, references | Consent | Until consent is withdrawn, or up to 1 year |
Some of the personal data we process may constitute special category data under data protection law, such as information relating to health, disability, dietary requirements, ethnicity, or equality monitoring.
Where we process special category data, we will do so only where permitted under applicable law, including where:
- processing is necessary for employment, social security or social protection law obligations;
- processing is necessary for reasons of substantial public interest;
- processing is necessary to provide accessibility accommodations;
- or where explicit consent has been obtained where required
L) Our use of social media
We use various social media platforms. When we post information to our channels on those platforms, we do not process any personal information.
However, if you contact us via the platform, we will handle your information in the same way as we do if you were to email (see above). We may also, as a legitimate business interest, collect information from you from social media channels for the purposes of marketing our services to you (where it is lawful for us to do so), in which case we handle this information in the same way we do any other marketing information (see above).
Sharing Your Information
A) Third-party processors
We use a range of third-party service providers and professional advisers to support the operation of our organisation and delivery of our services. These may include providers of:
- customer relationship management (CRM) systems;
- website analytics and performance tools;
- marketing automation and email communication platforms;
- webinar and online event platforms;
- payment processing services;
- learning and membership management systems;
- cloud hosting and collaboration services;
- accounting, legal, HR, payroll, and administrative support services;
- IT support and cybersecurity services.
Where third-party providers process personal data on our behalf, we ensure appropriate contractual, technical, organisational, and international transfer safeguards are in place in accordance with applicable data protection law.
In all cases where we are using a third-party service or company, we will only provide the minimal amount of information for the purposes of delivering the service to us and to meet our requirements.
We always carry out due diligence against all our third-party suppliers for the purposes of ensuring their compliance with data protection, maintaining adequate security of your data and ensuring they apply adequate data protection principles to the processing of the data we supply. We also make sure a legally binding contract (sometimes called a Data Processing Agreement or DPA) is also in place to protect your data.
B) Our legal obligations to disclose information
If required to by law or in the good-faith belief that such action is necessary, the Consortium will disclose personal information to:
- Comply with a legal process served on the Consortium or to conform to the edicts of the law;
- Protect and defend the rights or property of the Consortium or visitors to agilebusiness.org
- Identify persons who may be violating the law, the legal notice or the rights of third parties,
- Cooperate with the investigations of alleged unlawful activities (e.g. handling requests for information from the police).
Security
The Consortium uses appropriate organisational and technical measures to protect personal data against unauthorised access, alteration, disclosure, loss or destruction. These measures may include access controls, encryption, authentication protections, monitoring, secure backup procedures, supplier due diligence, and staff confidentiality obligations.
Transfer of your Data Outside the UK
Due to the way we manage the Consortium, it’s members and provide its services it is possible your information may be processed outside the UK. If this is the case, we will always make sure the processing meets the strict criteria set out in UK data protection law. As such, if an adequacy regulation does not apply to the country where your data is processed, we will ensure an appropriate safeguard is in place such as standard contract clauses, and if required, carry out a transfer risk assessment.
Your Rights
In this Section, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
A) The right to access and portability
You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data.
Your right to portability allows you to request a machine-readable format of the data you supplied to us and associated service logs (where we store them).
B) The right to rectification
You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
C) The right to erasure (or right to be forgotten)
Under some circumstances you may request us to delete your data from our systems. Where this is possible (e.g. we don’t have any legal purpose for continuing to process your data) we will erase it from our systems. If it’s not possible for us to delete your data, we will explain the reasons why.
D) The right to restrict our processing
In some circumstances you have the right to restrict the processing of your personal data. Those circumstances include, if you contest the accuracy of the personal data; processing is unlawful, but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
E) The right to object to our processing and to withdraw consent
You have the right to object to our processing of your personal data, if we are relying on our or a third party’s legitimate interest and you dispute those interests. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing to continue, which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Where we are processing your data and needed to ask your permission to do so, you are able to withdraw your consent at any time. If you wish to stop receiving our marketing emails you can do so, by clicking on the “unsubscribe” link at the bottom of the email or by contacting us.
F) Complaints
If you feel this privacy notice does not go far enough in explaining how we have used your personal data, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to [email protected].
If you want to make a complaint about the way we have processed your personal information, we’d rather you brought it to us in the first instance, but of course you can contact the Information Commissioner’s Office in their capacity as the statutory body that oversees data protection law in the UK – https://ico.org.uk/make-a-complaint/
More Information
For more information about your data rights and privacy or data protection in general visit the Information Commissioner’s Office website: https://ico.org.uk
Amendments to this Privacy Policy
We may update this policy from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with any changes to this policy. We will notify you of significant changes to this policy by email or on our website.
Last reviewed: 01 June 2026
Join our global community
Become a member today to access exclusive resources, network with industry leaders, and contribute to the future of business agility.
Are you in an organisation? Contact us to learn about organization membership.