Data Privacy Notice

Note that this document in provided for supporting english-speaking users, the legally binding document is the German document.

Data Processor

The responsible party for data processing within the meaning of Art. 4 No. 7 GDPR and other national data protection laws of the member states as well as other data protection regulations is the:

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Burckhardtweg 4
37077 Göttingen
Göttingen, Germany
Tel: +49 (0) 551 39-30001
E-mail: support@gwdg.de
Website: www.gwdg.de

Represented by the managing director. The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

Contact person / Data protection officer

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Datenschutzbeauftragter
Burckhardtweg 4
37077 Göttingen
Göttingen, Germany
Phone: +49 (0) 551 39-30001
E-mail: support@gwdg.de

General information on data processing

Overview of the service

The ChatAI service consists of several components, particularly a web frontend and large language models in the backend. The frontend provides users with a web interface to directly enter user queries via a browser. Additionally, users can select their desired model and adjust certain settings. The frontend forwards all requests to the selected model backend. For data privacy reasons, a distinction is made between models hosted locally by the GWDG and external models provided by other vendors, with the latter being clearly marked as such. The backend is hosted via the GWDG’s SAIA platform, which receives all requests and forwards them to the appropriate model. In the case of external models, the requests—specifically, the history transmitted from the browser, including intermediate model texts, and any “memories” created by the user—are forwarded to the respective external provider. For self-hosted models, requests are processed solely on GWDG’s systems.

Additionally, users can activate so-called tools (“GWDG Tools” in the frontend, “Tools” in the OpenAI API) either through the frontend or via API. These tools intervene in user requests and provide a wide range of enhanced functionalities. Most of the offered tools utilize services provided by the GWDG. However, certain functionalities (e.g., web search) can only be delivered through external services, and these are marked in the frontend with a data privacy warning.

Service Components - Simplified Overview Service Components - Simplified Overview

Scope of the processing of personal data

We only process our users’ personal data to the extent necessary to provide a functional website and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user (Art. 6 para. 1 lit. a GDPR). An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

Insofar we obtain consent from the data subject for processing operations involving personal data, Article 6 (1) lit. (a) of the EU General Data Protection Regulation (GDPR) is the legal basis for personal data processing.

When processing personal data that is necessary for the performance of a contract to which the data subject is party, Article 6 (1) lit. (b) GDPR is the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6 (1) lit. (c) GDPR is the legal basis.

Where the processing of personal data is necessary in order to protect the vital interests of the data subject or another natural person, the legal basis is Article 6 (1) lit. (d) GDPR.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) lit. f DSGVO is the legal basis for the processing.

Use of the Chat-AI website (frontend)

Description and scope of data processing

Each time https://chat-ai.academiccloud.de/ is accessed, the system automatically collects data and information from the computer system of the accessing computer. The following data is collected in each case:

  • Date of access
  • Name of the operating system installed on the accessing device
  • Name of the browser used
  • Source system via which the access was made
  • The IP address of the accessing device

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user. All Chat-AI data displayed in the browser is only stored on the client side in the user’s browser and is only transmitted to the server for the necessary processing when the user requests it, i.e. while the data is being processed by the backend models. After the end of a session in the browser, no more user input is available.

General use of models

Description and scope of data processing

For billing purposes, the following data is stored and logged on the GWDG server for each request:

  • Date of the request
  • user ID
  • Length of the request and response

This data is also stored in the log files of our system. This data is not stored together with other personal data of the user. Depending on whether locally hosted models or external models are used, slightly different data protection provisions apply. No liability can be accepted for the automatically generated answers. Answers may be completely incorrect, contain incorrect partial information or may have unlawful content.

Duration of storage

The billing data is stored for one year.

Use of self-hosted models

Description and scope of data processing

In order to use the models hosted by the GWDG, the user’s input/requests are processed on the GWDG’s systems. Protecting the privacy of user requests is of fundamental importance to us. For this reason, our service in combination with the self-hosted models does not store the contents of the requests (chat history), nor are requests or responses stored on a permanent memory at any time.

Duration of storage

The entries are only stored on the GWDG server during processing by the Large Language Models themselves, i.e. while the data is being processed on their own systems.

Use of external models from OpenAI

Description and scope of data processing

In order to use the OpenAI models, we send the respective request (user input) from our server to the Microsoft servers (external service provider). The following data is forwarded to fulfil the service

  • User request

Information about the users themselves is not forwarded by GWDG. However, the user’s enquiry is forwarded unfiltered, i.e. personal information contained in the enquiry itself is forwarded to the external service provider. The GWDG service is based on the Data Processing Addendum ( https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy, https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA). This means that there is an adequacy decision in accordance with the European General Data Protection Regulation, but data transmission to third parties cannot be ruled out by GWDG.

The requests are anonymised by the GWDG servers and are send to the external service provider where they are only logged for up to 30 days in accordance with the Microsoft Data Processing Addendum in the event of an attempt at misuse, e.g. to create hate or sexualised content. This happens automatically if the backend detects an attempt at misuse. It cannot be ruled out that legitimate requests may be incorrectly categorised and logged as attempted abuse.

Possibility of objection and removal

The recording of the user’s input and the processing by Microsoft is mandatory for the provision of the external models. Consequently, there is no possibility for the user to object.

Use of Research Partner Models

Description and Scope of Data Processing

GWDG has research partners who host models externally on their compute resources. For this purpose, GWDG forwards the corresponding user request to the research partners. Information about the users themselves is not forwarded. However, the user requests are forwarded unfiltered, i.e. personal data contained in the request itself is forwarded to the research partners. The GWDG has a research contract with the relevant research partners. Corresponding models that are hosted by research partners are marked within the ChatAI web interface by a following “(Research Partner)”. The use of these models is at your own risk.

Use of models hosted at LUIS

Leibniz University IT Services (LUIS) operates an inference cluster as part of the KISSKI project, which host some large language models. These models are labelled with “LUIS” in the menu of the ChatAI service.

Description and scope of data processing

In order to use the models hosted by LUIS, the user’s input/requests are processed on the LUIS systems. Protecting the privacy of our users data is of fundamental importance to us. For this reason, our service, in combination with the models hosted at LUIS does not store the chat history nor are requests or answers stored on a permanent storage at any time.

Duration of storage

The input is only stored on the servers hosted by LUIS during processing of the language models, i.e., while a response to the request is being generated.

Use of Tools / GWDG Tools

Tools extend the capabilities and power of ChatAI, for example through internet search, vector databases, external MCP servers, or the generation of images, audio, etc. Unless explicitly stated otherwise, the tools provided are internal to GWDG. Web search and MCP server services are external services. Tools must be selected by users via opt-in in the frontend or requested through the API. The tools provided by GWDG are typically made known to the selected model, which then decides—based on the user request—whether to use one or multiple tools (e.g., when the user instructs the model to generate an image). In such cases, the tools are invoked with parameters dependent on the user request. The vector database (Arcana) is a special case. All tool activities are transparently displayed in ChatAI for users.

GWDG-Internal Tools

Description and Scope of Data Processing

GWDG-internal tools such as image generation receive model requests (e.g., “generate an audio output: ‘Hello Data Protection Officer’”), process them, and return the results to the models. At no point are requests or responses (including artifacts such as images) permanently stored; instead, responses and artifacts are immediately returned to the users.

Vector Database / RAG System / Arcana

The GWDG’s Arcana system provides users with a database that makes datasets searchable within ChatAI and uses them as references. The entire system is provided internally by GWDG and consists of a web UI—the RAG Manager—and an integration into ChatAI.

Description and Scope of Data Processing

Generally, a distinction is made between the role of the developer and that of the user. The developer provides contextual data used to build an index server-side. This index is persistent and stored, and can be used across multiple sessions and by multiple users. The index enables users to access a large language model that can leverage specific knowledge from the provided contextual data to answer individual user queries. To do this, the developer uploads data via the RAG Manager, where it is stored and indexed in various datasets called “Arcanas.” An Arcana can be shared with any number of users. Each user must know the name or ID of the Arcana. It is crucial to emphasize that any person with access to an Arcana can access the knowledge it contains.

The contextual data provided by developers is server-side indexed into an Arcana and secured with a password. The Arcana is then imported into the context of open-source models in ChatAI or exported via API, provided the user supplies an ID.

Duration of Storage

The contextual data provided by developers is stored permanently until explicitly deleted by the developers. User requests and responses continue to be stored only locally on the users’ client systems, as described in the section “Use of Self-Hosted Models.” The request exists solely on GWDG’s servers during processing.

External Tools

External tools are used to forward parts of the user request to third-party services. GWDG assumes no liability for the use of external tools!

Description and Scope of Data Processing

The external service provider (e.g., Google) receives the search request initiated by the model and returns the results of the web search as references. For external MCP servers, function arguments are passed. No additional information about users is transmitted, nor are details about user browsers or similar shared. If the model decides to use personally identifiable information entered by users—such as when instructed to search for a person online—this is precisely the intended functionality.

Duration of Storage

Information is not stored by GWDG. However, a search engine or MCP server may store the performed request issued by the LLM.

Rights of data subjects

You have various rights with regard to the processing of your personal data. We list them in the following, but there are also references to the articles (GDPR) and/or paragraphs (BDSG (2018)) which provide even more detailed information.

Right of access by the data subject (Article 15 GDPR; § 34 BDSG)

You may request confirmation from the controller whether we process personal data related to you. This includes the right to obtain access to information as to whether the personal data concerning you is transferred to a third country or to an international organisation.

Right to rectification (Article 16 GDPR)

You have a right of rectification and / or completion vis-à-vis the controller if the personal data processed related to you is inaccurate or incomplete. The controller must perform rectification immediately.

Right to erasure / “Right to be forgotten” / Right to restriction of processing (Article 17/18 GDPR; § 35 BDSG)

You have the right to request the immediately erase of your personal data from the controller. As an alternative, you may request to restrict the processing from the controller, whereby restrictions are referred to in the GDPR/BDSG under the articles and/or sections mentioned.

Notification obligation regarding rectification or erasure of personal data or restriction of processing (“Right to be informed”) (Article 19 GDPR)

If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to communicate such rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right vis-à-vis the controller to be informed about these recipients.

Right to data portability (Article 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition to the scenarios presented in and provisions of the GDPR, it must be noted that portability of mass data / user data is limited to technical readability. The right to data portability does not include that the data created by the user in a proprietary format is converted by the controller into a commonly used, i.e. standardised format.

Right of objection (Article 21 GDPR; § 36 BDSG)

You have the right to object to the processing if this is based only on the controller weighing any interests (see Article 6 (1) lit. (f) GDPR). Right to withdraw consents in terms of data protection laws (Article 7 (3) GDPR) You have the right to withdraw your consent under data protection laws at any time. The withdrawal of consent does not affect the lawfulness of processing based on such consent before its withdrawal.

Right to complain to a supervisory authority (Article 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.