Data Privacy Notice

The following English translation of the “Datenschutzerklärung” is for information purposes only. Only the German version is legally binding.

I. Responsible for data processing

The responsible party within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other legal data protection provisions is:

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Burckhardtweg 4
37077 Göttingen
Germany
Tel: +49 (0) 551 39-30001
E-Mail: support@gwdg.de
Website: www.gwdg.de

II. Contact person / Data protection officer

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Datenschutzbeauftragter
Burckhardtweg 4
37077 Göttingen
Germany
E-Mail: support@gwdg.de

III. Description and scope of data processing

Scope of application in the case of individual agreements

In the event of a conflict between these data protection provisions and the terms of one or more agreement(s), e.g. an order processing agreement concluded with GWDG, the terms of such agreement(s) shall always prevail. Cardinal obligations always take precedence over these general provisions. In case of doubt, you can find out from your institute which data protection guidelines apply to you.

Service Overview

ImageAI is an AI-based image generation service. The ImageAI service runs on the HPC (High Performance Computing) architecture and uses the FLUX.1 [schnell] model to generate images from user data. The user data remains secure. The user-friendly web interface allows users to use the service intuitively and create the desired image quickly.

The main component of this service is image generation, which can be accessed via the web interface.

User authentication takes place via SSO. Data protection and security aspects of this internal service are critical, as it utilises the GWDG clusters for inference.

Usage of the Image AI website

Each time our website is accessed, our system automatically collects data and information from the accessing computer system.

In order to use the Image AI services hosted by the GWDG, user input/requests are collected from the website and processed on the HPC resources. Protecting the privacy of user requests is of fundamental importance to us. For this reason, our service does not store your prompt or generated images, nor are requests or responses written to permanent storage at any time. The number of requests per user and the respective time stamps are recorded so that we can monitor the use of the system and perform billing. The following data is stored to fulfill the service:

  • Date of access
  • Name of the operating system installed on the accessing device
  • Name of the browser used
  • Source system via which the access was made
  • The IP address of the accessing device

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

All Image-AI data displayed in the browser is only stored in the user’s browser on the client side and is only transmitted to the server for the necessary processing when the user requests it, i.e. while the data is being processed by the backend models. After the end of a session in the browser, the user input is no longer stored.

Data processing when creating accounts

When creating an account, the so-called “double opt-in” procedure is used. This means that after your registration, we send an e-mail to the e-mail address you provided, containing a link that you must open to confirm the creation of this account.

The following data, in addition to the above, is stored when an account is created:

  • E-mail address
  • Name and first name
  • Mobile phone number (if provided)
  • Date and time of registration and confirmation

The following data can optionally be provided by you after the account has been created:

  • Additional e-mail address(es)
  • Salutation and title
  • Date of birth
  • Additional telephone number(s)
  • Postal address(es)
  • Security-specific settings (security questions and answers; two-factor authentication)

Each time you log in with an existing account on our website, our system automatically collects further data on the basis of previously mentioned information. The following data is collected during actions in the logged-in state:

  • Date of access
  • Purpose or action on the website (e.g. changing/re-setting passwords; failed log-on attempts etc.)
  • Name of the operating system installed on the accessing device
  • Name of the used browser
  • Source system via which the access was made
  • The IP address of the accessing device, with the last two bytes masked before the first storage (example: 192.168.xxx.xxx). The abbreviated IP address cannot be associated with the accessing computer.
  • An estimate of the location of the accessing client based on the IP address

IV. Purpose of the data processing

We only process our users’ personal data to the extent necessary to provide a functional website and our content and services.

The recording of user input via our website and the processing of user input on our HPC system is necessary in order to be able to generate a response using the selected Image AI service.

The data is stored in log files to ensure the functionality of the website. The data also helps us to optimise the website and ensure the security of our IT systems. The data is not used for marketing purposes in this context.

As a rule, our users’ personal data is processed only with the user’s consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

As we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data that is necessary for the fulfilment of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.

VI. Retention period and mandatory data

The input is only stored on the GWDG server during the inference process itself. After the end of a session in the browser, the user’s entries are no longer available. In addition, a log is kept which contains the number of requests per user and the respective time stamps. The logs are stored for one year in accordance with GWDG guidelines. The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.

VII. Rights of data subjects

You have various rights with regard to the processing of your personal data. We list them in the following, but there are also references to the articles (GDPR) and/or paragraphs (BDSG (2018)) which provide even more detailed information.

Right of access by the data subject (Article 15 GDPR; § 34 BDSG)

You may request confirmation from the controller whether we process personal data related to you. This includes the right to obtain access to information as to whether the personal data concerning you is transferred to a third country or to an international organization.

Right to rectification (Article 16 GDPR)

You have a right of rectification and / or completion vis-à-vis the controller if the personal data processed related to you is inaccurate or incomplete. The controller must perform rectification immediately.

Right to erasure / “Right to be forgotten” / Right to restriction of processing (Article 17/18 GDPR; § 35 BDSG)

You have the right to request that the controller immediately erase your personal data. As an alternative, you may request that the controller restrict the processing, whereby restrictions are referred to in the GDPR/BDSG under the articles and/or sections mentioned.

Notification obligation regarding rectification or erasure of personal data or restriction of processing (“Right to be informed”) (Article 19 GDPR)

If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to communicate such rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right vis-à-vis the controller to be informed about these recipients.

Right to data portability (Article 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition to the scenarios presented in and provisions of the GDPR, it must be noted that portability of mass data / user data is limited to technical readability. The right to data portability does not include that the data created by the user in a proprietary format is converted by the controller into a commonly used, i.e. standardized format.

Right of objection (Article 21 GDPR; § 36 BDSG)

You have the right to object to the processing if this is based only on the controller weighing any interests (see Article 6 (1) lit. (f) GDPR).

Right to withdraw consent for data processing (Article 7 (3) GDPR)

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to complain to a supervisory authority (Article 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority for the processing of personal data conducted by GWDG is the following:

Landesbeauftragte für den Datenschutz Niedersachsen
Postfach 221, 30002 Hannover
E-Mail: poststelle@lfd.niedersachsen