Data Privacy Notice

The following English translation of the “Datenschutzerklärung” is for information purposes only. Only the German version is legally binding.

Responsible for data processing

The responsible party within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other legal data protection provisions is:

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Burckhardtweg 4
37077 Göttingen
Germany
Tel: +49 (0) 551 39-30001
E-Mail: support@gwdg.de
Website: www.gwdg.de

Contact person / Data protection officer

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Datenschutzbeauftragter
Burckhardtweg 4
37077 Göttingen
Germany
E-Mail: support@gwdg.de

General information on data processing

Scope of the processing of personal data

We only process personal data of our users insofar as this is necessary to provide a functional website and our content and services.

As a matter of principle, we only process personal data of our users to the extent that this is necessary to provide a functional website and our content and services. The processing of personal data of our users is regularly carried out only with the consent of the user. An exception applies in those cases in which obtaining prior consent is not possible for actual reasons and the processing of the data is permitted by legal regulations.

Insofar we obtain consent from the data subject for processing operations involving personal data, Article 6 (1) lit. (a) of the EU General Data Protection Regulation (GDPR) is the legal basis for personal data processing.

When processing personal data that is necessary for the performance of a contract to which the data subject is party, Article 6 (1) lit. (b) GDPR is the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6 (1) lit. (c ) GDPR is the legal basis.

Where the processing of personal data is necessary in order to protect the vital interests of the data subject or another natural person, the legal basis is Article 6 (1) lit. (d) GDPR.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) lit. f DSGVO is the legal basis for the processing.

Data protection notice on the use of Voice AI services

Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

In order to use the Voice AI services hosted by the GWDG, user input/requests are collected from the website and processed on the HPC resources. Protecting the privacy of user requests is of fundamental importance to us. For this reason, our service does not store your audio file or BBB conversation, nor are requests or responses stored on a permanent memory at any time. The only exception is the BBB transcription, which is written in Etherpad and uses local MySQL, and >500 MB audio transcription results in our s3 storage, both of which will be deleted after 30 days. The number of requests per user and the respective time stamps are recorded so that we can monitor the use of the system and perform billing. The following data is stored to fulfill the service:

  • Date of access
  • Name of the operating system installed on the accessing device
  • Name of the browser used
  • Source system via which the access was made
  • The IP address of the accessing device
  • The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

Data processing when creating accounts

When creating an account, the so-called “double opt-in” procedure is used. This means that after your registration, we send you an e-mail to the e-mail address you provided, which contains a link that you must call to confirm the creation of this account.

The following data, in addition to the above, is stored when an account is created:

  • E-mail address
  • Name and first name
  • Mobile phone number (if provided)
  • Date and time of the times of registration and confirmation

The following data can optionally be provided by you after the account has been created:

  • Additional e-mail address(es)
  • Salutation and title
  • Date of birth
  • Additional telephone number(s)
  • Postal address(es)
  • Security-specific settings (security questions and answers; two-factor authentication)

Each time you log in with an existing account on our website, our system automatically collects further data on the basis of previously mentioned information. The following data is collected during actions in the logged-in state:

  • Date of access
  • Purpose or action on the website (e.g. changing/re-setting passwords; failed log-on attempts etc.)
  • Name of the operating system installed on the accessing device
  • Name of the used browser
  • Source system via which the access was made
  • The IP address of the accessing device, with the last two bytes masked before the first storage (example: 192.168.xxx.xxx). The abbreviated IP address cannot be associated with the accessing computer.
  • An estimate of the location of the accessing client based on the IP address

The legal basis for temporary storage of data and the log files is Article 6 (1) lit. (f) GDPR.

Purpose of the data processing

The recording of user input via our website and the processing of user input on our HPC system is necessary in order to be able to generate a response using the selected Voice AI service. The storage in log files is done to ensure the functionality of the website. In addition, the data helps us to optimize the website and to ensure the security of our IT systems. An evaluation of the data for marketing purposes does not take place in this context. These purposes also constitute our legitimate interest in data processing pursuant to Article 6 (1) lit. (f) GDPR.

Retention period

The input is only stored on the GWDG server during the inference process itself. After the end of a session in the browser, the user’s entries are no longer available. In addition, a log is kept which contains the number of requests per user and the respective time stamps. The logs are stored in accordance with GWDG guidelines.

Objection and elimination option

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.

Rights of data subjects

You have various rights with regard to the processing of your personal data. We list them in the following, but there are also references to the articles (GDPR) and/or paragraphs (BDSG (2018)) which provide even more detailed information.

Right of access by the data subject (Article 15 GDPR; § 34 BDSG)

You may request confirmation from the controller whether we process personal data related to you. This includes the right to obtain access to information as to whether the personal data concerning you is transferred to a third country or to an international organization.

Right to rectification (Article 16 GDPR)

You have a right of rectification and / or completion vis-à-vis the controller if the personal data processed related to you is inaccurate or incomplete. The controller must perform rectification immediately.

Right to erasure / “Right to be forgotten” / Right to restriction of processing (Article 17/18 GDPR; § 35 BDSG)

You have the right to request the immediately erase of your personal data from the controller. As an alternative, you may request to restrict the processing from the controller, whereby restrictions are referred to in the GDPR/BDSG under the articles and/or sections mentioned.

Notification obligation regarding rectification or erasure of personal data or restriction of processing (“Right to be informed”) (Article 19 GDPR)

If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to communicate such rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort. You have the right vis-à-vis the controller to be informed about these recipients.

Right to data portability (Article 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition to the scenarios presented in and provisions of the GDPR, it must be noted that portability of mass data / user data is limited to technical readability. The right to data portability does not include that the data created by the user in a proprietary format is converted by the controller into a commonly used, i.e. standardized format.

Right of objection (Article 21 GDPR; § 36 BDSG)

You have the right to object to the processing if this is based only on the controller weighing any interests (see Article 6 (1) lit. (f) GDPR). Right to withdraw consents in terms of data protection laws (Article 7 (3) GDPR) You have the right to withdraw your consent under data protection laws at any time. The withdrawal of consent does not affect the lawfulness of processing based on such consent before its withdrawal.

Right to withdraw consent for data processing (Article 7 (3) GDPR)

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to complain to a supervisory authority (Article 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority for the processing of personal data conducted by GWDG is the following:

Landesbeauftragte für den Datenschutz Niedersachsen
Postfach 221, 30002 Hannover
E-Mail: poststelle@lfd.niedersachsen

Terms of Use (Recommendation)

AGBs | Terms and Conditions for Voice-AI

1. Introduction

1.1 Welcome to our Voice-AI Service (the “Service”). By using the Service, you agree to comply with and be bound by the following terms and conditions (“Terms”). The Terms govern the business relationship between the platform operator (hereinafter referred to as the ‘Platform Operator’) and the users (hereinafter referred to as the ‘Users’) of VoiceAI.

1.2 Platform Operator is the GWDG; Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen.

1.3 The Terms apply as of in the version valid at the time of registration of Users. The Platform Operator might update those Terms anytime in the future.

1.4 Please read these Terms carefully before using the Service. By using the Service you aknowledge that you have read and agreed on these Terms.

2. Service Description

2.1 The Service refers to the Application Programming Interface (VoiceAI API) provided by the Platform Operator (GWDG) to signed-in Users of AcademicCloud as set out following.

2.2 The Service provides Users with the ability to:

  1. Translate Voice Streams: Utilize AI technology to translate the voice streams into text in various languages.
  2. Take Down Notes from Meeting: Automatically generate written notes from user’s voice input from online meetings using AI technology.

2.3 Service Specification: The Service is composed of two main parts:

  • Handling Uploaded Audio: This part processes audio files uploaded by users.
  • Handling Streaming Audio from BBB: This part captures and processes streaming audio from BigBlueButton (BBB).

We provide a web server via the GWDG ESX service that hosts a WebUI. Users can log in via SSO and interact with the system through a user interface. The web frontend connects to a Chat AI Kong, which then connects to an HPC proxy and subsequently to a functional account via SSH. Kong is responsible for managing these connections.

Kong Gateway is a cloud-native API gateway that acts as a reverse proxy to manage, configure, and route requests to APIs. It is designed for hybrid and multi-cloud environments, optimized for microservices and distributed architectures. Kong provides the necessary flexibility and scalability to handle the API traffic efficiently.

The functional account can only execute a single command, “cloud_interface.sh”, which is a bash script that uses curl to send a REST request to a compute node.

For audio streaming, the bot joins the room as a listener, notifies BBB participants of the recording, captures audio via WebRTC, and sends the audio frames through the aforementioned procedure. A proxy handles WebSocket (WS) connections necessary for streaming audio.

WebSocket is used because it provides a persistent, two-way communication channel over a single TCP connection, which is essential for real-time audio streaming.

An Uvicorn server with the model runs on the respective computing node to calculate the result. This HTTP connection only takes place within the isolated HPC network. The server on the compute node responds with a stream back to the web service running in the cloud via the active SSH connection. The response is written in Etherpad Lite. Etherpad Lite is an open-source, real-time collaborative editor that allows multiple users to edit documents simultaneously in their browsers.

Info

For billing purposes, logs are written on the HPC login node, recording the username, timestamp, and inference ID at the beginning and end of each request. Similarly, on the cloud/ESX server, the username, email address, and timestamp for each request are logged.

If many requests are received, several computing nodes are required to send the responses in time. An automatic scaling mechanism has been implemented to determine the number of simultaneous requests within the last 5 seconds and adjust the number of compute nodes accordingly. If necessary, new jobs are sent to Slurm. This is monitored by scheduler.py, which is executed during the SSH-Keep Alive.

3. User Responsibilities

3.1 By using the Service, you agree to:

  • provide accurate and lawful voice inputs for processing by the Service.
  • ensure that your use of the Service does not violate any applicable laws, regulations, or rights of others.
  • ensure that the use is pursuant to these Terms, in conjunction to the Terms of Use of Academic Cloud, where your specific rights and obligations are stipulated. The latter can be found here: AcademicCloud | Terms of Use.
  • not misuse the Service in any way that could harm, disable, overburden, or impair the Service.

4. AI Output

4.1 By using the Service you are aware that the output is AI-generated. The Service uses advanced Artificial Intelligence (AI) technology to translate voice inputs and generate written notes.

4.2 However, the AI-generated outputs may not always be accurate, complete, or reliable. You acknowledge and agree that:

  • The AI translation and note-writing features are intended to assist users but should not be solely relied upon for critical tasks.
  • The accuracy of the AI-generated content may vary depending on factors such as the quality of the voice input, language complexity, and context.
  • The risk of ‘Hallucinations’ is present in the Service, such as in most AI-Systems that perform generalized and various tasks. In this sense, the responses generated by AI might contain false or misleading information presented as facts.
  • Human oversight and control measures by your side are deemed necessary to ensure that the output is reliable and that it corresponds to your input prompt.

5. Privacy and Data Security

5.1 We are committed to protecting your privacy. By using the Service, you agree to our collection, use, and storage of data in accordance with our Privacy Policies.

5.2 You can find the GWDG Data Protection Notice as well as the Academic Cloud Privacy Notice here:

6. Intellectual Property

6.1 We own all intellectual property rights in the Service, including but not limited to software, AI algorithms, trade secrets and generated content. You are granted a limited, non-exclusive, non-transferable license to use the Service for its intended purposes.

6.2 Users are required to adhere to copyright and proprietary notices and licenses, preventing the unauthorized distribution or reproduction of copyrighted content. We reserve the right to remove or block any content believed to infringe copyrights and to deactivate the accounts of alleged offenders.

7. Liability of Users of Service

7.1 The Users are liable for all damages and losses suffered by the Platform Operator as a result of punishable or unlawful use of the Service or of the authorization to use the Service, or through a culpable breach of the User’s obligations arising from these Terms.

7.2 Users shall also be liable for damage caused by use by third parties within the scope of the access and usage options granted to them, insofar as they are accountable for this third-party use, in particular if they have passed on their login credentials to third parties.

7.3 If the Platform Operator is held liable by third parties for damages, default or other claims arising from unlawful or criminal acts of the Users, the Users shall indemnify the Platform Operator against all resulting claims. The Platform Operator shall sue the Users if the third party takes legal action against the Platform Operator on the basis of these claims.

7.4 Users shall be solely liable for the content they upload and generate themselves (User-generated-content) through the use of VoiceAI. In this sense, Platform Operator does not bear any liability for violations of law occurring by such content.

8. Liability of Platform Operator

8.1 The Platform Operator does not guarantee that the Service will function uninterrupted and error-free at all times, neither expressly nor implicitly, and hereby rejects this. The loss of data due to technical faults or the disclosure of confidential data through unauthorized access by third parties cannot be excluded.

8.2 The Platform Operator is not liable for the contents, in particular for the accuracy, completeness or up-to-date validity of information and data or of the output; it merely provides access to the use of this information and data.

8.3 The Platform Operator maintains a mere technical, automatic and passive stance towards the content contributed by Users and does not play any active role in controlling, initiating or modifying that content and therefore cannot be held liable for cases where such content is unlawful.

8.4 The Platform Operator shall only be liable in the event of intent or gross negligence by its employees, unless material duties are culpably breached, compliance with which is of particular importance for achieving the purpose of the contract (cardinal obligations). In this case, the liability of the Platform Operator is limited to the typical damage foreseeable at the time of conclusion of the mutual contract of use, unless there is intent or gross negligence.

8.5 Any administrative accountability towards the Platform Operator remains unaffected by the above provisions.

8.6 User claims for damages are excluded. Exempted from this are claims for damages by users arising from injury to life, physical integrity, health or from the breach of essential contractual obligations (cardinal obligations), as well as liability for other damages based on an intentional or grossly negligent breach of duty by the platform operator, its legal representatives or vicarious agents. Essential contractual obligations are those whose fulfillment is necessary to achieve the objective of the contract.

9. Termination We reserve the right to suspend or terminate your access to the Service at any time, without notice, for any reason, including but not limited to your breach of these Terms.

10. Changes to Terms We may modify these Terms at any time. Any changes will be effective immediately upon posting the revised Terms. Your continued use of the Service after the posting of changes constitutes your acceptance of the modified Terms.

11. Final Provisions

11.1 The Terms shall remain binding and effective in their remaining parts even if individual parts are legally invalid. The invalid parts shall be replaced by the statutory provisions, where applicable. However, if this would constitute an unreasonable burden for one of the contracting parties, the contract as a whole shall become invalid.

11.2 If you have any questions about these Terms, please contact us at:

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Burckhardtweg 4
37077 Göttingen
Deutschland
Tel.: +49 551 39-30001
E-Mail: support@gwdg.de
  • By using the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms.

AI_Compliance (Recommendation): Display an AI-Info Notice in the User-Interface

Info

To demonstrate compliance with the Transparency Obligation of Art 50(1) of AI Act = adequately inform the User that content is AI generated ▌information can either be provided in the Terms, or even better within the User-Interface itself = highest level of Transparency demonstrated, as the average user will understand it.

e.g., VoiceAI may display inaccurate info, including wrongful translations or inaccurate notes, so double-check its responses. Check the Terms and the Privacy Notice. e.g., AI-generated content. VoiceAI can make mistakes. Check important info.

Impressum