for Chatbot Use (GDPR-Compliant)
1. Controller
Name and contact details of the data controller in accordance with Art. 4 No. 7 GDPR
Steinbeis Transferzentrum – Digital Expertise
Prof. Dr. Markus Weinberger
Hölderlinstr. 6a
85080
Email: markus.weinberger@digitalexpertise.eu
2. Purpose of Processing
We operate an automated dialogue system (chatbot) on our server, which processes user input to generate appropriate responses. This service is intended to provide information on a specified subject.
3. Categories of Personal Data
When using the chatbot, the following categories of data may be processed:
- User input (which may contain personal data if entered voluntarily)
- Metadata (e.g., timestamp, session ID)
IP addresses are not logged.
4. Legal Basis for Processing
Processing is based on Art. 6(1)(f) GDPR (legitimate interests), particularly the interest in providing an efficient and modern communication channel.
If the chatbot is used for the performance of a contract or pre-contractual measures, processing is additionally based on Art. 6(1)(b) GDPR.
5. Data Storage
Chat content is stored only temporarily (in memory) and is automatically deleted after the session ends. There is no permanent storage of chat data.
6. Data Sharing / Third-Country Transfers
To generate responses, user input is transmitted to a language model service hosted by Microsoft Azure OpenAI.
This service is provided by:
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Processing takes place on servers located within the EU. Microsoft acts as a data processor under Art. 28 GDPR.
A Data Processing Agreement (DPA) has been concluded with Microsoft, and Standard Contractual Clauses (SCCs) of the European Commission are in place.
7. Hosting Provider
The n8n instance is hosted on servers provided by Strato AG, Pascalstraße 10, 10587 Berlin, Germany.
A Data Processing Agreement pursuant to Art. 28 GDPR is also in place with Strato.
8. Data Subject Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
You may contact us at: [Data Protection Officer’s Email]
9. No Automated Decision-Making
There is no automated decision-making within the meaning of Art. 22 GDPR. Chatbot responses are intended solely for informational purposes.
10. Changes to This Privacy Policy
We reserve the right to amend this privacy policy to comply with legal requirements or to reflect changes to our services.