Privacy Notice


1. Scope

We take the protection of your personal data very seriously and treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy notice. With this privacy notice we inform you about the nature, scope and purpose of the personal data collected, used and processed by us. Furthermore, you will be informed about your rights by means of this privacy notice, which applies to all websites, applications, services or tools of Data Assessment Solutions GmbH (together: “Services”), in which reference is made to this privacy notice, regardless of how you access or use these services, including access via mobile devices.

Persons under the age of 16 are not permitted to use this website with consent to the storage of cookies in accordance with Art. 8 GDPR unless their legal representatives have given legally valid consent to the data processing. The same applies to the subscription to our newsletter, the use of the live chat function on this website and our contact form by persons under the age of 16. In addition, we point out that our offer is aimed exclusively at business customers.

The responsible party for the purposes of the General Data Protection Regulation (GDPR), other applicable data protection laws in the Member States of the European Union and other provisions of a data protection nature is Data Assessment Solutions GmbH, Misburger Str. 81b, 30625 Hannover, Tel.: +49 511 47402330, E-Mail: info@data-assessment.com, website: www.data-assessment.com. The company’s data protection officer is Dr. Stephan Glaschak (e-mail: glaschak@data-assessment.com).

2. What Personal Data do we collect and what is the data used for?

Definition of Terms

Personal data is information about a specific or identifiable natural person. An identifiable natural person is a person who can be identified directly or indirectly by means of a characteristic. A characteristic may be a name, an identification number, location data or an online identifier or specific information on the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person. Data that is anonymous or aggregated and can no longer be used to identify a particular natural person, whether in combination with other data or otherwise, is not personal data.

Website

The use of our website is possible without providing personal data. However, every time a website is accessed, our Internet service provider collects a series of general data and information that is temporarily stored in the log files of the web server. For example, the browser types and versions used are recorded, as well as the operating system used by the accessing system, the web page from which an accessing system accesses our website (called referrer), the sub-web pages accessed via an accessing system on our website, the date and time of access to the web page, an Internet Protocol (IP) address, the accessing system’s Internet service provider, and other similar data and information used in the event of attacks on our information technology systems.

When processing this general data and information no conclusions are drawn on the data subject. Rather, this information is needed to properly deliver the contents of our website and to provide law enforcement authorities with the information needed for law enforcement in the event of a cyberattack. The anonymous data of the server log files are stored separately from all personal data provided by an affected person.

Products

Data Assessment Solutions GmbH is a German provider of software solutions and related services. With decídalo, we distribute a SaaS industry solution for IT services and consulting companies. In addition to comprehensive skills and CV management for the company’s own employees, the software also offers the option of managing reference projects. In addition, resource management maps the staffing process right through to time recording and provides various aggregated views.

Additionally we recently launched decidalo Free, a lightweight CV management solution that integrates with Microsoft 365 and other cloud platforms to take skills from existing documents, emails, external databases, or chats and link them to an existing decidalo license as needed, adding and evaluating skills, projects, and skill needs via Azure Open AI Services.

In the course of providing our SaaS applications, we only collect and process the data that is absolutely necessary for operating the platform. The legal basis is the provision of contractually agreed services, authorization and access control and, if applicable, the provision of service and maintenance services by agreement as part of the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR.

The customer is the responsible party within the meaning of Art. 4 No. 7 GDPR with regard to the use of our SaaS applications, i.e. the collection, processing and use of data of its users as well as the collection, processing and use of personal data within the scope of the decídalo account for which it is responsible. The central component of the database linked to decídalo or decidalo Free is the skill profiles of the customer’s own employees. It is the customer’s responsibility to obtain any necessary declarations of consent from those affected and to inform them of their rights and obligations under data protection law.

The data records collected with decídalo or decídalo Free are stored in the Azure Cloud and are not passed on to third parties. Only the account owner or users authorized by the account owner and our support department have access to the database. The data records of an account are irretrievably deleted after the end of the respective contractual relationship.

Contact Form, E-Mail Inquiries

If you send us inquiries via the contact form on our website or by e-mail or in any other way, your details, including the contact details provided by you, will be stored in order to process the request and in case of follow-up questions. This information is always provided by you on a voluntary basis. We will not share your information without your consent. Please note that data transmission over the Internet (for example, when communicating via e-mail) may have security vulnerabilities. A complete protection of data from access by third parties is therefore not possible.

Newsletter

If you would like to receive our free newsletter, we need an e-mail address from you. In addition, the IP address of the calling computer as well as the date and time of registration are stored during the initial registration. You can optionally enter your first and last name for personalized addressing. Further data is not collected. We use this data exclusively for the newsletter dispatch and do not pass it on to third parties. You may revoke your consent to the storage of data, the e-mail address and its use for sending the newsletter at any time, for example via the corresponding link in the newsletter.

Newsletter-Tracking

Our newsletters contain so-called counting pixels. A counting pixel is a miniature graphic that is embedded in e-mails sent in HTML format to enable log file recording and log file analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns. Using the embedded pixel, we can detect if and when an e-mail was opened by the recipient and which links in the e-mail were called. Such personal data collected via the counting pixels contained in the newsletters are stored and evaluated anonymously in order to optimize the delivery of newsletters and to better adapt the content of future newsletters to the interests of the recipient. This personal data will not be disclosed to third parties. Affected persons are at any time entitled to revoke the separate declaration of consent made via the double-opt-in procedure. After revocation, this personal data will be deleted by us. We automatically treat unsubscribing from the newsletter as a revocation.

Customers

Under an existing agreement, we additionally use personal information to fulfill your contract and to provide you with our services, or to fulfill our legal obligations. This includes, for example, the processing of payments and account management, the operation, the assessment and improvement of our services, the safeguarding and functionality of our services, the contact with you in the course of contract execution or other measures in the context of customer service. For these reasons, we can contact you by email, telephone or post.

Applicants

We process personal data of applicants for the processing of application procedures. The processing is usually done by electronic means, e.g. if an applicant submits application documents by e-mail to us. If we conclude a contract of employment with an applicant, the transmitted data will be stored for the purpose of the employment relationship in compliance with the legal requirements.

3. Do we pass on Personal Data?

A transfer of data to third parties without your consent takes place only if we are legally obliged to do so or if this is necessary for the fulfillment of the contract and serves our legitimate interests, unless your rights and freedoms prevail. In order to reconcile our interests with your rights, we have introduced appropriate control mechanisms. We may transfer your personal data to the following third parties and for the following purposes:

External service providers

We pass on personal data to external service providers who assist us in our operations to provide technical, sales, financial or logical services to us or assist us in preventing, detecting, containing and investigating potentially unlawful acts, compliance with our legal obligations, enforcing our Terms and Conditions, defending legal claims, bill collection, affiliate and rewards schemes and other business operations.

When we disclose personal information to external providers, this is solely on the basis of an agreement that limits the processing of such personal information by the outside provider to the purposes required to fulfill the contractual obligations to us. In doing so, the external provider is obliged to take appropriate security measures with regard to this data. External providers are in no way entitled to disclose personal data that they receive from us.

Government agencies

We pass on personal data to law enforcement agencies, government agencies, or legally authorized third parties on request for information or in connection with a preliminary investigation or suspected criminal offense, unlawful act or other act that may give rise to legal liability for us, you or another user. In such cases, we will only disclose information relevant to the investigation or request for information, such as: Name, location, zip code, phone number, email address or IP address.

Transmission to third countries

Processing of personal data in a third country by us or on our behalf takes place only in the legally and contractually permissible framework and in the presence of the special conditions of Art. 44 et seq. GDPR. Processing then takes place on the basis of specific guarantees, such as the officially recognized level of data protection or in compliance with officially recognized special contractual obligations (so-called “EU Commission standard contractual clauses”), supported by an individual risk assessment.

Legal successor, group companies

In the event of a merger with another company or a takeover by another company, we may share information with that company in accordance with our privacy notice. If such an event occurs, we will require the new merged entity to comply with the statutory data protection regulations with respect to your personal information. If your personal information is collected, used, shared or stored for any purpose not mentioned in this document, you will be informed in advance of the processing of your data for these new purposes.

4. How long do we retain Personal Data?

The storage of personal data is based on the respective statutory retention periods. After expiration of the respective deadline, the corresponding data will be deleted, provided that a) the data is no longer required to fulfill the contract and b) you have not explicitly agreed to an extended retention period and c) deletion does not conflict with any other legitimate interests of our company. Other legitimate interest in this sense could be justified, for example, by a burden of proof in a procedure under the General Equal Treatment Act (AGG) when applying for a job.

5. How do we use cookies and tracking technologies?

Cookies

Some of these websites use so-called cookies. Cookies do not harm your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and secure. By using cookies, we can provide you with more user-friendly services that would not be possible without the cookie set-up and make it easier for you to use our website. Cookies are small text files that are stored on your computer and stored by your browser. Most of the cookies we use are so-called “session cookies”. They are automatically deleted after your visit. Other cookies remain stored on your device until you delete them.

Depending on the intended use and function, we divide cookies into the following categories:

  1. Technically necessary cookies (mandatory cookies) to ensure the technical operation and basic functions of our website. These types of cookies are used, for example, to maintain your settings while you navigate the website; or they can ensure that important information is retained throughout the session (e.g. login, shopping cart).
  2. Marketing cookies to tailor the content of our website to your needs and to further optimize our products by storing information about you that results from your use.

The legal basis for the use of technically necessary cookies is based on our legitimate interest in the technically faultless operation and smooth functionality of our website in accordance with Art. 6 para. 1 lit. f GDPR. Our website cannot function properly without these cookies. The use of statistics and marketing cookies requires your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent to the use of cookies in accordance with Art. 7 para. 3 GDPR at any time for the future. The consent is voluntary. If it is not granted, no disadvantages will arise.

You can prevent the setting of cookies through our and other websites at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, you can delete already set cookies at any time via an internet browser or other software programs. This is possible in all common internet browsers. Disabling cookies may restrict the functionality of this website.

Borlabs Cookie – Consent Tool Extension (“Cookies”)

This website uses the WordPress plugin “Borlabs Cookie” as a consent management tool. Such tools are scripts that are implemented on a website and ensure that certain cookies are only activated after a check mark has been placed. At the same time they inform about the cookies used and document what the user has selected. The use of a consent management tool is considered a technically necessary tool and therefore does not require the explicit consent of a website user. Further information on the tool can be found at https://de.borlabs.io/borlabs-cookie/.

Social Plugins from Facebook, LinkedIn, Xing, Instagram, Twitter

Our website uses so-called social plugins (“plugins”) from the social networks Facebook, LinkedIn and Xing as well as the microblogging services Instagram and Twitter. These services are provided by the companies Facebook Inc., LinkedIn Corporation, Xing AG, Instagram LLC. and Twitter Inc. (“Providers”).

Facebook is operated by Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA. An overview of the Facebook plugins and their appearance can be found here: https://developers.facebook.com/docs/plugins

LinkedIn is operated by LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. LinkedIn Corporation is a subsidiary of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. For data protection matters outside of the USA, LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible. Further information on LinkedIn plug-ins can be found at https://developer.linkedin.com/plugins.

XING is operated by Xing AG, Gänsemarkt 43, 20354 Hamburg, Germany. Information on the Xing plug-ins can be found at https://dev.xing.com/

Instagram is operated by Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”). Instagram LLC is a subsidiary of Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA. An overview of the Instagram buttons and their appearance can be found here: https://en.instagram-brand.com/assets/icons

Twitter is operated by Twitter Inc, 1355 Market St, Suite 900, San Francisco, CA 94103, USA (“Twitter”). An overview of the Twitter buttons and their appearance can be found here: https://about.twitter.com/en_us/company/brand-resources.html

If you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the servers of the corresponding operator. The content of the plugin is transmitted by the respective provider directly to your browser and integrated into the page. Through the integration of the plugin, the respective provider receives the information that your browser has called up the corresponding page of our website, even if you do not have a profile or are not logged in. This information (including your IP address) is transmitted by your browser directly to a server of the provider in Europe or the USA and stored there. If you are logged in to one of the services, the respective provider of this service can directly assign the visit to our website to your respective profile.

When you interact with the plugins, for example, by clicking the “Like”, “+1”, “Twitter” or “Instagram” button, the corresponding information is also sent directly to a server of the provider and stored there. The information is also published in the respective social network or account and displayed to your contacts. Our company usually has no influence on the amount of data that the providers collect using these plugins. The purpose and scope of the data collection and the further processing and use of the data by the providers as well as your rights and setting options for the protection of your privacy can be found in the data protection notices of the providers.

Data protection information from Facebook: http://www.facebook.com/policy.php

Data protection information from LinkedIn: https://www.linkedin.com/legal/privacy-policy.

Data protection information from Twitter: https://twitter.com/privacy

Data protection information from Instagram: https://about.meta.com/brand/resources/instagram/icons/

Data protection information from XING: https://privacy.xing.com/en/privacy-policy

If you do not want Facebook, LinkedIn, Xing, Instagram, or Twitter to associate the information collected through our website directly with your profile in their respective service, you must log out of the respective service before visiting our website. You can also completely prevent the loading of the plugins with add-ons for your browser, e.g. with the script blocker “NoScript” (http://noscript.net/).

Google Ads

Our website has Google Ads integrated. The operating company is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. The purpose is to promote our website by displaying interest-relevant advertisements on third-party websites and in the search results of the Google search engine. If a person reaches our pages via a Google advertisement, a so-called conversion cookie is stored on their system (for cookies, see the explanations above). A conversion cookie loses its validity after thirty days and does not serve to identify the person concerned. However, it can be used to track which subpages have been accessed on our site. In addition, the data and information collected is used by Google to compile visit statistics for our website, which are used by us to determine the total number of users who were referred to us via Google Ads advertisements, to determine the success or failure of the respective ads and to optimize our ads for the future. Neither our company nor other Google Ads advertisers receive information from Google that could be used to identify individuals.

Whenever you visit our Internet pages, personal data including the IP address of the Internet connection used may be transmitted to Google in the USA and stored there on Google servers. Google may pass this data on to third parties. As described above, the setting of cookies by our website can be generally prevented at any time by means of a corresponding setting of the Internet browser used and thus the setting of cookies can be permanently rejected. Such a setting of the Internet browser used would also prevent Google from setting a conversion cookie on the system of the visitor to a website. In addition, a cookie already set by Google Ads can be deleted at any time via the Internet browser or other software programs. It is also possible to object to interest-related advertising by Google. For this purpose, the link https://www.google.de/settings/ads must be called up from every internet browser used and the desired settings must be made there. Further information and the valid data security regulations of Google can be called up under  https://www.google.de/intl/de/policies/privacy.

LinkedIn Conversion Tools: Insight Tag and Event Pixel

Our website uses the “Insight Tag” and “Event Pixel” conversion tools from LinkedIn Ireland Unlimited Company, a subsidiary of LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale CA 94085, USA. These tools create cookies in your web browser that allow the collection of information including the following: IP address, device and browser characteristics and page events (e.g., page views). This data is encrypted, anonymized within seven days and the anonymized data is deleted within 90 days. LinkedIn does not share any personal information with us, but provides anonymous reports about the website’s target audience and ad performance. We may use this information to display targeted advertising outside of our website without identifying you as a website visitor. LinkedIn also provides us with aggregated and anonymous reports of ad activity and information about how you interact with our site. In addition, LinkedIn offers the ability to retarget through the Insight Tag. For more information about LinkedIn’s privacy practices, please refer to the LinkedIn privacy policy at https://www.linkedin.com/legal/privacy-policy.

LinkedIn members may opt-out of having their personal information used for promotional purposes in their account settings by clicking the following link (“Opt-out”): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Google Analytics

This website uses functions of the web analytics service Google Analytics. Provider is Google Inc., 1600, Amphitheatre Parkway Mountain View, CA, 94043, USA. The purpose of the Google Analytics component is to analyze visitor flows on our website. Among other things, Google uses the data and information obtained to evaluate the use of our website, to compile for us online reports showing the activities on our websites, and to provide other services related to the use of our website.

Google Analytics uses “cookies” for this purpose. These are text files that are stored on your computer and that allow an analysis of the use of the website by you. The information generated by cookies about your use of this website is usually transmitted to a Google server in the USA and stored there. For more information about how to handle user data on Google Analytics, see the Google Privacy Notice: https://support.google.com/analytics/answer/6004245?hl=de

You can prevent the storage of cookies by a corresponding setting of your browser software; however, we point out that in this case you might not be able to fully use all functions of this website. You may also prevent the collection by Google of the cookie-generated data related to your use of the website (including your IP address) and the processing of such data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

Objecting to the collection of data

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this site: Disable Google Analytics.

We use the function “activation of IP anonymization” on this website. Your IP address will be shortened and anonymized by Google if your access to our website is from a Member State of the European Union or from another state party to the Agreement on the European Economic Area. Your IP address detected by Google Analytics will not be merged with other data provided by Google.

We fully implement the strict requirements of the German data protection authorities when using Google Analytics. Additional information and Google’s privacy policy can be found at: https://www.google.de/intl/de/policies/privacy/ and at http://www.google.com/analytics/terms/de.html

Google reCAPTCHA

On our website, we use the reCAPTCHA service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). This serves the purpose of distinguishing input by a human or by automated, machine processing. In the background, Google collects and analyses usage data that is used by reCaptcha to distinguish regular users from bots. For this purpose, your input is transmitted to Google and used there. In addition, the IP address and, if applicable, other data required by Google for the reCAPTCHA service will be transmitted to Google. This data is processed by Google within the European Union and, if necessary, also in the USA. The processing is carried out on the basis of Art. 6 (1) (f) of the European Data Protection Act (GDPR) for the legitimate interest of protecting our website from automated spying, misuse and SPAM. You have the right to object to this processing of your personal data based on Art. 6 (1) f GDPR at any time for reasons that arise from your particular situation. You can find more information on Google reCAPTCHA and the associated data protection declaration at https://www.google.com/recaptcha/intro/android.html as well as https://www.google.com/privacy.

Google Remarketing

This website uses the remarketing function of Google Inc. (“Google”). This function is used to present interest-related advertisements to visitors to the website as part of the Google advertising network. The website visitor’s browser stores so-called “cookies” on your computer for this purpose (for cookies, see the explanations above). These pages may then display advertisements to the visitor that relate to content previously viewed by the visitor on websites that use Google’s remarketing feature. According to Google, it does not collect any personal data during this process. However, if you do not want Google’s remarketing function to work, you can always deactivate it by making the appropriate settings at http://www.google.com/settings/ads.

ManageWP

We manage this website with the help of the tool ManageWP. The provider is GoDaddy.com WP Europe, Trg republike 5, 11000 Belgrade, Serbia (hereinafter ManageWP).

With ManageWP, we can monitor the security and performance of our website and make automatic backups. ManageWP therefore has access to all website content, including our databases. ManageWP is hosted on the provider’s servers.

The use of ManageWP is based on Art. 6 para. 1 lit. f GDPR. As the website operator, we have a legitimate interest in protecting our website as effectively as possible against cyberattacks. Insofar as a corresponding consent was requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

The data transfer is based on the standard contractual clauses of the EU Commission supported by an individual risk assessment. Data protection information on this plugin can be found at https://www.wordfence.com/help/general-data-protection-regulation/ and https://managewp.com/privacy or https://managewp.com/blog/managewp-and-gdpr-compliance.

Wordfence – WordPress Security Plugins

We have integrated Wordfence as a WordPress security plugin on this website. The provider is Defiant, Inc., 800 5th Ave Ste 4100, Seattle, WA 98104, USA (hereinafter Wordfence).

Wordfence serves to protect our website from unwanted access or malicious cyberattacks. For this purpose, our website establishes a permanent connection to Wordfence’s servers so that Wordfence can compare its databases with the accesses made to our website and block them if necessary.

The use of Wordfence is based on Art. 6 para. 1 lit. f GDPR. As the website operator, we have a legitimate interest in protecting our website as effectively as possible against cyberattacks. Insofar as a corresponding consent was requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission supported by an individual risk assessment. Data protection information on this plugin can be found at https://www.wordfence.com/help/general-data-protection-regulation/.

YouTube

This website has integrated components from YouTube. YouTube is an internet video portal that allows video publishers to post video clips and other users to view, rate and comment on them for free. The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Information about YouTube plugins can be found at: https://developers.google.com/youtube.

Each time a single page of this website is accessed on which a YouTube component (YouTube video) has been integrated, the Internet browser on the visitor’s information technology system is prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. As part of this technical process, YouTube and Google may obtain information about which specific subpage of our website was visited by the respective person. This information is collected by YouTube and Google and may be assigned to the respective YouTube account of the person concerned.

YouTube and Google receive information through the YouTube component that someone has visited our site whenever that person is logged into YouTube at the same time as they visit our site, regardless of whether they click on a YouTube video or not. If such transmission of this information to YouTube and Google is not intended by the person concerned, he or she may prevent such transmission by logging out of his or her YouTube or Google account before accessing our website.

The data protection regulations published by YouTube, which can be accessed at https://www.google.de/intl/de/policies/privacy, provide information about the collection, processing and use of personal data by YouTube and Google.

Zendesk – Live Chat

We use the live chat software “Zopim Chat” from Zendesk, Inc., based at 1019 Market Street in San Francisco, USA, on our website. The software uses cookies to enable a personal conversation through a live chat on the site. The user remains anonymous. Thus, the data collected is not used to personally identify visitors and is not merged with personal data of a username. Personal data, such as name, email address, etc., are only used if they are voluntarily provided and will be automatically deleted after the chat, unless consent for further use has explicitly been granted. Zendesk’s privacy policy can be found at https://www.zendesk.de/company/agreements-and-terms/privacy-policy//.

6. Integration of Azure OpenAI Services for conversational AI in decídalo

In this section, we would like to inform you about how we use Azure OpenAI Services as part of our SaaS solutions. We attach great importance to the protection of your personal data and would like to explain to you transparently how we integrate these services and which data protection aspects are taken into account.

Our SaaS solution decídalo Free uses Azure OpenAI Services to offer our customers high-quality conversational AI services based on Microsoft Azure. These services allow users to interact with an AI-driven application to perform specific tasks or obtain information. Azure OpenAI operates on OpenAI GPT-3 and GPT-4, Codex and DALL-E models and is provided and operated by Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland and provided within Azure. There is no integration of Azure OpenAI Services into the decídalo SaaS solution and there are currently no plans to do so.

Data processing and transmission

As part of using the conversational AI services, text messages or input are sent to Azure OpenAI Services. The processing of this data takes place on Microsoft Azure servers. When communicating with Azure OpenAI Services, certain data, including entered text, may be transferred to Microsoft Azure to perform AI processing. There is no transfer to third parties beyond this.

Data storage and usage

The OpenAI models implemented in our SaaS solution decídalo Free are stateless, i.e. no records of previous interactions are kept; each interaction request is processed entirely on the basis of the information directly associated with it. No user input or AI suggestions are stored in the model or on any servers; neither we nor Microsoft have access to AI communications. The optionally available decídalo Teams Chat App uses an extended Azure OpenAI model that enables the customer to access an existing database via chat and to concretize or refine chat inputs based on previous AI responses via a Microsoft Teams integration.

Individual functionalities require that the interaction with the AI is stored for a limited period of time. The data store where customer prompts (inputs) and completions (outputs) are stored is logically separated by customer on the Azure OpenAI resource in the customer’s Azure tenant (each request includes the resource ID of the individual user’s Azure OpenAI resource). The stored data is not shared with third parties and is automatically deleted after 3 months.

Microsoft guarantees that all customer prompts (inputs) and completions (outputs), all embeddings and training data are NOT available to other customers, NOT available to OpenAI, NOT used to improve OpenAI models, NOT used to improve any Microsoft or 3rd party products or services and are NOT used for automatically improving Azure OpenAI models for use in our resource. Our fine-tuned Azure OpenAI models are available exclusively for the use of us and our Customers.

Legal basis for processing

The processing of your data in connection with the use of the conversational AI services is carried out in accordance with Art. 6 (1) lit. f GDPR on the basis of our legitimate interests to provide you with an optimized and personalized user experience.

Security measures

We have implemented appropriate technical and organizational security measures to protect the confidentiality and integrity of your data. Microsoft Azure also implements stringent security measures to protect the data processed in connection with Conversational AI Services.

The Azure OpenAI Service is fully controlled by Microsoft; Microsoft hosts the OpenAI models in Microsoft's Azure environment and the Service does NOT interact with any services operated by OpenAI (e.g. ChatGPT, or the OpenAI API). The AI we use was generated with randomly generated test data; neither existing nor future real customer data is used to train the AI model.

Rights of data subjects

In the context of the processing of your data in connection with the Conversational AI Services, you have the right of access, rectification, deletion and objection. You can find more information about your rights in our general section “Data subject rights” in point 7 in this privacy notice.

The use of the AI functionality within decídalo Free as well as the use of the decídalo Teams Chat App is voluntary and optional; the Client may waive its use by not using the corresponding suggestion generation functionality (esp. text generation).

For more information on privacy issues related to the use of Azure OpenAI Services, Microsoft provides the following pages: https://learn.microsoft.com/de-de/azure/ai-services/openai/faq and https://learn.microsoft.com/de-de/legal/cognitive-services/openai/data-privacy. Microsoft’s fundamental principles for accountability in the development and use of AI can be found at https://www.microsoft.com/de-de/ai/responsible-ai.

Contact

If you have any questions or concerns about the use of Conversational AI Services or data processing as part of our SaaS solution, please feel free to contact our privacy team.

7. What options and rights do you have with regard to the processing of Personal Data?

Legal basis

Unless the legal basis is explicitly stated in the individual case, the following applies: The legal basis for obtaining consent is Article 6 (1) lit. a and Art. 7 GDPR, the legal basis for the processing for the fulfillment of our services and the execution of contractual measures as well as the answer to inquiries is Art. 6 para. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 (1) lit. c GDPR, and the legal basis for processing for the protection of our legitimate interests is Article 6 (1) lit. f GDPR.

Newsletter

You have the right to revoke your consent to receive the newsletter at any time. For revocation, there is a corresponding link in each newsletter. It is also possible to unsubscribe from the newsletter at any time directly by phone, e-mail or mail.

Rights

According to Art. 15 GDPR, you also have the right to information on the type, scope and purpose of the stored personal data, the right of correction pursuant to Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing according to Art. 18 GDPR, the right to object in accordance with Art. 21 GDPR and the right of data portability under Art. 20 GDPR. With regard to the right to information and the right to erasure, the restrictions under §§ 34 and 35 BDSG apply. In addition, a right of appeal to a data protection supervisory authority pursuant to Art. 77 GDPR combined with § 19 BDSG applies. If you wish to exercise your rights, contact us via the contact details provided. Upon your request, we will delete your personal information as far as this is possible under your contract and in accordance with applicable law.

Effects

If you ask us to cease all or part of the processing of your personal information, or if you revoke your consent (if applicable) to the use or disclosure of your personal information for the purposes set out in this privacy notice, we may be unable to provide you all services. Please note that this does not automatically release you from payment obligations under existing contracts.

8. How do we protect your Personal Data?

Your personal information is protected by technical and organizational security measures to minimize risks associated with its loss, misuse, unauthorized access, unauthorized disclosure and alteration. For this purpose, we use firewalls and data encryption, as well as physical access restrictions for our data processing facilities, data access authorization controls and other security measures. Subcontractors are obliged to comply with data protection regulations in accordance with Art. 28 (4) GDPR. Further information is available upon request.

9. Miscellaneous

We may revise this privacy notice at any time by publishing the amended version on this website. If you have any further questions, please do not hesitate to contact us.