With the following privacy policy, we would like to inform you about how we process your personal data in accordance with the European General Data Protection Regulation (GDPR). The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our web app.

1. Responsibilities

The independent controller within the meaning of the GDPR for the processing for the provision and operation of the Knowledge Bots software in terms of data protection law is:

Blockbrain GmbH

Marienstraße 37

70178 Stuttgart

Email: security@theblockbrain.ai

2. The independent controller within the meaning of the GDPR for the other processing by the Knowledge Bots software in terms of data protection law is your employer.

3. Data Protection Officer

You can reach our data protection officer as follows:

SECJUR GmbH
Steinhöft 9
20459 Hamburg

Email: dsb@secjur.com

You can contact our data protection officer directly at any time with any questions or suggestions regarding data protection and the exercise of your rights.

4. Definition of Terms

This privacy policy is based on the terms of the GDPR. For the sake of simplicity, we would like to explain some important terms in this context:

  • Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Data subject means any identified or identifiable natural person whose personal data are processed by the controller.
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
  • Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

5. Data for the Provision of the Website and the Creation of Log Files

If you use this website for purely informational purposes, without otherwise transmitting data to us (e.g. by registering or using the contact form), we collect technically necessary data via server log files, which are automatically transmitted to our server, including:

  • Date and time of access
  • IP address
  • Hostname of the accessing computer
  • Page visited on our website
  • Amount of data transferred
  • Information about the browser type and the version used
  • Operating system
  • Access status (e.g. whether the website could be accessed without any problems or whether an error message occurred)
  • Use of website functions (to identify suspicious activities such as spam or brute-force attacks)
  • Frequency of access to our website (to detect suspicious activities such as bots or spam)

The temporary storage of the data is necessary for the duration of a website visit in order to be able to display our website to you. This processing is technically necessary to ensure the functionality of the website and the security of the information technology systems and to identify any cases of misuse. The legal basis for the processing is therefore Art. 6 Para. 1 S. 1 lit. f GDPR to guarantee the provision, security and stability of our website.

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. When providing the website, this is the case when the respective session has ended. The log files are stored for a maximum of 48 hours, directly and exclusively accessible to administrators, for security reasons (e.g. to investigate misuse or fraud). After that, they are only indirectly available via the reconstruction of backup tapes and are permanently deleted after a maximum of four weeks.

We use Datadog EU, a service of Datadog Inc., 620 8th Ave, 45th Fl, New York, NY 10018, USA, to process technical logs. The data is processed in Datadog EU data centers, which are located on AWS infrastructure in Frankfurt, Germany. The European Commission has issued an adequacy decision pursuant to Art. 45 Para. 3 GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. Datadog is certified under the EU-U.S. Data Privacy Framework. Information on data protection can be found here.

For more information and a copy of the security, please contact info@theblockbrain.ai.

6. Registration/Creation of User Account for the Use of Chatbots

In order to be able to use the Blockbrain Knowledge Bots web app on a subdomain, registration is mandatory.

In addition, there is also the option of integrating the bots into your own websites or tools via an API connection. In this case, registration is not mandatory.

We process the following personal data during registration:

  • Email address
  • Name
  • User ID

The purpose of the processing is to carry out the authentication and to manage your user account.

The legal basis for data processing in the context of pre-contractual measures and for the fulfillment of the contract is Art. 6 Para. 1 S.1 lit. b GDPR.

We delete your personal data as soon as they are no longer required to achieve the purpose for which they were collected. As part of the registration for the use of chatbots, this is generally the case when you have deleted your account via the account settings.

Blockbrain uses the ZITADEL service provided by CAOS AG, Lerchenfeldstrasse 3, 9014 St. Gallen, Switzerland, to provide our authentication service and for identity verification. The data is processed on the AWS infrastructure with data centers in Frankfurt, Germany. An adequacy decision of the Commission pursuant to Art. 45 Para. 3 GDPR is available. Information on data protection can be found here.

7. Log-in via Single Sign-On

To make it easier for you to access our web app, we offer you the option of logging in via single sign-on with your Google or Microsoft account. This login process allows you to use the same account that you already use for other services from these providers.

If you choose to log in via single sign-on, we will retrieve some information from your chosen provider. This information usually includes your name, your email address and possibly your profile picture. This information is used by us to verify your account and grant you access to our web app. We do not store any further personal data from your provider.

The legal basis for this processing is your prior consent in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR, alternatively Art. 6 Para. 1 S.1 lit. b GDPR, if your employer instructs us to only allow login via single sign-on.

However, please note that data protection and data processing in connection with the use of single sign-on are subject to the data protection regulations of your chosen provider. We would therefore like to point out that we have no influence on the way in which your chosen provider collects and processes your personal data. We therefore strongly recommend that you read the data protection declarations of the respective provider to find out how your personal data is handled.

Further information on data protection at Microsoft can be found in the Microsoft Privacy Policy.

Further information can be found in the respective privacy notices from Google.

8. Use of Chatbots

In order for the bots to be able to generate answers to user inquiries based on company-specific documents, such documents must first be uploaded into a self-compiled knowledge database. This is intended to enable the chatbots to increase operational efficiency and provide customized support based on the individual needs of the company. The chatbots are designed to communicate with you like a natural conversational partner. Natural Language Processing (NLP) technology basically enables the generation of natural language in response to natural language.

The bots do not initially request any personal data, but only process such data if you independently provide such data during a conversation.

The following personal data is processed:

  • User content: We collect personal data contained in the inputs, file uploads or messages provided to the chatbots
  • Communication information: The content of all messages you send
  • Log data: IP address (anonymized), browser type and settings, date and time of communication

The purpose of the processing is to answer specific questions, analyze processes and automate simple processes based on the self-created knowledge database.

The legal basis for the data processing in the context of pre-contractual measures and for the fulfillment of the contract is Art. 6 Para. 1 S.1 lit. b GDPR.

We delete or anonymize your personal data as soon as they are no longer required to achieve the purpose for which they were collected and there are no legal retention obligations to the contrary. As part of the use of chatbots, this is generally the case when you have deleted your account via the account settings.

The chatbot is provided by Blockbrain and the following external service providers:

Microsoft Azure AI, a service of Microsoft Deutschland GmbH, Branch Office Germany, Walter-Gropius-Strasse 5 80807 Munich, Germany. Blockbrain uses Microsoft Azure AI to provide AI models for chatbots, including generating responses and integrating text documents into the knowledge database. The servers are located in the Microsoft Azure data centers in Frankfurt am Main, Germany and Paris, France. This ensures that all data is stored and processed within EU borders, ensuring compliance with EU data protection laws. Information on data protection can be found here.

Vertex AI, a service of Google Cloud EMEA Limited, Velasco Clanwilliam Place Dublin 2, Ireland. Blockbrain uses Vertex AI to provide AI models for chatbots, including generating responses and integrating text documents into the knowledge database. The data processing takes place in the Google Cloud data centers in NDC-Baustelle EXYTE, 63457 Hanau and Rue des Roseaux, 7331 Saint-Ghislain, Belgium. This ensures that all data is stored and processed within EU borders, ensuring compliance with EU data protection laws. Information on data protection can be found here.

The use of AI models from third-party providers on our platform is subject to strict data protection guidelines. Your chat histories and all provided or generated data will be treated confidentially. Third-party providers do not use your data to train their AI models or for any other purpose other than to fulfill your specific request.

The ability to upload documents into your own knowledge database and manage them is provided by Blockbrain and the following service providers:

Amazon Web Services, a service of Amazon Web Services EMEA, SARL, Branch Office Germany, Marcel-Breuer-Str. 12, 80807 Munich, Germany. The data processing takes place in AWS data centers in Frankfurt and Rüsselsheim, Germany. Information on data protection can be found here.

Blockbrain uses the database software MongoDB Atlas, a service of MongoDB, Ltd., Building 2 Number One Ballsbridge, Shelbourne Rd, Ballsbridge, Dublin 4, D04 Y3X9, Ireland. Our use of MongoDB takes place on the AWS infrastructure, whose databases are located in data centers in Frankfurt and Rüsselsheim, Germany. This ensures that all data is stored within EU borders and in compliance with EU data protection laws. Information on data protection can be found here.

9. Quality Control and Further Development of the Bots

Blockbrain is constantly working to improve the chatbots. For this purpose, Blockbrain also uses data from the use of the chatbots, provided that you agree to this or would like to actively provide feedback for improvement. In these cases, Blockbrain is the controller for the processing of your personal data and no longer your employer.

9.1. Further Development of the User Experience

To improve the chatbot services, Blockbrain analyzes the chat histories with you if you have previously consented to this. This happens, for example, through a consent window when you first use the bots, where you can give your consent via a checkbox. This also enables the further development of the chatbots and constant quality control.

For this purpose, your IP address and all other personal information in connection with the user account that can identify you as a natural person are first anonymized. User content that happens to contain names or similar information, however, remains part of the chat history.

The purpose of the processing is to improve the bots in order to be able to provide you with even better functions. The purpose of this processing is to identify patterns and trends in the interactions in order to optimize our bots. By analyzing communication patterns and user requests, the responsiveness and accuracy of the bots can be improved in order to offer you an even more efficient and targeted user experience. This approach enables Blockbrain to continuously develop new functions and refine existing ones without disclosing individual user data. No personal data is transmitted to third-party providers such as Microsoft Azure AI or OpenAI. The use of AI models from third-party providers on our platform is subject to strict data protection guidelines. Your chat histories and all provided or generated data will be treated confidentially. You retain full control over who has access to this data and how long it is stored. Third-party providers do not use your data to train their AI models or for any other purpose other than to fulfill your specific request.

The following personal data is processed:

  • User content: We collect personal data contained in the inputs, file uploads or messages provided to the chat bots
  • Communication information: The content of all messages you send
  • Log data: IP address (anonymized), browser type and settings, device type, time zone, crash information of the web app, date and time of communication

To ensure the security of your data, Blockbrain works with providers who use ‘Encryption at Rest’ for all user content and communication information that is uploaded and processed on the chatbot platform. ‘Encryption at Rest’ is a crucial security process in which your data is protected by advanced encryption technology. This process transforms all data into an unreadable form that can only be decrypted using a special key – a random string of characters that is treated confidentially. This method is considered the most effective way to secure data that is physically stored in digital form on our servers.

By implementing this high level of encryption, Blockbrain ensures that your sensitive files and documents are secure from unauthorized access, data leaks and physical theft. Only authorized persons with the appropriate key can access this data, making it unusable for anyone else.

The legal basis for the data processing is your consent within the meaning of Art. 6 Para. 1 S. 1 lit. a GDPR.

Blockbrain deletes your personal data that it collects in connection with the further development of the bots as soon as they are no longer required to achieve the purpose for which they were collected.

9.2. Customer Feedback

You have the opportunity to give Blockbrain your feedback by filling out customer inquiries. Depending on the instrument, Blockbrain processes the following personal data:

  • First and last name (optional)
  • Email address
  • Date and time of the request
  • IP address (anonymized)
  • Content of the communication

The purpose of the processing is to collect feedback and improve Blockbrain’s products.

The legal basis for conducting surveys is Blockbrain’s legitimate interest in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR to constantly improve its product with the help of your feedback.

Blockbrain deletes your personal data as soon as they are no longer required to achieve the purpose for which they were collected. In the context of feedback, this is usually the case when it can be inferred from the circumstances that the specific matter has been conclusively processed.

Blockbrain also uses canny.io, a service of Canny Inc, 831 N Tatnall St Suite M #140, Wilmington, DE 19801, USA, to collect user feedback. In addition to registering with an email address and password, it is also possible to use the single sign-on process with Facebook, Google or GitHub. Personal data is transferred to the USA in this process. The European Commission has issued an adequacy decision pursuant to Art. 45 Para. 3 GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organizations based in the USA that are certified accordingly are permitted. Canny Inc. is not certified under the EU-U.S. Data Privacy Framework. To ensure an adequate level of data protection at the recipient of your personal data, we have concluded standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 Para. 1, 2 lit. c GDPR with this provider. Information on data protection can be found here. For more information and a copy of the security, please contact info@theblockbrain.ai.

10. Workshops and Consulting

Blockbrain offers a range of workshops and consulting services to help you effectively use and customize the Knowledge Bots. These include:

  • Practical workshops: Here, Blockbrain will provide you with the knowledge and skills you need to optimally use and customize the Knowledge Bots. These workshops are designed to be flexible to suit different user groups – from technical developers to administrators.
  • Consulting and individual support: In individual consulting sessions and regular check-ins, Blockbrain supports you in identifying and prioritizing your specific use cases. Blockbrain also offers expert support for executives to increase their efficiency in their daily work.

For the registration and execution of these workshops, Blockbrain processes your name, email address and the data you voluntarily provide.

The purpose of the processing is to offer you an optimal product experience and to be able to fully use the bot functionalities.

The legal basis for data processing in the context of pre-contractual measures and for the fulfillment of the contract is Art. 6 Para. 1 S.1 lit. b GDPR.

Blockbrain deletes your personal data that we collect in connection with the execution of workshops as soon as they are no longer required to achieve the purpose for which they were collected. This is typically the case when:

  • After completion of the workshop: As soon as the workshop is completed and there are no further queries or clarifications from your side.
  • Feedback evaluation: After the feedback that you gave Blockbrain as part of the workshop has been evaluated and implemented. This includes the implementation of suggestions for improvement or the answering of your questions.
  • Follow-up and support: As soon as all follow-up measures or support requests that arise after the workshop have been fully processed and completed.

Blockbrain’s data protection practices aim to store your data only for as long as is necessary to achieve these specific purposes, whereby Blockbrain always ensures compliance with applicable data protection laws and guidelines.

Blockbrain uses the following third-party services to conduct the workshops and consulting services:

Google Meet, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Information on data protection can be found here.

Google Drive, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Information on data protection can be found here.

11. Cookie Banner

When you visit our website or a subpage for the first time and it contains cookies, a “cookie banner” will be displayed to you. There you will be informed about the individual cookies that we use. You can find out about each individual cookie with regard to the name, the provider, the purpose of the processing and the storage period.

With our cookie banner, we inform you about the specific cookies we use. In addition, we give you the opportunity to decide whether you want to consent to the setting of non-essential cookies. You can also allow us to use non-essential cookies and reverse this decision there. The following are processed:

  • Usage data (e.g. visited websites, time of access)
  • Meta and communication data (e.g. IP address)
  • Preferences (e.g. your preferred language or the region in which you are located)
  • Statistics (e.g. how visitors interact with the website, collected anonymously)

The legal basis for the use of the cookie banner is Art. 6 Para. 1 S. 1 lit. f GDPR. We have an overriding legitimate interest in using the cookie banner, which enables us to obtain the legally required consent for the use of non-essential cookies and to comply with our obligation to provide information regarding the cookies.

The cookie banner stores the preferences until you reset or adjust them. The cookie banner is provided by the provider Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark.

12. Use of Cookies

12.1. General Information

We use cookies on our website. These are text files that are automatically created by your browser and stored on your IT system when you visit our site. Cookies transmit certain information to the entity that sets the cookie. It is not possible to run programs or transmit viruses to your device by using cookies.

If you do not want to use cookies, you can disable them in the settings.

From a legal point of view, a distinction must be made between necessary and non-essential cookies.

12.2. Necessary Cookies

We use necessary cookies. These are cookies that are technically required to provide all functions of our website. The legal basis for the data processing is our legitimate interest within the meaning of Art. 6 Para. 1, S. 1 lit. f GDPR. We have an overriding legitimate interest in being able to offer our services technically flawlessly. The legal basis for the use of cookies towards our contractual partners who use services contractually owed by us via our website is Art. 6 Para. 1, S. 1 lit. b GDPR, the provision of our contractual services.

12.3. Non-essential Cookies

We also use non-essential cookies (e.g. analysis cookies). These are cookies that are not technically required. We use them to understand your behavior on our website and to improve our offer. The legal basis for the data processing is your consent in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR. The cookies are only set after you have given your consent via our “cookie banner”.

Blockbrain uses Google Analytics for analysis cookies, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Information on data protection can be found here.

Blockbrain uses Datadog EU for preferences and statistics cookies, a service of Datadog Inc., 620 8th Ave, 45th Fl, New York, NY 10018, USA. The data is processed in Datadog EU data centers, which are located on AWS infrastructure in Frankfurt, Germany. Datadog is certified under the EU-U.S. Data Privacy Framework. Further information on data protection can be found here. For more information and a copy of the security, please contact info@theblockbrain.ai.

12.4. Storage Period

With regard to the storage period, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes their end device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, the data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information on the type and storage period of cookies (e.g. as part of obtaining consent), users should assume that cookies are permanent and that the storage period can be up to two years.

For more information, please refer to the information we provide in the cookie banner.

13. Transmission of Personal Data

As part of our processing of personal data, it may happen that the personal data is transmitted to other recipients or disclosed to them. The recipients of this personal data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your personal data that serve to protect your personal data.

14. Deletion of Data

The personal data processed by us will be deleted in accordance with the statutory provisions as soon as the consent granted for processing is revoked or other permissions cease to apply (e.g. if the purpose of processing this personal data has ceased to exist or they are no longer required for the purpose). If the personal data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted to these purposes. This means that the personal data will be blocked and not processed for other purposes. This applies, for example, to personal data that must be stored for commercial or tax reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.

Our data protection notices also contain further information on the storage and deletion of personal data, which take precedence for the respective processing operations.

15. Your Rights as a Data Subject

As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR. If you want to exercise one of your rights, please contact us via the contact addresses given above or our data protection officer.

15.1. Right to Object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

15.2. Right to Information

You have the right to request confirmation as to whether personal data concerning you are being processed and to access to the personal data and further information and a copy of the personal data in accordance with the statutory provisions.

15.3. Right to Rectification

You have the right, in accordance with the statutory provisions, to request the completion of personal data concerning you or the correction of incorrect personal data concerning you.

15.4. Right to Erasure and Restriction of Processing

You have the right to request that we erase personal data concerning you without undue delay where one of the grounds provided by law applies and where processing or storage is not necessary.

15.5. Restriction of Processing

You have the right to request that we restrict processing where one of the legal requirements is met.

15.6. Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the statutory provisions or to request the transfer of those data to another controller.

15.7. Right of Revocation in the Case of Consent

You have the right to revoke granted consents at any time.

15.8. Complaint to Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

16. Amendment and Update of the Privacy Policy

We will adapt the privacy policy as soon as the changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.

If we further develop our website and our offers or if legal or official requirements change, it may be necessary to change this data protection notice. You can access the current data protection notice here at any time.

Status: September 2024