Knowledge Bots (SaaS)

With this Privacy Notice, we inform you how we process your personal data in accordance with the European General Data Protection Regulation (GDPR). This Privacy Notice applies to all processing of personal data carried out by us, including in the course of providing our services. Further details are set out in the respective Data Processing Agreement (DPA). As a business partner or potential customer, please use our Trustcenter (https://trust.theblockbrain.ai.) for further information.

  1. Responsibility

Responsible in the sense of the GDPR is:

Blockbrain GmbH

Marienstraße 37

70178 Stuttgart

E-Mail: security@theblockbrain.ai

  2. The Tenant is the independent controller within the meaning of the GDPR for any other processing carried out by the Knowledge Bots Software under data protection law.
  3. Data Protection Officer

You can reach our data protection officer as follows:

SECJUR GmbH
Steinhöft 9
20459 Hamburg

Email: dsb@secjur.com

You can contact our data protection officer directly at any time with all questions and suggestions regarding data protection and the exercise of your rights.

  4. Definitions

This Privacy Notice is based on the terminology of the GDPR. To facilitate understanding, we explain key terms below:

  • Personal data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Data subject: Any identified or identifiable natural person whose personal data are processed by the controller(s).
  • Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Recipient: A natural or legal person, public authority, agency or other body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry under Union or Member State law are not regarded as recipients.
  • Third party: A natural or legal person, public authority, agency or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
  5. Data for the Provision of the Website and Creation of Log Files

When you use this website for purely informational purposes, without otherwise transmitting data to us (e.g., by registering or using the contact form), we collect, via server log files, technically necessary data that are automatically transmitted to our server, including:

  • Date and time of access
  • IP address
  • Hostname of the accessing device
  • Page visited on our website
  • Data volume transferred
  • Information about the browser type and version used
  • Operating system
  • Access status (e.g., whether the website was accessed without issues or whether an error occurred)
  • Use of website functions (to identify suspicious activities such as spam or brute-force attacks)
  • Frequency of access to our website (to detect suspicious activities such as bots or spam)

Temporary storage of the data is necessary for the course of a website visit to display the website to you. This processing is technically required to ensure the functionality of the website and the security of IT systems, and to detect potential misuse. The legal basis is Article 6(1)(f) GDPR, to guarantee the provision, security, and stability of our website.

Data are deleted as soon as they are no longer necessary to achieve the purpose of their collection. For the provision of the website, this is the case when the respective session ends. Log files are retained for up to 48 hours, directly accessible only to administrators for security reasons (e.g., to investigate misuse or fraud). Thereafter, they are only indirectly available via reconstruction from backup tapes and are permanently deleted after a maximum of four weeks.

We use Datadog EU, a service provided by Datadog Inc., 620 8th Ave, 45th Fl, New York, NY 10018, USA, to process technical logs. Data are processed in Datadog EU data centers located on AWS infrastructure in Frankfurt, Germany. The European Commission has adopted an adequacy decision under Article 45(3) GDPR for the EU–U.S. Data Privacy Framework. On this basis, transfers to U.S.-based organizations that are appropriately certified are permissible. Datadog is certified under the EU–U.S. Data Privacy Framework.

For further information and a copy of the security, please contact info@theblockbrain.ai.

  6. Registration / Creation of User Account for Using Chatbots

To use the Blockbrain Knowledge Bots web app on a subdomain, registration is mandatory.

In addition, you can integrate the bots into your own websites or tools via an API connection. In this case, registration is not mandatory.

We process the following personal data during registration:

  • Email address, Name
  • User-ID

The purpose of processing is to perform authentication and manage your user account.

The legal basis for processing in the context of pre-contractual measures and for the performance of the contract is Article 6(1)(b) GDPR.

We delete your personal data as soon as they are no longer necessary for the purposes for which they were collected. For registration to use chatbots, this is generally the case when you have deleted your account via the account settings.

For the provision of our authentication service and identity verification, Blockbrain uses the ZITADEL service provided by CAOS AG, Lerchenfeldstrasse 3, 9014 St. Gallen, Switzerland. Data are processed on AWS infrastructure with data centers in Frankfurt, Germany. An adequacy decision by the European Commission pursuant to Article 45(3) GDPR is in place (see Adequacy Decision: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518). Information on data protection can be found here.

  7. Log-in via Single Sign-On

To facilitate access to our web app, we offer Single Sign-On (SSO) using your Google or Microsoft account. This allows you to use the same account you already employ for other services from these providers.

If you choose to log in via single sign-on, we will retrieve some information from your chosen provider. This information usually includes your name, email address, and possibly your profile picture. We use this information to verify your account and grant you access to our web app. We do not store any other personal data from your provider.

The legal basis for this processing is your prior consent in accordance with Art. 6 (1) (a) GDPR, or alternatively Art. 6 (1) (b) GDPR if your employer instructs us to enable login only via single sign-on.

Data Retrieved via SSO
– Name
– Email address
– Profile image (where applicable)
These details are used to verify your account and grant access to our web app. We do not store any additional personal data from your provider.

Legal Basis
Your prior consent pursuant to Article 6(1)(a) GDPR; alternatively,
Article 6(1)(b) GDPR where your employer instructs us to enable login exclusively via SSO.

Third-Party Policies
Please note that privacy and data processing in connection with SSO are governed by your chosen provider’s privacy policies. We have no influence over how your provider collects and processes your personal data. We strongly recommend reviewing the provider’s privacy notices: here

  8. Use of Cookies

8.1. General Information

We use cookies on our website. These are text files that your browser automatically creates and stores on your device when you visit our site. Through cookies, certain information is transmitted to the party that sets the cookie. Cookies cannot run programs or transmit viruses to your device.
If you do not wish cookies to be used, you can disable them in the settings.

From a legal perspective, a distinction is made between necessary and non-necessary cookies.

8.2. Necessary Cookies

We use necessary cookies. These are technically required to provide all functions of our website. The legal basis for the data processing is our legitimate interest pursuant to Article 6(1)(f) GDPR. We have an overriding legitimate interest in offering our services in a technically flawless manner. The legal basis for the use of cookies in relation to our contractual partners who use services owed by us via the website is Article 6(1)(b) GDPR (performance of our contractual obligations).

8.3. Storage Duration

With respect to storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves the online service and closes their browser or mobile application.
  • Persistent cookies: Persistent cookies remain stored even after the browser/app is closed. For example, the login status can be retained or preferred content can be displayed directly when the user revisits a website. Data collected via cookies may also be used for audience measurement. Unless we explicitly inform users about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are persistent and may be stored for up to two years.
  9. Disclosure and Transfer of Personal Data

In the course of processing personal data, it may occur that such data are transferred to other recipients or disclosed to them. Recipients may include, for example, service providers tasked with IT functions or providers of services and content integrated into a website.
In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your personal data that are designed to protect your personal data.

  10. Deletion of Data

We delete the personal data we process in accordance with statutory requirements as soon as the consent given for processing is withdrawn or other legal permissions cease to apply (e.g., when the purpose for processing no longer exists or the data are no longer necessary for that purpose). If personal data are not deleted because they are required for other and legally permissible purposes, their processing is restricted to those purposes. This means the personal data are blocked and not processed for other purposes. This applies, for example, to personal data that must be retained for commercial or tax law reasons, or whose storage is necessary for the establishment, exercise or defence of legal claims, or to protect the rights of another natural or legal person.

Our Privacy Notice also contains further details on the retention and deletion of personal data that prevail for the respective processing activities.

  11. Your Rights as a Data Subject

As a data subject, you have various rights under the GDPR, in particular those arising from Articles 15 to 21 GDPR. To exercise any of your rights, please contact us via the contact details provided above or our Data Protection Officer.

11.1. Right to Object

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

11.2. Right of Access

You have the right to obtain confirmation as to whether personal data concerning you are being processed and, where that is the case, access to such personal data, along with further information and a copy of the personal data, in accordance with statutory requirements.

11.3. Right to Rectification

You have the right, in accordance with statutory requirements, to obtain the completion of incomplete personal data concerning you or the rectification of inaccurate personal data concerning you.

11.4. Right to Erasure and Restriction of Processing

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the statutory grounds applies and insofar as processing or storage is not required.

11.5. Restriction of Processing

You have the right to obtain restriction of processing from us where one of the statutory conditions applies.

11.6. Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to us, in a structured, commonly used and machine-readable format, or to request their transmission to another controller, in accordance with statutory requirements.

11.7. Right to Withdraw Consent

You have the right to withdraw consent at any time.

11.8. Complaint to a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

  12. Changes and Updates to this Privacy Notice

We will update this Privacy Notice whenever changes to our processing activities make this necessary. We will inform you if such changes require your cooperation (e.g., consent) or any other individual notification.

If we further develop our website and services, or if legal or regulatory requirements change, it may be necessary to amend this Privacy Notice. You can access the current Privacy Notice on this page at any time.

Last updated: September 2025