Privacy Policy for the Use of Generative AI Systems by Open Hippo GmbH

Open Hippo prioritizes the protection of your privacy and the security of your personal data.

This Privacy Policy is designed to help you understand how we collect and process your personal data when using our chat platform and API services or contact us. We believe that you have the right to control your personal data. As such, we have outlined the various rights you have regarding your personal data, including your right to object to certain uses, and your right to access, update, or delete your data.

1. Definitions

"Open Hippo" or "We": refers to Open Hippo GmbH, a German entity registered at the Register Court of Augsburg under Register Number HRB 39923, with its corporate seat at Garmischer Allee 15, 86438 Kissing, Germany.

"User", "Customer" or "You": refers to any person who subscribes to, accesses, or uses Our Services.

"Privacy Policy": refers to this document describing the Processing activities carried out by Open Hippo as Data Controller. This Privacy Policy covers the Processing activities relating to Your use of Our Services.

"Processing": refers to any operation relating to Your Personal Data (for instance: collection, use, access, transfer, deletion, etc.).

"Personal Data" or "User Data": refers to any data that directly or indirectly relates to You.

"Data Controller": refers to the person who makes decisions about Your Personal Data. For instance, the Data Controller decides which Personal Data to collect, where to store such data, for how long, etc.

2. Who is responsible for data protection?

Open Hippo is responsible for handling your personal data. In accordance with Article 37 of the German Federal Data Protection Act, Open Hippo is not obliged to designate a Data Protection Officer. Due to Open Hippo's location, the competent data protection supervisory authority is the Bavarian State Office for Data Protection Supervision. For current contact information, please refer to their website: https://www.lda.bayern.de.

3. What Personal Data do we collect and why?

Following the principle of data minimization, we aim to reduce the collected data to a minimum. However, personal data is collected when using our chat platform and API services and when you contact Open Hippo.

3.1 What personal data is collected when using our chat platform and API services?

When you use our chat platform and API services, your IP address, browser information, timestamp, and comparable information are saved as part of the server logs. We process server logs on the basis of our legitimate interest to ensure the security and proper functioning of our services. This data is not processed for any other purposes.

3.2 What happens to my data when I contact you in writing?

When you contact us in writing by mail or email we process your personal data on the basis of our legitimate interest to respond to your inquiries. The data you provide when contacting us remains with us until you request deletion, revoke your consent for storage, or the purpose for data storage no longer applies, for example after your request has been processed. Mandatory statutory provisions – especially retention periods – remain unaffected.

4. Who do we forward your Personal Data to?

4.1 Google

We have a legitimate interest in maintaining professional email communication with you as our customer and in conducting video conferences efficiently. To achieve this, we use Google Workspace, a product provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Workspace includes services such as Gmail for business email, Google Meet for video conferencing, and other collaboration tools. When you communicate with us via email or participate in a video conference, your personal data (such as your email address, name, and potentially your image and voice during video calls) may be processed through these services.

Google has committed to processing your personal data solely in accordance with our instructions as the customer, as outlined in the GDPR-compliant data processing agreements. For more information on Google's GDPR compliance, please visit: https://cloud.google.com/privacy/gdpr

Please note that Google is a US-based company, and data may be transferred to and processed in countries outside the EU. To ensure data protection-compliant processing, we have concluded a comprehensive data processing agreement with Google. This agreement governs how Google may process data on our behalf and includes strict data protection and security measures. You can review this agreement at: https://cloud.google.com/terms/data-processing-addendum/

5. What external services do we use?

5.1 AWS Infrastructure

During our beta testing phase, we utilize Amazon Web Services (AWS) infrastructure to ensure the scalability, reliability, and security of our chat platform and API services. AWS provides a robust and secure environment that allows us to efficiently manage and process data. AWS is committed to compliance with the General Data Protection Regulation (GDPR), offering services and resources to help customers comply with GDPR requirements. Specifically, AWS allows customers to select services that store and process customer data exclusively within the EU, ensuring compliance with EU data protection standards. AWS has implemented Standard Contractual Clauses (SCCs) and other safeguards to facilitate GDPR-compliant data transfers and processing. For more detailed information on AWS's GDPR compliance and data processing agreements, you can refer to the AWS GDPR Center and the AWS Data Processing Addendum.