Privacy policy

Privacy Policy for the AI Co-Advisor

1. Introduction

We take the protection of your personal data very seriously. When processing data, we comply with the provisions of the Austrian Data Protection Act (DSG), the EU General Data Protection Regulation (GDPR) and the Telecommunications Act 2021 (TKG 2021). Appropriate data security measures are taken to ensure the security of the processed data and to ensure that it is properly processed and not made accessible to unauthorized persons.

This privacy policy explains how your data is processed when you use our AI co-advisor.

Further information on the general data processing of 4conform GmbH can be found in our general privacy policy: https://4conform.com/datenschutzerklaerung/

2. Person responsible for data processing

Responsible for the processing of your data is:
4conform GmbH,
Feldkirchner Straße 136,
9020 Klagenfurt am Wörthersee

You can reach us by e-mail at:
hello@4conform.com

3. Purpose and scope of data processing by the AI Co-Consultant

The AI Co-Consultant based on OpenAI processes your input to answer your queries and provide digital consulting services in the form of answers.

3.1 What data is processed?
  • Text entries: All content, including the type of questions asked, that you enter while using the AI Co-Advisor.
  • Usage data: Log data, in particular timestamp and IP address as well as device type, browser and operating system used, if technically necessary.
3.2 Legal basis

The processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR for the fulfillment of a contract. The AI co-advisor can only be used by our customers. In addition, legitimate interests to increase data security as well as the storage of data for law enforcement and logging may justify the processing of data (in particular usage data) on our part.

4. Data transmission to transmission recipients
4.1 INTRANET Software & Consulting GmbH

We work together with INTRANET Software & Consulting GmbH, Lannerweg 54, A-9201 Krumpendorf to provide our AI Co-Consultant. INTRANET Software & Consulting GmbH is an external processor that processes the personal data as stated under 3.1 in accordance with our instructions and takes appropriate measures to protect your data. Data processing is carried out using the GPT software “BubbleGPT” and is operated on a server in the Federal Republic of Germany.

4.2 OpenAI Ireland Ltd

In addition, the text input pre-processed by the AI Co-Consultant will be transferred to OpenAI, Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, DUBLIN, D01 YC43, Ireland, with registration number 737350. This is a sub-processor who also processes your data in accordance with our instructions and takes appropriate measures to protect your data. An order processing agreement has been concluded between us and OpenAI as the legal basis for the transfer to OpenAI.

Note: We do not transmit any personal data (e.g. usage data) to OpenAI. Users are advised that they are responsible for the data they enter and may not transmit any sensitive, personal or confidential data unless they have the corresponding legal basis. The user is responsible for this data under data protection law.

4.3 Data transfer from OpenAI to the USA

OpenAI has its corporate headquarters in the USA and it is therefore possible that data within the OpenAI group of companies may be transferred to the USA for processing. This transfer takes place on the basis of the EU standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR in order to ensure an adequate level of data protection. OpenAI undertakes to ensure that your data is processed in accordance with the applicable data protection laws.

5. Security and protection of your data
5.1 General information

We and our processors use a range of technical and organizational measures to protect your personal data from unauthorized access, loss or misuse. These measures include:

  • Encrypted transmission: Your data is transmitted to OpenAI via encrypted connections (e.g. TLS) to ensure security during data transmission.
  • Access restrictions: Only authorized persons have access to your data to prevent unauthorized use.
  • Data security at OpenAI: OpenAI employs extensive security measures, including strict access controls, regular security audits and monitoring of systems to detect and defend against potential threats.
5.2 SOC 2 Certification of OpenAI

OpenAI is certified according to SOC 2 Type II. This certification confirms that OpenAI complies with high standards in the area of information security. SOC 2 (Service Organization Control 2) is a recognized audit framework that verifies compliance with strict criteria to ensure security, availability, processing integrity, confidentiality and privacy. This means that OpenAI is regularly assessed by independent auditors to ensure that its data protection and security measures meet industry standards.

Through these security measures, including SOC 2 certification, OpenAI ensures that your data is protected in accordance with the applicable data protection regulations.

6. Storage duration
6.1 General information on the retention periods for usage data and text entries

If you independently collect or enter personal data against our terms of use, this actively entered data will only be stored for as long as is necessary to process your inquiries or entries and to fulfill the processing purpose of the response by the AI Co-Consultant. As soon as your data is no longer required, we will delete it, unless statutory retention periods require longer storage.

6.2 Storage period at INTRANET Software & Consulting GmbH

In addition to point 6.1, the above-mentioned personal data will only be stored by our processor for as long as is necessary to process your requests and fulfill the purpose of processing the response. As soon as your data is no longer required, our processor will delete it, unless statutory retention periods require longer storage.

Usage data is stored for two months for logging purposes, unless statutory retention periods require longer storage.

6.3 Storage duration with OpenAI

OpenAI generally stores the data processed via the API for a limited period of 30 days in order to improve the performance and security of the services. Once the requests have been processed, the data is either anonymized or deleted in accordance with OpenAI’s privacy policy. OpenAI follows strict data retention and deletion policies to ensure that data is not kept longer than necessary and that data protection regulations are complied with. OpenAI is committed to retaining personal data for an extended period of time only when necessary to comply with legal or regulatory requirements.

6.4 Our responsibility in connection with the storage period

As the provider, we retain control over the data and its deletion in accordance with the agreements with OpenAI. To minimize the amount of personal data, you as a user are asked to check, before entering personal data, whether it is necessary for the use of the AI co-advisor or whether you have the appropriate authorization.

7. Your responsibility when using the AI Co-Consultant

You are responsible for the content of your entries. Avoid entering personal, sensitive or confidential information.

8. Your rights
8.1 You have the following rights under the GDPR and the DSG:
  • Right to information: Information about your data stored by us.
  • Right to rectification: Correction of incorrect data.
  • Right to erasure: Erasure of your data.
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object: Objection to the processing of your data on grounds of legitimate interest.
8.2 Assertion of your rights

To assert your rights under the General Data Protection Regulation, please contact us as follows:

by e-mail to hello@4conform.com or

by post to 4conform GmbH, Feldkirchner Straße 136, 9020 Klagenfurt am Wörthersee.

If it is not possible for us to identify you on the basis of the data provided and transmitted in this context, please have a copy of an official photo ID ready or enclose it for clear identification of your person.

In order to process your request as efficiently and quickly as possible, please indicate in your request the factual context in which you suspect that your personal data will be used.

9. Right of appeal to the supervisory authority

If you believe that the processing of your data violates the GDPR or the DSG, you can complain to the Austrian Data Protection Authority:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna

E-mail: dsb@dsb.gv.at

10. Changes to the privacy policy

We reserve the right to change this privacy policy. Changes will be announced on our website.

Status: November 2024