DATA PRIVACY POLICY

  1. GENERAL REMARKS AND PRINCIPLES OF DATA PROCESSING

The protection of your privacy and your personal information is an important matter to us. According to Art. 4 No. 2 GDPR, processing of personal data (e.g., data collection, recording, organization, storage, sorting, retrieval, use, transmission, erasure or destruction of information such as your first name and surname, your address, your telephone number, your email address, but also your IP address) always requires a legal basis or your consent. Processed personal data must be deleted as soon as the purpose underlying the processing has been fulfilled and there is no longer a legal obligation to archive the data.

You can find information about how your personal data is treated when visiting our website here. We must collect personal data about you to provide the functions and services available on our website.

We also explain to you the nature and scope of the respective data processing, the purpose underlying it and the corresponding legal basis as well as the respective storage period.

This privacy policy only applies to this website. It does not apply to other websites of third parties to which we merely refer via a hyperlink. We cannot assume any liability for the confidential treatment of your personal data on the websites operated by such third parties as we do not have any influence on whether these operators comply with the requirements of data protection laws. Please find the information on the way your personal data is treated by these operators directly on these websites.

See below for the contact data of the applicable controllers and data protection officers.

  2. CONTROLLERS

The controller who bears responsibility for processing personal data on this website is (see the imprint):

Gretchen AI GmbH, Luisenstr. 17, 16547 Birkenwerder b. Berlin,
Email: hello at gretchen-ai.com  

  3. DATA PROTECTION OFFICER

The data protection officer of Gretchen AI GmbH is available to answer any questions on data protection at datenschutz at gretchen-ai.com

  4. COLLECTION OF GENERAL DATA AND INFORMATION

a) NATURE AND SCOPE OF DATA PROCESSING

In the case of mere informational use of the website, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (legal basis is Art. 6 para. 1 p. 1 lit. f GDPR):

  • the type of browser used and its version;
  • the operating system used by the system accessing the website;
  • the site from which the system accessing our website originated its request (referrer sites);
  • the pages of our website that the system accessing our website accesses;
  • the date and time of day our website is accessed;
  • the internet protocol address (IP address);
  • the internet provider of the system accessing our website;
  • other similar data and information that serves to defend against cyberattacks on our IT systems.

b) PURPOSE AND LEGAL BASIS

In principle, any processing of personal data is prohibited by law and only permitted if the data processing falls under one of the following justifications:

  • Art. 6 (1) p. 1 lit. a GDPR (consent): If the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous confirmatory act that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
  • Art. 6 (1) p. 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject’s request;
  • Art. 6 (1) p. 1 lit. c GDPR: If the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., a legal obligation to keep records);
  • Art. 6 para. 1 p. 1 lit. d GDPR: If the processing is necessary to protect vital interests of the data subject or another natural person;
  • Art. 6 (1) p. 1 lit. e GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Art. 6 (1) p. 1 lit. f GDPR (Legitimate Interests): If the processing is necessary to protect legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the data subject prevail (in particular if the data subject is a minor).

Furthermore, the storage of information in the terminal equipment of you as an end user, as well as access to information already stored in your terminal equipment, will only take place after you have given your consent pursuant to Section 25 (1) TDDDG, unless such consent is dispensable pursuant to Section 25 (2) TDDDG. For the processing operations carried out by us, we indicate the applicable legal basis in each case below. Processing may also be based on several legal bases.

c) DURATION AND STORAGE

Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. In principle, your data will only be stored on our servers in Germany, subject to any forwarding that may take place in accordance with the regulations in No. 7.

However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings, or if storage is provided for by legal regulations to which we are subject as the responsible party (e.g. § 257 HGB, § 147 AO). If the storage period prescribed by the legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

  5. DATA TRANSFER TO THIRD PARTIES

As with any larger company, we also use external domestic and foreign service providers (e.g. for IT, logistics, telecommunications, sales and marketing) to handle our business transactions. These service providers only act on our instructions and are contractually obligated to comply with the data protection provisions pursuant to Art. 28 GDPR.

  6. DATA TRANSFER TO A THIRD COUNTRY

In the event that we process your data in a third country (i.e., a country outside of the European Union (EU) or the European Economic Area (EEA)) or this occurs within the framework of using the services of a service provider or when disclosing or transferring your data to third parties, such processing will only be performed to fulfill our (pre-)contractual duties, on the basis of your consent, due to a legal obligation or in the pursuit of our legitimate interests. Subject to applicable legal or contractual permissions, we only process data or have it processed in a third country if the criteria of Art. 44 et seq. GDPR are met. Some third countries are certified by the European Commission as having a level of data protection comparable to the EEA standard through so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be obtained here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. With regard to the individual services, we will inform you at the appropriate point (see No. 6) about the requirements for data transfer to third countries. Please contact our data protection officer (see No. 3) if you would like to receive more detailed information on this.

  7. COOKIES

We use cookies on our websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard drive by a characteristic string of characters and through which certain information flows to the body that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offer as a whole more user-friendly and effective, i.e. more pleasant for you.

Cookies can contain data that make it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that cannot be related to a specific person. However, cookies cannot directly identify a user.

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies:

  • Technical cookies: these are mandatory in order to navigate the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes, nor do they store which web pages you have visited;
  • Performance cookies: these collect information about how you use our website, which pages you visit and, for example, whether errors occur during website use; they do not collect information that could identify you – all information collected is anonymous and is only used to improve our website and find out what interests our users;
  • Advertising cookies, targeting cookies: these are used to provide the website user with tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
  • Sharing cookies: these are used to improve the interactivity of our website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.

Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your explicit and active consent pursuant to Art. 6 (1) p. 1 lit. a GDPR. This applies in particular to the use of advertising, targeting or sharing cookies. In addition, we will only share your personal data processed through cookies with third parties if you have given your explicit consent to do so pursuant to Art. 6 (1) p. 1 lit. a GDPR. In the following, we name the legal bases in connection with the respective service.

Our websites also use other services that do not use cookies but instead rely on other technologies, such as JavaScript code, web beacons, tags and other identifiers supported by AI-based technology, which read data from or store data in visitors’ terminal devices.

  8. SERVICES IN DETAIL

a) WEBSITE ANALYSIS WITH GOOGLE SITE KIT

Our website utilizes Google Site Kit, a plugin that integrates various Google services to analyze and enhance our website’s performance. Through Site Kit, we have integrated the following services: (1) Google Analytics: We use Google Analytics to collect and analyze data about website traffic and user behavior. This includes information such as your IP address, browser type, pages visited, and time spent on the site. This data helps us understand how users interact with our website and improve its functionality; (2) Google AdSense: Our website displays ads provided by Google AdSense. AdSense may use cookies to display personalized ads based on your interests and previous interactions; (3) Google Tag Manager: We employ Google Tag Manager to manage and implement marketing tags on our website efficiently. This service may collect aggregated data to monitor the performance of various tags. By using these services through Google Site Kit, we collect information about your interactions with our website. This data is processed to:

  • Analyze website traffic and user behavior to improve user experience.
  • Display relevant advertisements through Google AdSense.
  • Manage and optimize marketing tags via Google Tag Manager.

These services may use cookies and similar tracking technologies to collect and store information about your device and usage patterns. You can control the use of cookies through your browser settings and other tools. For more details on how Google uses data when you use our partners’ sites or apps, please visit Google’s Privacy Policy.

b) PROCESSING OF PERSONAL DATA IN THE COURSE OF USAGE OF SOCIAL NETWORKS

As part of its public relations work, Gretchen AI maintains online profiles within the following social networks:

• X of X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA with a branch office at One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland

• LinkedIn of LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland)

• Instagram c/o Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland),

• YouTube, LLC 901 Cherry Ave. San Bruno, CA 94066 USA,

in order to inform the users active there about Gretchen AI and to enter into an exchange with them. The references are indicated on our website by a link to our profile on the corresponding social networks. No social plug-ins are used.

We would like to point out that the conditions of use of the services mentioned and linked on our homepage and their operators are not subject to the control of Gretchen AI and that you use them on your own responsibility. These services and their operators store and process personal data of their users (including IP address, the application used, details of the end device, including the device ID and application ID, information on websites accessed, your location and your mobile phone provider). The data collected about you when using the services will be processed by X Corp. and LinkedIn in accordance with their own guidelines and may be transferred to countries outside the European Union. This data is assigned to the data of your respective account or profile, if you have set one up. Gretchen AI has no influence on the data collection and its further usage by the social networks. For example, there is no knowledge of the extent to which, where and for how long the data is stored, to what extent the networks comply with existing deletion obligations, what evaluations and links are made with the data and to whom the data is passed on. Please refer to the respective privacy policy of X and LinkedIn to find out which rights and setting options you have to protect your privacy:

https://x.com/en/privacy

https://www.linkedin.com/legal/privacy-policy

https://help.instagram.com/581066165581870/?helpref=hc_fnav

https://policies.google.com/privacy

X and LinkedIn share your personal data with their processors and third-party service providers that are located outside the European Economic Area (EEA), where they set their own cookies, such as Google LLC. These process the personal data obtained in this way for their own purposes, e.g. analysis and marketing as well as your usage behavior on external and their own websites. Profiling is also not excluded.

The personal data collected from you and those of third-party providers are transmitted to servers managed by Twitter or LinkedIn, which are mostly located in the USA. Following the discontinuation of the EU-US Privacy Shield, a transfer of data to the USA can at best be based on standard contractual clauses issued by the EU Commission and further guarantees. Although the transfer of personal data is based on standard contractual clauses, this does not rule out the possibility that the U.S. security authorities, which are equipped with comprehensive powers, can access your personal data at any time and without any reason. This applies even if the servers are located in Europe. You have no effective legal remedies against this.

You can limit the processing of your data in the general settings of your X account as well as in the section Privacy and security. In addition, you can restrict X access to contact and calendar data, photos, location data etc. on mobile devices (smartphones, tablet computers) in the settings there. However, this is dependent on the operating system used. For more information on these matters, please visit the following X support pages:

https://help.x.com/en/safety-and-security/x-privacy-settings

  9. YOUR RIGHTS

You have the right at all times

  • to revoke any consent you may have given pursuant to Art. 7 (3) GDPR. As a consequence, any processing of your data based on your consent may no longer be continued;
  • to obtain information about your personal data in accordance with Art. 15 GDPR. In particular, you have the right to obtain information about the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing, the right to lodge a complaint with a supervisory authority, where the personal data are not collected from the data subject, any available information as to their source, the existence of automated decision-making, including profiling and details thereon;
  • to rectify or complete inaccurate personal data stored by the controller in accordance with Art. 16 GDPR without undue delay;
  • to obtain from the controller the erasure of personal data in accordance with Art. 17 GDPR, provided that the processing of your personal data is not required for the exercise of the freedom of expression and information, to meet a legal obligation, reasons of public interest or to establish, exercise or defend against legal claims;
  • to obtain from the controller a restriction of the processing of personal data pursuant to Art. 18 GDPR, provided you contest the accuracy of your personal data, the processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead and the controller no longer needs the personal data but you require the data to establish, exercise or defend against legal claims or you object to processing pursuant to Article 21(1);
  • pursuant to Art. 20 GDPR to receive the personal data which you provided in a structured, commonly used and machine-readable format and to transmit those data to another controller;
  • to object to the processing pursuant to Art. 21 GDPR, provided that the processing is based on Art. 6 (1) p. 1 lit. e or lit. f GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. Unless it is an objection to direct marketing, when exercising such an objection, we ask you to explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will review the factual situation and either discontinue or adapt the data processing or show you our compelling reasons worthy of protection on the basis of which we will continue the processing. To exercise your right to object, simply send an e-mail to datenschutz at gretchen-ai.com;
  • in accordance with Art. 7 (3) GDPR, to revoke your consent given once (also before the GDPR came into force, i.e. before 25.5.2018) – i.e. your voluntary will, made understandable in an informed manner and unambiguously by means of a declaration or other unambiguous confirming act, that you agree to the processing of the personal data in question for one or more specific purposes – at any time vis-à-vis us, if you have given such consent. This has the consequence that we may no longer continue the data processing, which was based on this consent, for the future; and
  • to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. Generally, you can contact the supervisory authority of your habitual residence or workplace or of the jurisdiction in which we have our registered office.