Privacy Policy KI-Toolbox

Data Protection Notice Pursuant to Article 13 of the General Data Protection Regulation (GDPR)

The following information provides you with an overview of how your personal data is processed and of your rights under data protection law. According to Article 4(1) of the EU General Data Protection Regulation (GDPR), personal data refers to any information relating to an identified or identifiable natural person.

Overview

  1. Data Controller and Data Protection Commissioner (od. Officer)
  2. General Information on the “KI-Toolbox” Service
  3. General Information on the Use of Models (LLM)
  4. Specific Information on the Use of Self-Hosted Models Only
  5. Specific Information on the Use of External Models
  6. Legal Basis
  7. Your Rights

Content Information

1. Data Controller and Data Protection Commissioner (od. Officer)

The data controller within the meaning of the GDPR (Art. 4(7)) and other data protection regulations is:

Karlsruhe Institute of Technology (KIT)
Kaiserstrasse 12, 76131 Karlsruhe
Germany
Phone: +49 721 608-0
Fax: +49 721 608-44290
Email: info∂kit.edu

The Karlsruhe Institute of Technology is a corporation governed by public law. It is represented by the respective President. You can contact our Data Protection Commissioner (od. Officer) at datenschutzbeauftragte∂kit.edu or at the mailing address with the addition “The Data Protection Commissioner (od. Officer).”

2. General Information About the KI-Toolbox Service

Description and Definition of the Scope of Data Processing

The KI-Toolbox consists of several components, in particular a web front end and Large Language Models (LLMs) in the back end. The front end provides users with a web interface for entering user queries. Users can also select the LLM and configure settings. The front end forwards all queries to the selected LLM. For data protection reasons, a distinction is made between:

  • open-source LLMs hosted locally at KIT itself and
  • external LLMs from third-party providers.

In the web interface, the LLMs are labeled as either local (self-hosted) or external models.
We process our users’ personal data only to the extent necessary to provide a fully functional service as well as our content and services.

Each time the KI-Toolbox is accessed (regardless of whether a local or externally hosted LLM is used), the system automatically collects data and information from the computer system of the accessing device.

The following data is collected in every case:

  • Date of access
  • Name of the operating system installed on the accessing device
  • Name of the browser used
  • Source system through which access occurred
  • IP address of the accessing device

The data is stored in our system’s log files. This data is not stored together with any other personal data of the user.

Retention period: Personal data is stored for as long as necessary to fulfill the purpose for which it was collected. The data is deleted after seven days at the latest.

Legal basis: The legal basis for processing this data is Art. 6(1)(e) and (3)(b) of the GDPR in conjunction with § 4 of the LDSG or § 20(1) of the KITG in conjunction with § 12(1) of the LHG.

Login to the KI-Toolbox is performed via the identity management system using your KIT account. When a new user logs in for the first time, the KI-Toolbox stores the first and last name, the email address in the format <ACCOUNT>@kit.edu, and a unique identifier. To grant permissions via groups, membership in specific groups is also transferred and stored (groups whose names begin with “SCC-openwebui-group-”). Group memberships are transferred with each login.

3. General Information on the Use of Models (LLMs)

Depending on whether locally hosted LLMs or external LLMs are used, in addition to this general information and descriptions (which apply to both types of use), specific information regarding specific data processing activities is also available, and different data protection regulations apply. For more information, see “Use of Self-Hosted Models” (Section 4) and “Use of External Models” (Section 5).

Description and Specification of the Scope of Data Processing

For billing purposes and to optimize our services, the following data is stored on our server for each request made to an LLM:

  • Date and time of the request
  • User ID
  • Selected model
  • Length of the request and response (tokens)
  • Cost information (if available)

This data is not stored together with other personal data of the user (in particular, chat history).

Input data (chats) and uploaded files are stored on KIT servers (regardless of whether a locally hosted or externally hosted LLM is used) and are uniquely assigned to the user; they are not accessible to other users per se (private use). Users may, if they wish, make their data or files available to other users (via the web interface or the integrated interface or API).

Retention period: Data used for billing purposes and service optimization is stored on KIT servers for one year.

Data entered by users or uploaded files are stored for a maximum of one year, but can be deleted by the users themselves at any time via the KI-Toolbox. Data and files that can no longer be assigned to a user (e.g., due to a user leaving KIT and the resulting deactivation of their KIT account) are deleted within 24 hours at the latest.

4. Specific Information Regarding the Use of Self-Hosted Models

Recipients: For open-source LLMs hosted at KIT, requests are processed exclusively on KIT servers. To use models hosted at KIT, users’ requests and responses are processed solely on KIT systems and are not forwarded to external services.

5. Specific Information on the Use of External Models

Recipients: In the case of external LLMs, requests—including the chat history to date—are forwarded to the external providers.
To use external models, we forward users’ requests from our server to Microsoft Azure or the Google Cloud Platform. This data is processed exclusively within the EU at Azure or Google data centers.

The following data is forwarded to fulfill this purpose:

  • User requests

Information about the users themselves is not shared. However, user requests are forwarded unfiltered, meaning that any personal information contained in the request itself is shared with the external service provider.

The implementation of the KI-Toolbox is strictly governed by the Microsoft Data Processing Addendum (https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy, https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) and the Google Data Processing Addendum (https://cloud.google.com/terms/data-processing-addendum).

An adequacy decision in accordance with the European General Data Protection Regulation (GDPR) has been issued for Microsoft and Google. Data transfers to third parties cannot be ruled out.

Addendum regarding retention period: The anonymized requests sent by KIT to the external service provider are logged for up to 30 days, in accordance with the Data Processing Addenda, exclusively in the event of an attempted abuse, e.g., to create hateful or sexualized content. This occurs automatically when the backend detects an attempted abuse. However, it cannot be ruled out that legitimate requests may be mistakenly classified as attempted abuse and logged.

6. Legal Basis

When used in an employment context, the legal basis is Article 6(1)(e) and (3) of the GDPR in conjunction with § 3a and § 15 of the Baden-Württemberg State Data Protection Act (LDSG), as the data processing is necessary for the performance of the employment relationship.

When used for KIT’s university-related tasks, the legal basis is derived from Article 6(1)(e) and (3)(b) of the GDPR in conjunction with Section 3a of the LDSG and Section 12 of the Act of Baden-Württemberg on Universities and Colleges (LHG) in conjunction with Sections 2, 20 of the KIT Act.

When used to fulfill KIT’s other tasks, the legal basis is Article 6(1)(e) and (3)(b) of the GDPR in conjunction with § 3a and § 4 of the LDSG in conjunction with § 2 of the KIT Act.

7. Your Rights

With regard to the personal data concerning you, you have the following rights vis-à-vis us:

  • Right to withdraw your consent with future effect, provided that the processing is based on consent pursuant to Article 6(1), first subparagraph, letter a of the GDPR (Article 7(3) of the GDPR)
  • Right to confirmation as to whether data concerning you is being processed, and to access the processed data, to receive further information about the data processing, and to obtain copies of the data (Article 15 of the GDPR)
  • Right to have inaccurate or incomplete data rectified or completed (Article 16 of the GDPR)
  • Right to the immediate erasure of data concerning you (Article 17 of the GDPR)
  • Right to restriction of processing (Article 18 of the GDPR)
  • Right to receive the data in a structured, commonly used, and machine-readable format, provided that the processing is based on consent pursuant to Article 6(1), first subparagraph, letter a, or Article 9(2), letter a, or on a contract pursuant to Article 6(1), first subparagraph, letter b (Article 20 of the GDPR)
  • Right to object to the future processing of data concerning you, provided that the data is processed in accordance with Article 6(1)(e) or (f) of the GDPR (Article 21 of the GDPR)

You also have the right to lodge a complaint with the supervisory authority regarding KIT’s processing of your personal data (Article 77 of the GDPR). The supervisory authority with respect to KIT within the meaning of Article 51(1) of the GDPR is, pursuant to Section 25(1) of the LDSG: The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (https://www.baden-wuerttemberg.datenschutz.de/).

Effective as of: July 1, 2026