Privacy Policy KI.Toolbox
Privacy Policy According to Article 13 of the General Data Protection Regulation (GDPR)
This Privacy Policy provides information on the processing of your personal data in connection with this website and on your rights under data protection legislation. According to Article 4, No. 1 of the EU General Data Protection Regulation (GDPR), personal data are all data that can be related to an identified or identifiable natural person.
Overview
- Controller and Data Protection Commissioner
- General information on the KI.Toolbox service
- General information for the use of models (LLM)
- Specific information on the use of self-hosted models only
- Specific information on the use of external models at Microsoft Azure
- Legal basis
- Your rights
Content
1. Controller and Data Protection Commissioner
According to the GDPR (Article 4, No. 7) and other data protection regulations, the controller is:
Karlsruhe Institute of Technology (KIT)
Kaiserstrasse 12, 76131 Karlsruhe
Germany
Phone: +49 721 608-0
Fax: +49 721 608-44290
E-mail: info∂kit.edu
Karlsruhe Institute of Technology is a public corporation represented by its President. Our Data Protection Commissioner can be contacted at datenschutzbeauftragte∂kit.edu or by ordinary mail with “Die Datenschutzbeauftragte” (the Data Protection Commissioner) being indicated on the envelope.
2. General information on the KI.Toolbox service
Description and designation of the scope of data processing
The KI.Toolbox consists of several components, in particular a web frontend and large language models (LLMs) in the backend. The frontend offers users a web interface for entering requests, selecting the LLM, and adjusting settings. The frontend forwards all requests to the selected LLM. For data protection reasons, a distinction is made between
- open source LLMs hosted locally by KIT itself and
- external LLMs from third-party providers.
The LLMs are marked in the web interface as either local (self-hosted) or external models.
We process our users' personal data only to the extent necessary to provide a functional service and our content and services.
Each time the KI.Toolbox is accessed (regardless of whether a local or externally hosted LLM is used), the system automatically collects data and information from the computer system of the accessing computer.
The following data is collected in each case:
- Date of access
- Name of the operating system installed on the accessing device
- Name of the browser used
- Source system via which the access was made
- IP address of the accessing device
The data is stored in the log files of our system. This data is not stored together with other personal data of the user.
Storage period: The personal data is stored for as long as is necessary to achieve the purpose for which it was collected. The data will be deleted after seven days at the latest.
Legal basis: The legal basis for the processing of this data is Art. 6 para. 1 lit. e, para. 3 lit. b GDPR in conjunction with § 4 LDSG or § 20 para. 1 KITG in conjunction with § 12 para. 1 LHG.
You can log in to the KI.Toolbox via the identity management system using your KIT account. When a new user logs in for the first time, the KI.Toolbox saves their first and last name, email address in the form <account>@kit.edu, and a unique identifier. To grant rights via groups, the group membership of certain groups is also transmitted and saved (groups whose name begins with "SCC-openwebui-group-"). The group memberships are transferred during each login process.
3. General information for the use of models (LLM)
Depending on whether locally hosted LLMs or external LLMs are used, specific information on the respective data processing applies in addition to this general information (which applies to both types of use). Further information on this can be found under "Use of self-hosted models" (section 4) and "Use of external models with Microsoft Azure" (section 5).
Description and designation of the scope of data processing
For billing purposes and service optimization, the following data is stored on our server for each request to an LLM:
- Date and time of the request
- User ID
- Selected model
- Length of the request and response (tokens)
- Cost information (if available)
This data is not stored together with other personal data of the user (in particular chat history).
Data entered (chats) and uploaded files (regardless of whether a local or externally hosted LLM is used) are stored on KIT servers, are uniquely assigned to the user, and are not accessible to other users per se (private use). Users can make their data or files available to other users on request (via the web interface or the integrated interface or API).
Storage period: The data used for billing purposes and service optimization is stored on servers at KIT for one year.
Data entered by users or uploaded files are stored for a maximum of one year, but can be deleted at any time by the users themselves in the KI.Toolbox at an earlier point in time. Data and files that can no longer be assigned to a user (e.g. due to a user leaving KIT and the associated deactivation of the KIT account) are deleted after 24 hours at the latest.
4. Specific information only for the use of self-hosted models
Recipients: In the case of open source LLMs hosted at KIT, the requests are only processed on KIT servers. In order to use the models hosted at KIT, the requests and responses from users are processed exclusively on KIT systems and are not forwarded to external services.
5. Specific information on the use of external models at Microsoft Azure
Recipients: In the case of external LLMs, the requests, including the previous progress in the current chat, are forwarded to the external providers.
To use external models, we forward the users' requests from our server to Microsoft Azure. This data is processed in Azure data centers in Germany and Sweden. In exceptional cases, processing may also take place in other data centers within Europe.
The following data is forwarded for fulfillment:
- Requests from users
Information about the users themselves is not passed on. However, the user's request is forwarded unfiltered, i.e. personal information contained in the request itself is forwarded to the external service provider.
The realization/implementation of the AI toolbox is mandatorily based on the Data Processing Addendum (https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy, https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA).
An adequacy decision has been made with Microsoft in accordance with the European General Data Protection Regulation. Data transfer to third parties cannot be ruled out.
Addition to the storage period: The anonymized requests sent by KIT to the external service provider are only logged for up to 30 days in accordance with the Microsoft Data Processing Addendum in the event of an attempt at misuse, e.g. to create hate or sexualized content. This happens automatically if the backend detects an attempt at abuse. It cannot be ruled out that legitimate requests may be incorrectly interpreted as an attempt at abuse and logged.
6. Legal basis
When used in an employment context, the legal basis is Article 6(1)(e) and (3) of the GDPR in conjunction with Section 15 of the Baden-Württemberg State Data Protection Act (LDSG), as data processing is necessary for the performance of the employment relationship.
When used for university tasks of KIT, the legal basis is Article 6(1)(e), (3)(b) GDPR in conjunction with Section 12 of the State Higher Education Act in conjunction with Sections 2 and 20 of the KIT Act.
When used to fulfill the other tasks of KIT, the legal basis results from Article 6 (1) (e), (3) (b) GDPR in conjunction with Section 4 of the State Data Protection Act (LDSG) in conjunction with Section 2 of the KIT Act.
7. Your rights
As regards your personal data, you have the following rights:
- right to withdrawal of your consent with effect for the future, if processing is based on a consent according to Art. 6, par. 1, sub-par. 1, lit. a GDPR (Art. 7, par. 3 GDPR),
- right to confirmation as to whether data about you are processed and right to information about the data processed and to further information about data processing as well as right to obtain copies of the data (Art. 15 GDPR),
- right to rectification or completion of incorrect or incomplete data (Art. 16 GDPR),
- right to immediate erasure of your personal data (Art. 17 GDPR),
- right to restriction of processing (Art. 18 GDPR),
- right to portability of the data in a structured, common, and machine-readable format, provided that processing is based on a consent according to Art. 6, par. 1, sub-par. 1, lit. a or Art. 9, par. 2, lit. a GDPR or on an agreement according to Art. 6, par. 1, sub-par. 1, lit. b GDPR (Art. 20 GDPR),
- right to object to the future processing of your personal data, if the data are processed according to Art. 6, par. 1, lit. e or f GDPR (Art. 21 GDPR).
In addition, you have the right to complain about the processing of your personal data by KIT with its supervisory authority (Art. 77 GDPR). According to Art. 25, par. 1 LDSG, the supervisory authority of KIT according to Art. 51, par. 1 GDPR is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (Baden-Württemberg State Commissioner for Data Protection and Freedom of Information) (https://www.baden-wuerttemberg.datenschutz.de/, in German).
Updated: 23.10.2025