~

DATA PROTECTION

Für Deutsch Hier klicken

Last updated: 05 February 2026

 

 1. Controller

 

AboutSomethinK UG (haftungsbeschränkt)

 

Leipziger Str. 49

10117 Berlin, Germany

Phone: +49 (0) 173 5467885

  

Contact for data protection:

Tilman Scheel

E-Mail: tilman.scheel{at}aboutsomethink.org

 

Commercial Register: District Court Charlottenburg / Berlin

HRB 277295 B

  

If you wish to object to the collection, processing or use of your data by us in accordance with this data protection policy as a whole or for individual measures, you can address your objection to the above-mentioned responsible body.

You can save and print this privacy policy at any time.

 

2. Scope of this Privacy Policy

 

This Privacy Policy applies to:

 

  • the AI chatbot provided by us (including technical provisioning/hosting) that will be integrated into library websites (Section A)
  • an optional feedback form in the chatbot (section B)
  • our website at www.aboutsomethink.org (Section C)

If you use the chatbot on a library’s website, the privacy policy of the respective library also applies. There you will find information on the integration of the chatbot, any cookies/consent mechanisms used by the library and library-specific processing.

  

3. Role distribution: Library and us

 

Depending on the processing process, the library and we may take on different roles under data protection law:

 

a) Library as controller

 

For the provision of the chatbot as part of the library’s website (e.g. information and recommendations on media holdings, service questions or document queries), the library processes data as the controller. 

 

b) We as independent controllers

Insofar as we process data for our own purposes (in particular IT security, error analysis/troubleshooting, abuse prevention, quality assurance/product improvement on the basis of stored rated chats/feedback), we act as independent controllers for this.

There is no joint responsibility between the respective library and us (Art. 26 GDPR).

 

Where do you direct your rights requests?

  • For processing in the library’s area of responsibility: to the library.
  • For processing within our area of responsibility: to us (contact details above).
  • If you contact us and the library is responsible (or vice versa), we will forward your request to the extent necessary.

 

A. AI chatbot on library websites

 

4.What data do we process with the chatbot?

 

a) Content inputs and conversation data

  • Text inputs from users (prompts)
  • Responses generated by the chatbot
  • Session metadata, if applicable (e.g., timestamp, session ID)

 

b) Technical access data (server/log data)

  • Date/time of access, resources accessed
  • Fault/diagnostic data

 

Important note: Please do not enter any personal data (e.g. health data) or information from third parties in free text entries. 

  

5. Purposes of processing

 

  • Provision of the chatbot and its functions (answers to library collections, service requests, document requests) 
  • Operation, Stability, Security, and Abuse Detection
  • Error analysis, support and further development/quality assurance

 

6. Legal basis

 

Depending on the distribution of roles (No. 3), the following may be considered in particular:

  • Art. 6 para. 1 lit. f GDPR (legitimate interest in secure, stable operation, abuse prevention, error analysis, quality improvement)
  • Art. 6 (1) (b) GDPR (insofar as the use is to be classified as a service/provision of services to the library or users – typically by the library)

 

7. Storage time in the chatbot

 

Chats that have not been rated are generally not stored permanently, but are only processed for a short time if necessary (e.g. for session execution/error analysis).

 

  • The storage period of unrated chats is determined by the library. Unless otherwise specified by the library, a default of 14 days applies on our site; then unrated chats are deleted.
  • Server/security logs: up to 14 days.
  • Rated chats: see section B.

 
8. Recipients / Categories of Recipients

 

Hosting/data center service providers as well as infrastructure and maintenance service providers: 

 

  • Hosting/data center service providers, infrastructure and maintenance service providers (home country: Germany)
  • Processors for AI components (embeddings/chat). (Country of residence depending on the provider: EU, e.g. France (Mistral), or USA (google, OpenAI)

Recipients are contractually obliged to guarantee the data protection requirements (esp. Art. 28 GDPR, if order processing exists). 

 

 For the creation of embeddings (e.g. for semantic search in catalog/metadata) and/or for the execution of the chat, we use external AI service providers – depending on the configuration – in particular Google, OpenAI or Mistral AI.

 

Depending on the configuration and purpose, content inputs (prompts), contextual information (e.g. relevant catalogue excerpts) and technical metadata are transmitted to the respective service provider insofar as this is necessary for the provision of the AI function.

 

In the case of providers based or processed in the USA, a transfer to a third country takes place. In this case, appropriate safeguards are used (e.g. EU-U.S. Data Privacy Framework, where applicable, and/or standard contractual clauses) as well as supplementary technical and organisational measures.

 

The service providers process data according to their contractual conditions and security measures. Further information can be found in the data protection declarations and, if applicable, data processing supplements (DPA) of the respective providers.

 

 9. Automated decisions

The chatbot generates answers automatically. There is no automated decision with legal effect or similarly significant impairment within the meaning of Art. 22 GDPR.

 

B. Feedback form and storage of rated chats

 

10. What data do we process when we receive feedback?

 

When users rate the chat and leave a message, we process:

  • Evaluation (e.g. thumb)
  • Free text feedback

Chat history of the rated chat (content + replies)

  • Technical metadata (time, library ID)

The feedback form refers to this privacy policy.

  • The submission of feedback is voluntary. If you don’t give feedback, you won’t suffer any disadvantages; chatbot use remains possible.

   

11. Purposes

 

  • Quality control and improvement of the chatbot (e.g. detection of incorrect answers, optimization of content/rules)
  • Handling user feedback and support cases

 

12. Legal basis

 

  • Art. 6 (1) (f) GDPR (legitimate interests in quality assurance, product safety, support and abuse prevention).

 

13. Note on the use of third-party AI providers in the context of rated chats/feedback

 

To the extent that evaluated chat histories and feedback are processed for quality assurance, further processing can – depending on the setup – be carried out by the data subject under No. 8 (e.g. to analyse incorrect answers or to improve retrieval/response quality). The role and contract constellations described there as well as the references to the data protection declarations of the providers also apply here.

 

Storage Duration (Feedback & Rated Chats)

 

  • Rating data, feedback and rated chat histories: 6 months or until the purpose is achieved, then deleted/anonymized.
  • Support/error cases: equivalent to 12 months or after completion of the process.

 

C. Our Website and Google Analytics

  

15. Website-Hosting und Server-Logs

 

When you visit our website, we process the usual technical data (esp. IP address, date/time, page accessed, user agent, referrer, error codes) to deliver the website, ensure security and fix errors.

 

Legal basis: Art. 6 para. 1 lit. f GDPR.

We do not use cookies beyond Google Analytics.

Storage period: 14 days.

 

16. Google Analytics

 

We use Google Analytics (GA4) to measure reach and analyze website usage.

 

Processed data (typical): Usage data (page views, click paths, device/browser info, approximate region), cookie/ID information, if applicable, interaction data.

 

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR) via a cookie/consent banner, provided that cookies/IDs are set or read for analysis purposes. Without consent, no analytics tracking takes place (or is configured accordingly). You can withdraw or change your consent at any time via the cookie/consent settings (e.g. via a “Cookie Settings” link on the website, if available).

 

Recipient: Google Ireland Limited (EU) and, if applicable, Google LLC (USA) as affiliated companies in the context of the provision.

 

Third country transfer: When using Google Analytics, a transfer to the USA (e.g. to Google LLC) may take place. Appropriate safeguards are used for this purpose (e.g. EU-U.S. Data Privacy Framework, where applicable, and/or Standard Contractual Clauses), depending on your configuration and the mechanisms in place at any given time.

 

Storage period: 12 months.

 

D. Rights of data subjects

 

Insofar as we are controllers, you have the right under the GDPR in particular to:

 

Right to lodge a complaint: You have the right to complain to a data protection supervisory authority about the processing of your personal data (Art. 77 GDPR). In particular, the supervisory authority of your habitual place of residence, your place of work or the place of the alleged infringement is responsible.

 

Obligation to provide: Certain technical data are automatically processed for visiting our website (see section 16). In order to use the chatbot, your entries must be processed (see section 4). The submission of feedback is not mandatory (see point 11).

 

  • Information (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18)
  • Data portability (Art. 20)
  • Objection to processing on the basis of Art. 6 para. 1 lit. f (Art. 21)
  • Withdrawal of consent (Art. 7 para. 3)

 

To exercise your rights, it is sufficient to send a message to the contact details under no. 1.

 

E. Cooperation with libraries

 

If you use the chatbot on a library website, you will find in the library’s privacy policy in particular:

 

  • who is primarily responsible for the chatbot use there,
  • what consents (e.g. cookies/tracking/optional storage) the library may obtain,
  • how you can assert rights directly against the library.

 

Our privacy policy supplements this information for the processing operations in our area of responsibility (e.g. storage of rated chats/feedback, security/error analysis and our own website).

 

F. Changes to this Privacy Policy

 

We will update this Privacy Policy if features, processes, or legal bases change.