Privacy Policy

With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter referred to as „data“) that we process, for what purposes, and to what extent. This privacy policy applies to all data processing operations we carry out, both in providing our services and particularly on our websites, mobile applications, and within external online presences such as our social media profiles (collectively referred to as „online offering“).

The terms used are not gender-specific.

Effective: June 2024

Contents

1. Introduction
2. Overview of Processing
3. Contact Data Protection Officer
4. Relevant Legal Basis
5. Transmission and Disclosure of Personal Data
6. Data Processing in Third Countries
7. Use of Cookies
8. Provision of the Online Offering and Web Hosting
9. Web Analytics, Monitoring, and Optimization
10. Social Media Presences
11. Plugins and Embedded Functions and Content
12. Deletion of Data
13. Changes and Updates to the Privacy Policy
14. Rights of Data Subjects

Distributed AI Research Institute
Fiscal sponsor: Code for Science & Society
1423 Broadway #123, Oakland, CA 94612
mila@dair-institute.org

Overview of Processing

The following overview summarizes the types of processed data, their purposes, and the affected individuals.

Types of Processed Data

• Inventory data (e.g., names)
• Content data (e.g., entries in online forms, entries during registration for the internal user area)
• Contact data (e.g., email, phone numbers)
• Meta/communication data (e.g., device information, IP addresses)
• Usage data (e.g., visited websites, interest in content, access times)

Categories of Affected Individuals

• Communication partners
• Users (e.g., website visitors, online service users, network participants as registered users)

Purposes of Processing

• Provision of our online offering and user-friendliness
• Conversion measurement (measuring the effectiveness of marketing activities)
• Feedback (e.g., collecting feedback via online form)
• Contact requests and communication
• Reach measurement (e.g., access statistics, recognition of returning visitors)
• Security measures
• Tracking (e.g., interest-/behavior-based profiling, use of cookies) with separate consent
• Management and response to inquiries

Relevant Legal Basis

The following provides the legal basis under the General Data Protection Regulation (GDPR) on which we process personal data. Please note that in addition to the GDPR regulations, national data protection requirements in your or our country of residence and domicile may apply. If more specific legal bases are applicable in individual cases, we will inform you about them in the privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany

In addition to the GDPR regulations, national data protection regulations in Germany apply. This includes, in particular, the Federal Data Protection Act (BDSG), which contains specific regulations on the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases including profiling. It also regulates data processing for employment purposes (§ 26 BDSG). Furthermore, the Telecommunications-Telemedia Data Protection Act (TTDSG) includes regulations on the storage and reading of information on end-user devices (§ 25 para. 1 sentence 1 TTDSG), primarily concerning data collection and storage processes. Additionally, state data protection laws of individual federal states may apply.

Transmission and Disclosure of Personal Data

In the course of our data processing activities, it may happen that data is transmitted to other entities, companies, legally independent organizational units, or persons or disclosed to them. Recipients of this data may include IT service providers or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

We use WordPress as the CMS from Automattic to manage the content of our website. WordPress.com commits to compliance with the GDPR. WordPress provides secure communication facilities between your browser and our server and uses cookies for basic internet applications. Cookies from WordPress do not collect IP addresses or personal or sensitive information. The information stored by cookies is not sent to WordPress or third parties.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or if the processing takes place within the scope of using third-party services or the disclosure or transmission of data to other persons, entities, or companies, this only occurs in accordance with legal requirements.

Subject to express consent or contractual or legally required transmission, we process or allow the data to be processed only in third countries with a recognized data protection level, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: EU Commission).

Use of Cookies

Cookies are text files containing data from visited websites or domains and are stored by a browser on the user’s computer. A cookie primarily serves to store information about a user during or after their visit within an online offering. Stored information may include language settings on a website, login status, a shopping cart, or the point at which a video was watched. The term cookies also includes other technologies that perform the same functions as cookies (e.g., when user information is stored using pseudonymous online identifiers, also referred to as „user IDs“).

The following cookie types and functions are distinguished:

• Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their browser.
• Permanent cookies: Permanent cookies remain stored even after closing the browser. For example, the login status can be saved, or preferred content can be displayed directly when the user visits a website again. Similarly, user interests used for reach measurement or marketing purposes can be stored in such a cookie.
• First-party cookies: First-party cookies are set by us.
• Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
• Necessary (also: essential or strictly necessary) cookies: Cookies may be necessary for the operation of a website (e.g., to store logins or other user inputs or for security reasons).
• Statistics, marketing, and personalization cookies: Furthermore, cookies are usually used for reach measurement and when user interests or behaviors (e.g., viewing certain content, using functions, etc.) are stored in a user profile. Such profiles are used to show users content that corresponds to their potential interests. This process is also known as „tracking,“ i.e., following the potential interests of users. As far as we use cookies or „tracking“ technologies, we inform you separately in our privacy policy or in the context of obtaining consent.

Processing of Cookie Data Based on Consent

On our website, we use WordPress to obtain consent for the storage of certain cookies and to document it in compliance with data protection regulations.

Processed Data Types:

• Usage data (e.g., visited websites, interest in content, access times)
• Meta/communication data (e.g., device information, IP addresses)

Affected Individuals:

• Users (e.g., website visitors, online service users)

Legal Basis:

• Consent (§ 25 para. 1 sentence 1 TTDSG)
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Provision of the Online Offering and Web Hosting

To provide our online offering securely and efficiently, we use the services of a web hosting provider, from whose servers (or servers they manage) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space, and database services as well as security services and technical maintenance services.

The data processed in the context of providing

the hosting offering can include all information related to the users of our online offering that arises in the context of usage and communication. This regularly includes the IP address, which is necessary to deliver the contents of online offerings to browsers, and all entries made within our online offering or from websites.

The provision of webspace is carried out on our behalf by:

STRATO AG
Otto-Ostrowski-Strasse 7
10249 Berlin, Germany

Collection of Access Data and Log Files

We (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files can include the address and name of the retrieved websites and files, date and time of retrieval, transmitted data volume, report on successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and generally IP addresses and the requesting provider.

The server log files can be used for security purposes, e.g., to avoid overloading the servers (especially in the case of misuse attacks, such as DDoS attacks) and to ensure the stability of the servers.

Processed Data Types:

• Content data (e.g., entries in online forms)
• Usage data (e.g., visited websites, interest in content, access times)
• Meta/communication data (e.g., device information, IP addresses)

Affected Individuals:

• Users (e.g., website visitors, online service users)

Legal Basis:

• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Web Analytics, Monitoring, and Optimization

Web analytics (also known as „reach measurement“) serves the evaluation of visitor streams of our online offering and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offering or its functions or contents are most frequently used or invite reuse. Similarly, we can understand which areas need optimization.

In addition to web analytics, we can also use test procedures to test and optimize different versions of our online offering or its components.

For these purposes, so-called user profiles can be created and stored in a file (so-called „cookie“) or similar procedures can be used with the same purpose. These details can include viewed content, visited websites, and used elements and technical details such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data, these can also be processed depending on the provider.

IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analytics, A/B testing, and optimization, no clear user data (such as email addresses or names) are stored but pseudonyms. This means that we and the providers of the used software do not know the actual identity of the users, but only the data stored in their profiles for the respective procedures.

Legal Basis:

If we ask users for their consent to use third-party providers, the legal basis for processing data is consent. Otherwise, the data of the users are processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to point out the information on the use of cookies in this privacy policy.

Processed Data Types:

• Usage data (e.g., visited websites, interest in content, access times)
• Meta/communication data (e.g., device information, IP addresses)

Affected Individuals:

• Users (e.g., website visitors, online service users)

Purposes of Processing:

• Reach measurement (e.g., access statistics, recognition of returning visitors)
• Tracking (e.g., interest-/behavior-based profiling, use of cookies)
• Conversion measurement (measuring the effectiveness of marketing activities)
• Profiling (creating user profiles)

Security Measures:

• IP masking (pseudonymization of the IP address)

Legal Basis:

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Used Services and Service Providers:

Google Analytics 4

If you have given your consent, Google Analytics 4, a web analytics service provided by Google LLC, is used on this website. The responsible entity for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland („Google“).

Recipients

Recipients of the data are/can be:

• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Art. 28 GDPR)
• Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
• Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

Third Country Transfer

For the USA, the European Commission adopted its adequacy decision on July 10, 2023. Google LLC is certified under the EU-US Privacy Framework. As Google servers are distributed worldwide, and a transfer to third countries (e.g., to Singapore) cannot be entirely ruled out, we have also concluded the EU standard contractual clauses with the provider.

Social Media Presences

We maintain online presences within social networks and process data of users within this context to communicate with active users there or to offer information about us.

We point out that data of users can be processed outside the European Union. This can pose risks for users because, for example, it could make it more difficult for users to enforce their rights.

Additionally, data of users within social networks are generally processed for market research and advertising purposes. For example, based on the user behavior and resulting interests of the users, usage profiles can be created. These usage profiles can, in turn, be used to display advertisements within and outside the networks that presumably match the users‘ interests. For these purposes, cookies are usually stored on the users‘ devices, where the usage behavior and interests of the users are stored. Furthermore, data can be stored in the usage profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and logged in).

For a detailed presentation of the respective processing forms and the opt-out options, we refer to the privacy policies and information of the operators of the respective networks.

In the case of information requests and the assertion of data subject rights, we also point out that these can be most effectively asserted with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. Should you still need assistance, you can contact us.

Processed Data Types:

• Inventory data (e.g., names, addresses)
• Contact data (e.g., email, phone numbers)
• Content data (e.g., entries in online forms)
• Usage data (e.g., visited websites, interest in content, click behavior, access times)
• Meta/communication data (e.g., device information, IP addresses)

Affected Individuals:

• Users (e.g., website visitors, online service users)

Purposes of Processing:

• Contact requests and communication
• Tracking (e.g., interest-/behavior-based profiling, use of cookies)
• Remarketing

Legal Basis:

• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Used Services and Service Providers:

• Instagram: Social network; Service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; Website: Instagram; Privacy policy: Instagram Privacy Policy.
• LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: LinkedIn; Privacy policy: LinkedIn Privacy Policy; Opt-out: LinkedIn Opt-out.
• X: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, parent company: X Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Privacy policy: X Privacy Policy, (Settings) X Settings.

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as „third-party providers“). These can be, for example, graphics, videos, or social media buttons and posts (collectively referred to as „content“).

The integration always requires that the third-party providers of this content process the IP address of the users, as they could not send the content to their browser without the IP address. The IP address is, therefore, necessary for displaying this content or functions. We strive to use only such content whose respective providers use the IP address solely for delivering the content. Third-party providers can also use so-called pixel tags (invisible graphics, also known as „web beacons“) for statistical or marketing purposes. Through the „pixel tags,“ information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the users‘ device and contain technical information about the browser and operating system, referring websites,

visit time, and other details about the use of our online offering, as well as being linked with such information from other sources.

Legal Basis:

If we ask users for their consent to use third-party providers, the legal basis for processing data is consent. Otherwise, the data of the users are processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to point out the information on the use of cookies in this privacy policy.

Processed Data Types:

• Usage data (e.g., visited websites, interest in content, access times)
• Meta/communication data (e.g., device information, IP addresses)
• Inventory data (e.g., names, addresses)
• Contact data (e.g., email, phone numbers)
• Content data (e.g., entries in online forms)

Affected Individuals:

• Users (e.g., website visitors, online service users)
• Communication partners

Purposes of Processing:

• Provision of our online offering and user-friendliness
• Performance of contractual services and customer service
• Security measures
• Management and response to inquiries
• Contact requests and communication
• Direct marketing (e.g., by email)
• Tracking (e.g., interest-/behavior-based profiling, use of cookies)
• Interest-based and behavioral marketing
• Profiling (creating user profiles)

Legal Basis:

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
• Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR)
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Used Services and Service Providers:

• Peertube Videos: Video content; Headquarters: Association Framasoft, c/o Locaux Motiv, 10 bis, rue Jangot, 69007 LYON, FRANCE

Deletion of Data

The data processed by us will be deleted in accordance with legal requirements as soon as their allowed consents are revoked, contractual relationships are terminated, or other permissions cease (e.g., if the purpose for processing this data no longer exists or they are not required for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means the data will be locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary for asserting, exercising, or defending legal claims or protecting the rights of another natural or legal person.

Further information on the deletion of personal data can also be found in the individual privacy notices of this privacy policy.

Changes and Updates to the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as the changes in the data processing activities we carry out make this necessary. We will inform you as soon as the changes require a cooperation act on your part (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and ask you to check the information before contacting us.

Rights of Data Subjects

As a data subject, you have various rights under the GDPR, which primarily arise from Articles 15 to 21 GDPR:

• Right to Object: You have the right to object at any time to the processing of your personal data, which is based on Art. 6 para. 1 lit. e or f GDPR, for reasons arising from your particular situation; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling, to the extent it is related to such direct marketing.
• Right to Withdraw Consent: You have the right to withdraw any consent given at any time.
• Right of Access: You have the right to request confirmation as to whether data concerning you is being processed and to information about this data as well as further information and a copy of the data in accordance with legal requirements.
• Right to Rectification: You have the right to request the completion or rectification of incorrect data concerning you in accordance with legal requirements.
• Right to Erasure and Restriction of Processing: You have the right to request the immediate deletion of data concerning you or alternatively, in accordance with legal requirements, to request the restriction of data processing.
• Right to Data Portability: You have the right to receive the data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements or to request its transmission to another controller.
• Right to Lodge a Complaint with a Supervisory Authority: You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of personal data relating to you infringes the GDPR.