Privacy Notice for KI:connect@H-BRS

1. Responsible body

Controller pursuant to Art. 4(7) GDPR for processing personal data in connection with the use of KI:connect@H-BRS is:

Hochschule Bonn-Rhein-Sieg (H-BRS)
Grantham-Allee 20
53757 Sankt Augustin
Tel.: +49 2241 865 0
Email: info@h-brs.de

Represented by:
the President of Bonn-Rhein-Sieg University of Applied Sciences

2. Data protection officer

Dr Martin Eßer
Email: datenschutzbeauftragte@h-brs.de

If you have any questions about data protection, please contact the H-BRS Data Protection Coordinator:

Manfred Höffken
Tel.: +49 2241 865 9683
Email: manfred.hoeffken@h-brs.de

3. Description of the service

KI:connect@H-BRS is an interface that gives students and employees of H-BRS access to various generative artificial intelligence models.

The interface is technically operated by RWTH Aachen University. Users log in with their H-BRS credentials; direct registration with external AI providers is not required.

H-BRS integrates both commercial and freely available AI models via its own interfaces (APIs). The commercial models include the GPT model family (OpenAI L.L.C., USA). Freely available models are operated by the Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen (GWDG) on behalf of H-BRS. The model used is selected by the users within the interface.

H-BRS remains the Controller pursuant to Art. 4(7) GDPR.

Further information on the use of KI:connect@H-BRS can be found in the Terms of use.

4. Purposes of processing

Personal data is processed in order to:

• enable access to generative AI models,
• verify user authorisation,
• store conversations (chats) for technical purposes and enable them to be continued,
• record usage statistics and assign cost element IDs,
• ensure secure and data protection-compliant operation.

Inputs (prompts) are first transmitted to RWTH Aachen University, which processes them on behalf of H-BRS and forwards them in pseudonymised form to the provider of the AI model selected by the user. The generated responses (completions) are returned to the interface via the same technical route.

Neither RWTH Aachen University nor any of the providers of the AI models use the prompts or completions for training, optimisation or analysis purposes.

5. Categories of personal data

The following data is processed during use:

1. Registration and account data

This data is collected during registration via MIA, the identity provider (IDP) of H-BRS, and is used for authentication, authorisation and billing of use:

• IDP-specific, unique, persistent ID for the person (generated by the identity provider),
• University email address, first and last name,
• Role/group and type of affiliation with H-BRS  (e.g. students, employees),
• IP address and session cookie for authentication and technical session management only.

This data is processed by RWTH Aachen University on behalf of H-BRS.

A technical link between this data and the prompts or outputs mentioned below would be possible in principle, but is expressly prohibited by contract and is not technically implemented.

2. Data from prompts and completions

These are text entries made by users (prompts) and the responses generated by the AI models (completions).

The prompts are transmitted to the provider of the AI model selected by the user in pseudonymised form via the interface, so that this provider cannot directly assign the content to a specific person.

However, depending on how it is used, this data may contain personal data if users voluntarily include personal details (e.g. their name, role or other identifying characteristics) in a prompt.

This data is processed solely for the purpose of generating the desired output. It is not used for training or optimisation purposes by any of the providers of the AI models.

3. Metadata (anonymised usage data)

This includes technical data that is necessary for the functioning and evaluation of the service, such as:

• anonymous conversation and cost element IDs,
• time stamps of use,
• number of tokens processed,
• model name,
• usage costs.

This metadata does not allow any conclusions to be drawn about individual persons and is used exclusively for statistical and billing purposes. Additional identification of the data subject is technically impossible, as assignment data and references are stored strictly separately and secured against subsequent linking by technical and organisational measures.

The provision of the aforementioned personal data is necessary for the use of AI:connect@H-BRS. Without this data, it is not possible to use the service for technical and organisational reasons.

6. Legal basis for processing

Personal data is processed for the purpose of performing the tasks of H-BRS in teaching, research, study, transfer and administration in accordance with Art. 6 (1) (e) GDPR in conjunction with § 3 (1), § 8 (7) and § 25 (1) HG NRW (Hochschulgesetz of North Rhine-Westphalia) and § 18 (1) DSG NRW (Data Protection Act of North Rhine-Westphalia).

7. Recipients of the data

The recipients of the data you provide are exclusively the institutions involved in the provision of services:

• Bonn-Rhein-Sieg University of Applied Sciences (H-BRS) – responsible body within the meaning of Art. 4 No. 7 GDPR.
  Within the university, access is granted exclusively to the IT Service (IT-S) to the extent necessary for technical operation, integration and user support.
• RWTH Aachen University – Processor on behalf of H-BRS in accordance with Art. 28 GDPR.
  RWTH operates the state-wide portal KI:connect.nrw, performs authentication via the MIA interface, pseudonymises user IDs, processes technical metadata and forwards requests (prompts) to the selected language models.
• Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen (GWDG) – Processor on behalf of H-BRS in the context of the use of free models.
  GWDG provides the freely hosted language models available within KI:connect@H-BRS (e.g. Mixtral, Qwen, Meta LLaMA), processes the transmitted requests and returns the generated results.
  Transmission takes place exclusively via H-BRS’s licensed API access through the RWTH interface and in pseudonymised form; it is not possible to trace the data back to individual persons.
• OpenAI L.L.C. (or OpenAI Ireland Limited) – Processor on behalf of H-BRS in the context of the use of commercial models.
  OpenAI provides the commercial GPT models available within AI:connect@H-BRS, processes the transmitted requests and returns the generated results.
  Here, too, transmission takes place exclusively via H-BRS’s licensed API access through the RWTH interface and in pseudonymised form; it is not possible to trace the data back to individual persons.

8. Third country transfer

Third country transfers are carried out exclusively within the framework of the use of the API interface licensed by H-BRS from OpenAI, L.L.C. (USA). Processing via the H-BRS-licensed OpenAI API is based on the EU Standard Contractual Clauses, the EU-US Data Privacy Framework certification, and a completed Transfer Impact Assessment. Nevertheless, a residual risk for your data cannot be completely ruled out, particularly due to differing legal requirements in third countries.

When using the models operated by GWDG, no transfer to third countries takes place, as processing is carried out exclusively within the European Union.

9. Retention period and deletion

Personal data is generally only processed for as long as the user is affiliated with the university or has active access to AI:connect@H-BRS. After the end of the user relationship or upon request, this data will be anonymised or deleted within 30 days.

The texts entered via the interface (prompts) and the generated outputs (completions) can be deleted by the users themselves at any time. If no active deletion takes place, the content will be automatically removed after 14 days at the latest.

Technical and pseudonymised usage data, such as cost element IDs, timestamps or token numbers, are only stored for statistical and billing purposes. This metadata remains stored until the end of the respective billing period and is deleted after 386 days at the latest.

To ensure the security and confidentiality of your data, numerous technical and organisational protective measures are used, in particular:

• Transport encryption of all data transfers (TLS 1.2/1.3)
• Strict separation and pseudonymisation of usage and identity data
• Access restrictions and regular staff training
• Logging and monitoring of all accesses in accordance with the current state of the art
• Regular data protection and IT security audits

10. Rights of the data subject

In accordance with Art. 15 ff. GDPR, data subjects have the right to:

• information about the personal data concerning them,
• correction of inaccurate data,
• deletion (‘right to be forgotten’),
• restriction of processing,
• objection to processing,
• data portability.

To exercise these rights, simply send an informal request to: datenschutzbeauftragte@h-brs.de.

In addition, you have the right to lodge a complaint with the competent supervisory authority:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf

11. Automated decision-making

No automated decision-making, including profiling, takes place in accordance with Art. 22 GDPR.

12. Further information

H-BRS has no access to the content of individual chats. Users are responsible for the content they enter and the use of the results generated.

The entry of third-party personal data is prohibited. Use of the service is permitted for official purposes only.

For the safe and responsible use of the service, we recommend observing the Checklist: Permissible and Responsible Use of AI Systems.

This privacy notice reflects the data protection requirements as of October 2025. It is regularly adapted to legal, technical or organisational changes. The current version can always be found on this this website.