Privacy Policy

1. Data Protection at a Glance

General Information

The following overview explains what happens to your personal data when you visit this website. “Personal data” means any information that can identify you. Full details can be found in the policy below.

Data Collection on This Website

Who is responsible for data processing on this website?

Data processing is carried out by the website operator. The operator’s contact details are provided in the section “Information on the Controller”.

How do we collect your data?

Some data you provide directly (for example, via a contact form). Other data is collected automatically—or with your consent—by our IT systems when you visit the site. This is primarily technical data (e.g., browser, operating system, time of access) and is collected as soon as you enter the website.

What do we use your data for?

Some data is collected to ensure the website functions without errors. Other data may be used to analyze user behavior. If contracts can be initiated or concluded via the website, the transmitted data is also processed for offers, orders, or other service-related requests.

What rights do you have regarding your data?

You have the right to obtain, at any time and free of charge, information about the origin, recipients, and purposes of your stored personal data. You also have the right to request rectification or deletion of this data. If you have given consent to processing, you can withdraw it at any time with effect for the future. Under certain conditions, you may request restriction of processing. You also have the right to lodge a complaint with a competent supervisory authority.

You can contact us at any time about these rights or any other questions regarding data protection.

2. Hosting

We host this website with the following provider:

IONOS

The provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (“IONOS”). When you visit our website, IONOS collects various log files, including your IP address. For details, please see IONOS’s privacy policy: https://www.ionos.de/terms-gtc/terms-privacy.

The use of IONOS is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable presentation of our website possible. Where consent is requested, processing takes place exclusively on the basis of Art. 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time.

Data Processing Agreement

We have concluded a data processing agreement (DPA) with the provider named above. This contract, required by data protection law, ensures that the provider processes website visitors’ personal data only in accordance with our instructions and in compliance with the GDPR.

3. General Notes and Mandatory Information

Privacy

We take the protection of your personal data very seriously. We treat your data confidentially and in accordance with statutory data protection rules and this privacy policy.

When you use this website, various personal data is collected. This policy explains what data we collect and for what purposes we use it.

Please note that data transmission over the internet (e.g., email communication) may have security gaps. Complete protection of data from third-party access is not possible.

Information on the Controller

The controller responsible for data processing on this website is:

Marcel Butschle
Campus Esslingen Stadtmitte
Room: S 10.222
Kanalstraße 33
73728 Esslingen

Phone: +49 151 29018946
Email: marcel.butschle@hs-esslingen.de

The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data (e.g., names, email addresses).

Storage Duration

Unless a more specific retention period is stated in this policy, your personal data remains with us until the purpose for processing no longer applies. If you request deletion or withdraw your consent, your data will be deleted unless we have other legally permissible reasons for retention (e.g., tax or commercial law obligations). In the latter case, deletion takes place after those obligations expire.

If you have consented to processing, we process your personal data on the basis of Art. 6(1)(a) GDPR and, where special categories of data pursuant to Art. 9(1) GDPR are processed, on the basis of Art. 9(2)(a) GDPR. In the case of express consent to the transfer of personal data to third countries, processing is also based on Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to access to information on your device (e.g., via device fingerprinting), processing additionally occurs under Section 25(1) TDDDG. Consent may be withdrawn at any time. If your data is required to fulfill a contract or to carry out pre-contractual measures, we process it on the basis of Art. 6(1)(b) GDPR. We also process data where necessary to fulfill a legal obligation (Art. 6(1)(c) GDPR) or on the basis of our legitimate interests (Art. 6(1)(f) GDPR). Information on the relevant legal basis in each case is provided in the sections below.

Recipients of Personal Data

In the course of our business, we work with various external parties. In some cases, transmitting personal data to these parties is necessary. We disclose personal data only when required to fulfill a contract, when we are legally obliged to do so (e.g., to tax authorities), when we have a legitimate interest pursuant to Art. 6(1)(f) GDPR, or when another legal basis permits the transfer. When using processors, we disclose personal data only on the basis of a valid data processing agreement. In the case of joint processing, a joint processing agreement is concluded.

Many data processing operations are possible only with your express consent. You can withdraw consent at any time. The lawfulness of processing carried out before the withdrawal remains unaffected.

Right to Object to Processing in Special Cases and to Direct Marketing (Art. 21 GDPR)

IF PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA; THIS ALSO APPLIES TO PROFILING BASED ON THOSE PROVISIONS. THE RELEVANT LEGAL BASIS FOR PROCESSING IS SET OUT IN THIS POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS (ART. 21(1) GDPR).

IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO SUCH PROCESSING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (ART. 21(2) GDPR).

Right to Lodge a Complaint with a Supervisory Authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. This right exists without prejudice to other administrative or judicial remedies.

Right to Data Portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract provided to you or to a third party in a commonly used, machine-readable format. If you request direct transfer to another controller, this will occur only where technically feasible.

Access, Rectification, and Erasure

Within the scope of applicable law, you have the right at any time to free access to your stored personal data, its origin and recipients, and the purpose of processing, and, where applicable, the right to rectification or erasure. You can contact us at any time regarding this and other questions concerning personal data.

Right to Restriction of Processing

You have the right to request restriction of processing. You can contact us at any time for this purpose. The right exists in the following cases:

  • If you contest the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of verification, you have the right to request restriction of processing.
  • If the processing is unlawful, you may request restriction instead of erasure.
  • If we no longer need your personal data but you need it for the establishment, exercise, or defense of legal claims, you have the right to request restriction instead of erasure.
  • If you have objected under Art. 21(1) GDPR, a balancing of interests must be carried out. Until it is determined whose interests prevail, you have the right to request restriction of processing.

If processing is restricted, such data—apart from storage—will be processed only with your consent or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State.

SSL/TLS Encryption

For security and to protect the transmission of confidential content that you send to us as the website operator, such as orders or requests, this site uses SSL/TLS encryption. You can recognize an encrypted connection by the change in the browser’s address line from “http://” to “https://” and by the lock symbol.

When SSL/TLS encryption is active, data you transmit cannot be read by third parties.

Objection to Promotional Emails

We hereby object to the use of contact data published in the context of legal notice obligations for the purpose of sending unsolicited advertising and information materials. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited advertising information, for example via spam emails.

4. Data Collection on This Website

Cookies

Our website uses cookies. Cookies are small data packets that do not harm your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are deleted automatically after your visit. Persistent cookies remain stored until you delete them yourself or your browser deletes them automatically.

Cookies can be set by us (first-party cookies) or by third parties (third-party cookies). Third-party cookies enable the integration of certain third-party services within websites (e.g., payment processing cookies).

Cookies have various functions. Many are technically necessary because certain website functions would not work without them (e.g., a shopping cart or video display). Other cookies may be used to analyze user behavior or for advertising purposes.

Cookies that are necessary to carry out the electronic communication process, to provide certain functions you request (e.g., a shopping cart), or to optimize the website (e.g., audience measurement) (“necessary cookies”) are stored on the basis of Art. 6(1)(f) GDPR unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies to ensure the technically error-free and optimized provision of services. Where consent to the storage of cookies and comparable recognition technologies has been requested, processing is based exclusively on such consent (Art. 6(1)(a) GDPR and Section 25(1) TDDDG); consent can be withdrawn at any time.

You can set your browser to inform you about the use of cookies, to allow cookies only in specific cases, to exclude them in certain cases or in general, and to enable automatic deletion when you close the browser. If cookies are disabled, some website functions may be limited.

This privacy policy lists the cookies and services used on this website.

Contact Form

If you send us inquiries via the contact form, we store the information you provide, including your contact details, for the purpose of processing the inquiry and for follow-up questions. We do not share this data without your consent.

Processing is based on Art. 6(1)(b) GDPR if your request is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, processing is based on our legitimate interest in effectively handling inquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), where requested; consent can be withdrawn at any time.

The data you enter in the contact form remains with us until you request deletion, withdraw your consent to storage, or the purpose for storage no longer applies (e.g., once your inquiry has been handled). Mandatory statutory provisions—especially retention periods—remain unaffected.

Web3Forms

Our contact form uses Web3Forms for form submission and delivery. When you submit the contact form, your data (name, email address, subject, and message) is transmitted to Web3Forms’ servers for processing and forwarding to us via email.

For more information about Web3Forms’ data handling, please visit: https://web3forms.com/privacy

Inquiries by Email, Telephone, or Fax

If you contact us by email, telephone, or fax, we store and process your inquiry, including all personal data arising from it (e.g., name, inquiry), for the purpose of handling your request. We do not share this data without your consent.

Processing is based on Art. 6(1)(b) GDPR if your request is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, processing is based on our legitimate interest in effectively handling inquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), where requested; consent can be withdrawn at any time.

The data you send to us via contact inquiries remains with us until you ask us to delete it, withdraw your consent to storage, or the purpose for storage no longer applies (e.g., once your request has been handled). Mandatory legal provisions—particularly statutory retention periods—remain unaffected.

5. AI Agent Service

Use of the AI-powered Chat Agent

Our website provides access to an AI-powered chat agent at agent.experimentaldesignhub.com (the “Agent”). When you use the Agent, the text you enter (prompts) and the Agent’s responses are processed to generate answers and to maintain the conversation context within your current session. You do not need to provide personal data to use the Agent; any personal information you include in your messages is provided voluntarily. The legal basis is our legitimate interest in providing a help/chat service (Art. 6(1)(f) GDPR); where non-essential analytics or similar technologies are used on the Agent site, processing additionally takes place based on your consent (Art. 6(1)(a) GDPR and Section 25(1) TDDDG).

OpenAI as our processor

To generate responses, we transmit your prompts (and the minimal technical metadata necessary to deliver the service) to OpenAI via its API. OpenAI processes this data solely on our instructions and under a Data Processing Addendum (DPA). OpenAI does not use data submitted through the API to train its models by default.

International data transfers and safeguards

Depending on your location and our configuration, processing by OpenAI may occur in the European Union or in third countries (e.g., the United States). Where data is transferred outside the EEA, we rely on appropriate safeguards, including the EU Standard Contractual Clauses (SCCs), and—where applicable—OpenAI’s participation in recognized transfer frameworks. In addition, OpenAI offers EU data residency for eligible API workloads, allowing processing and storage in Europe for supported endpoints.

Retention

  • By us (controller): We do not create long-term user profiles from Agent interactions. Conversation content is not stored by us beyond what is necessary to operate the session and troubleshoot service stability; routine application and security logs may contain technical metadata (e.g., timestamps, IP address) and are retained only as long as necessary for security and auditing (Art. 6(1)(f) GDPR).
  • By OpenAI (processor): Under OpenAI’s standard API terms, inputs and outputs may be retained for up to 30 days for abuse monitoring and service integrity, after which they are deleted unless OpenAI is legally required to retain them.

Your choices and rights

You may avoid entering personal data in prompts. You can exercise your GDPR rights (access, rectification, erasure, restriction, objection, and portability) regarding Agent interactions by contacting us via the details in this policy. If consent is used on the Agent site for non-essential technologies, you can withdraw it at any time with effect for the future.