Privacy Policy

Last updated: 8 April 2026

This is the English translation of our German privacy notice (Datenschutzerklärung). ChipMates gemeinnützige GmbH is a German company, so the German version is legally authoritative. We provide this English version so English-speaking users can read the notice in their own language. If anything differs, the German version prevails.

Preamble

With this privacy notice we want to explain to you which types of your personal data (also referred to below simply as "data") we process, for which purposes, and to what extent. This notice applies to all processing of personal data carried out by us, both in the provision of our services and in particular on our websites, in mobile applications, and within external online presences such as our social media profiles (collectively the "online offering").

The terms used are not gender-specific.

Contents
* Preamble
* Controller
* Overview of processing
* Relevant legal bases
* Security measures
* International data transfers
* Rights of data subjects
* Cookies and local storage
* Provision of the online offering and web hosting
* AI-powered chat service
* Audio service
* Bot protection (Cloudflare Turnstile)
* Conversion measurement (Google Ads)
* Reach measurement
* Processors

Controller

ChipMates gemeinnützige GmbH
represented by Michael Strasser
Schusterstr. 50
79098 Freiburg im Breisgau, Germany
Email: [email protected]

No data protection officer has been appointed, as the legal requirements for this are not met (Sect. 38 BDSG, the German Federal Data Protection Act).

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of data processed:
* Contact data
* Content data
* Usage data
* Meta, communication, and procedural data

Categories of data subjects:
* Communication partners
* Users

Purposes of processing:
* Contact requests and communication
* Security measures
* Management of and response to inquiries
* Feedback
* Provision of our online offering and usability
* Information technology infrastructure

Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection rules in your or our country of residence or establishment may apply. Should more specific legal bases be relevant in an individual case, we will inform you of these in this privacy notice.

  • Consent (Art. 6(1)(a) GDPR)
  • Performance of a contract and pre-contractual requests (Art. 6(1)(b) GDPR)
  • Legitimate interests (Art. 6(1)(f) GDPR)

National data protection rules in Germany: In addition to the data protection rules of the GDPR, national data protection rules apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). The BDSG contains special rules on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, transmission, and automated decision-making in individual cases including profiling. Data protection laws of the individual federal states may also apply.

Application of the GDPR and the Swiss FADP: This privacy notice serves to provide information both under the Swiss Federal Act on Data Protection (Swiss FADP) and under the General Data Protection Regulation (GDPR). For this reason, please note that, due to the broader territorial application and for clarity, the terms of the GDPR are used. In particular, instead of the terms "processing" of "personal data", "overriding interest", and "particularly sensitive personal data" used in the Swiss FADP, the terms "processing" of "personal data", "legitimate interest", and "special categories of data" used in the GDPR are used. The legal meaning of the terms is, however, still determined in accordance with the Swiss FADP where the Swiss FADP applies.

Security measures

We take appropriate technical and organizational measures in accordance with the legal requirements to ensure a level of protection appropriate to the risk. These measures cover in particular safeguarding the confidentiality, integrity, and availability of data.

The measures include controlling physical and electronic access to the data, safeguarding availability and segregation, and establishing procedures for exercising data subject rights, erasing data, and responding to threats to the data.

TLS/SSL encryption (https): To protect users' data, we use TLS/SSL encryption. This ensures the secure transmission of data between our website and the user's browser.

International data transfers

Where we process data in a third country (outside the EU or the EEA), this is done only in accordance with the legal requirements.

Data transfers to third countries take place only where the level of data protection has been recognized by an adequacy decision, through standard contractual clauses, explicit consent, or in the context of legally required transfers.

EU-US Trans-Atlantic Data Privacy Framework: Certain companies in the USA provide a recognized level of data protection through the Data Privacy Framework (DPF), which has been recognized as safe within the scope of an adequacy decision.

Rights of data subjects

As a data subject, you have various rights under the GDPR, including:

  • Right to object (Art. 21 GDPR): You have the right, on grounds relating to your particular situation, to object to the processing of your data based on Art. 6(1)(f) GDPR (legitimate interest). This concerns in particular processing for security and rate-limiting purposes.
  • Right to withdraw consent
  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR) and restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Erasing your data: Because all chat data is stored exclusively locally on your device (encrypted in IndexedDB), you can remove it completely at any time by clearing your browser data. Server-side erasure is not necessary, as we do not store chat content on our servers.

Competent supervisory authority: The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart, Germany, www.baden-wuerttemberg.datenschutz.de.

Cookies and local storage

We do NOT use tracking, analytics, or marketing cookies. The only cookie use is by Cloudflare (__cf_bm), a technically necessary security cookie for bot protection and firewall (Sect. 25(2) No. 2 TDDDG, the German Telecommunications-Digital-Services Data Protection Act). This cookie is set automatically by Cloudflare and requires no consent.

Provision of the online offering and web hosting

We process users' data in order to provide our online services. For this purpose we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Types of data processed:
* Usage data

Data subjects:
* Users

Legal bases:
* Legitimate interests (Art. 6(1)(f) GDPR)

Web hosting: The website is delivered via Cloudflare Pages (Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA) as a content delivery network. Cloudflare is certified under the EU-US Data Privacy Framework (DPF). When delivering the static website files (HTML, CSS, JavaScript), IP addresses are recorded in Cloudflare access logs. No chat content, audio data, or other user data is processed via Cloudflare Pages.

Audio servers: For voice processing (TTS/STT) we operate our own servers at Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Locations: Falkenstein and Nuremberg, Germany. Hetzner's privacy policy: https://www.hetzner.com/legal/privacy-policy.

Data is collected on the basis of Art. 6(1)(f) GDPR. The operator has a legitimate interest in the technically error-free presentation and reliable provision of the service.

AI-powered chat service

Our chat service uses artificial intelligence (AI) to generate educational content. The following data is processed:

Data processed:

  • Your chat inputs (text messages to the AI assistant)
  • Technical data (hashed IP address, timestamp, browser identifier)
  • Language setting

Purpose of processing: Provision of the AI-powered educational service (Art. 6(1)(b) GDPR, performance of a contract).

Processors:

  • Nebius B.V. (Netherlands), processing in eu-north1 (Finland, EEA). Purpose: AI inference (text generation) in the free mode. No data retention (Zero Data Retention enabled). No training on user data. The data processing agreement is integrated into the Nebius terms of use.
  • OpenRouter, Inc. (USA). Purpose: API routing for AI inference in BYOK mode (bring your own key). Users provide their own API key, which is stored exclusively locally in the browser. OpenRouter forwards requests to the selected AI provider. Privacy policy: https://openrouter.ai/privacy.
  • Cloudflare, Inc. (USA), processing predominantly in Europe. Purpose: API proxy, security (WAF, bot protection), rate limiting. The data processing agreement is available in the Cloudflare dashboard. EU Cloud Code of Conduct compliance mark.

Storage period: Chat content is NOT stored on our servers. AI responses are streamed directly to your browser. Security logs (only when blocked by the content filter) are retained for up to 90 days in anonymized form (IP hashed). Rate-limit counters are stored for 24 hours (IP hashed).

Note: Please do not enter personal data (name, address, phone number, email, bank details) into the chat.

Audio service (speech synthesis and speech recognition)

For speech output (text-to-speech) and speech input (speech-to-text) we use our own servers in Germany:

  • Location: Hetzner GEX130, Falkenstein and Nuremberg, Germany
  • Data processing exclusively in Germany
  • Voice data is transmitted for processing and deleted immediately after conversion
  • Voice input is not recorded or stored
  • Audio data is transmitted directly from the browser to the Hetzner servers (no third party involved)

Minors / users under 16

Pursuant to Art. 8 GDPR in conjunction with Sect. 8 BDSG, persons under 16 require the consent of a parent or guardian to use the chat service insofar as personal data is processed.

We have implemented the following protective measures:

  • Age confirmation before first use of the chat
  • Notice of the requirement for parental consent
  • Technical content safeguarding (multi-layered content filtering)
  • Youth Protection Officer appointed (see Imprint)

Technically necessary storage

We do NOT use tracking, analytics, or marketing cookies. The following technically necessary storage takes place on your device (Sect. 25(2) No. 2 TDDDG):

  • Chat history and conversations (IndexedDB, encrypted with AES-256-GCM, exclusively local on your device)
  • Language setting (localStorage)
  • Consent to the terms of use (localStorage)
  • Age confirmation (localStorage)
  • Session data (sessionStorage, deleted when the tab is closed)
  • Cloudflare security cookies (__cf_bm): technically necessary for bot protection and WAF

You can remove all locally stored data completely at any time by clearing your browser data.

Processors

Provider Purpose Location
Cloudflare, Inc. CDN, WAF, API proxy, bot protection Edge (EU-prioritized)
Nebius B.V. AI inference (free mode) eu-north1, Finland (EEA)
OpenRouter, Inc. AI inference (BYOK mode) USA (depending on the selected model)
Hetzner Online GmbH Audio servers (TTS/STT) Falkenstein + Nuremberg, Germany

Bot protection (Cloudflare Turnstile)

To protect against automated abuse we use Cloudflare Turnstile, a bot-protection service from Cloudflare, Inc. This loads an external script from challenges.cloudflare.com. Turnstile works in invisible mode (no CAPTCHA) and generates a security token to verify that the request comes from a real user. No personal data is transmitted to Cloudflare beyond the technically necessary connection.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in the security and integrity of the service.

Conversion measurement (Google Ads, only with your consent)

If you reach our website via a Google ad, the URL contains a click identifier (gclid). The gclid is an identifier issued by Google per click. Because Google can link it to your click and, where applicable, to your Google account, we treat it as personal data, not as an anonymous identifier.

The gclid is stored in your browser's sessionStorage (not a cookie). It is bound to the browser tab. A transfer to Google takes place exclusively if you give your explicit consent. This consent is offered only to visitors who arrive via a Google ad, and it is optional. Without consent, nothing is transmitted to Google.

With your consent, we transmit the gclid on certain events (profile creation, selecting a learning mode, using a Council) server-side via the Google Ads Conversion API, so that the ad can be matched to a conversion (no JavaScript tracker, no pixel on the website). What is transmitted: the gclid, the triggered event (as a conversion action), a value, a currency, a timestamp, and an order ID (gclid plus event, for de-duplication). Neither the selected figure nor your country code, no conversation content, and no other personal data is transmitted. We do not store the gclid permanently on our systems.

The recipient is Google (Google Ireland Limited and Google LLC, USA). A transfer to the USA may take place. Google is certified under the EU-US Data Privacy Framework.

Legal basis: Your consent (Art. 6(1)(a) GDPR and Sect. 25(1) TDDDG). You can withdraw your consent at any time with effect for the future, in Settings under "Privacy" via "Withdraw ad-measurement consent". Withdrawal deletes the stored gclid.

Reach measurement

We count an anonymous counter per server-side counted activity (for example a started chat, a started or completed playback of a story, teaching, prism, or council, a page view). Only structural labels are recorded: the endpoint used, the selected figure, the selected mode, the language (en or de), and the 2-letter country code derived at the Cloudflare edge (two-letter ISO code, for example DE or XX for unknown). No IP addresses are stored in analytics records, no user profiles are built, no cookies are set, and no source or channel label is stored. There is no recognition across sessions.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in measuring the effectiveness of our nonprofit public outreach. The purely aggregate, anonymous measurement falls below the threshold of personal data under Recital 26 GDPR. Sect. 25 TDDDG does not apply to the measurement itself, as no information is stored on or read from your device as part of the counting. Locally stored information that is technically necessary for operating the app (for example the language setting, a session UUID for rate limiting) is exempt under Sect. 25(2) TDDDG.

Note on music used

Some of the music used on this website was created with the AI-based music generation platform Udio. The music files are delivered as static files from our servers. No data is transmitted to Udio or other third parties during playback. Further music tracks are properly licensed (see Imprint for music credits).

Dispute resolution

We are not willing or obliged to participate in dispute resolution proceedings before a consumer arbitration board.

Start Exploring