Datenschutzerklärung – AI Fair Use Org

Valid from: 10.10.2025 - Version: v1.1

Person responsible

Authorised representative(s): Marco Meid, owner

2. Purposes, legal basis and storage period

2.1 Website operation & log files

When our website is accessed, technically necessary data is processed (IP address, date/time, URL, referrer, user agent). The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in secure and stable provision). Log files are usually deleted after 30 days.

2.2 Contact

If you contact us by email/telephone/form, we will process your details to deal with your enquiry. The legal basis is Art. 6 para. 1 lit. b GDPR (contract/initiation) or lit. f (general enquiries). Storage period: until completion of the enquiry and statutory retention periods.

2.3 Cookies & Consent

We only use technically necessary cookies. Non-essential cookies are only set with your consent (Art. 6 para. 1 lit. a GDPR in conjunction with §25 TTDSG).

2.4 Contractual services

Data of members, interested parties and donors are processed for the fulfilment of the contract (Art. 6 para. 1 lit. b GDPR).

3. Self-audit / label request and publication

Companies can use our "AIFU Self-Audit" online form to carry out a self-assessment of their use of AI and compliance with ethical and legal standards. By submitting the self-audit, a contractual relationship is established between the submitting company and AI Fair Use regarding the assessment, award and possible publication of the AIFU label.

Processed data:
Company name, name and contact details of the contact person (e-mail address, telephone number if applicable), country, audit parameters (AI input rate, AI output rate, Human Oversight Index, transition rate, provenance score, compliance score), comments and voluntary information in explanatory fields or links.

Purposes of the processing:

Carrying out and analysing the self-audit,
Creation of the AIFU score and a preliminary or final label,
Storage and maintenance of the audit results as part of the contractual relationship,
Communication with the participating company,
Optional publication of company data and label results in the public AIFU database (including company name, country and score values),
Ensuring transparency and traceability in terms of ethically responsible AI use.

Legal basis:
The processing takes place on the basis of

Art. 6 para. 1 lit. b GDPR (contract fulfilment in the context of the audit and label award) and
Art. 6 (1) (f) GDPR (legitimate interest in the transparent evaluation of AI use and the promotion of ethical AI practices). The label results will be published within the framework of this contractual relationship. Any further use (e.g., for marketing purposes) will only take place with separate consent in accordance with Art. 6 (1) (a) GDPR.

Storage period:
Self-audit data will be stored for the duration of the contractual relationship and up to three years after expiration or revocation of the label, provided that statutory retention periods or proof obligations exist.
Anonymized or aggregated audit data may be permanently stored and published for statistical, transparency, or research purposes.

Recipients:
Internally responsible employees of the AI Fair Use Org as well as technical service providers (hosting, IT support, database maintenance if necessary).
Data will not be passed on to third parties outside of the described purpose.

Publication in the AIFU database:
After completion of the self-audit and a positive assessment, the company name, country, and the relevant score values (AI-IQ, AI-OQ, HOI, TR, PS, CS) can be published in the public AIFU label database on our website.
Personal contact details of individuals will not be published.

Transfer to third countries:
If external AI tools or cloud services outside the EEA are used for the audit evaluation, transmission will only take place on the basis of appropriate guarantees (e.g. EU standard contractual clauses and additional technical protection measures).

4. Newsletter

E-mail notification system

Description of data processing

We offer a notification system on our website that allows you to register for e-mail notifications for certain categories of posts. We collect and process the following data for this purpose:

E-mail address
Selected contribution categories
Dispatch type (e.g. daily or weekly summary)
Date of registration
Date of confirmation

Registration takes place via a double opt-in procedure. After registering, you will receive an e-mail with a confirmation link. Only after your confirmation will the registration be finalised. This serves to ensure that you have actually registered.

Purpose and legal basis

Your e-mail address and other data provided by you will be processed solely for the purpose of providing the requested notifications.

The legal basis for the processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR.

Storage duration

Your data will be stored as long as you are registered for the notifications. After unsubscribing via the unsubscribe function, your data will be deleted immediately after confirmation of the link in the opt-out e-mail. If you send us an informal message, your data will be deleted within 14 days, unless legal regulations require longer storage. If you would like to unsubscribe, please use the unsubscribe function in "Notify me" at the bottom of this page.

Passing on the data

Your data will not be passed on to third parties and will only be used for sending the notifications.

The e-mail notification system serves exclusively as a supplementary service. We accept no liability for the complete, correct or timely delivery of notifications. Technical faults, in particular with the e-mail service provider, the Internet connection or spam filters, may prevent delivery. The non-delivery of notifications does not give rise to any claims against the provider.

The notification system does not release registered users from the obligation to regularly check the website for current content.

5. Recipients & Processors

We only pass on personal data if this is permitted by law. Recipients may include IT service providers, hosting providers, email and newsletter service providers, payment and dispatch service providers or consultants. We conclude contracts with processors in accordance with Art. 28 GDPR.

Category	Company	Country	Legal basis
Hosting	Strato GmbH, Otto-Ostrowski-Straße 7, 10249 Berlin	Deutschland/EU	Art. 6 Abs. 1 lit. f/b DSGVO
Newsletter	AI Fair Use Org (siehe oben)	Deutschland/EU	Art. 6 Abs. 1 lit. a DSGVO; SCC

6. Transfers to third countries

If data is transferred to third countries (outside the EEA), we ensure suitable guarantees, e.g. EU standard contractual clauses and additional measures (e.g. encryption).

7. Your rights

Information (Art. 15 GDPR)
Rectification (Art. 16 GDPR)
Deletion (Art. 17 GDPR)
Restriction (Art. 18 GDPR)
Data portability (Art. 20 GDPR)
Objection to processing on the basis of legitimate interests (Art. 21 GDPR)
Revocation of consent given with effect for the future (Art. 7 para. 3 GDPR)
Complaint to a supervisory authority (Art. 77 GDPR)

7.1 Supervisory authority

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden.

8. Security

We take appropriate technical and organisational measures (TOM) to secure your data (e.g. encryption, access controls, backups, authorisation concepts) in accordance with Art. 32 GDPR. In the event of data protection incidents, we inform data subjects and authorities in accordance with Art. 33/34 GDPR.

9. Use of AI tools

If we use AI-supported services for internal support (e.g. text drafts, translations), we only process the data necessary for the purpose and - if a third country transfer takes place - on the basis of suitable guarantees. Personal content is anonymised or pseudonymised where possible. Fully automated decision-making within the meaning of Art. 22 GDPR does not take place.

10. Obligation to provide / Profiling

The provision of personal data is generally not required by law. Without certain information, however, there may be restrictions on the use of services (e.g. sending the newsletter). Profiling for marketing purposes only takes place with consent.

11. Changes

We will adapt this privacy policy if the legal situation, services or processing changes. The current version is available at https://ai-fair-use.org/datenschutz.

Links: Contact