Information according to the EU General Data Protection Regulation for processing personal data This sheet contains information about the processing of your personal data in a scientific study at the Max Planck Institute for Intelligent Systems, campus Stuttgart.
The Max-Planck Society for the Advancement of Science (MPG e.V.) processes personal data in accordance with current data protection regulations. Your data are not published by us or disclosed to unauthorized third parties. Collection and use of your data in human studies is described below.
The responsible office according to the European General Data Protection Regulation (EU GDPR, Art. 13, §1, Letter a) and other national data protection laws, BDSG (German Federal Data Protection Act) and further data protection regulations is the
Max-Planck-Gesellschaft zur Förderung der Wissenschaften e.V. (MPG e.V.)
Hofgartenstraße 8
D-80539 München
Phone: +49 (89) 2108-0
Contact form: https://www.mpg.de/kontakt/anfragen/
Internet: https://www.mpg.de
If you require information about what data is stored, its correction or deletion, or have questions concerning the use of your personal data please contact
Ass. jur. Heidi Schuster
Hofgartenstraße 8
D-80539 München
Phone: +49 (89) 2108-1554
Email: datenschutz@mpg.de
The Study Leader is responsible for compliance of the data processing with data protection regulations. The contact information of the Study Leader is on your copy of the Declaration of Consent under Data Protection.
Test person data are collected for the organization of scientific of scientific studies and are exclusively used for the recruiting process and the analysis of the experiment at the Max Planck Institute for Intelligent Systems. Data is used for the following purposes:
personal data is only used for the above-mentioned purposes and to the extent required to attain these purposes. Data for accounting purposes will be processed separately from data taken for research purposes.
Your personal data is stored according to EU GDPR Art. 6, Subsection 1, Letter (a) and Art. 9 subsection 2, Letter (a) based on your consent to the processing of personal data for specific purposes.
In general, original scientific data must be archived for 10 years which includes personal data of participants in pseudonymized form. Long-term studies may require a longer duration. If you cancel your registration for an experiment, your personal data will be deleted immediately. Data for accounting purposes will be stored for 10 years.
In any case you may contact
datenschutz@is.mpg.de
or the aforementioned contact persons to have your personal data deleted.
The following personal data of test persons may be stored and processed within the scope of an experiment:
Study-related personal data are only evaluated for for scienfic purposes and are stored separately from other personal data which may identify the test person as an individual. The data obtained as result of the experiment or analysis is anonymized and cannot be related to an individual. Data recorded within a study may be processed for a future analysis in an institute laboratory. Study-related data in anonymized form may be used for scientific research work and may be published in a scientific journal in anonymized form. Access to study-related personal data is only granted for authorized employees and scientists who have obliged themselves in writing to observing data protection regulations. This obligation persists also after an employment or contract period.0
For scientific analysis purposes study-related data may be sent to cooperation partners within the realm of EU GDPR jurisdiction and to cooperation partners outside the EU GDPR in anonymized form. This includes countries with data protections levels different from the GDPR.
As part of this study, user-submitted prompts and associated interaction data are sent to third-party AI model providers for processing. All model endpoints are accessed through Microsoft Azure (Azure AI Foundry / Azure OpenAI Service), which acts as the data processor. Depending on the models selected during a session, user prompts may be forwarded to the following companies:
Several open-weight models are also used in this study (including DeepSeek, Llama, Mistral, Ministral, and Kimi). These models are hosted and executed entirely on Microsoft Azure infrastructure. No user data is transmitted to the original model developers for these open-weight models.
The list of models and providers may change over the course of the study. User prompts are transmitted to providers solely for the purpose of generating model responses as part of the study and are not used beyond this scope by the study organizers. Each provider's own data processing practices are governed by their respective privacy policies. For reference, Microsoft's privacy statement is available at https://privacy.microsoft.com/privacystatement.
Your use of the Platform is governed by the Terms of Use, which include the acceptable use policy, prohibitions on crawling, scraping, and model distillation, rate limits (500 requests per user account and per IP address within each 24-hour window), and the enforcement measures that may be taken in case of violations. Please review the Terms of Use in full before using the Platform.
This platform uses Matomo, an open-source web analytics tool, to collect anonymised usage statistics such as page views, referral sources, and general navigation patterns. The Matomo instance is hosted entirely on infrastructure operated by the Max Planck Institute in Tübingen (piwik.tuebingen.mpg.de). No analytics data is transferred to any third party. All data remains on institute servers within the European Union.
Matomo is configured to respect user privacy in compliance with the GDPR. IP addresses are anonymised before storage. If you have enabled "Do Not Track" in your browser, Matomo will respect this setting and will not track your visit. You may also opt out of analytics tracking via the cookie consent banner.
The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest in understanding platform usage to improve the study) and, where analytics cookies are used, Art. 6(1)(a) GDPR (your consent via the cookie consent banner).
To protect the Platform against automated abuse — in particular the mass creation of fake accounts by bots and scripted clients, which would distort the scientific data collected in this study — the account registration form is protected by Cloudflare Turnstile, a privacy-focused CAPTCHA alternative operated by Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA).
When you open the registration form, your browser loads the Turnstile widget from Cloudflare and runs a number of non-intrusive checks in the background to assess whether the request originates from a human or from an automated system. In most cases this happens without any action on your part; occasionally you may be asked to confirm a checkbox. To perform this assessment, Cloudflare processes technical information such as your IP address, browser and device characteristics, and behavioural signals from your interaction with the page. According to Cloudflare, Turnstile does not use this information for advertising or cross-site tracking and does not rely on tracking cookies for this purpose.
If the check is passed, your browser receives a single-use token. This token is transmitted to our server together with your registration, and our server confirms its validity with Cloudflare before an account is created. The token itself does not identify you, and no personal data beyond the technical information described above is shared with Cloudflare for this purpose. Turnstile is only active on the registration form; it is not loaded while you browse the Platform or submit prompts.
Because Cloudflare is a company based in the United States, this processing may involve a transfer of personal data to the USA. Such transfers are safeguarded by appropriate measures, in particular the EU-U.S. Data Privacy Framework and/or the European Commission's Standard Contractual Clauses. The legal basis for this processing is Art. 6(1)(f) GDPR (our legitimate interest in protecting the Platform and the integrity of the collected research data against automated abuse, spam, and fraud). Cloudflare's privacy policy is available at https://www.cloudflare.com/privacypolicy/.
The platform uses the following cookies:
Essential cookies are required for the basic operation of the platform and cannot be disabled. Analytics cookies are only set if you consent via the cookie consent banner. For more information on functionality and analytics cookies, please refer to the cookie consent banner displayed when you first visit the platform.
The Max Planck Institute for Intelligent Systems uses technical and organizational measures to protect your personal data against accidental or malicious manipulation, loss, destruction, or access by unauthorized persons. Security measures are permanently adapted to the actual technological and organizational standards. If a special IT-system is used to organize and administer personal test person data, the operation and administration of this system will be based on EU GDPR Art. 6, Subsection 1, Letter (b) in order to fulfill contractual obligations. Personal data stored on this system will not be combined with or related to other data collected during the operation of this IT-system.
Right to withdraw your consent: GDPR article 7 / §83 SGB X
The legal basis for the processing of personal data is laid down in chapter 2, Art. 6, Letter 1 of the GDPR of the EU. If the data processing is based on your explicit consent (letter a), you are entitled to withdraw your consent any time with immediate effect for the future. This is of particular importance for test persons involved in human studies.
Right of getting access to processed data: GDPR article 15 / §83 SGB X
Within the rules laid out by European and German legislation data owners have the right to request information as to whether an agency or business is processing your personal data. A data owner may further request information about personal data stored by an agency or business, their origin, further recipients, and the purpose of the data processing.
Right to correction of inaccurate data: GDPR article 16 / §84 SGB X
Data owners have the right to request correction of incorrectly stored or processed personal data.
Right to deletion of personal data: GDPR article 17 / §84 SGB X
Within the rules laid out by European and German legislation data owners have the right to request immediate deletion of personal data stored or processed by an agency or business.
Right to restrict data processing: GDPR article 18 / §84 SGB X
Within the rules laid out by European and German legislation a data owner has the right to request that agencies or businesses restrict the processing of personal data.
Right to data portability for one's own personal data: GDPR article 20
The data owner has the right to receive personal data that has been provided to an agency or business in a structured, commonly used and machine readable format and transfer them to another agency or business without being hindered by the agency or business these data have been received from.
Right to object against the processing of personal data: GDPR article 21 / §84 SGB X
Depending on the personal situation the data owner has the right to object against data processing by an agency or business for certain purposes, e.g., scientific or historical research or statistical purposes as laid out in GDPR article 89.
Right to complain: GDPR article 77
The data owner has the right to file a complaint with a supervising authority if the owner considers that storing or processing of personal data is in conflict with the rules laid out in the GDPR.
The responsible data protection supervising authority for the Max Planck Society is:
Bayrisches Landesamt für Datenschutzaufsicht (BayLDA)
PO Box 606, 91511 Ansbach
Phone: +49 (0) 981 53 1300
Telefax: +49 (0) 981 53 98 1300
Email: poststelle@lda.bayern.de