Data privacy

Privacy Policy as of: June 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

weyer data engineering gmbh

Schillingsstraße 329, 52355 Düren, Germany

Email: info@weyer-data-engineering.com

Phone: +49 (0) 2421 69091 0

2. Contact for Data Protection Inquiries

The appointment of a data protection officer is not legally required. For data protection inquiries, please contact the following point of contact:

Cihangir Günbay (Information Security Officer / ISO)

weyer data engineering gmbh, Schillingsstraße 329, 52355 Düren, Germany

Email: data-privacy@aiteza.ai

Phone: +49 (0) 2421 69091 0

3. General Information on Data Processing

We collect personal data only to the extent necessary to provide our services or when you voluntarily provide such data to us. Personal data means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).

4. Purposes of Data Processing

We process your data for the following purposes:

  • Provision, operation, and improvement of our website and the AITEZA platform
  • Authentication and management of your user account
  • Processing of your inputs (prompts, uploaded documents) for the provision of the AI-supported service
  • Responding to inquiries submitted via the contact form
  • Sending information, provided you have expressly consented thereto
  • Ensuring IT security and system stability
  • Compliance with legal obligations

5. Legal Bases for Processing

The processing of your personal data is based on the following legal bases:

  • Art. 6(1)(a) GDPR (Consent): Insofar as you have given us consent to the processing, e.g., for receiving newsletters.
  • Art. 6(1)(b) GDPR (Performance of a contract): Insofar as the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, in particular for the provision of the AITEZA platform.
  • Art. 6(1)(c) GDPR (Legal obligation): Insofar as we are subject to a legal obligation, e.g., tax law retention obligations.
  • Art. 6(1)(f) GDPR (Legitimate interests): Insofar as the processing is necessary to protect our legitimate interests. Our legitimate interests lie in particular in ensuring IT security, fraud prevention, improving our services, and enforcing legal claims.

6. Server Log Files

Each time our website or platform is accessed, the following data is automatically collected by the web server:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the page accessed
  • Amount of data transferred
  • Browser type and version
  • Operating system
  • Referrer URL

This data is processed exclusively to ensure smooth operation and to maintain IT security. The legal basis is Art. 6(1)(f) GDPR. Log files are automatically deleted after 30 days.

7. Cookies and Similar Technologies

Our website uses only technically necessary cookies or comparable technologies, insofar as this is required for the operation of the website, login, and authentication. The use is based on §25(2) TDDDG (German Telecommunications Digital Services Data Protection Act) and, insofar as personal data is processed, on the basis of Art. 6(1)(b) and (f) GDPR. We do not use analytics or marketing cookies. Statistical analysis of website usage is carried out, if applicable, via a cookieless web analytics service. Further information can be found in the following section.

8. Web Analytics with Plausible Analytics

For statistical analysis of the use of our website, we use Plausible Analytics in the cloud version. Plausible Analytics is a privacy-friendly web analytics service that operates without cookies, without persistent identifiers, without IP address storage, and without user-related profiles.

The processing is carried out for reach measurement, technical optimization of our website, and improvement of our offering. In particular, information about pages accessed, referrers, browsers used, operating systems, device types, as well as date and time of access is processed in aggregated form. Recognition of individual users, cross-device tracking, or profiling does not take place.

IP addresses are not processed or stored in connection with Plausible Analytics. Processing of IP addresses occurs exclusively within the scope of server log files pursuant to Section 6.

The legal basis of the processing is Art. 6(1)(f) GDPR. Our legitimate interest lies in the privacy-friendly analysis of the use of our website, reach measurement, and optimization of our online offering.

Plausible Analytics is used as an external service provider. Insofar as personal data is processed on our behalf, this is carried out on the basis of a data processing agreement pursuant to Art. 28 GDPR. Further information on data processing by Plausible Analytics can be found at plausible.io/privacy.

9. User Account / Registration

The use of the AITEZA platform requires the creation of a user account. In this process, we collect:

  • First and last name
  • Email address
  • Company affiliation
  • Password (stored in encrypted form)

The legal basis is Art. 6(1)(b) GDPR (performance of a contract). The data is stored for the duration of the contractual relationship and beyond in accordance with statutory retention periods.

10. AI-Specific Data Processing

The AITEZA platform processes text inputs (prompts), uploaded documents, and chat histories using AI models. The following principles apply:

  • Processing in controlled infrastructure: User inputs and documents are processed either in our controlled infrastructure or via the external AI services named in Section 11, depending on the model selected. Our own SaaS and demo infrastructure for hosting and locally operated models is operated in the Google Cloud region europe-west3 (Frankfurt, Germany).
  • No training with your data: Your inputs and documents are not used for training AI models.
  • Storage duration of chat histories: Chat histories are stored for the duration of your active use to enable you to access previous conversations. You can delete individual histories at any time. After deletion of the user account, all histories are irrevocably deleted within 30 days.
  • No access by third parties: Only those technical systems and service providers that are necessary for the provision of the respectively selected function have access to your inputs or uploaded documents. The specific service providers and processing locations are set out in Section 11.

The legal basis for the processing required for the use of the platform is Art. 6(1)(b) GDPR. Insofar as individual processing operations are based on other legal bases, this is indicated separately in the respective sections.

11. Hosting, Processors, and AI Service Providers

Our demo platform and website are operated in an infrastructure controlled by us. For the hosting and operation of the platform, we use Google Cloud EMEA Limited as a processor pursuant to Art. 28 GDPR. The storage and processing of usage and login data takes place exclusively in the Google Cloud region europe-west3 (Frankfurt, Germany).

Part of the AI processing takes place locally with internally operated models within our own Kubernetes environment. No external processors are used for this local model operation.

Insofar as users select external AI models or AI API services within the AITEZA platform, the processing of the data required for this purpose takes place exclusively for the provision of the respectively requested AI function. The AI service providers used act as processors pursuant to Art. 28 GDPR, insofar as they process personal data on behalf of and under the instructions of weyer data engineering gmbh.

In the context of AI API usage, the following data categories may in particular be processed:

  • Text inputs of the user, in particular prompts, questions, work instructions, and other inputs in the AITEZA platform
  • Uploaded or user-provided documents and file contents, insofar as these are processed for the selected AI function
  • Chat histories and conversation contents, insofar as these are necessary for the continuation or contextualization of a request
  • Technical metadata, in particular timestamps, session information, model and API information, and technical log data for the provision, security, and traceability of the processing
  • User and account information, insofar as these are necessary for authentication, authorization, tenant assignment, or technical provision of the platform

The purpose of processing by the AI service providers used is exclusively the execution of the AI inference triggered by the user, i.e., the technical processing of inputs to generate a response, summary, analysis, structuring, or other output within the AITEZA platform.

Processing for the AI service providers' own purposes does not take place. In particular, inputs, uploaded documents, chat histories, and other user content are not used for training, further development, or improvement of the AI models of the service providers used. Use of the processed content for model training, product improvement, or profiling by the AI service providers is contractually excluded.

The processing is carried out on the basis of data processing agreements pursuant to Art. 28 GDPR. These regulate in particular the subject matter and duration of the processing, the nature and purpose of the processing, the types of data processed, the categories of data subjects, the technical and organizational measures, instruction rights, confidentiality obligations, and the use of any sub-processors. The service providers used may only process personal data within the scope of the contractually agreed purposes and instructions.

The respective AI service providers used, their purpose, processing location or region, and their role as processor pursuant to Art. 28 GDPR are set out in the following overview:

| Processor | Purpose | Location | Role |
|---|---|---|---|
| Google Cloud EMEA Limited | Hosting and operation of the demo instance, Kubernetes infrastructure, storage and processing of usage and login data | europe-west3, Frankfurt, Germany | Processor pursuant to Art. 28 GDPR |
| Gemma (Google), locally operated | Local model processing in our own Kubernetes environment | europe-west3, Frankfurt, Germany | Internal model operation; no external processor |
| Google Gemini 2.5 Pro | External AI functions via API | europe-west4, Eemshaven, Netherlands | Processor pursuant to Art. 28 GDPR |
| Google Gemini 2.5 Flash | External AI functions via API | europe-west3, Frankfurt, Germany | Processor pursuant to Art. 28 GDPR |
| Claude via AWS Bedrock | External AI functions via API | eu-central-1, Frankfurt, Germany | Processor pursuant to Art. 28 GDPR |
| ChatGPT / OpenAI via Microsoft Azure | External AI functions via API | Germany West Central, Frankfurt am Main, Germany | Processor pursuant to Art. 28 GDPR |
| Mistral Large 3 via Mistral Cloud | External AI functions via API | Paris, France | Processor pursuant to Art. 28 GDPR |
| Hetzner Online GmbH | Current document processing / hosting, until migration to Google | nbg1, Nuremberg, Germany | Processor pursuant to Art. 28 GDPR |
| Plausible | Cookieless web analytics, reach measurement, and technical optimization of the website | EU/EEA | Processor pursuant to Art. 28 GDPR |

We have concluded data processing agreements pursuant to Art. 28 GDPR with all processors.

12. Data Transfers to Third Countries

According to the current technical and contractual configuration, the processing of personal data via the hosting, platform, analytics, and AI services used takes place within the European Union or the European Economic Area. The service providers used are contractually obligated to restrict processing to the agreed processing locations.

A transfer of personal data to a third country does not take place as a matter of principle. Should a transfer or access from a third country nevertheless be required in individual cases, this will only occur on the basis of the respectively applicable safeguards pursuant to Art. 44 et seq. GDPR, in particular on the basis of an adequacy decision of the European Commission or appropriate standard contractual clauses.

13. Disclosure of Data to Third Parties

Personal data is only disclosed to external parties insofar as this is legally permissible, in particular for the performance of a contract, due to legal obligations, or when using processors pursuant to Art. 28 GDPR. Processors used process personal data exclusively on the basis of contractual agreements and under the instructions of weyer data engineering gmbh. Further information on the service providers used can be found in Section 11.

14. Storage Duration

We store your personal data only for as long as is necessary for the respective processing purpose. Unless a more specific storage period is stated in this privacy policy, personal data is generally deleted after 30 days.

Excluded from this are data that are necessary for the authentication, management, and provision of the user account. These data are stored for the duration of the existence of the respective user account. If the user account is deleted or closed, the personal data stored for this purpose will be deleted, unless statutory retention obligations apply.

Uploaded documents and file contents provided by the user are stored until the user deletes them or the associated user account is closed. If the user account is closed, the uploaded documents and associated file contents will be deleted, unless statutory retention obligations apply.

Chat histories are stored for the duration of active use of the user account to enable access to previous conversations. Users can delete individual chat histories at any time. After deletion or closure of the user account, stored chat histories will be deleted within 30 days, unless statutory retention obligations apply.

Prompts, AI inputs, AI outputs, temporary processing data, and technical processing data are generally deleted after 30 days, unless they are part of a stored chat history, a dataroom, or another platform function used by the user.

Insofar as technical index, search, or vector data is generated from uploaded documents, these are deleted together with the underlying document, but no later than upon closure of the associated user account.

Statutory retention obligations remain unaffected. Relevant retention periods arise in particular from:

  • § 147 AO (German Fiscal Code) (tax law: up to 10 years)
  • § 257 HGB (German Commercial Code) (commercial law: up to 6 years)

15. SSL/TLS Encryption

We take appropriate technical and organizational measures to protect personal data against loss, manipulation, unauthorized access, and unauthorized disclosure. These include in particular transport encryption via TLS, role-based access controls, tenant separation, logging of security-relevant events, protection of uploaded documents, regular data backups, and organizational authorization concepts. The measures are selected and continuously reviewed taking into account the state of the art, the nature, scope, and purposes of the processing, and the respective risk.

16. Automated Decision-Making and Profiling

No automated decision-making within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you. The AI-supported processing within AITEZA serves exclusively for information preparation and assistance. The content generated is to be reviewed by the user on a professional basis; final decisions are always made by the user themselves. Profiling does not take place.

17. Your Rights

You have the following rights with regard to your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR) – You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Art. 6(1)(f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR) – Insofar as you have given consent to data processing, you may withdraw this consent at any time with effect for the future. The lawfulness of the processing carried out until the withdrawal remains unaffected.

To exercise your rights, please contact our data protection contact point (see Section 2).

18. Obligation to Provide Personal Data

The provision of personal data is neither legally nor generally contractually required. However, for the use of the AITEZA platform and for certain functions, in particular registration, authentication, and the use of selected AI functions, the provision of certain data is necessary. Without this data, no user account can be created or the respective function cannot be provided.

19. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data by us (Art. 77 GDPR). The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)

Postfach 20 04 44, 40102 Düsseldorf

Phone: +49 (0) 211 38424-0

Email: poststelle@ldi.nrw.de

20. Currency and Amendment of this Privacy Policy

This privacy policy is as of June 2026. We reserve the right to amend this privacy policy as necessary to adapt it to changed legal situations, official requirements, or changes to our services. The current version can always be found on our website.

Ⓒ 2026 weyer data engineering