Privacy Policy
AI Chatbot KARLA
1. Data Controller
The entity responsible for data processing in connection with the AI chatbot KARLA is:
Steinbeis Transfer Center for Digital Media and Communication, Johannisbeerweg 13
69469 Weinheim
Represented by: Dr. Gerald Lembke
2. Data Protection Officer
If you have any questions about data protection or exercising your rights, please contact our
External Data Protection Officer:
Ina Schöne, Certified AI Officer, Certified Data Protection Auditor (TÜV Rheinland), Certified
Data Protection Officer with IT Security Certification from TÜV Rheinland
14 Erfurter Street, 99867 Gotha
Phone: +49 (0) 179 292 0615
Email: kontakt@datenschutzspezialistin.de
3. Purpose of this Privacy Policy
This Privacy Policy informs you about the processing of personal data when using the AI-powered chatbot KARLA. KARLA is a freely accessible chatbot that provides users with information about public services offered by the city and region of Karlsruhe and assists them in planning visits and trips to the region. Using the chatbot does not require registration or a user account.
4. Purpose of Data Processing
The KARLA chatbot is designed to provide automated tourist information about the city and region of Karlsruhe. Users can use the chatbot to obtain information about attractions, events, restaurants, accommodations, and other public services, and to plan their stays and trips to the region on their own.
5. Legal basis for processing
The processing is carried out on the basis of Article 6(1)(f) of the GDPR (legitimate interest). Our legitimate interest is to provide users with easy, efficient, and up-to-date access to public information about the city and region of Karlsruhe and to make it easier for them to plan their stays and trips independently.
6. Collection and Processing of Personal Data
6.1 Principle of Data Minimization
The KARLA chatbot is designed so that no personal data is collected, stored, or processed. Neither names, email addresses, phone numbers, IP addresses, nor any other personal data of users is collected or stored.
6.2 Automatic Deletion of Personal Data
If users do enter personal data into the chatbot’s input field, this data is processed solely for the purpose of generating a real-time chatbot response and is neither stored nor logged afterward. The data is not stored permanently or linked to individual users.
6.3 No storage of chat histories
Chat histories between users and the KARLA chatbot are not saved. Once the conversation ends, the chat content is no longer accessible and is not archived.
6.4 Not for use in AI training
The content entered via the chatbot is not used to train AI models or for any other purposes related to the further development of artificial intelligence.
7. Cookies and Tracking Technologies
The KARLA chatbot does not use cookies, tracking technologies, analytics tools, or similar methods. User behavior is not tracked. No profiles are created, and no data is collected for advertising purposes.
8. Technologies and Services Used
The technologies and services described below are used to operate the KARLA chatbot. All services are configured so that no personal data of users is transmitted to third parties or stored.
8.1 Flowise (Self-Hosted)
Flowise is an open-source platform for creating AI-powered workflows and chatbots. Flowise is hosted on our own server in Germany (self-hosted). No data is transferred to the manufacturer or to third parties when using Flowise.
Attribute Specification
Provider: FlowiseAI (open source)
Self-hosted mode on your own server
Server location: Germany (Netcup)
Disclosure of data to third parties: No
8.2 OpenAI (Embeddings)
The chatbot uses OpenAI embedding models for semantic search and the processing of knowledge content. Embeddings are mathematical vector representations of text that enable user queries to be matched with relevant information based on content. The OpenAI Embedding API is accessed via RequestyAI’s EU gateway, ensuring that processing takes place within the European Union. OpenAI does not use data transmitted via the API to train its models.
Attribute Specification
Provider: OpenAI, L.L.C., San Francisco, USA
Function: Creation of text embeddings
Routing via the RequestyAI EU Gateway (Frankfurt)
Data usage for training: No
For more information: https://openai.com/enterprise-privacy/
8.3 Firecrawl
Firecrawl is used as a technical tool for collecting and processing publicly available web content in order to provide the chatbot’s knowledge base with up-to-date tourism information. Only publicly available information is processed. Personal data of chatbot users is not transmitted to Firecrawl.
Attribute Specification
Provider: Firecrawl (Mendable Inc.)
Public Web Content Collection Feature
Processing of personal user data: No
For more information: https://www.firecrawl.dev/privacy-policy
8.4 mytoubiz API (Experience Karlsruhe)
The chatbot is connected via an API interface to the mytoubiz platform, which provides tourism data for the city and region of Karlsruhe. This interface is used exclusively to retrieve publicly available tourism information, such as events, attractions, and special offers. No personal data of chatbot users is transmitted to mytoubiz.
Attribute Specification
Provider: Karlsruhe Erleben / mytoubiz Function: Provision of tourism data
Transfer of personal user data: No
8.5 Anthropic (language model)
The language model used is provided by Anthropic, PBC (San Francisco, USA). It is accessed exclusively via the RequestyAI EU gateway (AWS Bedrock, eu-west-1 region, Ireland). No data is transferred to third countries, and the model provider does not store any queries.
9. Hosting and Server Location
The KARLA chatbot is hosted on a dedicated server provided by Netcup GmbH. The server is located in a data center in Germany and is fully subject to the provisions of the GDPR and the German Federal Data Protection Act (BDSG).
Attribute Specification
Web hosting provider Netcup GmbH
Server Type: Netcup XXL
Server location: Germany
Applicable data protection laws: GDPR, BDSG
10. Transfer of Data to Third Countries
Personal data is not transferred to third countries (countries outside the European Economic Area). All services and infrastructure used are configured so that data processing takes place exclusively within the European Union or the European Economic Area.
11. Recipients of personal data
Since no personal data is collected or stored, no personal data is disclosed to third parties. The services listed in Section 8 do not receive any personal data from chatbot users.
12. Retention period
Since no personal data is collected or stored, there is no need to specify a retention period. Chat histories are not stored. If personal data is entered by mistake, it is deleted immediately and automatically.
13. Your Rights as a Data Subject
Even though no personal data is collected when using the KARLA chatbot, we would like to inform you of your fundamental rights under the GDPR. In the unlikely event that personal data is processed, you have the following rights:
Right of access (Art. 15 GDPR): You have the right to request information about whether we process your personal data and, if so, what personal data we process.
Right to rectification (Art. 16 GDPR): You have the right to request the rectification of inaccurate personal data or the completion of incomplete personal data.
Right to erasure (Art. 17 GDPR): You have the right to request the erasure of your personal data, provided that the legal requirements are met.
Right to restriction of processing (Art. 18 GDPR): You have the right to request that the processing of your personal data be restricted.
Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format.
Right to object (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of Art. 6(1)(f) GDPR.
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data. The supervisory authority responsible for us is:
The State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg
20 Lautenschlagerstraße, 70173 Stuttgart
Phone: +49 711 615541 0
Email: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de
14. Note on the Use of Artificial Intelligence
The KARLA chatbot uses artificial intelligence (AI) based on large language models to understand natural language queries and generate appropriate responses. The AI-powered responses are based on a curated knowledge base containing tourist information about the city and region of Karlsruhe. Despite careful preparation of the knowledge base, the chatbot’s responses may contain inaccuracies. The chatbot’s responses do not constitute legally binding information.
In accordance with Regulation (EU) 2024/1689 (AI Regulation / AI Act), we would like to inform you that you are interacting with an AI-powered system. The chatbot KARLA is classified as a low-risk AI system, as it provides only publicly available tourism information and does not make decisions that have legal or similarly significant implications for users.
15. Changes to this Privacy Policy
We reserve the right to amend this Privacy Policy as necessary to bring it into line with changes in the legal framework or to reflect changes to the chatbot service or data processing. The most current version of this Privacy Policy is always available via the chatbot or the associated website.
16. Contact
If you have any questions about this privacy policy or about data protection in connection with the KARLA chatbot, please contact:
Steinbeis Transfer Center for Digital Media and Communication, Johannisbeerweg 13
69469 Weinheim
Contact person: Dr. Gerald Lembke
or to our Data Protection Officer:
Ina Schöne 14 Erfurter Street 99867 Gotha
Phone: +49 179 292 0615
Email: kontakt@datenschutzspezialistin.de
This Privacy Policy was created in March 2026