Privacy Policy

How we handle your data

Published

April 1, 2026

1. Introduction

Welcome! This Privacy Policy explains how we collect, use, share, and protect information in relation to our AI Chatbot service (the “Chatbot”) provided on this website. All other services are not covered by this policy.

We are committed to protecting your privacy. This policy outlines our practices concerning the data processed when you interact with our Chatbot. By using the Chatbot, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

The data controller responsible for your personal data is:

Beyond Simulations GmbH
Am Eich 9d
22113 Oststeinbek
Germany

Email: info@beyondsimulations.com

3. Information We Collect

When you interact with our Chatbot, we collect and process the following types of information:

  • Chat Interactions: The questions, prompts, and text you submit to the Chatbot (“Prompts”) and the responses generated by the Chatbot (“Responses”). Unless you enable private mode (see below), full message content is stored in our database. We do not ask for or store personal identifiers such as your name or email address alongside chat interactions.
  • Pseudonymized User Identifiers: We derive a user identifier by computing a one-way SHA-256 hash of your IP address. This hash cannot be reversed to recover your IP address, but it allows us to group interactions from the same source within a session.
  • Technical Data: We automatically collect technical information associated with your interaction, including timestamps, session identifiers, trace and span identifiers (for request tracing), the AI model used, token counts, and response latency in milliseconds. This data is processed and stored on our self-hosted server at Hetzner in Germany.
  • Usage Data: We collect aggregated and anonymized data about how the Chatbot is used, including error rates and performance metrics, to monitor and improve the service.
  • Rate Limiting Data: We temporarily store your IP address and request count in server memory to enforce rate limits (50 requests per minute for chat, 5 attempts per minute for admin login). This data is held only in memory and is lost when the server restarts.

Private Mode

Our Chatbot supports a private mode. When enabled by the client application, your message content is replaced with [private] in our logs. Technical metadata (timestamps, token counts, model name, latency) is still recorded, but the actual text of your Prompts is not stored.

4. How We Use Your Information

We use the collected information for the following purposes:

  • To Provide and Operate the Chatbot: To receive your Prompts, process them using AI models, and deliver Responses back to you.
  • To Route Requests: To manage communication between our Chatbot interface and the underlying AI models via our backend services.
  • For Service Improvement: To analyze usage patterns, troubleshoot issues, and enhance the Chatbot’s performance and capabilities.
  • For Security and Monitoring: To maintain the security of our service, enforce rate limits, prevent misuse, and monitor for potential abuse.
  • To Comply with Legal Obligations: To meet any applicable legal or regulatory requirements.

6. Data Sharing and Third Parties

To provide the Chatbot service, your data is processed by the following parties and infrastructure:

  • Hetzner Online GmbH (Infrastructure Provider): Our backend server and database are self-hosted on servers provided by Hetzner Online GmbH, located in Germany. Hetzner acts as a data processor providing the infrastructure. All chat interaction data, technical logs, and application data are stored on these servers.
  • Mistral AI (LLM Provider): We use Mistral AI as the large language model provider to generate Responses to your Prompts. When your Prompts are processed, they are sent to Mistral AI’s API. Mistral AI processes this data according to their own terms of service and privacy policy. According to Mistral’s data processing terms, data sent via their API is not used for training purposes.

We do not share personal identifiers such as your name or email with third-party services through the Chatbot interaction, unless you voluntarily include such information in your Prompts.

We encourage you to review Mistral AI’s privacy policy for details on how they handle data.

7. Data Flow

The following describes how your data flows through our systems:

  1. You submit a Prompt through the Chatbot interface running in your web browser.
  2. The Prompt is sent via HTTPS to our Rust backend server hosted at Hetzner in Germany.
  3. The backend derives a pseudonymized user identifier (SHA-256 hash of your IP address) and logs the interaction to our PostgreSQL database (unless private mode is enabled).
  4. The backend forwards your Prompt to our Mistral adapter service (also hosted at Hetzner), which translates the request and sends it to the Mistral AI cloud API.
  5. The Response from Mistral AI is returned through the same chain and delivered to your browser.

All communication between your browser and our servers, and between our servers and Mistral AI, is encrypted via HTTPS/TLS.

8. Data Storage, Security, and Retention

  • Storage: Chat interaction data (Prompts, Responses, technical metadata) is stored in a PostgreSQL database on our Hetzner server in Germany. Session data (authentication state) is stored only in server memory and is lost when the server restarts.
  • Security: We implement technical and organizational measures to protect your data, including HTTPS encryption for all data in transit, hashed and salted password storage (Argon2), restricted access to backend systems, and rate limiting to prevent abuse.
  • Retention: We retain chat interaction data and technical logs for the duration of the current academic semester. Data may be retained longer if required for troubleshooting, security purposes, or legal obligations. We periodically review and delete data that is no longer needed.

9. Your Data Protection Rights

Under the EU General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

  • Right to Access (Art. 15 GDPR): You can request information about whether and which personal data we process about you.
  • Right to Rectification (Art. 16 GDPR): You can request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17 GDPR): You can request the deletion of your personal data under certain conditions.
  • Right to Restrict Processing (Art. 18 GDPR): You can request the limitation of how we process your data under certain conditions.
  • Right to Data Portability (Art. 20 GDPR): You can request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.
  • Right to Object (Art. 21 GDPR): You can object to our processing of your personal data based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3) GDPR): If processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

To exercise any of these rights, please contact us using the details provided in Section 2. We may need to verify your identity before processing your request. We will respond to your request within one month of receipt.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the date at the top. We encourage you to review this policy periodically.