Privacy Notice for the Use of Alan Services
Thank you for using our AI-based Alan services. With the following privacy notice, we would like to inform you, as the controller, which types of your personal data (hereinafter referred to as “data”) we process, for what purposes, and to what extent. For readability and accessibility, we use the generic masculine form regardless of gender (m/f/x).
Note:
If you use our Alan services as an authorized user (e.g., as an employee) of our contracting partner (e.g., your employer), we act solely as a processor within the meaning of Art. 28 GDPR. In such cases, the sole legal basis is the data processing agreement we have concluded with our contracting partner (your employer). In this case, we do not process personal data for our own purposes, but exclusively on the instructions of our contracting partner (your employer). The sole controller within the meaning of the GDPR is therefore the company that has granted you the corresponding usage rights and for which we process personal data only in accordance with instructions. If you have questions regarding data processing (e.g., the legal basis your employer relies on or the purpose of processing), please contact them directly.
Where we refer below to legal bases and purposes of processing, these relate exclusively to the scenario in which we ourselves are the controller (and not a processor for our contracting partner) within the meaning of the GDPR.
1. Name and Address of the Controller
Who the controller is depends, among other things, on how you use Alan. If you are our contracting partner, the controller within the meaning of the GDPR is us, namely:
Comma Soft AG
represented by the Executive Board, Benjamin Schulte
Pützchens Chaussee 202-204a
53229 Bonn
Tel. +49 228 9770 0
Email alan@comma-soft.com
Responsible within the meaning of the GDPR.
2. Name and Address of the Data Protection Officer
Our Data Protection Officer is:
Frank Becher
Pützchens Chaussee 202-204a
53229 Bonn
Tel. +49 228 9770 0
Email Frank.Becher@comma-soft.com or Datenschutz@comma-soft.com
3. General Information on Data Processing
3.1. Scope of Processing Personal Data
As a controller, we collect and use personal data of our users only to the extent necessary to provide our Alan services and deliver our performance, where processing is permitted by law, or where you have given your consent. We do not carry out any automated decision-making or profiling.
3.2. Legal Bases for Processing Personal Data
Where we obtain consent from the data subject for processing operations, Art. 6(1)(a) GDPR serves as the legal basis.
Where processing of personal data is necessary for the performance of a contract to which the data subject is party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for pre-contractual measures.
Where processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.
Where processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and these interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6(1)(f) GDPR serves as the legal basis.
3.3. Data Erasure and Storage Duration
Personal data of the data subject will generally be deleted or blocked as soon as the purpose of storage no longer applies. Storage may take place beyond this if provided for by the European or national legislator in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or deleted when a storage period prescribed by the aforementioned regulations expires, unless further storage is necessary for the conclusion or performance of a contract.
3.4. Recipients of the Data
3.4.1. Comma LLM
When using our Comma Soft Large Language Models (Comma Soft LLM), the recipients of the data are exclusively us as the provider of Alan and our cloud provider based in Germany (unless expressly agreed otherwise, this is T-Systems International GmbH, Hahnstraße 43 d, D-60528 Frankfurt am Main), which processes your data for us within the EU/EEA and in accordance with our instructions. This provider is a processor with whom we have concluded a corresponding data processing agreement.
3.4.2. Third-Party LLM
A transfer of data to third countries occurs only if and to the extent our contracting partner has commissioned us to connect a third-party LLM and the user has actively selected it for use. Within Alan, we clearly indicate whether and which third-party LLM has been activated and whether a data transfer may take place. In this case, the recipient of the data is the respective third-party provider.
3.4.3. Tools
If tools such as internet search are used, data is shared with the service provider that provides the functionality or part of it. If the tools are not used, there is no “silent” data transfer. Providers of certain tools may also be located in a third country. We have data processing agreements or arrangements with these providers that include the Standard Contractual Clauses. Tools must be enabled in individual cases by (customer) administrators. The following tools are available:
- Internet search BRAVE; Brave, Inc.; San Francisco; USA
Data is transmitted only if the tool has been activated by (customer) administration and the user has consented to the transfer in the individual case.
4. Data Processing When Connecting Third-Party LLMs
If, at the express request of our contracting partner, we integrate a language model from a third-party provider (e.g., OpenAI, Anthropic, etc.) into Alan as a contractual service, we assume no responsibility for the selection of the third-party LLM or for data processing carried out there. We are expressly not a contracting party and/or client of this third-party LLM. The third party is therefore not a sub-processor in relation to us, but a processor for our contracting partner, or possibly a joint or separate controller with them. It is the responsibility of our contracting partner to assess and monitor the data protection compliance of these third-party LLMs. Our service, when connecting a third-party LLM, is limited solely to providing an interface to the third-party LLM and secure transport encryption to the third party in order to enable a connection between Alan and the third-party LLM. The connection requires active selection of the third-party LLM by the user.
Which language model is active and being used is displayed to the user in the input field. In addition, a visual indicator appears if external models or services are being used.
Notice regarding data transfer to the USA or other third countries:
If the user relies on a third-party LLM within Alan, we point out that, depending on the provider, data processing by the third party may take place in a third country outside the EU/EEA (e.g., the USA). These countries may not guarantee a level of data protection comparable to that of the EU. For example, US companies are currently - despite an adequacy decision - obliged to disclose personal data to security authorities without you, as the data subject, being able to take legal action against this. It therefore cannot be ruled out that US authorities (e.g., intelligence services) may process, analyze, and permanently store your data processed in the context of using the third-party LLM for monitoring purposes. We have no influence over these processing activities.
The privacy notices of OpenAI and Anthropic, if integrated, can be found here:
- https://privacy.anthropic.com/de/articles/10301952-aktualisierungen-unserer-datenschutzrichtlinie
- https://openai.com/de-DE/policies/row-privacy-policy/
5. Contract Conclusion / Contract Execution
5.1. Description and Scope of Data Processing
Use of our services requires the conclusion of a contract. For this purpose, we process the following “contract data”:
- Name and address of the company and its legal representatives
- Contact persons
- First and last name of contact persons
- Telephone number
- Email address
- Billing address
- VAT ID
5.2. Legal Basis for Data Processing
The legal bases for storing the aforementioned data are Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal obligation), and Art. 6(1)(f) GDPR.
5.3. Purpose of Processing / Legitimate Interest
The purpose of processing is to establish a contractual relationship and to fulfill our contractual obligations to our customer. We also process data because legal provisions require us to do so (e.g., German Civil Code, Commercial Code, Fiscal Code, etc.). We process data of contact persons to enable user-friendly and prompt communication (e.g., for support requests), to maintain business relationships, and when changing/optimizing our services. These are also our legitimate interests, which outweigh the interests of the individual because no disadvantages arise for them, the information is provided voluntarily, and this is also in the interest of the contracting partner. Our interests in rapid and seamless communication therefore outweigh the interests of the data subject.
5.4. Storage Duration
Data is deleted as soon as it is no longer necessary for achieving the purpose for which it was collected. This is the case when the contractual relationship has ended and our statutory retention obligations no longer apply (e.g., § 147 of the German Fiscal Code). These periods can be up to 10 years. The assertion or defense of legal claims may necessitate storage beyond that, as certain warranty periods can be up to 30 years.
5.5. Right to Object and Removal
The data processing described above is strictly necessary. The data subject therefore has no right to object. Without providing the data, our services cannot be used.
6. Login / Cookies
6.1. Description and Scope of Data Processing
To use the Alan services, an authorized user must log in (authenticate). During login, the following data is collected from the authorized user:
- Tenant data: Tenant name, global settings for the tenant (not personal data)
- Login data: Email address
- Log data: Information automatically sent by the browser or device; IP address; login ID; browser type; date and time of login
- Usage data: Login ID; login time; acceptance of terms of use (yes/no); user agent; user agent version
- Device information: Type of computer/mobile device; operating system; browser
- API: When using the API, only the API key is evaluated.
We also set the following technically necessary cookies on the user’s device:
- _oauth2_proxy: This is a technically necessary session cookie. It is stored for the duration of the session and holds your authentication for that time to ensure your authorization.
- privacyPolicyAccepted: This cookie is strictly necessary to provide you with a requested digital service (the one-time digital acceptance of the terms of use (T&Cs) via opt-in).
6.2. Legal Basis for Data Processing
The legal bases for processing login data are Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) GDPR. The legal basis for the cookies is Art. 6(1)(f) GDPR in conjunction with § 25(2) TDDDG.
6.3. Purpose of Processing / Legitimate Interest
Login is carried out to verify the user’s authorization (authentication), to provide the contractually owed services, to communicate with you in the event of support, and for IT security reasons (protection against misuse, fraud, illegal use, and access by unauthorized third parties). The latter is also our legitimate interest. This outweighs the interests of the data subject because authentication and protection against misuse are also in the data subject’s interest.
The cookies are set as proof of acceptance of the terms of use and for user-friendliness, since the user only has to accept the terms once and not on every use. These are also our legitimate interests, which outweigh the interests of users because no disadvantage arises for them; rather, it is in their interest not to have to accept terms on every login.
Storage Duration
The session cookie is deleted after the session ends. The other cookie remains stored permanently until the user deletes it in the browser. Otherwise, the data is deleted as follows:
- Account data = after termination of the contract, but not before the expiry of our statutory retention obligations
- Log data = 7 days
- Usage data = 7 days
- Device information = 7 days
6.4. Right to Object
The user can object to cookies via the browser settings, e.g., by disabling the use of cookies (though this may restrict the functionality of the Alan service). There is no right to object to the storage of other login data, as we need this to perform the contract and ensure IT security. However, the user may object to the use of the email address for maintaining the business relationship.
7. Data Processing in Alan Services
7.1. Description and Scope of Data Processing
Within the Alan workflow, there are, in simplified terms, two process stages that run independently:
In the first stage, preprocessing (PP), inputs are pre-processed and then passed to the downstream language model. Here we process:
- Your account data: Email address (and first/last name, if provided)
- Account names in your tenant: Email address (first/last name, if known)
- Log data: Information automatically sent by the browser or device; IP address; login ID; browser type; date and time of login
- Operational data: Time of request, request volume, response times
- Device information: Operating system, browser, monitor resolution (data may depend on your settings)
- User content: Personal data that you provide to us when entering data into our services (“content”), including your prompts and all content you upload or that is integrated into Alan (e.g., databases, data sources)
The result of the first stage is then forwarded to the connected language model (LLM) and processed in the second stage. As a result of this data processing, a response to the user’s prompt is generated.
Both the Comma LLM and, optionally, third-party LLMs are available as language models. Entered texts and the language model’s responses are stored in a user-specific (chat) history within Alan. This history is visible only to the respective authenticated user and serves user-friendliness. The Comma LLMs themselves are stateless, i.e., inputs are processed to generate a response; no storage beyond that takes place.
By default, we provide Alan services with LLMs trained by us specifically for Alan (Comma LLM). These Comma LLMs are subject to particularly high security requirements, as there is in particular no data transfer to third parties (with the exception of our cloud provider) and no training for our own purposes.
However, it is possible to optionally connect third-party LLMs. If our contracting partner desires this option, it can be activated on a customer-specific basis. It is then available to all authorized users of our contracting partner and can be actively selected by the respective user.
In this case, preprocessing does not change. What does change is the language model (LLM), the data processing within the LLM, and thus the response to the user input and to the prompt generated in PP.
It is expressly pointed out that Comma Soft has no contractual relationship with the third-party provider. User login information is not transmitted by Comma Soft to the third-party LLM. Comma Soft displays in the interface which LLM is currently being used and visually indicates a risk of data leakage to external services when a third-party LLM is used.
With regard to the third-party LLM, the contractual terms and terms of use as well as the privacy notices of the respective provider apply. For more information, see section 3.4.2 of this privacy notice.
If the function for sharing knowledge bases or experts is used, account data (email addresses) within your tenant are processed to select the respective recipients and to inform them about the shared data source.
Where possible, we pseudonymize data. Users’ real names can be used only in special situations (e.g., hazard prevention such as cyberattacks, official orders, system instabilities, fraud, etc.) to take appropriate countermeasures and, for example, address perpetrators directly. Access to real names is particularly protected (e.g., audit log) and is generally only technically permitted and possible for a very small group of people.
Access to user content is particularly protected (four-eyes principle, audit log, etc.) and is only possible in exceptional cases and only after coordination with the user.
The aforementioned data processing relates to the use of Alan via a Comma Soft LLM, not via a third-party LLM.
We also use email addresses for communication in the event of support, for maintaining the business relationship, and to inform users about new features, etc. Since these contacts are also in the user’s interest and they can object to this use at any time, our legitimate interests in processing the email address for maintaining the business relationship prevail.
7.2. Legal Basis for Data Processing
Outside of a data processing agreement, the legal bases are Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal requirements), and Art. 6(1)(f) GDPR (legitimate interest).
7.3. Purpose of Processing
The purpose of processing is to provide the contractually owed service (offered features). In addition, we have a legitimate interest in proper contract performance, analysis and maintenance, product improvement, and providing a service with the most user-friendly features possible (e.g., storing chat history). Since the user is free to delete this at any time, these features are in their interest, and Comma Soft only accesses them after coordination with the user and only in certain critical situations, our legitimate interests in data processing and in providing this user-friendly function prevail. We also process the other data in order to ensure secure and stable system operation, provide the Alan services, and ensure a secure user environment. We have a legitimate interest in improving our services and adapting them to modern technical conditions and requirements (product improvement). Since this data processing also benefits the user and we provide transparent information about the processing, our legitimate interest outweighs users’ rights. In addition, we use the data for billing purposes, i.e., to comply with and optimize our legal requirements, in particular for proper billing, IT security, and data protection law. In the event of misuse, we also use this data for the purpose of legal prosecution.
Where possible, we pseudonymize data. This is the case, for example, when used to improve the Alan services or for dynamic performance adjustment.
7.4. Storage Duration
IP addresses, user inputs, user uploads, and user histories are deleted, like prompts (to Alan services), 30 days after contract termination. Metadata about the user and uploads is deleted 3 years after contract termination.
- Your account data: 30 days after contract termination
- Account names in your tenant: 30 days after contract termination
- Log data: 7 days
- Operational data: 30 days after contract termination
- Device information: 7 days
- User content: 30 days after contract termination
7.5. Right to Object
The user can delete the history in their account at any time. There is no right to object to further data processing, as this is strictly necessary for performing the contract and for billing and IT security purposes.
7.6. Personal Data of Third Parties
We process personal data of third parties if these are contained in inputs or knowledge sources of the Alan services. Whether and which data these are is unknown to us and presupposes that you are authorized to process this data with Alan. The controller for this within the meaning of the GDPR is our contracting partner, i.e., as a rule your employer. Please clarify internally which data you may use with our Alan services. Since we have no knowledge of any personal data of third parties and such data is only used within the interaction with Alan as part of normal chat activities, storage duration, etc., follow the information provided above.
8. Data Processing When Using Tools
The integration of tools that can embed functionalities of a third-party provider into the Alan services must be approved for use by our contracting partner (your employer), who is also the controller for the processing. Once this is done, the provisions of the data processing agreement apply, and our processing is carried out in accordance with instructions. The respective provider is therefore in a sub-processing relationship with us. The following presentation is primarily for user transparency.
8.1. Brave (Internet Search)
8.1.1. Description and Scope of Processing by Us
We have no knowledge of your inputs or the data generated by Alan for the internet search and act in accordance with instructions, which means the controller for this data transfer is the same controller, your employer. In practice, this is a search comparable to one in the browser, with Alan itself creating the search query. This means that potentially all data available to Alan can be part of the prompt, which may include both sensitive and personal data. Therefore, the input is displayed to you before it is transmitted. Transmission only takes place after explicit approval by the user. Optionally, the frequency and conditions of confirmation can be reduced. However, this can only be done by the administration of our contracting partner (your employer).
The functions available here are determined by the instructions we have received from our contracting partner (your employer) or by what they themselves have administered.
Provider’s privacy notice: https://api-dashboard.search.brave.com/privacy-policy
8.1.2. Legal Basis for Processing
Outside a data processing agreement, the legal bases are Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal requirements), and Art. 6(1)(f) GDPR (legitimate interest). The explicit approval of data transmission also satisfies the requirements of Art. 6(1)(a) GDPR (consent).
8.1.3. Purpose of Processing / Legitimate Interest
The purpose of processing is to provide internet search with the support of Alan in order to combine the specific characteristics of both systems (Alan, internet search) and increase the benefit. This also constitutes our legitimate interest. Since a display and explicit approval by the user is mandatory prior to data transmission, our legitimate interests in data processing and in providing this user-friendly function prevail.
8.1.4. Storage Duration
Search results are used by Alan on the fly to generate the response and are not persisted. The prompts prepared by Alan for transmission to the web search are stored in user chats and are available there for further use and documentation. They can also be deleted there.
The data transfer itself takes place without transmitting your user account or your identity.
8.1.5. Right to Object and Removal
The user decides in each individual case whether to use the tool and can delete any existing history in their account at any time. There is no right to object to further data processing, as this is strictly necessary to perform the contract or to provide the tool.
9. Email Inquiries / Support Requests
9.1. Description and Scope of Data Processing
It is possible to contact us via the email address we provide. If email is used to contact us, the following data is transmitted to us and stored.
- Sender address along with mail metadata such as date, time, importance, or request for read receipt
- Other recipients addressed directly or via cc
- Subject and email text, including any personal data contained therein
The data is used solely for processing the conversation or request.
9.2. Legal Basis for Processing
The legal basis for processing data in connection with the contact form and an email inquiry is Art. 6(1)(f) GDPR. We have a legitimate interest in responding to your request.
If the contact aims at concluding a contract or a support ticket, the additional legal basis for processing is Art. 6(1)(b) GDPR.
9.3. Purpose of Processing
Processing of personal data from the contact form and the email inquiry serves solely to answer your inquiry or to provide technical support.
9.4. Storage Duration
Data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. For personal data sent by email, this is the case when the respective conversation with the user has ended and there are no statutory retention periods to the contrary. The conversation is deemed ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.
9.5. Right to Object and Removal
The user may object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. The objection to storage can be made by email or by post. All personal data stored in the course of contacting us will then be deleted unless statutory retention periods prevent this.
10. Rights of the Data Subject
If personal data concerning you is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
- Right of access to the data stored about you, including any recipients and the planned storage duration, Art. 15 GDPR
- Right to rectification if incorrect data concerning you is processed, Art. 16 GDPR
If the legal requirements are met, you also have the following rights:
- Right to erasure, Art. 17 GDPR
- Right to restriction of processing, Art. 18 GDPR
- Right to notification, Art. 19 GDPR
- Right to data portability, Art. 20 GDPR
- Right to object, Art. 21 GDPR
- Right to withdraw consent given, Art. 7(3) sentence 1 GDPR
If you believe that the processing of your personal data violates data protection law, you have the right under Art. 77(1) GDPR to lodge a complaint with a supervisory authority for data protection of your choice.
11. Right to Object, Art. 21 GDPR
You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions.
The controller will no longer process the personal data concerning you unless he demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.
Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
In connection with the use of information society services - and notwithstanding Directive 2002/58/EC - you may exercise your right to object by automated means using technical specifications.
12. IT Security
To protect the security of your data, we use extensive IT security measures, which you can also find in our Technical and Organizational Measures.
13. Right to Amend
We reserve the right to adapt this privacy notice so that it complies with current legal requirements.
14. Language
This Agreement has been prepared in German and English. In the event of any inconsistency, discrepancy, or ambiguity between the German and English versions, the German version shall prevail. The English version is provided for convenience only.