The present Privacy Policy applies to all Users of the AI on-Demand platform (hereinafter referred to as the “Users” or the “User” and “AI on-Demand”, “AIoD”, or “Website” respectively) and forms an integral part of the AI on-Demand platform’s Website Terms and Conditions. The present Privacy Policy provides the User with general information regarding how the Data Controller uses personal data and other information required by data protection legislation. In case of future amendment, the User will be provided with necessary updates and information through updates to the present Privacy Policy, uploaded to the AI on-Demand Website.
1. Who is the Data Controller?
1.1. Data Controller
The organization with the name “Alma Mater Studiorum – University of Bologna” (“UNIBO”) is the Data Controller for the processing of the User’s personal data (hereinafter referred to as “Data Controller”).
1.2. Data Controller’s Contact details:
For any issue or concern with regards to the present Privacy Policy, including the User’s personal data processing as well as the exercise of the User’s rights, the User can communicate with the Data Controller using one of the following means:
By sending an email at the following email address: info@aiod.eu
By sending correspondence to the following address: Alma Mater Studiorum – University of Bologna
via Zamboni 33
40126 – Bologna
Italy
2. What is the purpose and the legal basis for User’s data processing?
2.1. Usage of the AI on-Demand platform
The AI on-Demand platform (AIoD) seeks to act as a resource to facilitate European research and innovation in AI. The objective of the platform is to support all solutions and tools that contribute to the ecosystem of excellence and the ecosystem of trust, which define the European Vision of AI.
AI assets and tools are made accessible through the platform to be used by the broader community to upskill and transfer knowledge to innovation sectors. It supplies new services and a marketplace for non-experts, so that they can experiment and deploy AI solutions in their own workplaces.
For all purposes related to making use of the platform Website (including but not limited to browsing, creating a User account, submitting content, uploading or downloading assets, etc.), the legal basis is the User’s prior consent.
Where the legal basis is User’s prior consent, the User can always withdraw their consent at any time without affecting the legitimacy of the data based on consent prior to its withdrawal.
2.2. Processing of data for reasons related to Data Controller’s compliance with legal obligations
In such cases, the processing of personal data takes place for only the necessary time period in order for the Data Controller to comply with obligations imposed by various legal provisions.
3. Which personal data are processed?
3.1. Personal data
3.1.1. User Authentication, Account Creation, and Account Linking
In order for a User to voluntarily create an account with the AI on-Demand (AIoD) platform, the User should login through the AIoD Login service. The AIoD platform primarily relies on the EGI Check-in service for user authentication and account creation.
The authentication process via EGI Check-in works as follows:
- When you choose to log in to AIoD, you will be redirected to the EGI Check-in service.
- EGI Check-in presents a discovery page allowing you to select your preferred identity provider.
- You can choose to authenticate using credentials from various sources supported by EGI Check-in, including:
- Institutional Accounts: Log in using the account provided by your university or research institution, typically via eduGAIN.
- Social & External Accounts: Use existing accounts from services like Google, ORCID, LinkedIn, or GitHub.
- EGI SSO: if none of the above methods are applicable, you can create an EGI SSO account to authenticate.
- You will be directed to your chosen provider’s login page to enter your credentials. Importantly, the AIoD platform never receives or stores these primary credentials (e.g., your university or Google password).
- On your first login to AIoD via EGI Check-in, you will typically be asked to consent to the release of specific identity information from EGI Check-in to the AIoD platform.
- After successful authentication at your provider, you are redirected back to the AIoD platform.
Upon your first successful login via EGI Check-in, an account profile is automatically created for you on the AIoD platform. The following personal data, received from EGI Check-in after your authentication and consent, may be associated with your AIoD account:
- Identification data:
- Name
- Identification numbers (a unique, opaque, persistent and non-reassignable Identifier provided by EGI Check-in service)
- E-mail address
- Affiliation
- Country
- IP address
- Behavioral data:
- Usage data (websites, services, social media)
- Login timestamps
- Data relating to memberships:
- Information on roles, groups, and communities
This data may be securely stored by the AIoD platform. Depending on the identity provider you choose via EGI Check-in, additional personal data (attributes) might be shared by that provider with EGI Check-in, which may then, subject to your consent, be relayed to AIoD. Examples could include affiliation details, language preference, profile picture, country, or login timestamps. The collection and sharing of data by your chosen identity provider (e.g., your university or Google) are governed by their respective privacy policies.
Account Linking: Identity linking allows you to access the AIoD platform with your existing personal AIoD ID, using any of the login credentials you have linked to your account. Instructions for this one-time linking process are available in your personal profile information settings after logging in to EGI Check-in.
3.1.2. Content submitted via the Contribution Gateway
Users can voluntarily submit content via the Contribution Gateway (https://www.ai4europe.eu/contribute) (see also Section 4.1.2.). This content may include, inter alia, news, events, information projects, AI assets, educational materials, organization profiles, and open calls. The submitted content is associated with their username, email address, and name. Only the username is publicly visible on the website. In addition to being publicly published to the AI on-Demand platform, submitted content (which may include associated personal data, such as the username) is made accessible through the AI on-Demand platform’s API, located at https://api.aiod.eu.
3.1.3. AI on-Demand’s communication for reasons related to User’s permitted use of the AI on-Demand
In order for the AI on-Demand platform to communicate with the User for the above purposes, the Data Controller can process all data relating to a User’s account, submitted content and data related to the User’s use of the AI on-Demand platform.
3.1.4. AI on-Demand’s communication via mailing list
In case the User actively opts in to receive the mailing list, then information provided by the user at signup (e.g. name, email address, IP address, user device) will be processed on behalf of the controller. The User can unsubscribe from the mailing list at any time.
3.2. Usage data
We may also collect information on how the webpage is accessed and used (“Usage Data”). This Usage Data may include information such as your computer’s Internet Protocol address (IP address), browser type, browser version, the pages of our webpage that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
4. How AI on-Demand collects personal data
4.1. The information can be collected by the following ways:
4.1.1. During login of a User on the AI on-Demand platform (via AIoD Login).
4.1.2. When the User voluntarily submits content via the Contribution Gateway (https://www.ai4europe.eu/contribute), and purposefully includes personal data within that content (e.g. news, events, projects, AI assets, educational materials, etc.).
4.1.3. When the User voluntarily signs up for the mailing list, and provides the personal data needed for this purpose, i.e., name and email address. Interactions with the subsequent emails from the mailing list might also result in relevant personal data (e.g., open/clicks/IP address) being processed.
5. How long is personal data stored and when is it deleted?
5.1. User’s account data
Without prejudice to User’s deletion/erasure right mentioned below, the personal data registered and stored in the User’s account will be stored as long as the User wishes to make use of the AI on-Demand platform Website for the purpose mentioned above. In case Users wish to delete their account, they can do so by emailing info@aiod.eu.
5.2. AI on-Demand’s communication for reasons related to User’s permitted use of the AI on-Demand platform
Data related to such communication will be stored only as long as Users wish to use the AI on-Demand platform Website and maintain their account. In case Users wish to delete their account, they can delete their accounts through account settings or by contacting the Data Controller through the above mentioned contact details.
5.3. Mailing List
If a User has subscribed to the mailing list, their personal data will be stored and processed until consent is withdrawn by unsubscribing from the mailing list. A User can unsubscribe at any time using the link provided in every email or by contacting AI on-Demand directly.
5.4. Statistical analysis for the optimization of the Website
Regardless of the above mentioned provisions of Section 5, the Data Controller will store and process only necessary data for the period required in order to comply with its obligations imposed by law (compliance with fiscal obligations, etc) and to further optimize the structure and content of the Website.
For more information, please see the section on cookies (Section 10) below.
6. What are the User’s rights in relation to the processing of their personal data and how can these rights be exercised?
6.1 The Data Controller respects the User’s rights in relation to the processing of their personal data
6.2 Users can exercise their rights by contacting the Data Controller via the contact details provided by Section 1.
For User’s facilitation, User’s rights are included in the following table along with a short explanation of each right, as enshrined in the General Data Protection Regulation 2016/679 (GDPR):
| Right | Explanation |
| Access (Article 15) | The User can ask the Data Controller to:confirm whether the Data Controller processes the User’s personal dataprovide the User with a copy of their personal datagive the User other supplementary information related to User’s personal data such as the purposes of processing, to whom are these data disclosed, whether personal data is transferred to foreign countries and how it is protected, how long the data is stored, what are the User’s rights, how can a complaint be lodged, whether automated decision-making (including profiling) is used, and where the personal data was obtained to the extent this information is not included in the present Privacy Policy. |
| Rectification (Article 16) | The User can ask the Data Controller to rectify inaccurate personal data. The Data Controller can seek to verify the accuracy of the data before rectifying them. |
| Erasure/deletion (Article17) | The User can ask the Data Controller to erase their personal data:when the personal data are no longer needed for the purposes for which they were collectedwhen the User withdraws their consentwhen the personal data has been processed unlawfully The Data Controller is not obliged to comply with a User’s request to erase their personal data, if the processing of User’s personal data is necessary:for compliance with a legal obligationfor the fulfillment of another legitimate purpose or another legitimate legal basisfor the establishment, exercise, or defense of legal claims |
| Restriction (Article 18) | The User can ask the Data Controller to restrict (store but not process) User’s personal data when:their accuracy is contested (see rectification), so that the Data Controller can verify the accuracy of the personal datathe personal data have been unlawfully processed but the User opposes the erasure of the personal datathey are no longer necessary for the purposes for which they were collected but the User still needs them for the establishment, exercise or defense of legal claims or there is another legitimate purpose of processing or other legal basis |
| Data portability (Article 20) | When processing is based on consent and the processing is carried out by automated means, the User can ask the Data Controller to receive their personal data in a structured, commonly used and machine readable format or ask the Data Controller to transmit them to another controller directly from the Data Controller. Nevertheless, according to the law, this right refers only to those data that have been given by the User himself and not to those data that are inferred by the Data Controller based on the data that the User has provided. |
| Objection (Article 21) | The User can object at any time to the processing of personal data concerning them which is based on legitimate interest or performance of a task carried out in the public interest. When the User exercises their right to object, the Data Controller has the right to demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedom of the User or for the establishment, exercise or defense of legal claims. |
| Consent withdrawal (opt-out) | The User has the right to withdraw their consent where consent is the basis of processing. Withdrawal is valid for the future. |
| Supervisory Authority | The User has the right to lodge a complaint with the local supervisory authority related to data protection. In Ireland, the supervisory authority for data protection is the Data Protection Commission https://www.dataprotection.ie/ |
| Identity | The Data Controller takes the confidentiality of all files that include personal data seriously, and thus is entitled to request the User for proof of their identity if the User submits a request in relation to those files. |
| Cost | The User will not have to pay for the exercise of their rights in relation to personal data unless, as provided by law, the request for access to information is unfounded or excessive. In that case, the Data Controller can charge the User with a reasonable fee under specific circumstances. The Data Controller will inform the User for any possible charge before completing the request. |
| Timetable | Data Controller aims at answering at User’s valid requests the latest within one (1) month from their receipt, unless the request is extremely complicated or the User has submitted multiple requests, in which case the Data Controller aims at answering to them within three months. In case the Data Controller needs more than one month for the reasons above mentioned, the User will be informed. The Data Controller may ask the User if they want to explain what exactly they wish to receive or what is their concern. This will help the Data Controller to act more quickly in relation to the User’s request. In any case, the User should mention specific and true data and/or facts so that the Data Controller can accurately answer and/or satisfy the User’s request. Otherwise, the Data Controller reserves their right for any faults that are outside of their control. Additionally, the Data Controller can reject requests that are unfounded, excessive, abusive, made in bad faith, or are illegitimate in the framework of the legal provisions. |
7. How is data security safeguarded?
7.1. The Data Controller implements all appropriate security measures to ensure the protection and confidentiality of personal data.
This includes the following measures:
- Strong password policies in all servers
- HTTPS protocol for interacting with APIs and Web clients
- SSH protocol for server connection
- Periodical server updates with latest security fixes
7.2. Please note that only specifically authorized agents of the Data Controller, acting under the authority of the Data Controller and only on their instructions where necessary, handle personal data submitted by the User.
For processing, the Data Controller selects persons with appropriate qualifications that have sufficient knowledge as to technical safeguards and personal integrity to protect confidentiality. The Data Controller takes all necessary security measures for the protection and safeguard of secrecy, confidentiality, and integrity of personal data also through relevant contractual commitments of their associates. In case the security of the Website may be compromised due to reasons that reside outside the control of the Data Controller as well as due to technical or other problems of the network, force majeure, or accidents, the security of personal data cannot be guaranteed.
8. Who are the recipients of personal data?
8.1. The recipients of the User’s personal data
The recipients of the User’s personal data are associate organizations that provide technical infrastructure for the operation of the AI on-Demand Website, hosting provider as well as the organization that undertakes to send electronic communications related to the operation of the AI on-Demand platform to Users. Where necessary, as per applicable laws, the Data Controller will sign agreements with such organizations, which refer to the implementation and regular monitoring of security measures. In case personal data is transferred outside the ΕU, all necessary guarantees are in place.
8.2. Disclosure to Authorities for Legal and Public Interest Purposes
If the Data Controller receives a valid request to notify or transfer data following a request by the appropriate administrative authority, attorney, court or other authority, the Data Controller may notify / transfer such data in order to fulfill their duty executed in favor of the public interest towards these authorities (with or without User’s previous notification) in accordance with the appropriate legal provisions. If the User should be previously notified in accordance with the relevant legal provisions, then the User has the right to object to this processing as provided in Section 7 above.
8.3. Third-Party Identity Providers for User Authentication
Third-party identity providers that are integrated with AIoD Login / EGI Check-in, which are chosen by the User (for example, authenticating via eduGAIN, Google, ORCID, LinkedIn, GitHub, or EGI SSO).
8.4. Security Incident Response and Log File Sharing
In cases involving security incidents with AIoD Login / EGI Check-in, the records of your use and technical log files produced by the Check-in service components may be shared via secured mechanisms for security incident response purposes with other authorised participants in the academic and research distributed digital infrastructures (namely, federation operators of Sirtfi, the Security Incident Response Trust Framework for Federated Identity, who are supported by the eduGAIN Security Team), only for the same purposes and only as far as necessary to provide the incident response capability where doing so is likely to assist in the investigation of suspected misuse of infrastructure resources.
8.5. Visibility of Professional Details to Registered Users
Αs to the professional details made available by each User, they are available to all registered Users of the AI on-Demand platform for the purposes mentioned above.
8.6. Email Communication via Zoho Campaigns
For Users that register for the mailing list, Zoho Corporation, through their Zoho Campaigns product, will process their name and email address in order to provide email services for the AIoD platform.
8.7. Analytics Processing via Zoho (Statistics/Analytics Cookies)
For Users that accept statistics/analytics cookies, Zoho Corporation, through their Zoho PageSense product, will process certain collected personal data as detailed in Section 10.6.2. below.
9. Connection to other websites/social media
This Website connects with other websites through hyperlinks. These websites are not related to the Data Controller’s Website and their content is neither checked nor recommended by the Data Controller. Thus, the accuracy, legitimacy, completeness or quality of their content and legitimacy of the processing of User’s personal data cannot be checked and no guarantee is provided for them. The Data Controller cannot be held liable for them or any damage that may be caused to the User due to or following their use. The Data Controller cannot check the processing of the User’s personal data by those linked websites and thus does not bear any liability for the use of them. When the User accesses such websites they should take into consideration that the terms and conditions of each website apply. For any issue that may occur as to the content or the use of the linked website, the User should directly contact the operator or administrator of each website. The Data Controller does not approve or embrace the content or services of the linked websites, which the User accesses through the AI on-Demand Website.
The Website gives Users the possibility to connect and interact with social media following their own initiative and will. In that case, the Data Controller is not liable for the processing of a User’s data taking place through or by social media platforms. Users should directly address each specific social media platform in order to exercise their legitimate rights.
10. Cookies
10.1. Purpose of Cookies on the AI on-Demand Platform
The AI on-Demand uses cookies to be operational or more efficient in its operation, to improve the User’s navigation, to provide the User with the full potential of the AI on-Demand platform, and to ensure the correct display of content as well as for analytical and statistical purposes.
10.2. Definition and Function of Cookies
Cookies are small text files stored on the Users’ computer when they visit the AI on-Demand Website, which can be used as a means of identifying their computer.
10.3. User Consent for Cookie Installation
Cookies, apart from absolutely necessary cookies, are only installed if the User accepts their installation when they visit the AI on-Demand Website. By accepting cookies when entering the AI on-Demand Website, the User expressly states that they have read and understood the specific terms and conditions regarding the installation, function, and purpose of the cookies and that they provide their consent for their use.
10.4. Use of Essential Cookies Without Consent
Alternatively, the User may not accept cookies. In this case, only cookies that are technically and functionally necessary for the operation of the AI on-Demand will be installed.
10.5. User Control and Cookie Preference Management
Users can manage the use and installation of cookies at any time through a panel, where they can choose which categories of cookies they want to accept.
10.6. Types of Cookies Used on the AI on-Demand Website
In particular, the cookies used by the AI on-Demand Website are the following:
10.6.1. Strictly necessary cookies are essential for the proper operation of the AI on-Demand Website. These cookies store the User’s preferences regarding the use of other cookies and services such as the mailing list, and they allow the User to browse and use AI on-Demand features such as access to secure areas. Without them, the smooth operation of the AI on-Demand Website is not possible.
10.6.2. The AIoD Login / EGI Check-in service uses cookies to verify the identity of users before granting them access to the AI on-Demand Website’s resources and data. If the User makes use of this service to login to the AI on-Demand Website, then the following list of cookies are also applicable: EGI Check-in Cookies
10.6.3. The AI-on-Demand Website makes use of statistics/analytics cookies that evaluate the way visitors use the Website (for example, which pages are visited more often and whether they receive error messages from webpages). These cookies are used for statistical purposes and to improve the performance of AI-on-Demand. With the User’s consent for statistics/analytics cookies, the following list of cookies are placed by Zoho PageSense in order to begin logging usage statistics: Zoho PageSense Cookies
11. Children’s Privacy
Our project is not directed towards anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we will take steps to remove that information from our servers.
12. Amendments to this Privacy Policy
The Data Controller reserves the right to amend this present Privacy Policy, for example when this is necessary to comply with new requirements imposed by applicable laws, guidelines or technical requirements, or in the course of a revision of the Data Controller’s processes and practices. The User will be notified of any amendment to this Privacy Policy through the AI on-Demand platform and/or by email. The User should regularly check this Privacy Policy for any amendments.
