1. Introduction
This Privacy Policy applies to all users of the AI on-Demand platform (hereinafter referred to as the “User(s)” and “AI on-Demand” or “AIoD”, respectively) and forms an integral part of the AI on-Demand platform’s Website Terms and Conditions.
This Privacy Policy provides Users with general information about how the Data Controller uses personal data, as required by applicable data protection legislation. In case of future amendments, Users will be informed through updates published on the AI on-Demand website.
2. Data Controller
2.1. Identity of the Data Controller
The organization responsible for the processing of Users’ personal data is:
Alma Mater Studiorum – University of Bologna
(hereinafter referred to as the “Data Controller” or “UNIBO”).
2.2. Contact Details
Users may contact the Data Controller regarding this Privacy Policy or for exercising their rights using the following means:
- Email: info@aiod.eu
- Postal Address:
Alma Mater Studiorum – University of Bologna
Via Zamboni 33
40126 – Bologna
Italy
3. Purpose and Legal Basis for Processing
3.1. Use of the AI on-Demand Platform
The AIoD platform is designed to support European AI research and innovation by providing access to tools and services that facilitate knowledge sharing and deployment of AI solutions. The legal basis for processing personal data related to platform use (e.g., browsing, account creation, content submission) is the User’s prior consent.
Users may withdraw their consent at any time without affecting the legality of prior data processing based on that consent.
3.2. Compliance with Legal Obligations
The Data Controller may process personal data to comply with legal obligations. In such cases, data will be processed only for the period necessary to fulfill those obligations.
4. Personal Data Processed
4.1. Account Authentication and Linking
When Users create an account, they log in through the AIoD Login service, primarily via the EGI Check-in authentication service. The process includes:
- Redirect to EGI Check-in to select an identity provider (e.g., university, Google, ORCID, LinkedIn, GitHub).
- Authentication occurs outside the AIoD platform.
- Upon first login and consent, the following data may be received by AIoD:
Identification Data:
- Full name
- Unique user ID (from EGI Check-in)
- Email address
- Affiliation and country
- IP address
Behavioral Data:
- Website/service usage
- Login timestamps
Membership Data:
- Roles, groups, and communities
Additional data (e.g., profile picture, language preference) may also be shared depending on the chosen identity provider.
Account Linking: Users can link multiple authentication methods to a single AIoD profile.
4.2. Content Submission
Users may voluntarily submit content via the Contribution Gateway, including news, events, AI assets, educational material, and organization profiles. Submitted content is associated with the User’s:
- Username (publicly visible)
- Name and email (not publicly visible)
This content is also accessible through the AIoD API.
4.3. Platform Communication
The Data Controller may use data associated with a User’s account and activity to communicate regarding permitted platform use.
4.4. Mailing List
If the User opts in to the mailing list, data such as name, email, IP address, and device info may be processed. Users may unsubscribe at any time.
4.5. Usage Data
AIoD collects technical information about how the site is accessed and used, such as:
- IP address
- Browser type/version
- Visited pages
- Time and date of visits
- Time spent on each page
- Device identifiers
5. Data Collection Methods
Personal data may be collected through:
- 5.1. Login via AIoD Login (EGI Check-in)
- 5.2. Voluntary content submission via the Contribution Gateway
- 5.3. Mailing list subscription and interaction (e.g., clicks, IP address)
6. Data Retention and Deletion
6.1. Account Data
Stored as long as the User maintains an active account. Users may request deletion via info@aiod.eu.
6.2. Communication Data
Stored while the account remains active. Deletion can be requested through account settings or by contacting the Data Controller.
6.3. Mailing List
Stored until the User unsubscribes.
6.4. Statistical Analysis
Usage data for website optimization and legal compliance is retained only as long as necessary.
7. User Rights Under GDPR
Users have the following rights under the General Data Protection Regulation (GDPR 2016/679):
| Right | Description |
|---|---|
| Access | Request access to personal data, details of processing, recipients, data retention, and origin. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful. |
| Restriction | Request data storage without processing, under certain conditions (e.g., accuracy is contested, data is no longer needed but required for claims). |
| Data Portability | Receive data in a structured, machine-readable format, or have it transferred to another controller. |
| Objection | Object to processing based on public interest or legitimate interest. |
| Consent Withdrawal | Withdraw previously given consent at any time. |
| Supervisory Authority | Lodge a complaint with the data protection authority. In Ireland: Data Protection Commission |
The Data Controller may request proof of identity when processing a rights request.
Requests are handled within 1 month, extendable to 3 months in complex cases. Users will be informed of delays or additional information needed.
8. Data Security and Recipients of Personal Data
8.1. Data Security Measures
The Data Controller implements appropriate technical and organizational measures to safeguard personal data, including but not limited to:
- Access controls and monitoring mechanisms
- Strong password enforcement on all servers
- Secure communication via HTTPS and SSH protocols
8.2. Recipients of Personal Data
The User’s personal data may be shared with the following categories of recipients:
a. Associate organizations
Entities that provide technical infrastructure for the AI on-Demand platform, including hosting services and the organization responsible for distributing platform-related electronic communications. Where legally required, the Data Controller enters into agreements with these organizations to ensure appropriate safeguards and regular monitoring of security measures. If personal data is transferred outside the EU, all necessary guarantees are in place.
b. Administrative and judicial authorities
If the Data Controller receives a valid request from an appropriate administrative authority, attorney, court, or other authority, it may disclose personal data in order to fulfill its legal obligations in the public interest. Where legally required, Users will be notified and may object to such processing in accordance with Section 7.
c. Third-party identity providers
Selected by the User during login via AIoD Login / EGI Check-in, including but not limited to eduGAIN, Google, ORCID, LinkedIn, GitHub, or EGI SSO.
d. Security incident response participants
In the event of a security incident involving AIoD Login / EGI Check-in, technical logs may be shared securely with authorized participants in research and academic infrastructures (e.g., federation operators of Sirtfi, supported by the eduGAIN Security Team) solely for the purpose of incident response.
e. Other registered Users
Professional details made available by each User (such as affiliation or area of expertise) may be visible to all registered Users of the AI on-Demand platform in the context of platform collaboration.
f. Email service provider
If a User subscribes to the mailing list, their name and email address will be processed by Zoho Corporation via the Zoho Campaigns service to deliver newsletters and updates.
g. Analytics service provider
If a User consents to analytics cookies, Zoho Corporation may process certain usage data through its Zoho PageSense service, as detailed in Section 10.6.
9. Links to External Websites and Social Media
The AI on-Demand Website may contain hyperlinks to external websites. These third-party websites are not managed by the Data Controller, and their content is not reviewed, endorsed, or guaranteed by the Data Controller. Therefore:
- The Data Controller is not liable for the accuracy, lawfulness, or quality of content on these sites.
- The Data Controller is not responsible for any damage arising from the User’s interaction with such websites.
- Users should refer to the terms and privacy policies of the respective websites for more information.
- Any issues related to external websites must be addressed directly with their administrators.
- The inclusion of such links does not imply endorsement by the Data Controller.
The Website also enables Users to interact with social media platforms at their own discretion. In such cases:
- The Data Controller is not responsible for any processing of personal data that occurs via or by social media platforms.
- Users should exercise their rights directly with the relevant social media platform.
10. Cookies
10.1. Purpose of Cookies
AI on-Demand uses cookies to:
- Ensure the platform operates correctly and efficiently
- Improve navigation experience
- Display content properly
- Collect data for analytical and statistical purposes
10.2. What Are Cookies?
Cookies are small text files stored on the User’s device when they visit the AI on-Demand Website. These files may identify the device and help optimize platform usage.
10.3. Consent for Cookies
Except for strictly necessary cookies, other categories of cookies are installed only with the User’s explicit consent. Upon visiting the Website, the User may accept cookies and will be deemed to have read and understood the conditions for their use.
10.4. Refusing Cookies
Users may decline non-essential cookies. In this case, only technically necessary cookies will be installed.
10.5. Cookie Management
Users can manage their cookie preferences at any time using a control panel, where they can select which categories of cookies to accept.
10.6. Cookies Used
The AI on-Demand Website uses the following types of cookies:
(Note: Here, you can include a table or list of specific cookies used, categorized by type — e.g., Necessary, Preferences, Statistics, Marketing — along with their purpose, duration, and provider.)
Absolutely Necessary Cookies
| Type of Cookie | Explanation | Examples of Cookies | Duration | Transfer to Third Parties |
|---|---|---|---|---|
| Session/Login | Essential for the proper operation of the AI-on-Demand Website and secure access. Without them, core features would not function. | SSESS5f14077676e7784cad49646a1157d45c – session ID after login. Deleted on logout. | Session (24 days or until logout) | No |
| Consent Management | Used to track user response to the cookie consent banner. | cookiesjsr | 12 months | No |
| Email Campaign Tracking | Used by Zoho Campaigns to gather campaign ID and interaction data for analytics. | zc_cmp | 1 minute | No |
| Popup Management | Used by Zoho Campaigns to control popup form displays for users. | zc_dis | 12 months | No |
Statistics / Analytics Cookies (Optional, Requires Consent)
| Type of Cookie | Explanation | Examples of Cookies | Duration | Transfer to Third Parties |
|---|---|---|---|---|
| Visitor Analytics | Used by Matomo Analytics to track how users interact with the website to improve performance and usability. | _pk_id – stores unique visitor ID | 13 months | No |
| Referral Tracking | Tracks how users arrived at the site. | _pk_ref – stores referrer information | 6 months | No |
| Session Tracking | Temporarily stores visit data during a session. | _pk_ses – short-lived session cookie | 30 minutes | No |
Additional Cookies (If Logging In via AIoD Login / EGI Check-In)
| Type of Cookie | Explanation | Examples of Cookies | Duration | Transfer to Third Parties |
|---|---|---|---|---|
| Session State | Maintains authentication tokens to prevent session fixation attacks. | egi_proxy_authtoken, egi_oauth_proxy_authtoken | Until logout | No |
| Session State | Maintains user session ID for retrieving session information. | egi_proxy_sid, egi_oauth_proxy_sid, egi_co_registry_sid | Until logout | No |
| Preferences | Remembers preferred Identity Provider (IdP) selection. | egi_poweridpdisco_lastidp | Until expiration/deletion | No |
| Preferences | Stores preference to remember IdP selection. | egi_poweridpdisco_remember | Until expiration/deletion | No |
| Preferences | Stores preferred timezone selection. | egi_co_registry_tz | Until expiration/deletion | No |
| Preferences | Stores preferred language for EGI Check-in OpenID Connect Provider. | i18next | Until expiration/deletion | No |
11. Amendments to this Privacy Policy
The Data Controller reserves the right to amend this Privacy Policy at any time. Amendments may be made, for example, in order to:
- Comply with new legal requirements, guidelines, or technical standards
- Reflect updates in the Data Controller’s internal processes or practices
Users will be informed of any changes to this Privacy Policy via the AI on-Demand platform and/or by email. It is the User’s responsibility to regularly review this Privacy Policy for any updates or changes.
12. Children’s Privacy
The AI on-Demand platform is not directed to individuals under the age of 18. Accordingly:
If we become aware that personal data has been collected from a child without parental consent, we will take appropriate steps to delete such data from our servers.
We do not knowingly collect personally identifiable information from anyone under 18 years of age.
If you are a parent or legal guardian and believe that your child has provided us with personal data, please contact us immediately.
