Privacy and Data Protection Policy for Gi Service Provided by OpenAI

This document ensures that GFOUNDRY, through the Gi service, complies with GDPR by protecting the privacy and security of personal data processed for educational content generation using OpenAI’s technology, incorporating terms from the Data Processing Agreement with OpenAI.

Updated: 14-07-2024

ENTITY RESPONSIBLE FOR PROCESSING

GFoundry Lda, headquartered in Valença (Portugal), at Avenida Tito Flores, nº 71, with a capital stock of €55,000.00, registered at the Odivelas Registrar of Companies under the single registration and VAT number PT510809510, hereinafter referred to as GFOUNDRY, is the entity responsible for the Gi service provided by OpenAI. This policy outlines how GFOUNDRY ensures the protection, privacy, and security of personal data processed via Gi, in compliance with the General Data Protection Regulation (GDPR).

SCOPE OF Gi SERVICE

The Gi service encompasses two primary areas:

  1. Production of General Educational Content: Utilizing Generative AI to create content in broad skill and competency areas.
  2. Production of Educational Content Using Client Data: Processing client documents to generate tailored educational content. This policy particularly addresses the second area, ensuring clients that their data is handled privately, securely, and deleted promptly after content generation.

COLLECTION AND PROCESSING OF PERSONAL DATA

GFOUNDRY processes personal data strictly necessary for:

  • Providing information and operating the Gi service.
  • Processing client documents to generate educational content.

Data processed may include direct or indirect personal identifiers, such as names, email addresses, and document content. Users or clients will be informed about the necessity of such data to use Gi’s functionalities.

LEGAL BASIS FOR DATA PROCESSING

GFOUNDRY ensures that personal data is processed lawfully under the following conditions:

  • With the explicit consent of the data subject.
  • For the performance of a contract to which the data subject is a party.
  • In compliance with legal obligations.
  • To protect vital interests of the data subject or another person.
  • For tasks carried out in the public interest or in the exercise of official authority.

DATA PROTECTION MEASURES

GFOUNDRY employs robust technical and organizational measures to protect personal data, including:

  • Encryption of data in transit and at rest.
  • Access controls and authentication measures.
  • Regular security audits and vulnerability assessments.
  • Prompt deletion of personal data after content generation.

USER RIGHTS

Data subjects have the following rights under GDPR:

  • Right to Access: Obtain confirmation and access to personal data processed.
  • Right to Rectification: Correct inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of personal data when it is no longer necessary for the purposes for which it was collected.
  • Right to Restrict Processing: Limit the processing of personal data under certain conditions.
  • Right to Data Portability: Receive personal data in a structured, commonly used, and machine-readable format.
  • Right to Object: Object to the processing of personal data on grounds relating to their particular situation.

Requests to exercise these rights can be addressed to the Data Protection Officer at GFOUNDRY through the contact details provided below.

DATA RETENTION AND DELETION

GFOUNDRY retains personal data only as long as necessary to fulfill the purposes for which it was collected. Personal data used in the Gi service for content generation is deleted immediately after the content is produced, ensuring no residual data remains.

INTERNATIONAL DATA TRANSFERS

Any transfer of personal data to third countries or international organizations will comply with GDPR requirements, ensuring adequate protection of personal data.

CONTACT INFORMATION

For any questions, concerns, or requests related to this policy or the processing of personal data, please contact:

  • Email: [email protected]
  • Address: Rua do Instituto Industrial 16, 1200-225 Lisboa – Portugal

UPDATES TO THIS POLICY

GFOUNDRY may update this Privacy and Data Protection Policy to reflect changes in practices or legal requirements. Updates will be published in relevant channels to ensure transparency and inform Users and Customers.

SPECIFIC TERMS FOR THE Gi SERVICE PROVIDED BY OPENAI

In addition to the general terms outlined above, the following specific terms apply to the Gi service provided by OpenAI under the terms of the Data Processing Agreement (DPA) between GFoundry Lda and OpenAI.

1. Processing Requirements

As a Data Processor, OpenAI agrees to:

  • Process Customer Data only on Customer’s behalf for the purpose of providing and supporting OpenAI’s Services, including to provide insights, reporting, analytics, and platform abuse, trust and safety monitoring.
  • Comply with the written instructions received from Customer.
  • Provide a level of privacy protection required by Data Protection Laws.
  • Inform Customer promptly if OpenAI cannot comply with the requirements of this DPA.
  • Not provide Customer with remuneration in exchange for Customer Data.
  • Not “sell” or “share” Personal Data as defined by U.S. Privacy Laws.

2. Notice to Customer

OpenAI will inform Customer if OpenAI becomes aware of:

  • Any legally binding request for disclosure of Customer Data by a law enforcement authority, unless prohibited by law.
  • Any notice, inquiry, or investigation by a Supervisory Authority with respect to Customer Data.
  • Any complaint or request from Customer’s data subjects.

3. Assistance to Customer

OpenAI will provide reasonable assistance to Customer regarding:

  • Responding to requests from Customer’s data subjects in respect of access to or the rectification, erasure, restriction, portability, objection, blocking, or deletion of Customer Data.
  • Investigating any breach of OpenAI’s security leading to unauthorized access to Customer Data.
  • Preparing data protection impact assessments and, where necessary, carrying out consultations with any supervisory authority.

4. Required Processing

If OpenAI is required by Data Protection Laws to process any Customer Data for a reason other than in connection with the Agreement, OpenAI will inform Customer of this requirement in advance, unless legally prohibited.

5. Security

OpenAI will:

  • Maintain reasonable and appropriate organizational and technical security measures to protect Customer Data.
  • Ensure that OpenAI personnel are protecting the security, privacy, and confidentiality of Customer Data.
  • Notify Customer of any Personal Data Breach without undue delay.

6. Obligations of Customer

Customer represents, warrants, and covenants that:

  • It has all necessary rights, consents, and authorizations to provide the Customer Data to OpenAI.
  • It will comply with all applicable Data Protection Laws.
  • It will cooperate with OpenAI to assist in performing any obligations regarding requests from Customer’s data subjects.
  • It will not provide Customer Data to OpenAI except through agreed mechanisms.

7. International Data Transfers

OpenAI will process Customer Data provided by Customer that originates in the EEA or Switzerland in accordance with the Standard Contractual Clauses adopted by the EU Commission.

8. Term; Data Return and Deletion

This DPA shall remain in effect as long as OpenAI carries out Customer Data processing operations on Customer’s behalf. On termination of the DPA, OpenAI will delete Customer Data within thirty (30) days, unless prohibited by law.

EXHIBITS

Exhibit A: List of Parties

  • Data exporter(s): the Services customer identified on the applicable Services registration documents.
  • Data importer(s): OpenAI OpCo, LLC.

Exhibit B: Technical and Organizational Measures

  • Describes the information security program and security standards maintained by OpenAI to protect Customer Data.

 

Related documents: