Privacy Policy

Last updated: April 17, 2026

1. Introduction

Inštitut Utrip ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services, including PreventAdvisor, an AI-powered chatbot for evidence-based prevention.

This Privacy Policy complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Slovenian data protection laws.

2. Data Controller

Inštitut Utrip
Laze pri Borovnici 9
Laze pri Borovnici
1353 Borovnica
Slovenia
Email: info@institut-utrip.si
Website: https://ai.institut-utrip.si/

3. Information We Collect

3.1 Information You Provide

When you register for and use PreventAdvisor, we collect:

  • Account Information - Email address, username, display name, first name, last name (as provided in WordPress user profile)
  • Chatbot Conversations - All messages you send to and receive from the PreventAdvisor chatbot, including:
    • Your questions and queries
    • AI assistant responses
    • Source citations and references
    • Session identifiers
  • Audio Files - MP3 audio files generated from chatbot responses (when you request audio summaries)
  • Feedback Data - Ratings (thumbs up/down) and optional suggestion text you provide about chatbot responses
  • Email Subscription - Email address and GDPR consent when signing up for early access notifications

3.2 Automatically Collected Information

When you use our website and services, we automatically collect:

  • Usage Data - API call counts, rate limit tracking, subscription start dates, and last reset dates
  • Technical Data - IP address, browser type and version, device information
  • Navigation Data - Pages visited, time spent on pages, referring website addresses
  • WordPress Data - Standard WordPress user data including registration date, login history, and role assignments

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Provision - To provide and maintain the PreventAdvisor chatbot service, including:
    • Processing your queries and generating AI responses
    • Saving and retrieving your conversation history
    • Generating audio summaries when requested
    • Managing your account and access permissions
  • Rate Limiting - To track API usage and enforce usage limits based on your subscription tier (subscriber: 200 calls/month)
  • Service Improvement - To analyze usage patterns, feedback, and improve the quality of responses and user experience
  • Product Launch Notifications - To notify you when PreventAdvisor becomes available for testing and public use (via Mailchimp)
  • Communication - To send you updates about PreventAdvisor, including alpha testing opportunities and product updates
  • Email Delivery - To send chatbot conversation summaries to your email address when requested
  • Legal Compliance - To comply with legal obligations, respond to legal requests, and protect our rights
  • Security - To detect, prevent, and address technical issues, fraud, and security threats

5. Data Storage and Processing

5.1 Data Storage Locations

Your personal data is stored in the following locations:

  • WordPress Database - All chatbot conversations, user accounts, rate limit data, and feedback are stored in our WordPress database hosted on our servers
  • File Storage - MP3 audio files are stored on our servers so that the sessions in your history remain available for you to download and listen to later. These MP3 files are not shared with any third parties or listened to by anyone other than you.
  • Mailchimp - Email addresses for newsletter subscriptions are stored on Mailchimp's servers (see section 5.2)

5.2 Third-Party Data Processors

Mailchimp

We use Mailchimp, a third-party email marketing service operated by The Rocket Science Group LLC, to store email addresses and send notifications. Mailchimp is GDPR-compliant.

Your email address is stored on Mailchimp's servers, which are located in the United States. Mailchimp has implemented appropriate safeguards to protect your data in accordance with GDPR requirements, including Standard Contractual Clauses (SCCs) approved by the European Commission.

For more information about Mailchimp's privacy practices, please visit: https://mailchimp.com/legal/privacy/

Chatbot API Service

When you interact with PreventAdvisor, your queries are sent to our chatbot API service hosted on Render.com. This service processes your questions and generates responses. The API service may log your queries, response times, and technical metadata for service improvement and debugging purposes.

5.3 Data Retention Periods

We retain your personal data for the following periods:

  • Chatbot Conversations - Retained until you delete them manually or request account deletion. You can delete individual conversations at any time through the chatbot interface.
  • Rate Limit Data - Retained for the duration of your account plus 30 days after account deletion for audit purposes
  • Feedback Data - Retained for 3 years from submission date for service improvement purposes
  • MP3 Audio Files - Retained until you delete the associated conversation or request account deletion
  • Email Addresses (Mailchimp) - Retained until you unsubscribe or request deletion
  • WordPress User Account Data - Retained until you request account deletion or we determine the data is no longer necessary

After the retention period expires, we will securely delete or anonymize your personal data, unless we are required to retain it for legal compliance purposes.

6. Legal Basis for Processing (GDPR)

Under GDPR Article 6, we process your personal data based on the following legal grounds:

  • Consent (Article 6(1)(a)) - You have given explicit consent for:
    • Receiving email notifications about PreventAdvisor (via Mailchimp)
    • Processing your chatbot conversations
    • Storing and processing feedback you provide
  • Contract Performance (Article 6(1)(b)) - Processing necessary to provide the PreventAdvisor service you have requested, including:
    • Storing conversation history for your access
    • Managing your account and access permissions
    • Enforcing rate limits based on your subscription tier
  • Legitimate Interest (Article 6(1)(f)) - We have a legitimate interest in:
    • Improving our services through usage analysis and feedback
    • Preventing abuse and ensuring fair usage through rate limiting
    • Ensuring security and preventing fraud
    • Maintaining service quality and debugging technical issues
  • Legal Obligation (Article 6(1)(c)) - Processing necessary to comply with legal obligations, including data protection laws and responding to legal requests

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of Access (Article 15) - You can request a copy of all personal data we hold about you, including:
    • Your account information
    • All chatbot conversations
    • Rate limit and usage data
    • Feedback you have submitted
  • Right to Rectification (Article 16) - You can request correction of inaccurate or incomplete personal data. You can update your WordPress profile information directly in your account settings.
  • Right to Erasure (Article 17) - "Right to be Forgotten" - You can request deletion of your personal data, including:
    • Deleting individual chatbot conversations through the interface
    • Requesting complete account deletion
    • Requesting deletion of feedback submissions

    Note: We may retain certain data if required by law or for legitimate business purposes (e.g., legal claims, audit requirements).

  • Right to Restrict Processing (Article 18) - You can request that we limit how we use your data in certain circumstances, such as when you contest the accuracy of data or object to processing.
  • Right to Data Portability (Article 20) - You can request a copy of your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV). This includes:
    • Your chatbot conversation history
    • Your account data
    • Your feedback submissions
  • Right to Object (Article 21) - You can object to processing of your personal data based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds.
  • Right to Withdraw Consent (Article 7(3)) - You can withdraw your consent at any time. This includes:
    • Unsubscribing from email notifications (via Mailchimp unsubscribe link)
    • Requesting deletion of your account
  • Right to Lodge a Complaint (Article 77) - You have the right to lodge a complaint with the Slovenian supervisory authority if you believe your data protection rights have been violated (see Section 14).

How to Exercise Your Rights:

To exercise any of these rights, please contact us at info@institut-utrip.si with:

  • Your name and email address
  • A clear description of the right you wish to exercise
  • Any relevant details (e.g., specific conversations to delete)

We will respond to your request within one month (may be extended by two months for complex requests). We may request verification of your identity before processing certain requests.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (HTTPS)
  • Secure storage practices
  • Regular security assessments
  • Access controls and authentication

However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including:

  • United States - Mailchimp servers and chatbot API service (Render.com hosting)
  • Other countries - Where our third-party service providers operate

We ensure that such transfers comply with GDPR requirements (Chapter V) through:

  • Standard Contractual Clauses (SCCs) - Approved by the European Commission for data transfers to third countries
  • Adequacy Decisions - Where applicable, transfers to countries with adequacy decisions
  • GDPR-Compliant Data Processing Agreements - With all third-party processors
  • Additional Safeguards - Technical and organizational measures to protect your data

By using our services, you consent to these international transfers. You have the right to request information about the safeguards we have in place for international transfers.

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies for the following purposes:

  • Essential Cookies - Required for the website to function, including WordPress authentication and session management
  • Functional Cookies - To remember your preferences and improve your experience
  • Analytics Cookies - To understand how visitors use our website (if applicable)

You can control cookie preferences through your browser settings. However, disabling essential cookies may affect the functionality of the website and PreventAdvisor service.

We do not use cookies for advertising or tracking across third-party websites.

11. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16 years of age.

If you are a parent or guardian and believe that your child under 16 has provided us with personal information, please contact us immediately at info@institut-utrip.si. We will take steps to delete such information from our systems.

If we become aware that we have collected personal data from a child under 16 without parental consent, we will delete that information promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top of this page
  • Sending an email notification to registered users (for significant changes)

You are advised to review this Privacy Policy periodically. Your continued use of our services after changes become effective constitutes acceptance of the updated Privacy Policy.

If you do not agree with the changes, you may stop using our services and request deletion of your account.

13. Contact Information

If you have any questions about this Privacy Policy, wish to exercise your GDPR rights, or have concerns about how we handle your personal data, please contact us:

Inštitut Utrip
Laze pri Borovnici 9
Laze pri Borovnici
1353 Borovnica
Slovenia
Email: info@institut-utrip.si
Website: https://ai.institut-utrip.si/

Data Protection Officer

For GDPR-related inquiries, data protection concerns, or to exercise your rights under GDPR, you can contact our Data Protection Officer at: info@institut-utrip.si

We will respond to your inquiry within one month as required by GDPR Article 12(3).

14. Supervisory Authority

If you are not satisfied with our response to your data protection concerns or believe that we have not adequately addressed your GDPR rights, you have the right to lodge a complaint with the Slovenian supervisory authority:

Informacijski pooblaščenec (Information Commissioner)
Dunajska cesta 22
1000 Ljubljana
Slovenia
Website: https://www.ip-rs.si/
Email: gp.ip@ip-rs.si
Phone: +386 1 230 97 30

You also have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or the place of the alleged infringement, if different from Slovenia.

15. Special Categories of Personal Data

PreventAdvisor is designed for evidence-based prevention science. While we do not intentionally collect special categories of personal data (sensitive data) as defined in GDPR Article 9, please be aware that:

  • Your chatbot conversations may contain information about health, prevention strategies, or other topics that could be considered sensitive
  • We process such data only to the extent necessary to provide the service you have requested
  • We do not use your conversations for profiling or automated decision-making that produces legal effects
  • All conversation data is stored securely and accessed only by authorized personnel for technical support purposes

If you have concerns about sensitive information in your conversations, you can delete conversations at any time or request account deletion.

16. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or significantly affects you. The PreventAdvisor chatbot uses AI to generate responses based on your queries, but:

  • All responses are generated in real-time based on your specific questions
  • We do not create profiles about you based on your conversations
  • Rate limiting is based solely on your subscription tier, not on profiling
  • You always have the right to human intervention and can contact us directly