Privacy & EU Regions

Admin Bud-E is designed with privacy-first principles, making it suitable for GDPR-compliant deployments in schools, universities, and public institutions.

Core Privacy Principles

1. Local Conversation Storage

Conversation history stays in the user's browser.

  • Chats are stored in browser local storage
  • Never sent to the middleware server
  • Never logged or archived server-side
  • User can clear at any time (browser data/cache)

TIP

This is the key privacy feature. The middleware acts purely as a request broker and accountant, not a chat database.

2. Minimal Personal Data

Admin Bud-E requires no personal identifiers:

  • No real names
  • No email addresses
  • No phone numbers
  • No birthdates

What is stored:

  • Username (arbitrary identifier like student-00123 or class-5a)
  • API key (random token)
  • Credit balance
  • Usage metadata (tokens, timestamps, costs)

INFO

You can issue keys to groups (e.g., class-5a) instead of individuals, further minimizing personal data.

3. No Vendor Lock-In

Users don't create accounts with external AI providers (Google, OpenAI, etc.). The middleware uses your organization's API keys, so:

  • Users remain anonymous to providers
  • No individual tracking by vendors
  • Easier to switch providers
  • Centralized control

GDPR Compliance

For educational use, typical legal bases are:

  1. Public Interest (Art. 6(1)(e) GDPR) — Schools performing public education tasks
  2. Legitimate Interest (Art. 6(1)(f) GDPR) — Organizations pursuing educational goals
  3. Consent (Art. 6(1)(a) GDPR) — If required by your DPO

WARNING

Consult your Data Protection Officer (DPO) to determine the appropriate legal basis for your context.

Data Minimization

Admin Bud-E minimizes data collection:

Stored:

  • Username (pseudonymous)
  • Usage metadata (tokens, time, cost)
  • API key (random)

Not stored:

  • Chat content
  • IP addresses (optional: can be logged for security, but not required)
  • User-identifiable information

Right to Access (Art. 15 GDPR)

Users can request:

  • Their usage logs
  • Credit balance history
  • Associated metadata

How to fulfill:

  1. Export usage report filtered by username
  2. Provide in human-readable format (CSV + explanation)

Right to Erasure (Art. 17 GDPR)

Users can request deletion of:

  • Their account
  • Usage logs

How to fulfill:

  1. Navigate to Users → Delete user
  2. Optionally anonymize usage logs (replace username with deleted-user-XXX)

INFO

Some jurisdictions require retaining aggregated usage data for accounting. Consult your DPO on anonymization vs. deletion.

Right to Data Portability (Art. 20 GDPR)

Users can request their data in machine-readable format.

How to fulfill:

  1. Export usage report as CSV
  2. Include:
    • Username
    • Timestamps
    • Tokens/characters/duration
    • Credits spent

Data Retention

Define and communicate your retention policy:

Example policy:

  • Usage logs: 12 months
  • Anonymized aggregates: 5 years (for budgeting)
  • User accounts: Deleted 6 months after last activity

Implement automatic deletion:

  • Schedule monthly cleanup job
  • Archive old data before deletion (if required)
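The erasure step above (replacing a username with deleted-user-XXX) and the retention job in this section, as an added example that is not part of Admin Bud-E. It assumes usage records are dicts with username, timestamp (ISO 8601), tokens and credits fields, a RETENTION_DAYS value of 365 matching the 12-month policy, and the constructed sample rows shown.

```python
"""Retention and erasure helpers for usage logs (added example, not
Admin Bud-E's own code; record layout and SAMPLE_LOGS are assumed)."""
import csv
import secrets
from datetime import datetime, timedelta

RETENTION_DAYS = 365  # "Usage logs: 12 months"

# Constructed sample usage log (not real data).
SAMPLE_LOGS = [
    {"username": "student-00123", "timestamp": "2024-01-15T10:00:00+00:00", "tokens": 1200, "credits": 3},
    {"username": "student-00123", "timestamp": "2025-02-20T09:30:00+00:00", "tokens": 800, "credits": 2},
    {"username": "class-5a", "timestamp": "2025-02-21T11:00:00+00:00", "tokens": 4000, "credits": 10},
]


def anonymize_user(records, username, suffix=None):
    """Right to erasure: replace one username with deleted-user-XXX.
    A random suffix is drawn once per erasure, so the user's rows stay
    linkable to each other for accounting but no longer to the person.
    Returns (new_records, pseudonym, rows_changed); input is not mutated."""
    pseudonym = f"deleted-user-{suffix or secrets.token_hex(4)}"
    out = [{**r, "username": pseudonym} if r["username"] == username else r for r in records]
    changed = sum(1 for r in records if r["username"] == username)
    return out, pseudonym, changed


def cleanup(records, now_iso, archive=None):
    """Monthly cleanup job: archive rows older than RETENTION_DAYS as CSV
    (when a writable text file is given), then drop them.
    Returns (kept_records, archived_count)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=RETENTION_DAYS)
    expired = [r for r in records if datetime.fromisoformat(r["timestamp"]) < cutoff]
    kept = [r for r in records if datetime.fromisoformat(r["timestamp"]) >= cutoff]
    if archive is not None and expired:
        writer = csv.DictWriter(archive, fieldnames=list(expired[0]))
        writer.writeheader()
        writer.writerows(expired)
    return kept, len(expired)


def monthly_aggregate(records):
    """Anonymized aggregate for budgeting: credits per month, no usernames."""
    totals = {}
    for r in records:
        month = r["timestamp"][:7]  # YYYY-MM
        totals[month] = totals.get(month, 0) + r["credits"]
    return totals
```

Run cleanup from a scheduled job with an open archive file and keep only the output of monthly_aggregate for the five-year budgeting window.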

EU Data Residency

For GDPR compliance, keep data processing within the EU.

Middleware Server Location

Recommendation: Host in EU datacenter

Options:

Benefits:

  • Data doesn't leave EU
  • Lower latency for EU users
  • Simpler compliance

AI Provider Regions

Choose providers with EU data processing:

EU Regions:

  • europe-west1 (Belgium)
  • europe-west3 (Frankfurt, Germany)
  • europe-west4 (Netherlands)
  • europe-west9 (Paris, France)

How to configure:

  1. When creating your Vertex provider in Admin Bud-E, set Region to one of the above
  2. Requests are routed to that region's endpoints
  3. Data processing happens in the EU

References:

Mistral AI (EU Provider)

Location: France (EU company, EU infrastructure)

Benefits:

  • Founded in France, subject to GDPR
  • Data processing in EU
  • Strong privacy commitments

Reference: Mistral AI Trust Center

Other Providers

Together AI:

  • Check their Data Processing Agreement (DPA)
  • May route through US datacenters (verify)

OpenAI:

DANGER

Always verify with the provider's documentation and DPA where data is processed.

Data Processing Agreements (DPAs)

For GDPR, you need a DPA with each AI provider.

What is a DPA?

A legal contract specifying:

  • Where data is processed
  • How long data is retained
  • Security measures
  • Sub-processors (if any)
  • Your rights as data controller

How to Obtain DPAs

Google Cloud:

  1. Sign in to Google Cloud Console
  2. Navigate to Privacy → Data Processing Amendment
  3. Accept online (legally binding)

Mistral AI:

  • Available on request from their support
  • Check Trust Center for standard terms

Others:

  • Check provider website under "Legal," "Privacy," or "Enterprise"
  • Contact sales for enterprise DPA

TIP

Keep signed DPAs on file. Your DPO may request them during audits.

TTS and ASR Considerations

Text-to-Speech (TTS)

Data sent to provider:

  • Text to be spoken (e.g., "Hello, how are you?")
  • Voice parameters (language, gender, pitch)

Privacy risk: Moderate

  • Text may contain sensitive info (depends on use case)
  • No conversation history (one-off synthesis)

Mitigation:

  • Use EU-based TTS (Google Cloud TTS in EU region)
  • Educate users not to synthesize personal data
  • Review DPA terms on data retention

Automatic Speech Recognition (ASR)

Data sent to provider:

  • Audio file (user's voice recording)
  • Language parameters

Privacy risk: Higher

  • Voice is biometric data (special category under GDPR Art. 9)
  • May contain sensitive content

Mitigation:

  • Use EU-based ASR
  • Inform users that voice is processed
  • Ensure DPA covers biometric data
  • Minimize retention (transcribe and delete audio)
  • Consider on-device ASR (Whisper local models) for highest privacy

WARNING

Voice recordings are special category data under GDPR. Extra safeguards required. Consult your DPO.

User Notifications

What to Tell Users

Required disclosures (GDPR Art. 13):

  1. Who is responsible: Your organization (data controller)
  2. What data is collected:
    • Usage metadata (tokens, timestamps)
    • No chat content stored server-side
  3. Why (purpose):
    • Provide AI assistant services
    • Track usage and credits
  4. Legal basis: (e.g., public interest, legitimate interest)
  5. How long data is kept: (your retention policy)
  6. Their rights:
    • Access, correction, deletion
    • Objection, data portability
  7. How to exercise rights: Contact your admin/DPO
  8. Data transfers: If using non-EU providers, disclose and explain safeguards

Sample Privacy Notice (Short)

Admin Bud-E Privacy Notice

We use Admin Bud-E to provide AI assistant services. When you make requests:

  • Your conversations stay in your browser (not stored on our servers).
  • We log usage data (tokens, time, cost) to manage credits.
  • We use Google Vertex AI (EU region: Belgium) to process requests.
  • Your data is kept for 12 months, then deleted.

You can request access, correction, or deletion by emailing [privacy@yourschool.edu].

For full details, see [link to full privacy policy].

Where to Publish

  • School website
  • Admin Bud-E login page (link at bottom)
  • User onboarding email
  • Classroom materials

Security Measures

Encryption

In transit:

  • Always use HTTPS (TLS 1.2 or higher)
  • Ensure reverse proxy (Caddy/Nginx) has valid certificate

At rest:

  • Database encryption (if supported by your deployment)
  • Backups should be encrypted

Access Control

Admin accounts:

  • Strong passwords (min 12 characters, mixed case, symbols)
  • Rotate passwords every 90 days
  • Limit number of admins (principle of least privilege)

API keys:

  • Generated securely (high entropy)
  • Stored hashed (if feature available)
  • Rotate on compromise
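The three API-key points above (high-entropy generation, hashed storage, revocation on compromise), as an added example that is not Admin Bud-E's own code. It assumes an in-memory dict as the key store and an "abe_" key prefix; both are illustrative choices, not the middleware's actual format.

```python
"""High-entropy API keys stored only as hashes (added example; the
store, the abe_ prefix and the method names are assumptions)."""
import hashlib
import secrets

KEY_PREFIX = "abe_"  # assumed prefix so keys are recognisable to secret scanners


def generate_api_key():
    """256 bits from the OS CSPRNG, URL-safe so it fits in an Authorization header."""
    return KEY_PREFIX + secrets.token_urlsafe(32)


def key_hash(api_key):
    """SHA-256 of the key. Keys are random, so unlike passwords there is no
    low-entropy input to brute-force and a fast unsalted hash is adequate."""
    return hashlib.sha256(api_key.encode()).hexdigest()


class KeyStore:
    """Maps key hashes to usernames; the plaintext key is returned once at
    issue time and never kept, so a database leak exposes no usable keys."""

    def __init__(self):
        self._by_hash = {}

    def issue(self, username):
        key = generate_api_key()
        self._by_hash[key_hash(key)] = username
        return key  # show to the user once; not recoverable afterwards

    def lookup(self, presented_key):
        """Username for a valid key, else None (hash the presented key, then match)."""
        return self._by_hash.get(key_hash(presented_key))

    def revoke(self, username):
        """Rotate on compromise: drop every hash for the user and return how many."""
        doomed = [h for h, u in self._by_hash.items() if u == username]
        for h in doomed:
            del self._by_hash[h]
        return len(doomed)
```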

Logging

Security logs:

  • Admin logins
  • Failed authentication attempts
  • User creation/deletion
  • Credit adjustments

Audit trail:

  • Who made changes
  • When
  • What changed

TIP

Keep security logs separate from usage logs. Retain for at least 12 months.

Sub-Processors

Under GDPR, you must disclose sub-processors (third parties that process data).

For Admin Bud-E, typical sub-processors:

  1. AI Provider (e.g., Google Vertex AI)
    • Purpose: Generate AI responses
    • Location: EU (if configured)
    • DPA: Yes (Google Cloud Platform DPA)
  2. Hosting Provider (e.g., Hetzner)
    • Purpose: Host middleware server
    • Location: Germany (or other EU country)
    • DPA: Yes (Hetzner DPA)

Maintain a list:

  • Name
  • Purpose
  • Location
  • DPA status

Update when adding providers.

Cookies and Tracking

Admin Bud-E typically uses:

Session cookies (essential):

  • Admin login session
  • Required for functionality
  • No consent needed (ePrivacy Directive exception)

Local storage (in user browser):

  • Conversation history (user-controlled)
  • User preferences
  • Consent choices (if applicable)

No tracking cookies:

  • No analytics (unless you add Google Analytics or similar)
  • No advertising
  • No third-party trackers

INFO

If you add analytics (Google Analytics, Matomo, etc.), you must:

  1. Update privacy notice
  2. Obtain consent (if required by ePrivacy Directive)
  3. Anonymize IPs

Data Breach Response

If a data breach occurs:

  1. Assess severity:
    • What data was accessed? (usernames, usage logs, API keys?)
    • How many users affected?
    • Risk of harm?
  2. Notify DPO immediately (within hours)
  3. Contain breach:
    • Revoke compromised API keys
    • Patch vulnerability
    • Secure backups
  4. GDPR notification requirements:
    • Supervisory authority: Within 72 hours (if high risk)
    • Affected users: Without undue delay (if high risk to them)
  5. Document:
    • What happened
    • Actions taken
    • Lessons learned

DANGER

Failure to report a breach can result in fines up to €10 million or 2% of global turnover (GDPR Art. 83).

Checklist for GDPR Compliance

Use this checklist before launching:

  • [ ] Middleware server hosted in EU
  • [ ] AI providers use EU regions (Vertex, Mistral, etc.)
  • [ ] DPAs signed with all providers
  • [ ] Privacy notice published and linked
  • [ ] Data retention policy defined
  • [ ] User rights procedures documented (access, deletion)
  • [ ] Security measures implemented (HTTPS, strong passwords)
  • [ ] Sub-processor list maintained
  • [ ] Admin access restricted (principle of least privilege)
  • [ ] Backup encryption enabled
  • [ ] Data breach response plan documented
  • [ ] DPO consulted (if required)
  • [ ] Legal basis determined

Next Steps