Skip to main content

Which measures has Studytube taken to comply with relevant regulations, including the GDPR and AI Act?

When selecting the provider of our AI chatbot, Ruby, Studytube took several measures to comply with relevant regulations:

  • Careful handling of personal data
    • Low-risk classification: Our risk analysis shows that the chatbot poses a low privacy risk. No sensitive personal data is processed. The only data collected is a name and email address, and this is only when creating a support ticket in Freshdesk. Providing this information is always optional.
    • Data protection: All data is processed within the EEA and is encrypted. Helix3, the chatbot's provider (product name: Gleen), does not use conversational data to train its AI models.
    • GDPR compliance: The chatbot’s dataset consists entirely of our own FAQ articles. No personal data is stored in this dataset.
  • Transparency about AI functionality
    • Users are informed when they open the chatbot that they are interacting with an AI chatbot, as required by the AI Act.
    • The chatbot is only available to staff with LMS management rights, ensuring its use is limited to a specific audience.
    • There is always a human alternative available. If the chatbot cannot provide a suitable answer, the user can immediately create a ticket or choose another support option (email or phone).
  • Agreements with the sub-processor (Helix3)
    • Data Processing Agreement (DPA): We have a DPA with Helix3 that outlines agreements on data processing. Helix3 is also part of the Data Privacy Framework.
    • Technical documentation: The chatbot uses various models (such as OpenAI and Vector Search). These models are not trained on user data.
  • Compliance with the AI Act
    • Risk analysis: The chatbot is classified as a low-risk system. Potential risks, such as misinformation, are mitigated through monitoring and transparency.
    • Monitoring and security: Our staff regularly reviews the chatbot's performance to identify and correct incorrect or harmful answers.
    • Transparency requirements: All conversations with the chatbot are traceable and auditable, as required by the AI Act. It is also made clear to users that they are interacting with an AI chatbot.
  • Data retention period
    Personal data is retained for a maximum of 13 months.