Privacy policy

Thank you for your interest in the appliedAI Maturity Assessment Tool provided by the UnternehmerTUM GmbH.

We have developed this tool to help companies across Europe to advance their AI (Artificial Intelligence) activities by comprehensively assessing their status quo with regards to AI adoption and identify potentials for improvement. This privacy policy is intended to describe how we process the data that is gathered from users of the appliedAI maturity assessment platform (hereafter also referred to as “platform”).

1. Definitions

In this data protection declaration, we use the following terms:

a) Personal data: Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data subject: Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

c) Processing: Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Controller or controller responsible for the processing: Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

e) Processor: Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

f) Recipient: Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

g) Third party: Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

h) Consent: Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Controller

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

UnternehmerTUM GmbH


85748 Garching bei München


+49 89 18 94 69 0


Website: www.unternehmertum.de

3. Data Protection Officer

The Data Protection Officer of the controller is:

Alexander Stolberg-Stolberg

SVF Lawyers

Oberanger 30

80331 München

+49 89 210 25 120



Any data subject may, at any time, contact our Data Protection Officer directly with all questions and suggestions concerning data protection.

4. Collection of personal data

We have designed the platform in a way that reduces collection of personal data to an absolute minimum. However, some data is required for the operation of the platform. With regards to personal data, the only data we collect is the e-mail address of the user provided with the registration.

When using the platform the following data maybe collected:

  • the browser types and versions used,

  • the operating system used by the accessing system,

  • the website from which an accessing system reaches our website (so-called referrers),

  • the sub-websites,

  • the date and time of access to the Internet site,

  • (an Internet protocol address (IP address),

  • the Internet service provider of the accessing system, and

  • any other similar data and information that may be used in the event of attacks on our information technology systems.

5. Google Cloud Services

We use Google Cloud to publish our platform on the Internet. In this context, personal data may be processed and stored on the servers of the providers, insofar as these are part of communication processes with us or are otherwise processed by us as set out in the context of this privacy policy. This service is provided by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Website: https://cloud.google.com/ ;

Privacy policy: https://www.google.com/policies/privacy ,

Security information: https://cloud.google.com/security/privacy ;

Standard contractual clauses (guaranteeing the level of data protection for processing in third countries): https://cloud.google.com/terms/data-processing-terms ;

Additional information on data protection: https://cloud.google.com/terms/data-processing-terms .

6. Mailgun

When setting up an assessment you will receive an e-mail with a link. For this purpose we use "Mailgun", an email sending platform of the US provider Mailgun Technologies, Inc., 535 Mission St., San Francisco, CA 94105. There is a data processing agreement with Mailgun based on the EU standard contractual clauses. Detailed information on data processing by Mailgun can be found at https://www.mailgun.com/privacy-policy and https://www.mailgun.com/gdpr .

7. Auth0

To manage logins to the platform, we use the services of Auth0, 10900 NE 8th Street, Bellevue, WA 98004, USA 98004, on the basis of our legitimate interests (i.e. interest in the optimisation and economic operation of our online offer within the meaning of Art. 6 Para. 1 lit. f. DSGVO).Please also note Auth0's privacy policy at https://auth0.com/privacy .

8. Legal Basis

(1) Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose.

(2) If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary to provide any service, the processing is based on Article 6(1) lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services.

(3) Is our company subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR.

(4) Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).

9. Rights of data subject

(1) Any person concerned shall have the right

  • for information pursuant to Article 15 GDPR

  • to rectification under Article 16 GDPR

  • to cancellation under Article 17 GDPR

  • to limit the processing pursuant to Article 18 GDPR

  • to appeal under Article 21 GDPR, and

  • to data transferability under Article 20 GDPR.

(2) The restrictions in §§ 34 and 35 BDSG apply to the right to information and the right to cancellation. In addition, there is a right of complaint of a competent data protection supervisory authority (Article 77 GDPR & 19 BDSG).

(3) You can revoke your consent to the processing of personal data at any time. Please note that the revocation will only take effect in the future. Processing that took place before the revocation is not affected.

10. Change to our privacy policy

This privacy policy is currently valid and has the status September 2021.

We reserve the right to amend this privacy policy from time to time to ensure that it always complies with current legal requirements or to implement changes in our privacy policy. As a registered user, you will be informed of such changes by e-mail.