Terms & Conditions

OwnKeyBot – GTC, Terms of Use, and Privacy Policy

General Terms and Conditions (GTC)

1. Scope and Provider

These General Terms and Conditions (GTC) apply to all contracts and the use of the OwnKeyBot software platform, which is operated by nahgenuss web service KG, Mariahilferstraße 13/8, 8020 Graz, Austria (hereinafter "Operator" or "we"). The platform is aimed at both entrepreneurs (B2B) and consumers (B2C) as customers. By registering on the platform or using our services, you agree to these GTC. Any conflicting or deviating terms and conditions of the customer shall not become part of the contract unless we have expressly agreed to their validity in writing.

2. Subject of the Contract and Platform Services

OwnKeyBot is an online software platform (Software-as-a-Service) that allows customers to integrate their own AI chatbot into their website. To this end, the Operator provides the following main services:

  • Registration and Account: Customers can create an account on OwnKeyBot and gain access to the web-based platform. After successful registration, the customer receives access to a dashboard where they can configure and manage chatbots.
  • Integration of an OpenAI API Key: The customer has the option to store a personal OpenAI API key in their OwnKeyBot account. This API key is obtained by the customer from OpenAI under their own responsibility. The platform uses the stored key to make requests to the OpenAI API on behalf of the customer and to receive responses from the AI model. Communication with OpenAI's AI services thus takes place exclusively via the customer's API key, meaning the OpenAI service is used directly by the customer. The Operator has no control over the content provided by OpenAI and assumes no guarantee for it.
  • Provision of Chatbot Code: Through the platform, the customer can generate code (a JavaScript widget or iFrame) to embed the chatbot on their own website. The Operator provides these integration options and keeps the platform functional so that end-users can use the chatbot on the customer's website.
  • Storage of Chat Histories: The chatbot conversations (requests and responses) conducted by end-users on the customer's website are stored on the OwnKeyBot platform. These chat histories are exclusively visible to the respective customer via their account; end-users do not have access to them. The storage is carried out to enable the customer to analyze or track the chats and to provide the service functionality.
  • Billing via Stripe: The use of OwnKeyBot is subject to a fee, unless otherwise specified (e.g., free trial period). The billing of fees is automated via the payment service Stripe. Stripe is a service of Stripe Payments Europe Ltd. (Ireland) or the American Stripe, Inc. Depending on the selected package (e.g., monthly usage fee, tiered by chat volume or feature scope), payments are collected regularly via Stripe. Details on prices and payment intervals are shown on the platform or our website.

3. Conclusion of Contract and Registration

The presentation of the OwnKeyBot service on our website does not constitute a binding offer. The contract between the Operator and the customer for the use of the platform is only concluded upon registration and activation of an account and, if applicable, the selection of a paid package by the customer.

  • Registration Process: To use OwnKeyBot, the customer must create a user account. The customer is obliged to provide complete and truthful information during registration (in particular name/company, address, valid email). Any subsequent changes to this data must be updated immediately in the account settings.
  • Minimum Age: By registering, the customer confirms that they have full legal capacity. Consumers must have reached the age of 18 (or be represented by a legal guardian) to create an OwnKeyBot account. Companies confirm that the person carrying out the registration is authorized to represent the company and to legally consent to these GTC on behalf of the company.
  • Account and Access Data: Each customer may only maintain one user account and may not transfer it to third parties. Access data must be kept secret by the customer. The customer is responsible for all activities carried out using their access data. If the customer discovers unauthorized use of their account, they must inform us immediately. We assume no liability for damages resulting from unauthorized account access, unless we are responsible for it.

4. Obligations and Responsibilities of the Customer

The customer undertakes to use OwnKeyBot only within the framework of the contractual provisions, legal regulations, and in accordance with these GTC and the Terms of Use (see below). In particular, the following obligations apply:

  • Compliance with OpenAI Policies: Since the customer uses their own OpenAI API key on our platform, they must comply with the relevant usage policies and terms and conditions of OpenAI (openai.com). In particular, the service may not be used for illegal, harmful, or abusive purposes. The customer may not generate or allow the distribution of content via the chatbot that violates applicable law, the rights of third parties, or OpenAI policies (e.g., no incitement to violence, no discriminatory, offensive, defamatory, or youth-endangering content). The customer acknowledges that violations of OpenAI's terms may lead to the revocation of their API key by OpenAI.
  • Use of the API Key: The customer is responsible for ensuring that their OpenAI API key is kept secure and used only by them or within the scope of OwnKeyBot's functions. We store the key in encrypted form and only retrieve it to make requests to OpenAI on your behalf. The customer will not pass on their API key to unauthorized persons and is liable for any misuse of their key, insofar as they are responsible for it.
  • Prohibited Uses of the Platform: The customer may not misuse the OwnKeyBot platform. In particular, interference with the technology (e.g., hacking, bypassing security mechanisms), excessive load on the systems beyond the booked service package, the use of automated scripts outside the intended API interfaces, and any use of the platform that infringes the rights of third parties (e.g., copyrights, data protection rights) are prohibited. Furthermore, the customer may not distribute viruses, malware, or other harmful software via our service.
  • Chatbot Content: The customer is responsible for all content that the chatbot outputs to end-users, insofar as this content is based on the customer's specifications or training data or has been subsequently influenced by the customer. In the external relationship, the person who uses the AI is always liable for the answers generated by it. The Operator merely provides the technical infrastructure and has no influence on the specific statements of the chatbot operated by the customer. The customer is aware that the AI is based on statistical language models and that no guarantee can be given for the accuracy or completeness of the answers. The customer will therefore check the information generated by the chatbot at their own discretion – especially before using or publishing it for business purposes.
  • Information Obligations towards End-Users: If the customer embeds the OwnKeyBot chatbot on their own website, they are responsible under data protection law for the processing of the chat data of their website visitors. The customer undertakes to adequately inform the end-users of their website about the use of the chatbot and the processing of the data entered (e.g., in the privacy policy of the customer's website) and – where necessary – to obtain the consent of the end-users before personal data is collected in the chatbot. This includes, in particular, a notice that the user's chat inputs are stored and forwarded to the OpenAI API for a response. The customer is responsible for the lawful processing of the personal data of its end-users collected via the chatbot and ensures that it has all the necessary legal bases, authorizations, or consents for this. The Operator acts in this respect merely as a processor within the meaning of Art. 4(8) GDPR for the customer (see also Section 8 Data Protection).
  • Omission of Sensitive Data Transmission: The customer will not enter any particularly sensitive personal data (within the meaning of Art. 9 GDPR, e.g., health data) or other confidential data into the chatbot or have it entered by end-users, unless there is a function or necessity expressly provided for this purpose. The customer is aware that entered data could be transmitted to OpenAI servers outside the EU (see Data Protection section) and may be subject to limited control there. GDPR-compliant processing of such data can only be guaranteed as long as no personal or sensitive data is entered into the AI by the customer (or only when using an EU hosting option, if available). In case of doubt, the customer must anonymize such data before entering it.

5. Prices, Payment, and Billing

The current price models (e.g., monthly subscriptions, based on feature scope) and fees for OwnKeyBot are indicated on the website or within the platform. All prices are – unless otherwise stated – inclusive of statutory value-added tax.

  • Payment Processing via Stripe: Paid services are collected via the payment service Stripe. The customer agrees that we may transmit their necessary payment data to Stripe for billing purposes. The payment method specified by the customer (e.g., credit card) is automatically charged at the agreed intervals (e.g., monthly in advance for a subscription). Stripe may collect further data during the payment process (e.g., device identifier, IP address); for this, we refer to Stripe's privacy policy. We ourselves do not store complete credit card numbers or payment details on our systems, but only receive information from Stripe about the payment outcome.
  • Due Date and Default: The usage fee is due in advance for the upcoming usage period (unless otherwise agreed). If a payment collection fails (e.g., due to an invalid credit card or insufficient funds), we will notify the customer by email. In this case, the customer is obliged to provide a valid payment method in a timely manner. In the event of payment default, we are entitled to temporarily suspend the account or, after a reasonable period, to terminate it extraordinarily if the customer does not pay despite a reminder and a reasonable grace period.
  • Price Changes: We reserve the right to change the prices for our services appropriately or to introduce new service packages. Any price changes will be announced to the customer in advance (usually at least 4 weeks before they take effect) by email. If the customer does not agree with the price change, they can terminate the contract extraordinarily before the change takes effect. Without timely termination, the changed prices will apply from the notified date.

6. Contract Term, Termination, and Suspension

The contract for the use of the OwnKeyBot platform runs for an indefinite period, unless a fixed term was agreed upon at the time of booking. Both parties can terminate the user contract at any time with proper notice if no minimum term or subscription period has been agreed. For ongoing subscriptions without a fixed term, the customer can terminate the contract at any time with effect from the end of the current billing period; fees already paid for the current period will not be refunded on a pro-rata basis (except in the case of a legally provided withdrawal by consumers, see Right of Withdrawal below).

  • Form of Termination: The customer's termination can be made via the functions provided on the platform (account settings) or in text form (by email to us). We can declare the termination to the customer by email.
  • Minimum Contract Terms: If the customer has chosen a package with an agreed minimum term or commitment period, ordinary termination is possible for the first time at the end of this minimum term. Without termination, such a contractual relationship is automatically extended by the extension period specified in the offer (e.g., monthly or annually), but for a maximum of 12 months, and can then be terminated with due notice. The right to premature termination for cause remains unaffected.
  • Extraordinary Termination: Both parties are entitled to terminate the contract without notice for an important reason. An important reason for termination by the Operator exists, in particular, if the customer violates essential obligations of these GTC (e.g., serious or repeated violations of the usage rules in Section 4 or payment default despite a reminder) and does not remedy the violation within a reasonable period despite a request. In the event of a justified termination by us without notice, the customer has no claim to a refund of fees already paid.
  • Suspension of the Account: Instead of termination, we may, at our own discretion, temporarily suspend the customer's account if there are indications of abusive or illegal use of the platform. This applies in particular to prevent damage, to investigate security incidents, or during payment default. In this case, the customer remains obliged to continue paying the monthly fees. We will inform the customer immediately about a suspension and its reasons. As soon as the reason for the suspension has been resolved, the account will be reactivated. Our rights to termination remain unaffected.

7. Liability and Warranty

a) Warranty:

The Operator warrants that the OwnKeyBot software will be provided substantially in accordance with the contract. However, it is pointed out that constant and uninterrupted availability of the platform cannot be technically guaranteed. Occasional interruptions, maintenance times, or disruptions may occur. The Operator will endeavor to remedy any disruptions quickly. For consumers, the statutory warranty rights apply without restriction; these are not limited or excluded by these GTC. For entrepreneurs, any warranty for the platform and its functions is excluded to the extent permitted by law. As an entrepreneur, the customer must report any defects immediately. A guarantee in the legal sense is not assumed by the Operator; in particular, the Operator does not guarantee that specific results intended by the customer can be achieved through the use of the chatbot service.

b) Content Responsibility and AI Results:

The Operator provides the technical infrastructure for the AI chatbot but is not liable for the content-related statements of the chatbot. The customer expressly acknowledges that the chatbot's answers are based on the OpenAI AI and that the Operator has no influence on this. The provider is not liable for false statements or actions of the chatbot caused by the AI. The customer uses the information generated by the chatbot at their own risk and responsibility. If third parties assert claims against the customer or the Operator due to content that the chatbot has delivered at the instigation of the customer (e.g., for infringement of personality rights, copyrights, incorrect information, etc.), the customer shall indemnify the Operator from all related third-party claims upon first request, provided the customer has caused the reason for this (e.g., through inadmissible use of the AI or the training data).

c) Limitation of Liability of the Operator:

The Operator is liable to the customer – regardless of the legal reason – for damages only in cases of intent and gross negligence. In cases of slight negligence, we are only liable for the breach of an essential contractual obligation (cardinal duty), but limited to the typically foreseeable damage. An essential contractual obligation is a duty whose fulfillment makes the proper execution of the contract possible in the first place and on whose compliance the customer may regularly rely. Insofar as liability for slight negligence can be permissibly limited, this applies in consumer business within the legal framework – liability for simple negligence can be effectively excluded contractually towards consumers, but not for gross negligence or intentional harm. Towards entrepreneurs, we are also not liable for grossly negligent damages, unless they were caused by organs or senior employees of the Operator. In no case shall the Operator be liable to entrepreneurs for lost profits, indirect damages, consequential damages, or lack of economic success.

d) Mandatory Liability:

The foregoing limitations of liability do not apply to damages resulting from injury to life, body, or health, for which we are liable without limitation according to legal regulations. Likewise, mandatory liability provisions remain unaffected – in particular, liability under the Product Liability Act and within the scope of an express guarantee given by us or fraudulent concealment of a defect. In these cases, we are liable according to the legal provisions.

e) Liability for Availability and Data Loss:

The Operator is not liable for damages caused by temporary disruptions, interruptions, or limitations of the availability of the platform, unless these were caused by us intentionally or through gross negligence. We are not liable for data loss for which the Operator is not at fault; in the case of data loss for which the Operator is responsible, our liability towards entrepreneurs is limited in amount to the costs of recovery with proper, regular data backup by the customer (as the customer is obliged to back up important data – insofar as it is also available to them separately – externally at appropriate intervals).

f) Liability for Data Protection Violations:

The Operator operates the platform in compliance with the GDPR and Austrian data protection laws. The Operator assumes no liability for damages resulting from the customer's violation of data protection obligations (e.g., failing to obtain consent from their website users or unlawfully processing sensitive data). The customer is obliged to indemnify the Operator from all disadvantages that arise for the latter from the violation of the customer's data protection obligations. This also includes any fines or claims for damages by third parties based on the customer's misconduct.

8. Data Protection and Data Processing

The protection of personal data is a high priority for us. We process the customer's personal data exclusively in accordance with the applicable data protection regulations. Details are regulated in our Privacy Policy (see Privacy Policy below), which is part of this contract. Here in the GTC, we provide preliminary information on some essential aspects of data processing in the OwnKeyBot service:

  • Contact Details of the Controller: The controller within the meaning of the GDPR for data processing in the context of the OwnKeyBot platform is the Operator (nahgenuss web service KG, Mariahilferstraße 13/8, 8020 Graz, AT, Email: hi@ownkeybot.com). Any inquiries regarding data protection can be directed to this address.
  • Contract Data and Master Data: To provide the service, we collect master data of the customer upon registration and use (name, address, email address, for companies, if applicable, contact person and company name). We need this data for the execution of the contract (Art. 6(1)(b) GDPR) and for communication with the customer. Changes to this data must be updated in your account profile.
  • Usage Data: When using the platform, technical usage data is generated, such as the IP address of the accessor, timestamps of logins, actions performed in the dashboard, etc. We use this data to provide and secure the service (Art. 6(1)(f) GDPR, legitimate interest in IT security and prevention of misuse). Log files are regularly deleted unless they need to be retained longer for evidence purposes.
  • Chatbot Content and Chat Histories: When end-users use the chatbot on the customer's website, the entered questions and the answers generated by the AI model are stored on our servers and made available to the customer in their account. This conversation data may contain personal data if users type such information into the chat. We process this chat content exclusively to make it available to the respective customer and, if necessary, to enable evaluations (Art. 6(1)(b) GDPR, contract fulfillment towards the customer). In the relationship between the Operator and the customer, the customer is considered the controller for any personal data collected in the chat; we act in this respect as a processor and will process the data only according to the documented instructions of the customer (through the use of the platform functions). Processing for the Operator's own purposes does not take place. We have implemented technical and organizational measures to protect the confidentiality and security of the chat data. Upon request, we will conclude a data processing agreement (DPA) with customers who use the chatbot in relation to personal data, in accordance with Art. 28 GDPR. You can contact us for this purpose at the contact information provided above.
  • Transfer to OpenAI: To provide the chatbot function, we forward the end-users' requests and, if applicable, context information via the customer's stored API key to the interface of OpenAI (OpenAI OpCo, LLC, based in the USA), which then generates the corresponding AI response. OpenAI processes this content on our behalf or on behalf of the customer to generate the chatbot response. According to its own statements, OpenAI has no right of use to such API content; according to OpenAI's privacy policy, content that OpenAI processes on behalf of business customers (e.g., via API) is not used by OpenAI for training purposes. Nevertheless, the use of the OpenAI API involves a data export to the United States, as OpenAI's servers are located there (unless an OpenAI EU data center is chosen, which is currently not the case for standard API customers). We have concluded suitable contractual agreements with OpenAI (Standard Contractual Clauses) or base the transfer on the necessity for contract fulfillment to ensure an adequate level of data protection in accordance with Art. 44 et seq. GDPR. The customer should additionally check whether it is necessary from their perspective to conclude their own data processing agreement with OpenAI (OpenAI usually provides corresponding contract documents for API users).
  • Payment Data via Stripe: For paid use, payment processing data is passed on to Stripe. Stripe acts as an independent controller for payment processing. We only transmit the necessary information (e.g., invoice amount, payment method chosen by the customer, customer number) to Stripe. The customer enters credit card data directly into a Stripe input mask; this data is not known to us in full. Stripe may store transaction data in the USA. Stripe is obliged to ensure an adequate level of data protection in compliance with the GDPR. Details can be found in Stripe's privacy information. We store payment data (invoices, payment confirmations) in accordance with tax and commercial law retention periods (generally 7 years from the end of the year in Austria). The legal basis for the processing of payment and billing data is Art. 6(1)(b) GDPR (contract fulfillment) and Art. 6(1)(c) GDPR (legal obligations).
  • Analysis of User Behavior (Google Tag Manager): On our OwnKeyBot platform (e.g., in the dashboard or on the public website), we use Google Tag Manager (GTM) for analysis and improvement purposes – a service of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. GTM is used to manage website tags and scripts. Google Tag Manager itself does not set cookies and does not store personal data. However, it may trigger other tags – such as for web analysis services like Google Analytics – which in turn can collect data (like IP address, device information, interactions). These analysis services are only activated by us with your prior consent (Art. 6(1)(a) GDPR). If you agree to its use in the cookie banner, Google Analytics allows us to evaluate and improve the behavior of customers on our platform. In this process, cookies may be stored on your device and information (including a shortened IP address) may be transmitted to Google servers in the USA. We use the IP anonymization function, whereby your IP address is shortened within the EU before transmission. You can revoke a consent once given at any time with effect for the future by adjusting the cookie settings on our website. Without your consent, the analysis services remain deactivated. In this case, GTM is only loaded in its function as an "intermediary" without triggering tracking tags. Further information can be found in our full privacy policy and in Google's privacy policies.
  • Data Processing in Third Countries: As described above, personal data in our service may be transmitted to recipients in third countries (outside the EU/EEA) – specifically the USA (e.g., to OpenAI, Stripe, or Google). The USA currently does not have a universally adequate level of data protection. We have therefore – wherever necessary – implemented appropriate safeguards in accordance with Art. 46 GDPR, such as the conclusion of EU Standard Contractual Clauses (SCCs) with the service providers, to establish a level of data protection comparable to that of the EU. In addition, we base certain transfers on your consent, where legally required (e.g., for the use of analysis cookies). Nevertheless, we point out that with data transfers to the USA, a residual risk may exist that US authorities may access data without you having European legal remedies against it. By using OwnKeyBot and in particular by integrating an OpenAI key, you consent – where necessary – to the transfer of chat content to OpenAI in the USA for the purpose of contract fulfillment.

Further details on data protection, including the rights of data subjects, can be found in the Privacy Policy below.

9. Right of Withdrawal for Consumers

(The following instruction applies only to customers who are consumers within the meaning of the KSchG [Austrian Consumer Protection Act]. Entrepreneurs are not granted a voluntary right of withdrawal.)

Withdrawal Instruction – If you conclude a paid contract for OwnKeyBot as a consumer, you may have a right of withdrawal (right of rescission) according to the provisions of the Fern- und Auswärtsgeschäfte-Gesetz (FAGG) [Distance and Off-Premises Business Act]. We hereby inform you about the conditions and consequences of this right of withdrawal.

Right of Withdrawal: You have the right to withdraw from this contract within fourteen days without giving any reason. The withdrawal period is fourteen days from the day the contract is concluded. To exercise your right of withdrawal, you must inform us – nahgenuss web service KG, Mariahilferstraße 13/8, 8020 Graz, Email: hi@ownkeybot.com – by means of a clear statement (e.g., a letter sent by post or an email) of your decision to withdraw from this contract. You can use the attached model withdrawal form for this purpose, but it is not mandatory. To meet the withdrawal deadline, it is sufficient for you to send the communication concerning your exercise of the right of withdrawal before the withdrawal period has expired.

Consequences of Withdrawal: If you withdraw from this contract, we shall reimburse to you all payments received from you, including any delivery or service fees already charged, without undue delay and in any event not later than fourteen days from the day on which we are informed about your decision to withdraw from this contract. For this repayment, we will use the same means of payment that you used for the initial transaction, unless you have expressly agreed otherwise. You will not be charged any fees for this repayment. If you have requested that the service (use of the OwnKeyBot platform) should begin during the withdrawal period, you shall pay us a reasonable amount corresponding to the proportion of the services already provided up to your withdrawal (cf. § 16 FAGG).

No Right of Withdrawal upon Early Commencement of Performance: Your right of withdrawal expires prematurely if we – with your express consent and your acknowledgment of the loss of the right of withdrawal – begin the performance of the service before the end of the 14-day period. This is particularly the case if you expressly request during registration that your account be activated immediately and that you can use OwnKeyBot immediately. If we have fully performed our service before you could declare the withdrawal, there is no longer a right of withdrawal.

Model Withdrawal Form:

(If you want to withdraw from the contract, you can fill out the following form and send it to us.)

To: nahgenuss web service KG, Mariahilferstraße 13/8, 8020 Graz, Email: hi@ownkeybot.com

I/We (*) hereby give notice that I/We (*) withdraw from my/our (*) contract for the use of the OwnKeyBot software platform.

Ordered/registered on: ______________ (Date)

Name of the consumer(s): ______________

Address of the consumer(s): ______________

Signature of the consumer(s) (only if this form is notified on paper): ______________

Date: ______________

(*) Delete as appropriate.

10. Final Provisions

  • Applicable Law: Austrian law shall apply, excluding its conflict of law rules and the UN Convention on Contracts for the International Sale of Goods. If the customer is a consumer with a habitual residence in the EU, the mandatory consumer protection provisions of the country in which the consumer has his or her residence remain applicable, provided they do not conflict with the Austrian level of protection.
  • Place of Jurisdiction: For all legal disputes arising from or in connection with this contractual relationship, the parties agree on the jurisdiction of the competent court in Graz, Austria, provided the customer is an entrepreneur. If the customer is a consumer, the statutory place of jurisdiction shall apply; lawsuits by the Operator against consumers will be brought at their court of residence.
  • Contract Language: The contract language is German. Communication may also be conducted in English at the Operator's discretion, whereby the German wording shall be decisive in case of doubt.
  • Changes to the GTC: We reserve the right to change or supplement these GTC in the future, in particular to adapt to legal requirements or changes in the scope of services. Changes to the GTC will be communicated to the customer in text form (e.g., by email or notice upon login) in a timely manner. If the customer does not object to the changes within 14 days of notification (we will specifically point out the significance of silence in the objection notice), the amended terms shall be deemed accepted. If the customer objects in a timely manner, we reserve the right to terminate the contract at the next possible date. For consumers, changes to the GTC only come into effect with express consent, unless they are purely beneficial or legally mandatory adjustments.
  • Severability Clause: Should a provision of these GTC be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions. In place of the invalid provision, the valid provision that comes closest to the economic purpose of the invalid provision shall be deemed agreed. The same applies to any regulatory gaps.
  • Right of Set-off and Retention: The customer is not entitled to set off their own claims against our claims or to withhold payments, unless the customer's claims are undisputed or have been legally established by a court. For consumers, this only applies insofar as it does not concern counterclaims that are in a legal context with the consumer's liability.
  • Prohibition of Assignment: Without our prior written consent, the customer may not assign or transfer rights or obligations from this contractual relationship to third parties.

Terms of Use

(These Terms of Use specify some of the regulations mentioned in the GTC regarding the use of the OwnKeyBot platform and are directed at all registered users/customers of the software platform.)

1. General Usage Requirements

The OwnKeyBot platform may only be used within the scope of the technical conditions and the rules mentioned in the GTC and here. Access is via the provided web login. The user must use a compatible end device and a current browser. We are entitled to continuously update the platform and change functions to make improvements or react to security developments. The user has no claim to the retention of specific individual functionalities as long as the contractually guaranteed overall scope is maintained.

The login area of the platform is only accessible to registered customers. The user undertakes to keep access data secret and to prevent misuse (see GTC Section 3). Multiple registrations to circumvent contractual restrictions (e.g., for parallel use of free trial periods) are not permitted.

2. Content-related Use of the Chatbot Service

The user (customer) can configure their own chatbots via the platform. In doing so, the following requirements must not be violated:

  • No Unlawful Content: The user may not specifically use the chatbot to create or distribute illegal content. In particular, no criminal, extremist, violence-glorifying, pornographic, discriminatory, or defamatory content may be provided via the chatbot function. The user must moderate the use of the chatbot on their website accordingly and prevent abusive entries by end-users, insofar as this is reasonably possible.
  • Respect for Copyrights and Personality Rights: It is prohibited to generate and publish copyrighted texts or content of third parties via the chatbot without authorization. Likewise, the chatbot may not be used to evaluate or output personal data of third parties (e.g., names, images, biographies) without the consent of the persons concerned. The user is responsible for checking the prompts or training data they provide for legal compliance.
  • System and Security Integrity: The user will not attempt to technically manipulate the OwnKeyBot platform or the OpenAI API. In particular, it is forbidden to control the chatbot or the API in an automated way that is not provided for by the interface we supply or by official interfaces. The user will not take any measures to bypass or deactivate security features (such as content filters of the AI). Also prohibited is any action aimed at determining the source code, the underlying algorithms, or the database structure of the platform by means of reverse engineering. Violations may lead to immediate exclusion from use.
  • Fair Use: The functions made available to the user (e.g., number of API queries per month according to the booked package) may only be used to the intended extent. Use beyond the contractually agreed scope (such as mass automated requests without appropriate authorization) is not permitted. We reserve the right to throttle the service or charge additional fees if the agreed usage limits are exceeded, provided this is contractually agreed and communicated.
  • Labeling towards End-Users: We recommend that the user label the chatbot on their website as such for the end-users (e.g., notice "This chat is operated by an AI") and make it clear that the answers are generated by an AI. End-users should be informed that the information provided by the chatbot is without guarantee. Although this is not legally mandatory, it serves transparency and can increase the trust of end-users and reduce liability risks.

3. Responsibility and Liability of the User

The user bears responsibility for the content they provide with the help of the OwnKeyBot service. Their own inputs (prompts) as well as the AI outputs based on them are considered content that the user adopts as their own when they make it accessible to third parties (e.g., their website visitors). The user should check and correct AI-generated content before further use. The Operator is not liable for damages arising from the use of or reliance on information provided by the chatbot – it is up to the user to assess the suitability of the AI answers for their purpose.

Should the user become aware that the platform or the chatbot has faulty functions or produces inaccurate content to a significant extent that could infringe the rights of third parties, they will inform the Operator immediately so that appropriate measures (such as technical adjustments or warnings) can be taken.

The user indemnifies the Operator from all claims resulting from an improper or illegal use of the platform by the user. This includes in particular third-party claims due to the user's infringement of their rights or legal obligations (see GTC Liability Indemnification). If the API key is blocked or other sanctions are imposed by OpenAI due to violations for which the user is responsible (e.g., against the OpenAI usage policies), the user bears the responsibility for this; such a circumstance does not release the user from their contractual payment obligations to us.

4. Availability and Support

We strive for high availability of the OwnKeyBot platform. Technical maintenance or updates will be carried out during low-usage times as much as possible. If a temporary non-availability is foreseeable (e.g., planned maintenance), we will inform users about this, as far as feasible, by a notice on the website or by email.

The user has no claim to uninterrupted availability, but we guarantee a service quality that corresponds to the usual technical standard. In the event of unplanned disruptions (e.g., system failures), we will react as quickly as possible and initiate the remedy. The user's liability claims for temporary failures or data loss are limited within the framework of the GTC (see liability regulations in GTC Section 7).

The Operator offers support for technical problems within the scope of available resources. Support requests can be sent to us by email (during usual business hours). There is no entitlement to a specific response time, but we endeavor to process requests quickly. Higher-priced service packages may include individual SLAs (Service Level Agreements) for support and availability; in the absence of such individual regulations, what is described here applies.

5. Changes to the Service

We reserve the right to further develop the OwnKeyBot service. Improvements that enhance the user experience or security updates will be rolled out continuously without the user having to be informed in detail. We will notify users of significant changes to the scope of functions or the interface that affect usage more than insignificantly, at a minimum in the release notes or via a notification in the dashboard. If we introduce new, paid additional functions, the use of such functions will be at the user's discretion.

Should we intend to discontinue the service or replace it with a service that is fundamentally different in its mode of operation or form, we will announce this to active users at least 3 months in advance. Usage fees already paid for periods after the discontinuation would be refunded in this case.

6. Term and Termination of Use

The term of use is governed by the contract concluded between the user and the Operator (see GTC Section 6). If the user no longer has an active subscription and does not wish to continue using the service, they can delete their account independently or declare the termination of use to us. We will then block access and – subject to statutory retention periods – delete or anonymize the user's personal data.

In case of violations of these Terms of Use or the GTC, we are entitled to take appropriate measures (from a warning to blocking access) to ensure proper use.


Privacy Policy

Introduction: The protection of your personal data is of particular concern to us – nahgenuss web service KG (operator of the OwnKeyBot platform). We process personal data in accordance with the General Data Protection Regulation (GDPR) and the applicable national data protection laws (in particular the Austrian Data Protection Act, DSG). In this Privacy Policy, we inform you in accordance with Art. 13 GDPR about which personal data we collect, for what purposes we process it, to whom we disclose it, and what rights you have as a data subject.

1. Controller and Contact

The controller for data processing in connection with the OwnKeyBot platform is nahgenuss web service KG, Mariahilferstraße 13/8, 8020 Graz, Austria. You can reach us for data protection concerns by email at hi@ownkeybot.com or by post at the address mentioned above.

The appointment of a data protection officer is not legally mandatory for us, as we, as an SME, do not carry out extensive processing of special categories of data. However, you can contact us at any time with questions about data protection.

2. Processed Data and Purposes of Processing

We collect and process personal data of our customers and users of the platform only to the extent necessary to provide our services, or based on your consent or another legal basis. Below, we explain which data categories are affected and for what purposes the processing takes place:

  • Registration and Account Data: When registering an OwnKeyBot account, we collect master data such as your name or company, address, email address, and, if applicable, telephone number. This information is necessary to set up the user account, to identify you as a contractual partner, and to fulfill the contract for the use of the platform (Legal basis: Art. 6(1)(b) GDPR – contract performance). We also use your email to send you important information about the contract (e.g., confirmation email, changes to the GTC, technical notices). Your password is stored in encrypted form.
  • Usage and Log Data: When using the OwnKeyBot service, technical data is automatically generated. This includes, for example, the IP address of your device, timestamps of logins and actions, information about the browser/device you are using, and, if applicable, error messages. We need this log data to ensure the security and stability of our service, to defend against unauthorized access, and to operate the platform technically (legitimate interest according to Art. 6(1)(f) GDPR). We also use this data in aggregated form to analyze the load on our systems. Log data is stored separately from customer data and is regularly deleted, unless a security incident requires its longer retention.
  • Communication Data: If you contact us (e.g., support request by email), we process the data you provide (name, email, content of the request) to process and answer your inquiry. The legal basis for this is Art. 6(1)(b) GDPR (contract performance or pre-contractual inquiry) or Art. 6(1)(f) GDPR (our legitimate interest in maintaining customer relations and qualified response to inquiries). We store communication content for as long as is necessary for the processing and documentation of the matter.
  • OpenAI API Key: For the core function of OwnKeyBot, it is necessary to store your personal API key from the provider OpenAI. While this key itself is not personal information about you, it is stored securely (encrypted) in your account as it is necessary for using the AI services. We use the key exclusively to make requests to the OpenAI API on your behalf. No further use takes place. The storage of the API key is based on Art. 6(1)(b) GDPR (necessary for contract performance, as the service cannot be provided otherwise).
  • Chat Inputs and Chat Histories: When end-users use the chatbot embedded on your website, the users' chat inputs (questions, texts) and the chatbot answers generated by OpenAI are processed and stored by our platform. This processing is done to provide the functionality of the chatbot and to allow you as the customer to view the chat history and, if applicable, to perform analyses (purpose of the contract, Art. 6(1)(b) GDPR). The content of the chats may contain personal data if users enter such information into their messages. Please note that you, as the website operator, are the data controller for this end-user data (see also Section 4 of this policy). We process the chat histories only on your behalf and according to your instructions (as your processor) and do not pass them on to unauthorized third parties. Without your express consent, we will not evaluate or publish such content for our own purposes. The chat histories are visible to you in the customer dashboard and are stored by us until you delete them or until the contract is terminated. You have the option to remove individual chat histories from your dashboard at any time; this will also delete them from our active database. Copies may still remain in our backups for a short time until they are automatically deleted.
  • Payment Data: If you book a paid package, we collect the payment information necessary for processing. Depending on the payment method, this can be, for example, a transaction ID, your billing address, and a confirmation of payment by the payment provider (Stripe). We do not collect credit card data or bank account information directly – this is requested and processed by Stripe. Stripe then only transmits to us the information on whether a payment was successful, as well as pseudonymized information (e.g., card type, shortened card number) and the payment time. We use this data to process your booking and ensure correct accounting (Art. 6(1)(b) GDPR). Invoices are stored in your account and contain your name/company, address, service description, and amount. We are legally obliged to keep billing-relevant data for 7 years (Art. 6(1)(c) GDPR in conjunction with § 132 BAO in Austria).
  • Website Analytics via Google Tag Manager: On our own website and in the platform dashboard, we use tools to analyze user behavior, subject to your consent. Specifically, we use Google Tag Manager to integrate services like Google Analytics (provided by Google Ireland Ltd.). Google Tag Manager itself does not process personal data and does not set cookies. However, it loads the Google Analytics script as soon as you have given your consent in the cookie banner (Legal basis: Art. 6(1)(a) GDPR). Google Analytics then collects data about your use of our website, such as pages visited, interactions, approximate region (based on anonymized IP), etc., to create reports on website activity. We have configured Google Analytics so that IP anonymization is active; Google thus shortens your IP address within the EU before it is further processed. The information collected by Google Analytics may be transmitted to Google servers in the USA. Google is certified under the EU-US Data Privacy Framework, or we have concluded Standard Contractual Clauses to ensure an adequate level of data protection. You can revoke your consent to web analysis at any time by changing the cookie settings on our website (e.g., by deselecting the Analytics box). Without your consent, these analysis tools remain inactive.
  • Cookies and Local Storage: The OwnKeyBot web application uses cookies or similar technologies to provide certain functions (e.g., session cookie for login status). These cookies are technically necessary and are deleted after the end of the session or after a logout. For the use of non-essential cookies (e.g., analytics cookies), we obtain your prior consent (see above). You can delete or block cookies at any time in your browser settings. Please note, however, that our services may not be fully functional if you deactivate technically necessary cookies.

3. Disclosure of Data to Third Parties

We generally do not pass on personal data to uninvolved third parties. However, we use external service providers for the fulfillment of our services and for payment processing and analysis, to whom we transmit data to the necessary extent. These recipients are either active for us as processors (and thus contractually strictly bound to our instructions) or act on their own responsibility (e.g., payment providers). Specifically, a transfer may occur to the following categories of recipients:

  • OpenAI (API Service Provider): As described above, chat content is passed on to OpenAI OpCo, LLC, as their AI model generates the answers. OpenAI receives the user's text inputs and the configuration (prompt) and returns a response. According to its own statements, OpenAI processes this data only to provide the service and not for other purposes, as it is customer data within the scope of API use. Nevertheless, OpenAI is located in the USA, so the data is processed there (see section on Data Transfers to Third Countries below). We have concluded Standard Contractual Clauses with OpenAI, or OpenAI offers a Data Processing Addendum that meets the requirements of Art. 28 GDPR. OpenAI is also contractually obliged to take appropriate security measures to protect the data.
  • Stripe (Payment Service Provider): For payment processing, we pass the necessary information to Stripe Payments Europe Ltd., Ireland (for card payments: card number, validity, etc., which you provide directly to Stripe; for SEPA: IBAN, name). Stripe may use this data to process the payment and for fraud prevention. Stripe acts as an independent controller, meaning Stripe's privacy policy applies. Stripe may transfer data to its parent company, Stripe, Inc. (USA). Stripe is contractually and legally bound to data protection; according to Stripe, a variety of security measures are taken to ensure data protection and data security. Information on data protection at Stripe can be found here: https://stripe.com/de/privacy. We only receive the information from Stripe that is necessary to confirm and book the payment (e.g., "payment made on [date]").
  • Hosting Provider: Our platform is operated on the server infrastructure of a European hosting provider. This provider processes data (e.g., stored databases, log files) only according to our instructions and is used for the storage and delivery of the website. Your personal data is not passed on to third parties by the hosting provider. The servers are located in an EU member state (currently in Germany). A data processing agreement exists with the hosting service.
  • Analysis and Marketing Service Providers: If you have consented, data may be transferred to Google Ireland (for Google Analytics), as described above. Google Ireland Ltd. is our contractual partner, but Google may also involve Google LLC in the USA for evaluation. Google acts partly as a processor (when we use the data only for our statistics) and partly as its own controller (e.g., for its own purposes of improving the service). We have concluded corresponding contracts with Google. There are currently no other recipients in the marketing area, as we do not conduct personalized advertising via the platform.
  • Other Third Parties: In certain cases, we may be legally obliged to transmit data to authorities or third parties – for example, in the context of criminal proceedings, official requests for information, or civil law enforcement of claims. A transmission then takes place exclusively on a legal basis and after careful examination of its permissibility. In addition, we transmit data to our tax advisor (e.g., accounting documents with invoice information) or, in the case of debt collection, to commissioned lawyers/collection agencies. These recipients are each subject to confidentiality obligations.

4. Data Processing on Behalf / Responsibilities

As already described in the GTC and above, there are two data protection roles in the use of OwnKeyBot:

  • Operator's Own Responsibility: For the personal data that you provide to us as a customer (account data, payment data, communication data, etc.), we act as the controller. This means we determine the purposes of the processing (provision of our platform services) and ensure the lawful processing of this data in accordance with this policy.
  • Processing on Behalf for Customer Data: Insofar as you process data of your end-users via our platform (specifically: content of the chats that your website visitors have with the chatbot, as well as possibly their metadata such as time, IP address if logged), we act in terms of data protection law as a processor on your behalf. This means: For this data, you as the customer determine the purpose (provision of a chatbot for your website visitors) and largely the means (through the configuration and use of our service). We use this data only to provide the service to you and not for our own purposes. We comply with the requirements of Art. 28 GDPR, in particular: We have taken appropriate technical and organizational measures to protect the data, process the data only as contractually agreed, assist you in fulfilling data subject rights, and delete or return the data as soon as the contract is terminated. Sub-processing (e.g., by OpenAI or hosting providers) only takes place with your knowledge and on the basis of contracts concluded with these sub-processors that meet the requirements of the GDPR. For example, OpenAI as a sub-processor has contractually assured to process data only according to our instructions and to provide adequate protection. If necessary, we will conclude a separate data processing agreement (DPA) with you. In many cases, however, this Privacy Policy and the GTC (which already regulate this processing on behalf) are sufficient as a contractual basis. We are happy to provide you with our DPA document upon request, which specifies the obligations of both parties (controller and processor) in detail.

Important for you as a customer: You are obliged to comply with the data protection requirements towards your end-users. In particular, you must transparently inform your website visitors about the use of the chatbot and – if necessary – obtain consent before personal data is collected in the chat. You should also ensure that you report any requests from data subjects (e.g., requests for access or erasure regarding personal data mentioned in chats) to us so that we can implement them according to your instructions. We point out that complete deletions of individual chat entries are technically possible and are carried out at the customer's request.

5. Data Transfers to Third Countries

Our processing generally takes place within the European Union (EU) or the European Economic Area (EEA). An exception exists when service providers or contractual partners are involved in a so-called third country (i.e., outside the EU/EEA) – in our case, this mainly concerns the USA (OpenAI, Stripe, Google). When we transfer personal data to a third country, we ensure that there is either an adequacy decision from the EU Commission for this or that appropriate safeguards have been agreed upon in accordance with Art. 46 GDPR (e.g., conclusion of Standard Contractual Clauses).

  • OpenAI (USA): The transfer of chat content to OpenAI in the USA is necessary for the performance of the contract (Art. 49(1)(b) GDPR), as the service cannot otherwise be provided. In addition, we have concluded EU Standard Contractual Clauses with OpenAI, which oblige OpenAI to comply with European data protection standards. Nevertheless, we point out that the legal enforcement of data protection rights in the USA is currently subject to limitations. OpenAI has announced that it will improve data protection for EU users (also in the context of fulfilling regulatory requirements, see e.g., measures following the Italian order) and offers EU customers the option to use certain privacy-friendly settings.
  • Stripe (USA): Stripe Payments Europe (Ireland) may forward data to Stripe, Inc. in the USA for fraud prevention and technical processing. Stripe, Inc. is certified under the EU-US Data Privacy Framework (if already concluded, as of 2025), which means that an adequate level of data protection is recognized. Alternatively, Stripe bases the transfer on Standard Contractual Clauses. Further information is provided by Stripe in its privacy principles.
  • Google (USA): Insofar as Google Analytics is used, data may reach Google servers in the USA. Google LLC is also certified under the EU-US Data Privacy Framework (as of 2023) or Standard Contractual Clauses have been agreed upon. Google undertakes to comply with EU data protection requirements. In addition, we have ensured through IP anonymization that Google only processes shortened IP addresses. This reduces the risk of a personal reference.

Finally, we would like to transparently point out that – despite all contractual and technical measures – when communicating over the internet with US companies, it cannot be completely excluded that US authorities may access personal data based on legal powers (within the framework of surveillance programs). However, this risk mainly affects data that is transmitted unencrypted. The sensitive content (such as chat histories) is transmitted between our platform and OpenAI with transport encryption.

6. Storage Period

We store personal data only as long as is necessary for the respective purposes or as we are legally obliged to do so. Specifically, the following deletion periods apply, unless otherwise stated in this policy:

  • Account Data: Your customer account remains active as long as the user contract exists. If you delete your account or terminate the contract, we will delete or anonymize your personal master data within 30 days, provided there are no retention obligations. If you want parts of your account (e.g., chat histories) to be deleted earlier, you can arrange this via the platform or inform us.
  • Chat Histories: Stored chat conversations of end-users are generally retained until you delete them yourself or your account is deleted. You can remove individual chat logs in the dashboard; they will then be immediately deleted from the production database. In our backups, deleted chats may still be present for up to 14 days, after which the backups are rotated and old data is overwritten. When a customer closes their OwnKeyBot account, all associated chat histories will be deleted within 30 days at the latest. Longer storage only takes place if we are obliged to do so due to legal requirements (e.g., official order) or if the customer has expressly requested a data handover before deletion.
  • Contract and Payment Documents: We retain invoices, booking data, and all information that is relevant for billing (name, address, service period, amount) in accordance with tax law requirements for seven years from the end of the calendar year (in Austria according to § 132 BAO). This period may be extended if, for example, an open procedure is pending. After the retention period has expired, the relevant data will be deleted or archived (if relevant for historical financial audits, for example, but then access will be restricted).
  • Support Communication: We generally store email inquiries and our responses to them for 2 years, in case there are follow-up questions on the same matter or to evaluate our service quality. If a contractual relationship arises from the correspondence or the correspondence is relevant to one (e.g., pre-contractual communication), we may attach it to the contract file and retain it accordingly for longer.
  • Analysis Data: The analysis data collected with your consent (Google Analytics) is generally evaluated in aggregated form in Google Analytics. Raw data (on a user ID basis) is not stored by us for the long term. Google Analytics deletes or anonymizes the collected data 14 months after collection at the latest, unless we need it for long-term trends. You can also effect the deletion of your usage data at any time by revoking your consent; future data will then no longer be collected.

7. Your Rights as a Data Subject

As a data subject affected by data processing, you have various rights under the GDPR that you can assert against us:

  • Right of Access (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether we are processing personal data concerning you. If this is the case, you can request access to this data. The access includes information about the purposes of the processing, the categories of data, the recipients to whom data has been disclosed, the planned storage period or criteria for its determination, and the origin of the data (if we have not collected it directly from you).
  • Right to Rectification (Art. 16 GDPR): If we have stored incorrect or incomplete personal data about you, you can demand the immediate rectification or completion of this data. In your OwnKeyBot account, you can update most master data yourself. For further corrections, you can contact us.
  • Right to Erasure (Art. 17 GDPR): You are entitled to demand the erasure of your personal data, provided the legal requirements are met. This is the case, for example, if the data is no longer necessary for the purposes for which it was collected, you withdraw a given consent and there is no other legal basis, or if the processing was unlawful. Please note that certain data may not be deleted immediately if we are legally obliged to retain it (e.g., invoice data) or we have an overriding legitimate interest in its storage (e.g., in legal disputes). In such cases, the processing will be restricted (blocked).
  • Right to Restriction of Processing (Art. 18 GDPR): Under certain conditions, you can demand the restriction (blocking) of the processing of your data. This applies, for example, as long as the accuracy of your data, which you contest, is being checked by us; or if you have requested erasure and we cannot/may not carry out an erasure immediately, then we will first restrict the processing.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive personal data that you have provided to us and that we process automatically on the basis of your consent or a contract, in a common, machine-readable format. Upon request – where technically feasible – we can also transmit this data directly to another controller. This right applies in particular to profile data; data that we store as a processor on your behalf (e.g., chat histories), we will gladly provide to you in a suitable format within the framework of the contract (e.g., as an export).
  • Right to Object (Art. 21 GDPR): You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you, provided we base the processing on a legitimate interest (Art. 6(1)(f) GDPR). If you object, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims. Note: The right to object to direct marketing is absolute – should we ever use your data for advertising purposes, you can object at any time without giving reasons and we will cease use for these purposes.
  • Revocation of Consent (Art. 7(3) GDPR): If you have given us consent to process certain data (e.g., for cookies/analytics), you can revoke this consent at any time with effect for the future. The revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. After revocation, we will cease the relevant data processing and – unless another legal basis applies – delete the data.

To exercise your rights, you can contact us informally at any time (an email to hi@ownkeybot.com is sufficient). Please note that if we have doubts about your identity, we may request proof to protect your rights from misuse by third parties (e.g., sending a request from the email address stored with us). We will endeavor to respond to your request without delay, but at the latest within the legal period of one month.

8. Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data by us violates data protection law or that we are not sufficiently respecting your data protection rights, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). In Austria, this is the Austrian Data Protection Authority (DSB), Barichgasse 40-42, 1030 Vienna, Web: www.dsb.gv.at, Email: dsb@dsb.gv.at. You can also contact the supervisory authority of your EU member state, in particular at your place of residence, your place of work, or the place of the alleged infringement.

However, we would appreciate it if you would first contact us so that we can resolve any concerns directly. Your satisfaction and your trust are important to us.

9. Data Security

We take appropriate technical and organizational measures (TOMs) to protect your personal data from loss, misuse, unauthorized access, or disclosure. These include, among other things, the use of SSL encryption for the transmission of sensitive data (e.g., login, API calls), regular backups, access restrictions according to the principle of least privilege, pseudonymization or encryption of data sets where possible (e.g., encryption of the API key). Our servers are located in secure data centers within the EU with access controls. Data protection is also taken very seriously internally; our employees are bound to confidentiality and are regularly trained.

Please note that despite all efforts, no electronic system can guarantee 100% security. You as a user should also contribute to security by, for example, choosing a strong password and keeping it secret. If there are signs of a data breach (e.g., unauthorized access to your account), please inform us immediately so that we can minimize any damage.

10. Changes to this Privacy Policy

This privacy policy will be updated as necessary to reflect changes to our services or to the legal situation. We will inform you in advance of significant changes (that affect your rights or introduce new processing). The current version is available on our website and we recommend that you read it occasionally.

Status of this Privacy Policy: August 2025

© 2025 OwnKeyBot.