Privacy Notice for Aalto AI Assistant and Aalto AI APIs

This privacy notice supplements the IT Services Privacy Notice and describes how your personal data is processed by Aalto University when you use Aalto AI Assistant in accordance with its guidelines. Please note that Aalto AI Assistant is offered both as a chatbot and as an Application Programming Interface (API).

Key Points at a Glance

  • Purpose: To enable service use, maintenance, administration, and information security
  • Legal Basis: Consent, legitimate interest, public interest, legal obligation
  • Data Collected: Log data, user data, and conversation data
  • Recipients: Microsoft (platform provider and sub-processors)
  • Transfers: Data processed within EU/EEA; transfers outside follow GDPR safeguards
  • Security: Technical, organisational, and administrative measures in place
  • Retention: Conversations: 6 months (from spring 2026); User data: 2 years of inactivity
  • Automated Decisions: No automated decision-making or profiling

Privacy Notice for Aalto AI Assistant and Aalto AI APIs

(Supplementing the IT Services Privacy Notice) 

Effective as of: 16.03.2026


1. Why and on what legal basis does Aalto University process your personal data?

Purposes of processing your personal data: 

  • To enable you to use the service: For example, to enable you to chat with Aalto AI Assistant. Users can upload files to the service and engage in conversations with Aalto AI Assistant about their content. Using this function requires storing the selected files on the server for processing. 
  • Maintenance and administration: Statistical and log information needed for service production may be created based on the content of files and discussions, e.g., to ensure information security (such as login times), investigate error situations, and track costs. 
  • Information security purposes: For example, logging data. 

Aalto AI Assistant does not utilise automated decision-making or profiling in the processing of personal data. 

Legal bases for processing: 

Processing activity: Legal basis

  • Data subject logging into Aalto AI Assistant (voluntary use): Consent of the data subject
  • Conversation data submitted to the system: Legitimate interest
  • Log data: Legitimate interest
  • User data: Legitimate interest, legal obligation
  • Mandatory usage (e.g., in courses): Performance of a task carried out in the public interest, exercise of official authority, legal obligation, consent of the data subject
  • Summarising survey results: The original legal basis for data collection remains applicable


 

2. What personal data does Aalto University collect and process? 

The personal data processed can be categorised as follows: 

Log data including: 

  • IP address
  • Email address

Note: Log data never contains conversation data.

User data including: 

  • Identifier 
  • Name 
  • HAKA network’s auth_id 
  • Role 
  • Quota information 
  • Other necessary attributes 

Conversation data including: 

  • Messages and responses 
  • Files uploaded by the user 
  • Inbound flow data from other systems (e.g., course information database) 
  • Personal data that may be included in prompts and responses 

Chat with Aalto.fi: 

  • This chatbot uses data from aalto.fi as a source and therefore contains personal data available on aalto.fi, such as names mentioned in articles. 


 

3. To whom may Aalto disclose your personal data? 

Recipients who process your personal data: 


 

4. Transfer of personal data to third countries 

Azure OpenAI-based language models (e.g., GPT models): The Aalto AI Assistant service is operated on Microsoft servers located in the EU/EEA area. However, user data is stored on Aalto's own servers. 

The University's data protection policy is to exercise particular care if personal data is transferred outside the EU and European Economic Area (EEA) to countries that do not provide data protection in accordance with the EU General Data Protection Regulation (GDPR). Transfer of personal data outside the EU and EEA is carried out in accordance with the requirements of the GDPR using, for example, standard contractual clauses or other appropriate safeguards in accordance with the GDPR. 

Local language models: If you use local language models, the data is hosted on Aalto's own on-premise servers. 


 

5. How does Aalto University protect your personal data? 

Data security is important to Aalto University. Aalto University has implemented appropriate technical, organisational, and administrative security measures to protect all personal data against loss, misuse, unauthorised access, disclosure, alteration, and destruction. Aalto AI Assistant has undergone Aalto's detailed information security review process. 


 

6. How long is your personal data retained? 

Your personal data is retained for as long as it is necessary for the purpose for which it is processed, or for as long as required by law and regulations.

User data: User information in the backend server is saved as long as the user remains active. After a period of 2 years without the user logging into Aalto AI Assistant, this data is deleted (including files and conversations).

Files and conversations: The user is responsible for backing up important conversations. During the spring of 2026, Aalto University will start automatically deleting conversations that are older than 6 months. Pinned conversations will not be deleted. 

If the conversation is part of a document chat, deleting an individual conversation does not remove the uploaded files in the document chat; however, users can delete individual files or the document chat separately.

Log data: Log data is stored in accordance with Aalto's log management rules.
 
 

7. Updates to this privacy notice 

Aalto AI Assistant is being actively developed and new features are being added. As the service evolves, updates may be made to this privacy notice. The latest version is available on this page. 

Other privacy notices: 

IT Services Privacy Notice

This privacy notice describes the Aalto University policy on the personal data collected and processed by the Aalto University IT Services (ITS) in connection with the services it produces and the processes it executes.

Aalto University
This service is provided by:

IT Services
