Data Protection & Privacy Notice

Transparency is a core value, and this document is designed to inform you about what data we process, why we process it, and what your rights are under the GDPR.

Last updated: July 9, 2025

Layer 1: Notice for Slack/Teams Channel Description

This channel is powered by the Hurra.ai assistant to help you with your work tasks

How it works:

  • Your work-related questions are analyzed to select the best AI model (like OpenAI's GPT, Google's Gemini, or others) to answer your request.
  • To improve accuracy, the assistant may access your company's internal Confluence knowledge base or use external tools like web search.
  • The assistant filters queries for certain sensitive data (like credit card numbers) to protect your information.

Data & Recipients:

Your queries are processed by Hurra.ai and sent to our trusted AI model providers (Microsoft Azure, Google Cloud, Perplexity), who act as our processors. Your Slack/Teams User ID is used to manage the conversation. Conversation history is stored for 30 days to provide context.

Important Considerations:

This is a professional tool for work-related queries. Please avoid submitting personal or sensitive information. The AI's responses are generated automatically and may not always be accurate, especially for personal, medical, or financial topics.

For full details on how your data is processed and to learn about your data protection rights, please see our full Privacy Notice below.

Layer 2: The Full Privacy Notice

1. Introduction

This Privacy Notice explains how Hurra processes personal data when providing our hurra.ai service. Transparency is a core value, and this document is designed to inform you about what data we process, why we process it, and what your rights are under the General Data Protection Regulation (GDPR).

This notice is relevant to you if you are:

  • An employee using our service through your company's Slack or Teams (Users of Slack or Teams).
  • An administrator who set up the service for your company (Client Administrators).
  • An individual whose personal data is mentioned in your company's Confluence knowledge base (Individuals Mentioned in Client Knowledge Base).
  • An individual whose personal data is mentioned in a query submitted by a user (Individuals Mentioned in User Prompts).
  • An individual whose personal data is mentioned in a response generated by an AI model (Individuals Mentioned in AI Responses).

2. Identity and Contact Details of the Controller

Hurra Communications GmbH ("hurra.com") is the controller for the personal data processed for all services. For the processing of data from your company's Confluence knowledge base, we act as a joint controller with your employer.

Controller

The controller is the entity that decides how your personal data is processed. This means that we determine what data we collect, how we use it and how it is protected.

Hurra Communications GmbH
Lautenschlagerstraße 23a
70173 Stuttgart
Germany

Authorised Representatives: René Schweier, CEO
E-Mail: info@hurra.com

Contact information of the data protection officer

We have an internal data protection officer. If you have any questions about data protection or would like to exercise your rights as a data subject, you can contact him directly.

Michael Bätge
Data Protection Officer
Hurra Communications GmbH
Lautenschlagerstraße 23a
70173 Stuttgart
Germany

E-Mail: privacy@hurra.com

3. Purposes and Legal Basis for Processing

We process your personal data for several distinct purposes. Our legal basis for processing is Legitimate Interest (Article 6(1)(f) GDPR), as the processing is necessary to provide a contracted B2B service to your employer in a secure and efficient manner.

How We Balance Our Legitimate Interests

We have conducted an assessment and concluded that our legitimate interest in providing this service is not overridden by your rights and freedoms as a data subject. This conclusion is based on several key factors.

First, we considered the context of the processing. This service is a professional tool provided by your employer for work-related tasks. As an employee actively using the tool to assist with your duties, you can reasonably expect that your work-related queries will be processed to make the service function as intended. The processing is directly aligned with your actions and serves a mutual interest in enhancing productivity.

Furthermore, we have implemented significant safeguards and mitigating measures to protect your interests. This includes our automated PII filter designed to detect and redact certain sensitive data, our strict 30-day retention policy for conversation history, and our use of vetted processors under formal Data Processing Agreements (DPAs). Given these factors, we believe the processing is fair, proportionate, and does not unduly impact your fundamental rights.

Our Specific Purposes for Processing

  • To Provide the Core AI Service: We process your queries to filter them for sensitive information, select the best AI model, execute your request (including using tools like web search or your company's Confluence), and deliver the final response.
  • Data Subjects Involved: Users of Slack or Teams, Individuals Mentioned in User Prompts, Individuals Mentioned in Client Knowledge Base, Individuals Mentioned in AI Responses.
  • To Manage User Accounts: We process account information to set up and administer the service for your company and to identify you as a user to manage your conversation history.
  • Data Subjects Involved: Client Administrators, Users of Slack or Teams.
  • To Ensure Security and Stability: We process system logs to monitor the health of our service, investigate security incidents, and troubleshoot technical issues.
  • Data Subjects Involved: Users of Slack or Teams, Individuals Mentioned in User Prompts.
  • To Improve Our Service: We use query data from which direct user identifiers have been removed to analyze and improve the performance of our AI models.
  • Data Subjects Involved: Users of Slack or Teams, Individuals Mentioned in User Prompts.

4. Categories of Personal Data Processed

We process different categories of data to provide our service. This includes:

  • Data you provide or that is observed: Your unique Slack/Teams User ID (Deterministic identifiers), your query content (User-Generated Content within Prompts), and technical data like your IP address and Device characteristics (in system logs). For administrators, we process your email address (Deterministic identifier).
  • Data from your employer: Content from your company's Confluence knowledge base (Retrieved Contextual Data).
  • Data we generate: The final AI response (AI-Generated Response Content) and internal identifiers for conversation threads (Interaction identifiers).

Please be aware that User-Generated Content within Prompts is unpredictable. While we filter for certain Financial data and Sensitive data, other personal information could be processed if you include it in your query.

5. Recipients of Personal Data

To provide our service, we must share data with a limited number of vetted companies who act as our processors. We have Data Processing Agreements (DPAs) in place with all of them. Our main categories of recipients are:

  • AI Model Providers: Microsoft (for Azure OpenAI), Google (for GCP), Perplexity.
  • Infrastructure & Database Providers: Redis (for caching), Pinecone (for vector storage), Cohere (for vectorization).
  • External Tool Providers: OpenWeatherMap, and various media generation APIs.

6. International Data Transfers

Some of our processors are located outside the European Economic Area (EEA), primarily in the United States. When we transfer your data outside the EEA, we ensure it is protected by a valid transfer mechanism under Chapter V of the GDPR, such as the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs).

7. Data Retention Periods

We adhere strictly to the principle of storage limitation.

  • Service Cache (Conversation History): To provide conversational context for follow-up questions, our service maintains a temporary cache of your recent chat threads. This cache is automatically and permanently deleted after 30 days.
  • Chat Platform History (Slack/Teams): Please be aware that our 30-day service cache is separate from the conversation history stored within your company's own Slack or Microsoft Teams workspace. Once a response is delivered to you, it becomes part of your chat history on that platform and is subject to the data retention policies set by your employer and the platform provider (Slack or Microsoft).
  • System Logs: Our operational and security logs are stored for 30 days.
  • Confluence RAG Data: The vectorized copy of your company's Confluence data is overwritten and refreshed every 24 hours.
  • Transient Data: Data held in active memory during processing is deleted as soon as the specific processing step is complete.

8. Your Data Protection Rights

As a data subject, you have rights under the GDPR. You can exercise these rights by contacting us at privacy@hurra.com.

Exercising Your Rights: Who to Contact

To ensure your request is handled as efficiently as possible, please note the following division of responsibilities, which is part of our joint-controllership arrangement with your employer:

  • For requests concerning data within your company's Confluence knowledge base (e.g., asking to correct or delete information stored in Confluence that was used by our service): Please direct your request to your employer's designated data protection contact or administrator. Your employer is the primary controller for this data and is responsible for managing its content. Once they update the information in Confluence, it will be reflected in our service during the next daily data refresh.
  • For all other requests concerning the processing of your personal data within the following services, please contact us directly at privacy@hurra.com:
  • The main Core AI Intermediary Service, including how your queries are processed, filtered, and cached.
  • The management of your User Account and preferences.
  • The data stored in our System Logs for service improvement and support.
  • The use of External Tools (other than Confluence) such as web search or image generation.

We provide this guidance for efficiency. However, you have the right to exercise your data protection rights in respect of, and against, either Hurra.com or your employer for any issue, regardless of the arrangement described above.

Your rights include:

  • Right of Access (Art. 15): You can ask for confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to that personal data (which includes the right to obtain a copy).
  • Right to Rectification (Art. 16): You can ask us or your employer (for Confluence data) to correct inaccurate data.
  • Right to Erasure (Art. 17): You can ask us or your employer (for Confluence data) to delete your personal data ("right to be forgotten"). This right applies in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or if you have successfully objected to the processing.
  • Right to Restriction of Processing (Art. 18): You can ask us to restrict the processing of your data in certain circumstances.
  • Right to Object (Art. 21): As we rely on legitimate interests for processing, you have the right to object at any time on grounds relating to your particular situation. If you object, we must stop processing your data unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms. This right must be explicitly brought to your attention.
  • Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

Our Supervisory Authority:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart, Deutschland
https://www.baden-wuerttemberg.datenschutz.de/kontakt-aufnehmen/

9. Information on Automated Decision-Making

Our service uses automated processing, including profiling, for three key functions:

  • PII Filtering: To automatically identify and redact sensitive data from your query before it is processed further. This is a security and data protection measure.
  • AI Orchestration: To automatically analyze the characteristics of your query and select the best AI model from our available options to provide an optimal response.
  • AI Response Generation: After receiving the final prompt (which may include context from tools), the selected AI model performs its own complex, automated analysis to understand your request and synthetically generate a relevant text or media response.

This processing is described as "profiling" in our documentation to be fully transparent. These processes are designed to improve the service and protect your data. They do not produce legal or similarly significant effects on you.

10. Amendments to this Privacy Notice

We will update this Privacy Notice as soon as changes to the data processing we carry out make it necessary.

We will actively inform you of any substantive changes (for example, a change in our processing purposes, the categories of recipients, or the introduction of international transfers). We will provide this information to you in advance, allowing you a reasonable timeframe to consider the impact of the changes and exercise your rights if you wish to do so.

Furthermore, we will contact you directly if a change requires a specific action on your part, such as providing new consent.

Where this Privacy Notice provides addresses and contact information of other companies and organizations, please be aware that these details may change over time. We ask that you verify this information before making contact.