Privacy Policy & Data Handling

AI Workflow Study - Aarhus University

Last updated: February 2026

Study Overview

This privacy policy describes how we collect, use, store, and protect your data during the AI Workflow Study conducted by Aarhus University. We are committed to transparency and your right to privacy throughout this research project.

Research Institution: Aarhus University, Department of Computer Science

Study Duration: April - July 2026

Contact: wol@cs.au.dk

What Data We Collect

During the study, we collect the following types of data to understand AI adoption patterns and workflow changes:

1. Company & Contact Information

  • Company name, industry, and team size
  • Contact person name and email
  • Website (if provided)
  • Current AI usage level (self-reported)

2. Usage Data

  • Prompt logs (what users ask the AI to do)
  • Intent categorization (research, communication, analysis, etc.)
  • Timestamp and frequency of AI tool usage
  • Token usage and associated costs
  • Tool integrations and configurations used

3. Feedback & Questionnaire Responses

  • Weekly questionnaire responses about experience
  • Qualitative feedback during check-ins
  • Self-reported workflow changes
  • Satisfaction ratings and observations

4. Technical Metadata

  • System configuration details
  • Error logs (for troubleshooting only)
  • Performance metrics

Data Minimization

We practice strict data minimization. We only collect data that is directly relevant to our research questions:

  • We do not collect personal identifying information beyond what is necessary for study coordination
  • We do not access files, databases, or systems beyond the AI tool itself
  • We do not collect biometric data, location data, or device identifiers
  • Participants can configure sensitive topics to be excluded from logging

Prompt Logging & Redaction

Prompt logs are essential for understanding how AI is used in real workflows. However, we recognize that some content may be sensitive or confidential.

What We Log

  • The text of prompts sent to AI models
  • AI responses (where relevant to intent analysis)
  • Metadata: timestamp, model used, token count, cost estimate

Configurable Redaction

You have full control over what gets logged:

  • Project-based redaction: Exclude specific projects or clients by name
  • Keyword redaction: Automatically redact prompts containing sensitive keywords
  • Manual opt-out: Mark individual sessions as "do not log"
  • Content-type filtering: Exclude certain types of work (e.g., legal drafting, medical content)

What We Do NOT Log

  • Passwords, API keys, or authentication tokens
  • Personal identifying information about your customers or clients
  • Financial records or account numbers
  • Health information or protected categories of data

Anonymization & Aggregation

Before any data analysis or publication, we apply strict anonymization:

  • All company names are replaced with generic identifiers (e.g., "Company A")
  • Specific industry details are generalized (e.g., "professional services" instead of "law firm")
  • Geographic information is removed or generalized to regional level
  • Prompt content is analyzed for patterns, not quoted verbatim in publications
  • Any published case examples are aggregated composites, not single companies

K-anonymity standard: We ensure that any published data point could apply to at least 3 participants, making re-identification practically impossible.

Access Control & Security

Only authorized research personnel have access to study data:

Who Has Access

  • Primary researchers at Aarhus University (2-3 individuals)
  • Technical support staff (for troubleshooting only, with audit logs)
  • You (participants can request their own data at any time)

Security Measures

  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Data is stored on secure, access-controlled servers at Aarhus University
  • Multi-factor authentication required for all researcher access
  • Regular security audits and access logging
  • No data is shared with third parties or cloud providers

Data Retention & Deletion

  • Active study period: April - July 2026
  • Analysis period: July - September 2026
  • Publication preparation: October 2026 - March 2027
  • Retention after publication: Anonymized, aggregated data may be retained for up to 5 years for follow-up research and reproducibility (standard academic practice)
  • Deletion: All raw, identifiable data (including prompt logs with company identifiers) will be permanently deleted by December 2027

You can request early deletion of your data at any time.

AI Model Training & Third-Party Access

No training on your data: None of your prompts, responses, or data will be used to train AI models. We use existing commercial AI providers with strict data processing agreements that prohibit training on customer data.

The AI tools we provide may use third-party AI providers (OpenAI, Anthropic, etc.). These providers:

  • Process your prompts to generate responses
  • Do NOT use your data for model training (business tier with zero retention)
  • May temporarily log prompts for abuse prevention (retained for max 30 days, then deleted)

We will clearly disclose which AI providers are used and provide links to their privacy policies during onboarding.

Your Rights & Control

As a study participant, you have the following rights:

  • Right to access: Request a copy of all data we've collected about you
  • Right to rectification: Correct any inaccurate information
  • Right to erasure: Request deletion of your data at any time
  • Right to withdraw: Exit the study without penalty or explanation
  • Right to restrict processing: Limit how we use your data
  • Right to object: Object to specific uses of your data
  • Right to data portability: Receive your data in a machine-readable format

To exercise any of these rights, contact us at wol@cs.au.dk. We will respond within 14 days.

What Will Be Published Publicly

Our research findings will be published in:

  • Academic papers and conference presentations
  • Research reports and white papers
  • Potentially blog posts or articles for practitioners

What we will publish:

  • Aggregated statistics (e.g., "average token usage increased by 30%")
  • Pattern descriptions (e.g., "companies used AI most frequently for research tasks")
  • Anonymized, composite case examples that blend multiple participants
  • General insights and recommendations for AI adoption in small teams

What we will NOT publish:

  • Company names or identifying details
  • Specific prompt examples that could identify a participant
  • Individual company results or comparisons
  • Any information you specifically mark as confidential

Confidentiality & NDAs

If your company requires a Non-Disclosure Agreement (NDA) or additional confidentiality protections, we are happy to sign one before the study begins.

Standard confidentiality provisions already apply under EU research ethics guidelines and Aarhus University policies.

Legal Basis (GDPR)

Under the General Data Protection Regulation (GDPR), our legal basis for processing your data is:

  • Consent (Article 6(1)(a)): You provide explicit, informed consent by applying to participate in the study
  • Legitimate interests (Article 6(1)(f)): Scientific research in the public interest

You may withdraw consent at any time without consequences.

Data Breach Notification

In the unlikely event of a data breach affecting your information, we will:

  • Notify you within 72 hours of discovering the breach
  • Explain what data was affected and what actions we're taking
  • Provide guidance on protective measures you can take
  • Report the breach to relevant supervisory authorities as required by law

Changes to This Policy

If we make material changes to this privacy policy during the study, we will:

  • Notify all participants via email
  • Update this page with the new policy and revision date
  • Request renewed consent if the changes affect how we collect or use data

Contact & Complaints

Study Contact:
Email: wol@cs.au.dk
Aarhus University, Department of Computer Science

Data Protection Officer (Aarhus University):
[TODO: Insert DPO contact details before study launch]

Supervisory Authority:
If you believe your data protection rights have been violated, you may file a complaint with the Danish Data Protection Agency (Datatilsynet):
www.datatilsynet.dk

Consent Summary

By participating in this study, you consent to:

  • Collection of usage data, prompt logs, and questionnaire responses as described above
  • Anonymization and analysis of your data for research purposes
  • Publication of aggregated, anonymized findings in academic and practitioner venues
  • Data retention as specified (raw data deleted by December 2027)

You may withdraw this consent at any time by contacting wol@cs.au.dk.

This privacy policy was prepared in accordance with GDPR, EU research ethics guidelines, and Aarhus University data protection policies.

Last reviewed: February 2026 | Next review: Before study launch (April 2026)

[TODO: Legal review required before study launch]