AI Governance & Privacy Policy

This document contains the governance framework for hallostu's AI systems. It is maintained as a living document and is subject to periodic review in line with regulatory developments and product evolution.

1. Purpose & Objectives

This AI Governance & Privacy Policy ("Policy") establishes the principles, controls, oversight mechanisms, and accountability structures governing the design, development, deployment, and ongoing operation of hallostu's AI-powered bureaucracy assistant for international students in Germany.

The objectives of this Policy are to ensure:

• Full compliance with applicable EU and German legislation
• Transparency in AI-generated outputs and system behaviour
• Accuracy and reliability of informational guidance
• Robust data protection and privacy safeguards
• Effective risk identification, assessment, and mitigation
• Responsible, ethical, and trustworthy AI deployment
• Sustained user trust and confidence in the platform

2. Scope of Application

This Policy applies to all AI and machine-learning components within the hallostu platform, including but not limited to:

• Official letter explanation and plain-language summarisation engine
• Bureaucratic question-answering system
• Deadline extraction and calendar integration module
• Document checklist generation engine
• Retrieval-Augmented Generation (RAG) pipeline and knowledge base
• All generative AI, natural language processing, and large language model (LLM) components
• All third-party AI service providers integrated into the platform

This Policy is binding on all hallostu personnel, contractors, and technology partners involved in the development, maintenance, or operation of AI systems.

3. Definitions

Term	Definition
AI System	Any software component that uses machine learning, deep learning, or generative AI techniques to produce outputs, predictions, or recommendations.
RAG	Retrieval-Augmented Generation — a framework combining information retrieval from curated sources with generative AI to produce grounded responses.
High-Risk Query	A user query involving visa expiration, residence permit status, financial penalties, immigration enforcement, or legal deadlines.
Knowledge Base	The curated, version-controlled repository of official German bureaucratic information used to ground AI outputs.
Confidence Indicator	A system-generated rating (High / Medium / Low) reflecting the AI's assessed reliability of a given output.
Data Subject	Any identified or identifiable natural person whose personal data is processed by hallostu (i.e., users).
DPA	Data Processing Agreement, as required under Art. 28 GDPR for third-party processors.
Controller	hallostu, as the entity determining the purposes and means of personal data processing.

4. AI System Classification

Under the EU AI Act risk-based classification framework, hallostu is classified as follows:

Classification Criterion	Determination
EU AI Act Risk Category	Limited-Risk AI System — subject to transparency obligations (Art. 52 EU AI Act).
System Type	Informational AI assistant — provides guidance, explanations, and structured information.
Impact Assessment	High-impact informational system due to the immigration and legal relevance of outputs.

Explicit Functional Boundaries

hallostu does not:

• Provide legally binding advice or legal opinions
• Act as or substitute for a licensed legal representative or immigration lawyer
• Represent users before government authorities, courts, or administrative bodies
• Submit government applications, objections, or official filings on behalf of users
• Make automated legal determinations or decisions affecting legal rights
• Engage in activities constituting regulated legal services under the German Rechtsdienstleistungsgesetz (RDG)

5. Governing Principles

5.1 Transparency

Users must at all times be clearly informed that:

• They are interacting with an AI system, not a human advisor
• Outputs are generated using retrieval-augmented generative AI technology
• All outputs are informational in nature and do not constitute legal, immigration, or professional advice
• The AI system's methodology and limitations are described in accessible, plain-language documentation

5.2 Accuracy & Source Verification

All AI-generated outputs must:

• Be grounded exclusively in official German government and institutional sources
• Provide verifiable reference links to original source material where applicable
• Include source version or publication date to enable currency assessment
• Display a confidence indicator (High / Medium / Low) for each substantive output
• Be subject to automated consistency checks against the curated knowledge base

5.3 Human Oversight

hallostu maintains meaningful human oversight through:

• Periodic manual review of high-risk query categories and corresponding outputs
• Escalation review protocols for immigration-sensitive outputs
• Scheduled audits of the knowledge base for completeness, accuracy, and currency
• User feedback integration and triage processes
• Designated human reviewers with subject-matter competence

5.4 Risk Minimization

The AI system must:

• Automatically flag high-risk topics (e.g., visa expiry, penalties, deportation risk, permit revocation)
• Present contextual warning banners on sensitive outputs
• Actively encourage users to verify critical information with official authorities
• Provide direct links to relevant government offices and official contact points
• Refrain from generating speculative or hallucinated content

5.5 Data Protection by Design & Default

All AI systems and data pipelines must comply with:

• EU General Data Protection Regulation (GDPR)
• German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG)
• EU data transfer and adequacy requirements
• Privacy-by-design and privacy-by-default principles (Art. 25 GDPR)

6. Legal & Regulatory Compliance Framework

6.1 Applicable Legislation

Regulation	Relevance
EU AI Act (Regulation (EU) 2024/1689)	AI system classification, transparency obligations, risk management
GDPR (Regulation (EU) 2016/679)	Personal data processing, data subject rights, breach notification
German BDSG	Supplementary national data protection provisions
EU Digital Services Act (DSA)	Platform obligations, content transparency, user protections
German Digital Services Act (DDG)	National implementation of DSA requirements
German Legal Services Act (RDG)	Boundary between informational guidance and regulated legal services
German Civil Code (BGB)	Consumer protection, contract law, terms of service
ePrivacy Directive / TTDSG	Cookie consent, electronic communications privacy

6.2 Legal Services Act (RDG) Compliance

hallostu's compliance with the Rechtsdienstleistungsgesetz (RDG) is a foundational design constraint. The platform is architected to ensure that all outputs remain within the boundary of general informational guidance and do not cross into regulated legal services.

Compliance controls include:

• System prompts and output guardrails that constrain responses to informational content
• Prohibition on generating individualised legal opinions or case-specific legal assessments
• Prohibition on drafting official objections (Widersprueche), appeals, or legal filings
• Mandatory legal disclaimer displayed on every substantive output (see Annex B)
• Regular legal review of output samples to verify RDG boundary compliance

7. AI System Controls & Safeguards

7.1 Source Grounding (RAG Framework)

• All AI responses are generated using a Retrieval-Augmented Generation (RAG) architecture that retrieves information from a curated, version-controlled knowledge base of official sources
• The system is prohibited from generating speculative, hallucinated, or ungrounded content
• Each knowledge base entry is tagged with source authority, publication date, and topic classification
• Source revision dates are tracked and flagged when content may be outdated

7.2 Confidence Indicator System

Each substantive AI output includes:

• Confidence Level: High (directly sourced), Medium (inferred from related sources), or Low (limited source coverage)
• Reasoning Summary: Brief explanation of how the response was derived
• Source Citation: Link(s) to official source material used

7.3 High-Risk Query Protocol

When the system detects a query involving high-risk topics — including but not limited to visa expiration, residence permit status, financial penalties, or immigration enforcement — the following safeguards activate:

• Prominent warning banner displayed above the response
• Explicit recommendation to verify information with the relevant official authority
• Direct link to the applicable government office or contact point
• Elevated logging and periodic human review of output quality

7.4 Output Guardrails

• System prompts enforce informational-only output boundaries
• Responses are filtered for prohibited content (legal advice, case-specific opinions, speculative predictions)
• Automated post-generation checks validate output against guardrail rules
• Outputs that fail guardrail checks are suppressed and escalated for review

7.5 Audit Logging

hallostu maintains comprehensive audit logs comprising:

• User query (anonymised or pseudonymised where technically feasible)
• AI-generated response
• Sources retrieved and cited
• Model version and configuration identifier
• Timestamp (UTC)
• Confidence rating assigned
• Guardrail check results

Audit logs are stored securely with access restricted to authorised personnel and are used exclusively for quality monitoring, risk mitigation, compliance documentation, and system improvement.

8. Data Governance & Privacy

8.1 Lawful Basis for Processing

Personal data is processed under the following GDPR lawful bases:

• Consent (Art. 6(1)(a) GDPR) — for optional features, analytics, and document uploads
• Contractual Necessity (Art. 6(1)(b) GDPR) — for service delivery to registered users
• Legitimate Interest (Art. 6(1)(f) GDPR) — for system security, fraud prevention, and service improvement, subject to balancing tests

8.2 Data Minimisation

hallostu adheres strictly to the principle of data minimisation (Art. 5(1)(c) GDPR):

• Only data strictly necessary for service delivery is collected
• Document uploads are processed for the specific requested function only
• User profile data is limited to essential registration and preference information
• No unnecessary metadata is retained beyond operational requirements

8.3 Document Handling & Storage

• All documents are encrypted at rest (AES-256 or equivalent) and in transit (TLS 1.2+)
• Upload channels use secure, authenticated endpoints
• Users retain full control over document deletion at any time
• Automatic deletion policy applies after a defined retention period (configurable, default: 12 months)
• Documents are stored within the European Economic Area (EEA) unless explicit, informed consent is obtained for transfer

8.4 Data Retention

Data Category	Retention Period
Uploaded documents	User-controlled; auto-deleted after 12 months of inactivity
Account data	Duration of account + 30 days post-deletion
Audit logs	24 months (anonymised after 12 months)
Anonymised analytics	Indefinite (no personal data)
Payment records	As required by German tax law (typically 10 years)

8.5 International Data Transfers

Where personal data is transferred outside the EEA (e.g., to third-party AI providers), hallostu ensures adequate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable
• Supplementary technical and organisational measures as required by Schrems II
• Transfer Impact Assessments (TIAs) documented and reviewed periodically

9. Third-Party AI Provider Management

All third-party AI service providers integrated into hallostu must:

• Execute a Data Processing Agreement (DPA) compliant with Art. 28 GDPR
• Demonstrate GDPR compliance and adherence to EU data protection standards
• Contractually confirm that user data (including documents and queries) is not used for model training without explicit, informed user consent
• Provide transparent documentation of data handling, storage locations, and sub-processors
• Support data deletion requests in accordance with GDPR timelines
• Undergo periodic compliance review by hallostu

hallostu maintains a register of all third-party AI providers, including DPA status, data flow documentation, and most recent compliance review date.

10. Incident Response & Breach Management

10.1 Scope of Incidents

This protocol covers:

• Incorrect or misleading AI output on a high-risk topic
• Personal data breach (unauthorised access, loss, or disclosure)
• Systematic AI output failure or degradation
• User-reported harm or complaint arising from AI guidance

10.2 Response Protocol

Phase	Action
1. Detection	Incident identified via monitoring, user report, or automated alert
2. Triage	Severity assessed; high-risk incidents escalated immediately to Governance Lead
3. Investigation	Root cause analysis conducted; affected outputs identified
4. Containment	Erroneous outputs corrected or suppressed; knowledge base updated if required
5. Notification	Affected users notified where the incident may have caused material harm
6. Regulatory Reporting	Data protection authority notified within 72 hours for qualifying personal data breaches (Art. 33 GDPR)
7. Remediation	Systemic fixes implemented; policy and controls updated as needed
8. Documentation	Full incident record maintained in the incident log

11. Model Governance & Change Management

• Version Control: The knowledge base and all AI model configurations are maintained under version control with full change history
• Change Log: All regulatory updates, source material changes, and model adjustments are documented in a structured change log
• Scheduled Reviews: Immigration policies, bureaucratic procedures, and regulatory requirements are reviewed on a defined schedule (minimum quarterly)
• Continuous Monitoring: Official government websites and regulatory publications are monitored for changes affecting platform accuracy
• Staged Deployment: Material changes to AI models or knowledge base content are tested in a staging environment before production release
• Rollback Capability: The system supports rapid rollback to previous known-good configurations in the event of quality degradation

12. User Rights

In accordance with GDPR Chapter III, users have the right to:

• Access — obtain confirmation of processing and a copy of their personal data (Art. 15)
• Rectification — correct inaccurate personal data (Art. 16)
• Erasure — request deletion of personal data ('right to be forgotten') (Art. 17)
• Data Portability — receive personal data in a structured, machine-readable format (Art. 20)
• Restriction — restrict processing in certain circumstances (Art. 18)
• Object — object to processing based on legitimate interests (Art. 21)
• Withdraw Consent — withdraw consent at any time without affecting prior lawfulness (Art. 7(3))
• Lodge Complaint — file a complaint with the competent data protection supervisory authority

Users may exercise their rights by contacting hallostu at info@hallostu.com. Requests are processed within 30 days in accordance with Art. 12(3) GDPR.

13. AI Ethics Commitment

13.1 Non-Discrimination & Fairness

• AI outputs do not discriminate based on nationality, ethnicity, gender, religion, or any protected characteristic
• All nationalities receive equivalent quality and completeness of guidance
• System behaviour is monitored for unintended bias in output quality or coverage

13.2 Clear & Accessible Communication

• Outputs are delivered in clear, plain language appropriate for non-native speakers
• Technical or legal terminology is explained in accessible terms
• Multi-language support is provided where feasible

13.3 Preventing Overreliance

• Users are actively discouraged from treating AI outputs as authoritative or final
• The platform avoids fear-based, alarmist, or manipulative messaging
• Critical decisions are consistently directed to qualified professionals or official authorities
• The system does not create artificial urgency or exploit user anxiety

13.4 Automation Bias Mitigation

• The platform design encourages users to verify information independently
• Confidence indicators and source citations support informed user judgement
• Limitations of AI-generated content are communicated transparently

14. Governance Structure & Accountability

Role	Responsibilities
AI Governance Lead / CEO	Overall accountability for AI governance; policy approval; strategic oversight; regulatory liaison
Product Owner (AI Oversight)	Day-to-day AI output quality monitoring; user feedback triage; feature governance
Technical Lead (System Integrity)	RAG pipeline integrity; model configuration management; security controls; deployment management
Data Protection Officer (DPO)	GDPR compliance oversight; DPIA coordination; data subject rights management (appointed when legally required or as a voluntary best practice)
External Legal Advisor	Periodic review of RDG compliance, regulatory developments, and output boundary assessment

Governance responsibilities are reviewed upon team expansion, organisational changes, or material changes to the regulatory environment.

15. Continuous Improvement & Review Cycle

This Policy is a living document and is subject to review:

• Scheduled Review: Every six (6) months from the effective date
• Regulatory Trigger: Upon enactment or material amendment of applicable legislation (e.g., EU AI Act implementing measures)
• Product Trigger: Upon significant product expansion, new AI capability deployment, or material change in data processing
• Incident Trigger: Following any material incident that exposes a policy gap or control deficiency

All revisions are documented in the Revision History (Annex C) with a summary of changes, effective date, and approval record.

16. Future Alignment & Standards Roadmap

hallostu intends to progressively align with recognised international standards and frameworks as the product and organisation mature:

Standard / Framework	Description
ISO/IEC 42001:2023	AI Management Systems — requirements for establishing, implementing, and improving AI management
NIST AI RMF 1.0	AI Risk Management Framework — structured approach to AI risk identification and mitigation
ISO/IEC 27001	Information Security Management Systems — foundational security controls
EU AI Act Harmonised Standards	Technical standards adopted under the AI Act for conformity assessment (as published)

Annex A — Applicable Legislation Reference Table

Legislation	Key Provisions
EU AI Act	Art. 6 (classification), Art. 52 (transparency), Art. 9 (risk management)
GDPR	Art. 5–11 (principles & lawfulness), Art. 12–23 (data subject rights), Art. 25 (DPbD), Art. 28 (processors), Art. 33–34 (breach notification), Art. 44–49 (transfers)
BDSG	§§ 1–16 (general provisions), §§ 22–31 (special categories), § 38 (DPO threshold)
RDG	§ 1 (scope), § 2 (definition of legal services), § 5 (permitted ancillary services)
DSA / DDG	Transparency, illegal content, platform obligations, user rights
BGB	§§ 305–310 (general terms), §§ 312–312k (distance selling), § 355 (right of withdrawal)
TTDSG	§ 25 (cookie consent and terminal device access)

Annex B — Disclaimer Templates

B.1 Standard Output Disclaimer (English)

B.2 Standard Output Disclaimer (German)

B.3 High-Risk Query Warning

Annex C — Revision History

Version	Date	Author	Summary of Changes
1.0	1 March 2026	hallostu Governance Lead	Initial release

hallostu is committed to building a transparent, secure, legally compliant, and responsibly governed AI assistant that reduces bureaucratic stress for international students in Germany — while upholding the highest standards of user trust, data protection, and ethical AI practice.