Last updated: 18 May 2026
1. Brief overview
Hey-KI is an AI-assisted job platform operated by WEB WE DO GmbH. You can use the job search without registering. When you use Hey-KI, we process your inputs in order to understand your request, search for suitable job offers, and display answers or job suggestions to you.
In summary:
- When the website is accessed, technically necessary data is processed so that the website can be delivered and operated securely.
- We operate our website, software, databases, and their monitoring exclusively on servers administered by us and located in Germany. In doing so, we work with service and infrastructure providers that have their registered offices in Germany.
- Technical server logs that may contain your IP address are deleted after 14 days. Before usage data is statistically evaluated, we remove possible identifiers such as IP addresses or detailed device information directly on the server.
- If you use the interactive job search, our system processes your messages and inputs. We use internal AI components and external AI services to understand your inputs, search for suitable job offers, and formulate answers. For external AI services, we work primarily with OpenAI; in limited cases and exceptional situations, Google/Gemini may be used.
- If, when a message is sent, consents that could become necessary for processing by external services are missing, we again display an option for active consent before the message is sent. Without appropriate consent, sending the message to us is blocked where possible; at the latest, use of the external service and further processing are blocked.
- We use services for advertising optimization, such as feedback to Google Ads, only if you have consented via our cookie/privacy banner. If it is apparent that you reached us via another platform, e.g. TikTok, feedback may also be transmitted to that platform after your active consent.
- Settings and details regarding cookies and similar storage technologies, such as Local Storage and Session Storage, can be found in the settings of our cookie/privacy banner.
2. Controller
The controller within the meaning of the General Data Protection Regulation is:
WEB WE DO GmbH
Dammwiesenweg 1
69256 Mauer
Germany
Email: mail@webwedo.de
Website: https://webwedo.de
Phone: +49 6226 9688021
Managing Director: Elena Senn-Hein
Registry court: Amtsgericht Mannheim
Commercial register number: HRB 747236
3. Principles and legal bases
We process personal data only to the extent that there is a legal basis for doing so. Depending on the processing, the following legal bases in particular may apply:
- Art. 6(1)(b) GDPR, where the processing is necessary to provide a service you requested, in particular the AI-assisted job search and communication with Hey-KI.
- Art. 6(1)(a) GDPR, where you have consented to processing, in particular for external AI services as well as marketing/conversion services.
- Art. 6(1)(c) GDPR, where we must comply with legal obligations, such as documentation, commercial, or tax-law obligations.
- Art. 6(1)(f) GDPR, where we pursue legitimate interests, in particular security, prevention of misuse, error analysis, technical operation, and internal anonymized evaluations.
- Section 25(2) German Telecommunications Digital Services Data Protection Act (TDDDG), insofar as storage or access on your end device is strictly necessary in order to provide a digital service expressly requested by you.
- Section 25(1) TDDDG, insofar as cookies, Local Storage, Session Storage, or comparable technologies that are not strictly necessary are used; for this, we obtain your consent.
Where we rely on legitimate interests, we take into account the nature, scope, and purpose of the processing as well as your interests in confidentiality and data protection.
4. Website access, infrastructure, and server logs
4.1 Provision of the website
When you access hey-ki.de, our system processes technically necessary information in order to deliver the website to your end device and enable secure operation. This may include in particular:
- IP address for the technical delivery of the requested content,
- date and time of the request,
- accessed URL or file,
- amount of data transferred,
- access status,
- referrer information,
- browser family and operating system information,
- technical error and security information.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, stable, and misuse-resistant operation of the website.
4.2 Hosting and technical infrastructure
Our website, software, databases, and their monitoring are operated on servers administered by us and located in Germany. In doing so, we work with service and infrastructure providers that have their registered offices in Germany. Domain, DNS, and email infrastructure may be provided through technical service providers.
These service providers process data only within the scope of technical operation, insofar as this is necessary for provision, security, maintenance, or contractual handling.
Where these service providers process personal data on our behalf, we use them on the basis of a data processing agreement pursuant to Art. 28 GDPR.
The monitoring of our servers and technical alerts are also carried out on servers administered by us through our internal systems. We do not use external monitoring service providers for this.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and reliable operation of our website, software, databases, and technical infrastructure.
4.3 Server logs and internal evaluation
Our web servers may generate technical server logs with IP addresses. These logs are processed on servers administered by us and deleted after 14 days.
Before usage data is statistically evaluated, we remove possible identifiers such as IP addresses or detailed device information directly on the server. In further internal evaluations, we do not use an IP address, but instead technical mappings and aggregations that are not directly personal.
After deletion of the server logs, attribution of the statistical data generated from them to individual users is generally no longer possible.
Statistical evaluations of usage data as well as the recording and analysis of runtime errors are carried out on servers administered by us through our internal systems. We do not use external analytics or error-reporting service providers for this.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in operational security, error analysis, prevention of misuse, and the statistical improvement of our offering.
5. Cookies, Local Storage, Session Storage, and consent management
We use cookies, Local Storage, Session Storage, and comparable technologies. We distinguish between technically necessary technologies and those that are used only with your consent.
5.1 Consent management
For managing your privacy and cookie settings, we deliberately rely on a specialized external service provider from Germany. We use Usercentrics as a consent management service for this purpose. The recipient of this consent data is Usercentrics GmbH as our service provider and processor.
Usercentrics helps us document your consents and rejections and control services according to your selection. For this purpose, your selection is technically stored in your browser.
In particular, the following may be processed:
- your consent selection,
- time of selection,
- technical device and browser information,
- consent ID or comparable technical proof information.
The processing serves in particular to implement your selection and to be able to provide legally required evidence. The legal basis, insofar as we comply with legal documentation obligations, is Art. 6(1)(c) GDPR. Insofar as consent management is necessary for the technically and legally orderly operation of our website, we also rely on Art. 6(1)(f) GDPR. For technically necessary storage on your end device, Section 25(2) TDDDG is decisive.
According to Usercentrics, consent data is stored for 1 year. Storage takes place in the European Union.
5.2 Technically necessary storage
We use technically necessary storage in particular:
- to display and document your consent selection,
- to provide the interactive job search,
- to restore ongoing use, insofar as this is necessary for use,
- for security and error prevention.
Hey-KI may use a technical session identifier in the Session Storage of your browser. This session identifier is particularly important so that ongoing use can be restored after technical interruptions, for example on mobile devices. The session identifier is generally deleted when you close your browser.
The legal basis for the processing of personal data is Art. 6(1)(f) GDPR. Our legitimate interest lies in providing Hey-KI in a technically reliable, secure, and usable manner. Section 25(2) TDDDG applies to technically necessary storage on your end device.
5.3 Non-essential technologies
We use non-essential technologies, in particular for marketing, conversion measurement, or third-party tracking, only if you have consented.
Details on the individual services, categories, purposes, storage technologies, and storage periods can be found in the settings of our consent management tool. You can change or withdraw your selection there at any time.
The legal basis for the processing of personal data is your consent pursuant to Art. 6(1)(a) GDPR. Section 25(1) TDDDG applies to access to or storage of information on your end device.
6. Hey-KI and AI-assisted job search
6.1 Purpose of processing
When you use Hey-KI, we process your inputs in order to:
- understand your job-related request,
- ask follow-up questions,
- search for and filter suitable job offers,
- optimize search results,
- technically continue the previous history,
- display answers and job suggestions to you.
Hey-KI is AI-assisted. This means that our system uses internal AI components and large language models to interpret your inputs, find suitable job offers, and generate answers.
6.2 Which data is processed
When using Hey-KI, the following data in particular may be processed:
- your messages, voice inputs, and information contained in them,
- search criteria specified by you, e.g. occupation, location, desired form of work, qualification, or preferences,
- previous history and technical session information,
- technical conversation/response IDs,
- tool inputs and tool outputs of our search and processing steps,
- consent status for processing by external services.
As a rule, you do not have to provide a name, email address, or postal address to use Hey-KI. Please do not enter any sensitive information that is not necessary for the job search, especially health data, information about religion, political opinions, trade union membership, or comparable data requiring special protection.
6.3 Processing by external AI services
To process your inputs, we transmit messages, voice inputs, and the context necessary for processing to external AI services.
As a rule, we use OpenAI. In limited cases, Google/Gemini or Google Cloud/Vertex AI infrastructure may be used, for example for tests, quality assurance, technical failover, or alternative processing routes.
Recipients may include in particular OpenAI and Google Cloud/Vertex AI/Gemini. Further information on recipients and service providers can be found in Section 10.
When using external AI services on our servers, we do not disclose direct identifiers such as IP addresses or information about your browser or end device to OpenAI or Google/Gemini.
The external AI services process the transmitted content according to their respective contractual and data protection terms. The commercial API and cloud interfaces we use contractually exclude the use of transmitted inputs, outputs, and processing contexts for training general AI models.
6.4 Consent and blocking without appropriate consent
Insofar as your inputs are transmitted to external AI services such as OpenAI or Google/Gemini for processing, we obtain your active consent beforehand. This may take place through our consent management or through a consent option displayed in Hey-KI.
If this consent is missing when a message is sent or cannot be reliably determined, we again display an option for active consent before the message is sent. Without appropriate consent, sending the message to us is blocked where possible; at the latest, the use of external AI services and further processing are blocked.
This check is carried out not only at the start of use, but also during use. This also blocks further server-side processing if appropriate consent is no longer present during ongoing search or processing operations.
6.5 Quality Assurance
For quality assurance, we primarily evaluate the use of Hey-KI statistically. For example, we check whether the job search works, whether answers are helpful, and how well the results match the query.
In addition, we may review individual excerpts or histories if this is necessary for error analysis, prevention of misuse, or quality control. This may happen in particular if our AI system detects clear use for unintended purposes, abusive content, or other substantial anomalies during use and marks the dialog accordingly.
Insofar as we use external AI services for this, we use only data that has already been transmitted to the relevant service in the context of the respective use. For this purpose, we do not send any additional direct identifiers such as IP addresses or information about your browser or end device to the external AI service.
6.6 Legal bases
We base the processing of your messages and inputs by our own systems to provide the AI-assisted job search on Art. 6(1)(b) GDPR, insofar as the processing is necessary to provide the service you requested.
To the extent that we evaluate usage data, excerpts or histories for error analysis, prevention of misuse, security or quality assurance, we rely on Art. 6(1)(f) GDPR. Our legitimate interest is to provide Hey-KI securely, reliably and in line with its intended purpose, and to detect and remedy malfunctions and misuse.
The transmission and processing of your inputs by external AI services such as OpenAI or Google/Gemini is based on your consent under Art. 6(1)(a) GDPR. Insofar as technical storage on your end device is strictly necessary for the use of Hey-KI, Section 25(2) TDDDG applies; Section 25(1) TDDDG applies to non-essential storage.
6.7 Storage period
We store data from the use of Hey-KI and technical session identifiers only for as long as this is necessary for provision, continuation, error analysis, prevention of misuse, security, quality assurance, or statutory or contractual documentation. The specific storage period depends in particular on whether ongoing use is to be continued, whether technical errors or misuse must be examined, and whether statutory or contractual documentation obligations exist.
7. Email contact
If you contact us by email, we process the data you transmit, in particular:
- email address,
- name, if provided,
- content of your message,
- technical email metadata.
We use this data to process your request. Depending on the content of the request, the legal basis is Art. 6(1)(b) GDPR, Art. 6(1)(c) GDPR, or Art. 6(1)(f) GDPR. Our legitimate interest lies in processing and documenting requests.
Email communication is not a central user communication channel at hey-ki.de, but remains available as a contact option.
8. Marketing, conversion measurement, and external advertising services
We use marketing and conversion services only if you have consented via our consent management. Without corresponding consent, these services are not loaded by our website. You can change or withdraw your consent at any time via our consent management system.
8.1 Google Ads and Google Marketing Tags
Without express consent via our consent management system, we do not load anything from Google in your browser and do not send any marketing signals to Google Ads.
After you consent, we load only the Google code required for advertising measurement. This may technically load additional Google/DoubleClick resources. In addition, we may inform Google whether an advertisement has led to relevant use of Hey-KI.
In particular, the following may be processed:
- your consent to measurement,
- the Google click ID (gclid), where available, to associate signals with an ad placement,
- signals regarding usage intensity (conversion values), but no content or topics of your use.
In addition, loading the Google code may, for technical reasons, result in Google receiving metadata that your browser transmits during such connections. This may include in particular:
- technical browser and device information,
- IP address,
- URL of the currently accessed page including existing parameters,
- URL of the previous page including existing parameters,
- information stored by Google, e.g. Google cookies.
The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TDDDG.
8.2 TikTok
Without express consent via our consent management system, we do not load anything from TikTok in your browser and do not send any marketing signals to TikTok.
After you consent, we load the TikTok code required for advertising measurement only if it is apparent that you reached us via TikTok. Technically, this is the case in particular if a valid TikTok click identifier (ttclid) is present. We may also inform TikTok whether a TikTok ad led to relevant use of Hey-KI.
In particular, the following may be processed:
- your consent to measurement,
- the TikTok click ID (ttclid), where available, to associate signals with a TikTok ad,
- signals regarding usage intensity (conversion values), but no content or topics of your use.
In addition, loading the TikTok code may, for technical reasons, result in TikTok receiving metadata that your browser transmits during such connections. This may include in particular:
- technical browser and device information,
- IP address,
- URL of the currently accessed page including existing parameters,
- URL of the previous page including existing parameters,
- information stored by TikTok, e.g. TikTok cookies.
The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TDDDG.
9. Social Media Presences and External Profiles
We maintain profiles or presences on TikTok, Instagram, YouTube, Facebook, LinkedIn, XING and Linktr.ee.
If you visit these profiles or interact with us there, the respective platform provider initially processes personal data under its own responsibility. This applies in particular if you are logged in or use functions such as following, liking, commenting, sharing or direct messages.
We process data that you provide to us via these platforms or that is displayed to us there, for example profile names, public profile information, messages, comments or reactions. We use this data to communicate with you, answer enquiries and manage our public presence.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in communication, public relations and maintaining our online presences.
The platforms may provide us with aggregated statistics and so-called insights about our profiles. Depending on the platform, we and the platform provider may be joint controllers within the meaning of Art. 26 GDPR in this respect. In this context, we do not receive complete user profiles of individual persons or access to detailed underlying data from platform analytics, but only aggregated evaluations of the use of our presences.
Platform providers may also process personal data outside the European Union or the European Economic Area. Details can be found in the privacy notices and settings of the respective platform.
You can generally exercise your data protection rights both against us and against the respective platform provider. Since the platform providers have access to the respective platform accounts and the data processed there, contacting the platform directly may be the more effective route in individual cases. We will support you within the scope of our possibilities.
Further information can be found in the privacy notices of the providers:
TikTok, Instagram, YouTube / Google, Facebook, LinkedIn, XING, Linktr.ee.
10. Recipients and service providers
We transmit personal data only if this is necessary for the described purposes, if a legal basis exists, or if you have consented.
Depending on the use, the following recipients or categories of recipients in particular may be involved:
- hosting, server, database, domain, DNS, and email service providers for technical operation,
- Usercentrics GmbH, Sendlinger Straße 7, 80331 München, as consent management service provider,
- OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, for the processing of messages, voice inputs, and other inputs in the context of Hey-KI use,
- Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland, for Google/Gemini or Google Cloud/Vertex AI in limited processing scenarios,
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for Google Ads and associated Google/DoubleClick services after marketing consent,
- TikTok Technology Limited, The Sorting Office, Ropemaker Place, Dublin 2, D02 HD23, Ireland, after marketing consent and where the user originated from TikTok,
- authorities, courts, advisors, or other bodies, insofar as this is legally required or needed for asserting or defending legal claims.
Where these providers process personal data on our behalf, we use them on the basis of a processing agreement pursuant to Art. 28 GDPR. This applies in particular to technical service providers and API/cloud services that we use to provide, process, or secure our offering.
In this public privacy policy, we generally describe basic technical infrastructure as categories. We maintain the specific internal provider, contract, and security documentation separately.
11. Third-country transfers
Some of the providers mentioned or their sub-processors may also process personal data outside the European Union or the European Economic Area.
Insofar as data is transferred to third countries, this is done on the basis of the applicable mechanisms in each case, in particular:
- adequacy decisions of the European Commission,
- EU Standard Contractual Clauses,
- supplementary contractual, technical, and organizational safeguards,
- Data Processing Agreements or processing agreements,
- your consent, insofar as this is required in the individual case.
This concerns in particular internationally active providers such as OpenAI, Google, and TikTok. Details may change depending on the provider, product, contractual configuration, and sub-processors.
For OpenAI services, OpenAI Ireland Ltd. is generally the contracting party for customers based in the European Economic Area. OpenAI may use affiliated companies and sub-processors outside the EU or EEA to provide the services. According to the OpenAI Data Processing Addendum, such transfers are carried out in particular on the basis of EU Standard Contractual Clauses or adequacy decisions. OpenAI processes customer data as a processor under the Data Processing Addendum; OpenAI publishes the sub-processors used in its sub-processor list.
For Google services, in addition to our EU contracting partners Google Cloud EMEA Limited and Google Ireland Limited, Google companies outside the EU or EEA may also be involved as sub-processors. Google LLC is certified under the EU-U.S. Data Privacy Framework. Where personal data is transferred to Google LLC within the scope of certified Google services, the transfer may be based on the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework. The relevant Google data processing terms and, where required, EU Standard Contractual Clauses also apply.
For TikTok services, TikTok may also process data outside the EU or EEA or grant companies of the TikTok corporate group outside the EU or EEA limited access. According to TikTok, such transfers are carried out in particular on the basis of EU Standard Contractual Clauses. We use TikTok services on hey-ki.de only with your consent.
12. Automated decision-making
Hey-KI supports you in your job search and displays suitable job suggestions and answers to you on the basis of your inputs. However, we do not make any automated decision within the meaning of Art. 22 GDPR concerning an application, hiring, rejection, or any comparable legal effect toward you.
The suggestions displayed by Hey-KI do not replace a decision by an employer and do not establish any entitlement to a position.
13. Obligation to provide data
Use of the website is generally possible without registration.
If you wish to use certain functions, you must provide the data required for them:
- For the interactive job search, you must enter messages, voice inputs, or search criteria.
- For restoring ongoing use, technically necessary session information may be required.
- No provision is required for marketing and conversion services; these take place only after your consent.
If you do not provide required data or consents, the respective function cannot be used or can be used only to a limited extent.
14. Storage period
We store personal data only for as long as this is necessary for the respective purposes or statutory obligations exist.
Specifically, the following applies:
- Raw access logs with IP addresses are deleted after 14 days.
- Consent data is stored for as long as this is necessary to prove your selection and to comply with legal documentation obligations.
- Data from the use of Hey-KI is stored for as long as this is necessary for provision, continuation, error analysis, prevention of misuse, security, or statutory or contractual documentation.
- We store data from email communication for as long as this is necessary to process your inquiry and to comply with statutory retention obligations.
- The storage period for marketing and conversion data depends on your consent, the respective service settings, and the provider terms.
Insofar as specific storage periods cannot be stated, these are determined by the cessation of the purpose, statutory retention obligations, legitimate documentation interests, security requirements, and technical deletion options.
15. Your rights
Under the GDPR, you have in particular the following rights:
- right of access under Art. 15 GDPR,
- right to rectification under Art. 16 GDPR,
- right to erasure under Art. 17 GDPR,
- right to restriction of processing under Art. 18 GDPR,
- right to data portability under Art. 20 GDPR,
- right to object under Art. 21 GDPR,
- right to withdraw consents given under Art. 7(3) GDPR.
If you withdraw consent, this does not affect the lawfulness of processing up to the time of withdrawal.
You can use the contact details stated above to exercise your rights.
16. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. In particular, you can contact the supervisory authority responsible for us or the supervisory authority of your usual place of residence.
The supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW), Heilbronner Straße 35, 70191 Stuttgart. Further information and complaint options can be found at:
https://www.baden-wuerttemberg.datenschutz.de/beschwerde/.
17. Changes to this privacy policy
We may amend this privacy policy if our website, our data processing, or legal requirements change. The version published on hey-ki.de at the relevant time applies.
