Pickware AI connects the Pickware Cloud with AI models from leading providers to offer you productive assistance features, automated analyses, and intelligent workflow support. A step like this puts data protection, transparency, and trust front and center. This article answers the most common questions about data protection and data processing with Pickware AI.
Basics
What is Pickware AI?
Pickware AI is an extension of the Pickware Cloud that provides selected features using generative AI models — such as analysis and reporting aids, suggestions for inventory optimization, or support for recurring tasks in the backend. Pickware AI is designed as an integral part of the Pickware Cloud and follows the same data protection and security standards as the main product. You can find more information about the features in the article What is Pickware AI?
Who is responsible under data protection law?
Pickware remains the data processor within the meaning of Art. 28 GDPR. You, as the merchant, remain the controller within the meaning of Art. 4 No. 7 GDPR. The AI providers used as part of Pickware AI act as sub-processors on behalf of Pickware. This structure is documented transparently in the Data Processing Agreement (DPA) as well as in the sub-processor list.
Which AI providers are used?
The following providers are currently used as part of Pickware AI:
OpenAI Ireland Ltd. — primary provider of generative AI models (e.g. the GPT family).
Braintrust Data Inc. — logging and tracing for quality assurance of the AI processing.
Cloudflare, Inc. — reverse proxy between the Pickware Cloud and OpenAI as well as a general security layer.
You can find a complete and always up-to-date list at pickware.com/de/sub-prozessoren.
Data protection and data processing
What data is transmitted to the AI providers?
The AI chat in Pickware AI can use technical tools to access data from your Pickware Cloud tenant. Which data is specifically transmitted depends on the request you make to the AI. The principle of data minimization applies — the AI's tools are limited to the data sources necessary for the respective feature.
If you give the AI a request that contains or requires end customer data (e.g. "summarize all orders from customer Smith"), the AI can use its tools to access the corresponding data sets and transmit them to OpenAI. Your customers' end customers never see the AI outputs directly — the AI features can only be used in the merchant backend.
Is my data used to train AI models?
No. It is contractually excluded with all AI providers used that data transmitted as part of Pickware AI is used to train the models. A Data Processing Addendum (DPA) has been concluded with OpenAI Ireland Ltd. that categorically excludes use for training.
Is my data stored by OpenAI?
No. Zero Data Retention (ZDR) is activated for the Pickware account with OpenAI. This means that OpenAI does not store the data transmitted as part of API requests. In combination with the contractual exclusion of training use, this ensures that your data neither remains permanently with OpenAI nor is used to improve AI models.
Where is the data processed?
The contracting party for Pickware AI is OpenAI Ireland Ltd., headquartered in Ireland. According to the current state, the actual data processing may also take place on servers in the USA, as OpenAI, being a global provider, operates servers in several regions. For all transfers to third countries, Pickware relies on the EU–US Data Privacy Framework (DPF) and the EU Standard Contractual Clauses (SCC 2021/914).
In addition, a set of technical and contractual measures is in place to secure the level of protection: Zero Data Retention (no storage by OpenAI), a contractual exclusion of training use in the Data Processing Addendum, OpenAI's DPF certification, data minimization through limited AI tool access, and exclusive back-office use — end customers never interact directly with the AI at any point.
Is plain-text end customer data transmitted?
Yes, this can happen depending on the request. Since the AI chat uses tools to access the Pickware Cloud database and you, as the merchant, can make any request, plain-text end customer data can be transmitted to the AI. Complete pseudonymization of arbitrary free-text requests is not technically reliable. Pickware therefore relies on a combination of clear restrictions on the AI tools, tenant separation, a contractual exclusion of training use with OpenAI, and Zero Data Retention.
Contractual and legal aspects
Do I need to sign a new DPA?
No. The existing DPA remains valid and has simply been supplemented with the new sub-processors. You can find the updated DPA at pickware.com/de/avv.
Do I have a right to object?
Yes. If you do not agree with the addition of a sub-processor, you can object by stating specific reasons via email to [email protected].
What obligations do I have towards my end customers?
As the controller with respect to your end customers, we recommend the following measures:
Update your privacy policy — including references to the use of AI-supported processes when handling orders, requests, or master data.
Update your record of processing activities (Art. 30 GDPR).
Review your legal bases (Art. 6 GDPR) — AI-supported back-office features generally rely on legitimate interests (Art. 6(1)(f) GDPR).
Observe the EU AI Regulation (AI Act) — in particular the obligation to ensure AI competence among your employees (Art. 4 EU AI Act).
You can request a sample template for supplementing your privacy policy from [email protected].
Is there a Data Protection Impact Assessment (DPIA)?
Yes. Pickware has carried out a complete Data Protection Impact Assessment for Pickware AI in accordance with Art. 35 GDPR. It can be disclosed in excerpts on a justified request to you or your data protection officer.
How does Pickware AI fit with the EU AI Regulation (AI Act)?
Pickware AI has been classified according to the requirements of Regulation (EU) 2024/1689 (AI Act) and falls into the "limited risk" category. Only models that are not subject to the prohibited practices under Art. 5 AI Act are used.
Use and control
Can I deactivate Pickware AI?
Yes. Pickware AI is designed as an optional module. If you do not want to actively use Pickware AI, you can deactivate the features for your tenant. To do so, contact Pickware support or write an email to [email protected].
Can I trace what the AI does with my data?
Yes. Pickware uses a logging and tracing tool that enables quality assurance and error analysis. On a justified request — within the retention period — excerpts from these logs are made available to you, for example if an end customer exercises their right of access under Art. 15 GDPR.
What happens if the AI makes a mistake?
Generative AI models can produce incorrect or fabricated content. Pickware AI is therefore designed so that all AI outputs are to be understood as suggestions, with human review intended. Check results before acting on them — especially for figures and calculations. If you notice a faulty output, feel free to report it via the feedback icon in the Pickware backend or to [email protected].
Future changes
Pickware communicates significant changes — in particular the addition of further sub-processors — via the sub-processor list and notices in the Pickware backend.
Glossary
DPA — Data Processing Agreement under Art. 28 GDPR.
DPIA — Data Protection Impact Assessment under Art. 35 GDPR.
SCC — Standard Contractual Clauses of the European Commission.
DPF — EU–US Data Privacy Framework, adequacy decision of the European Commission.
ZDR — Zero Data Retention, the provider's contractual assurance not to store transmitted data.
AI Act — Regulation (EU) 2024/1689 on artificial intelligence.
Related documents
Contact
Data protection questions: [email protected]
Technical questions about Pickware AI: [email protected]
Contractual questions / DPA: [email protected]
