The GDPR (General Data Protection Regulation) has been in force since 2018, but in 2026, European supervisory authorities are increasingly active. Fines are multiplying, including for small and medium businesses. If you're deploying a chatbot on your website, you're potentially collecting personal data — and you have specific obligations to meet.
The good news: with the right solution, GDPR compliance doesn't have to be a headache. This guide explains what a chatbot collects, what you need to do, and how Chatbot Flow is designed to make compliance straightforward.
What Data Does a Chatbot Collect?
A chatbot can collect several categories of data, depending on its configuration:
Automatically collected data
- Conversation content: the questions asked and responses generated. This data may contain personal information if the visitor mentions it spontaneously ("I'm 45 and I'm looking for…", "My name is…"). Because responses are generated by a language model, whatever the visitor types is also processed by the LLM provider, which is why that provider belongs on your list of sub-processors.
- Session metadata: time of the conversation, URL of the page, device type (mobile/desktop). This is technical data and relatively low-sensitivity, but once tied to a session identifier it is personal data like the rest and still subject to the GDPR.
- Session identifier: a random value stored in a cookie so the chatbot can keep context as the visitor moves between pages; without it, context is lost on every page view. Call it pseudonymous rather than anonymous: it contains no name or email, but an online identifier that singles out a visitor is personal data under the GDPR, so it belongs in your privacy notice alongside the conversation content.
Voluntarily provided data
- Email: when the visitor chooses to leave their details to be contacted.
- Phone number: if the integrated contact form requests it.
- Any other information the visitor types of their own accord in the chat.
GDPR Obligations for a Chatbot
1. Inform visitors
Before or at the start of a conversation, visitors must be informed that their data is being processed. This information can appear in your privacy policy (accessible via a link in the chatbot widget) or in the chatbot's own welcome message.
The minimum required under Article 13: who processes the data (your company, with a contact point), why and on what legal basis (see below), who receives it (your sub-processors, such as the hosting provider and the LLM provider), how long it is retained, and how to exercise rights, including the right to lodge a complaint with a supervisory authority.
2. Legal basis for processing
Every data processing activity must have a legal basis. For a chatbot, two bases typically apply:
- Legitimate interest: for support conversations and technical session data. You have a legitimate interest in answering visitors' questions and improving their experience, but this basis only holds if you have weighed it against the visitors' own interests and written that balancing test down; keep it with your records of processing.
- Consent: for using a collected email for marketing or newsletter sign-ups. Consent must be freely given, specific, informed and unambiguous (a clear affirmative action, never a pre-ticked box), collected separately from the callback request, and as easy to withdraw as it was to give.
3. Hosting within the European Union
Personal data of people in the EU may only be transferred outside the EU/EEA under a recognised transfer mechanism: an adequacy decision for the destination country, or appropriate safeguards such as standard contractual clauses. In practice, the simplest solution is to keep the data in Europe, and that means every sub-processor that touches it, not just the primary hosting: if conversation content is sent to an LLM provider outside the EEA, that is a transfer too.
Chatbot Flow hosts all its data in France, on OVH servers. No data transfer outside the EU; compliance is built in from day one.
4. Data retention period
You must define and respect a retention period, and be able to justify it. Chatbot Flow retains conversations and leads for 24 months from the last interaction (a returning visitor restarts the clock), then deletes them automatically. This duration is reasonable and aligned with supervisory authority recommendations.
5. Data subject rights
Any visitor can exercise their rights: access to their data, rectification, erasure ("right to be forgotten"), portability. Chatbot Flow lets you export or delete a specific visitor's data from the dashboard, so the technical part of a request takes minutes. Two practical points: the legal deadline is one month from receipt of the request, and before you export anything you must verify that the requester really is that visitor (for example by replying only to the email address held on the lead), otherwise the export itself becomes a data leak to whoever asked.
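To make the retention rule and the rights handling concrete, here is an added example (not Chatbot Flow's code) of a small in-memory store that applies both: a scheduled purge that counts 24 calendar months from each visitor's last interaction across conversations and leads, a per-visitor JSON export for access and portability requests, and an erasure routine whose audit trail records a ticket reference rather than the erased identifier. The class and field names, the ticket reference format and the sample records are all constructed for the illustration.

```python
# Added example, not Chatbot Flow's code: an in-memory store with constructed records.
import calendar
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

RETENTION_MONTHS = 24  # the page's retention period, counted from the last interaction


@dataclass
class Conversation:
    visitor_id: str
    last_interaction: datetime
    messages: list[str] = field(default_factory=list)


@dataclass
class Lead:
    visitor_id: str
    email: str
    captured_at: datetime
    marketing_consent: bool = False  # separate consent; never inferred from a callback request


def months_ago(now: datetime, months: int) -> datetime:
    """Calendar-month arithmetic: a 24-month clock is not '730 days'."""
    year, month = now.year, now.month - months
    while month <= 0:
        year, month = year - 1, month + 12
    day = min(now.day, calendar.monthrange(year, month)[1])  # clamp 31 Mar -> 28 Feb
    return now.replace(year=year, month=month, day=day)


class VisitorDataStore:
    def __init__(self) -> None:
        self.conversations: list[Conversation] = []
        self.leads: list[Lead] = []
        # Deletion audit trail: counts, timestamps and ticket references only, never the
        # erased visitor's identifier (that would re-retain what was just erased).
        self.audit_log: list[dict] = []

    def _last_seen(self) -> dict[str, datetime]:
        # Most recent interaction per visitor, across conversations and leads.
        seen: dict[str, datetime] = {}
        for c in self.conversations:
            seen[c.visitor_id] = max(seen.get(c.visitor_id, c.last_interaction), c.last_interaction)
        for l in self.leads:
            seen[l.visitor_id] = max(seen.get(l.visitor_id, l.captured_at), l.captured_at)
        return seen

    def _drop(self, visitors: set[str]) -> int:
        before = len(self.conversations) + len(self.leads)
        self.conversations = [c for c in self.conversations if c.visitor_id not in visitors]
        self.leads = [l for l in self.leads if l.visitor_id not in visitors]
        return before - len(self.conversations) - len(self.leads)

    def purge_expired(self, now: datetime) -> int:
        """Scheduled retention job: delete every visitor silent for RETENTION_MONTHS."""
        cutoff = months_ago(now, RETENTION_MONTHS)
        # The clock runs per visitor: a lead left last year keeps that visitor's older
        # conversation alive instead of leaving an orphaned lead behind.
        expired = {v for v, seen in self._last_seen().items() if seen < cutoff}
        removed = self._drop(expired)
        self.audit_log.append({"event": "retention_purge", "at": now.isoformat(),
                               "cutoff": cutoff.isoformat(), "visitors": len(expired), "records": removed})
        return removed

    def export_visitor(self, visitor_id: str) -> str:
        """Access/portability request: everything held on one visitor, as JSON."""
        payload = {
            "conversations": [asdict(c) for c in self.conversations if c.visitor_id == visitor_id],
            "leads": [asdict(l) for l in self.leads if l.visitor_id == visitor_id],
        }
        return json.dumps(payload, default=lambda d: d.isoformat(), indent=2)

    def erase_visitor(self, visitor_id: str, request_ref: str, now: datetime) -> int:
        """Erasure request; call only after the requester's identity has been verified."""
        removed = self._drop({visitor_id})
        # Keyed by the ticket reference, so the log proves the request was honoured.
        self.audit_log.append({"event": "erasure_request", "ref": request_ref,
                               "at": now.isoformat(), "records": removed})
        return removed


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


SAMPLE_NOW = _utc(2026, 3, 1)  # constructed "now": the retention cutoff is 1 March 2024


def build_sample_store() -> VisitorDataStore:
    store = VisitorDataStore()
    store.conversations += [
        Conversation("v1", _utc(2023, 12, 15), ["Opening hours?"]),  # silent for more than 24 months
        Conversation("v2", _utc(2023, 11, 1), ["Do you deliver?"]),  # old chat, but see the lead below
        Conversation("v3", _utc(2025, 1, 20), ["My name is Ana"]),   # recent
    ]
    store.leads += [
        Lead("v2", "v2@example.com", _utc(2025, 6, 10)),  # v2 came back: the clock restarts
        Lead("v3", "v3@example.com", _utc(2025, 1, 20), marketing_consent=True),
    ]
    return store
```

On the sample data, `build_sample_store().purge_expired(SAMPLE_NOW)` removes only v1's conversation: v2's chat is older than the cutoff too, but the lead v2 left in 2025 is a later interaction, so the whole visitor is kept. The month arithmetic matters more than it looks; a naive `now - timedelta(days=730)` drifts by a day or two around leap years and month lengths, and a retention period you have written down as "24 months" should be enforced as exactly that.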
The Risks of Non-Compliance
European data protection authorities can impose fines of up to:
- €10 million or 2% of worldwide annual turnover, whichever is higher, for the lower tier of violations (Article 83(4): mainly controller and processor obligations such as security measures, records of processing and sub-processor contracts)
- €20 million or 4% of worldwide annual turnover, whichever is higher, for the upper tier (Article 83(5): the basic principles, the legal bases and conditions for consent, data subject rights and unlawful international transfers)
These figures apply to large corporations, but SMEs are not exempt. In 2025, European authorities issued hundreds of sanctions, many concerning organisations with fewer than 50 people. The most commonly sanctioned violations: failure to inform users, cookies without consent, and unregulated international data transfers.
Beyond fines, a GDPR compliance incident can seriously damage your reputation — especially if you have a trust-based relationship with your clients.
How Chatbot Flow is Built for GDPR Compliance
GDPR compliance isn't a bolt-on in Chatbot Flow — it's a design principle. Here are the concrete measures in place:
- 100% France hosting (OVH): no data leaves the EU.
- Isolated vector database per client: your data is never mixed with other clients' data.
- Automatic deletion after 24 months with no manual intervention needed.
- Export and deletion on request: on cancellation, an email with a download link for your data (conversations, leads) is automatically sent. The link is valid for 30 days, after which all your data is permanently deleted.
- No third-party cookies: the Chatbot Flow widget only places first-party cookies necessary for the conversation to function. Cookies that are strictly necessary for a service the visitor asked for are exempt from the consent requirement, but they still have to be described in your privacy or cookie notice.
- Documented sub-processors: data sub-processors (hosting provider, LLM provider) are documented and bound by GDPR-compliant Data Processing Agreements (DPAs). When you review a DPA, check that it states where each sub-processor processes the data, since that is what decides whether a transfer mechanism is needed.
GDPR Compliance Checklist for Your Chatbot
Use this list to verify your compliance:
- Up-to-date privacy policy: does your policy mention the chatbot, the data collected, the legal basis and the retention period? If not, update it.
- Visible link to the policy: the chatbot widget should include a link to your privacy policy. Chatbot Flow lets you configure this in the widget settings.
- Consent for marketing: if you use collected emails to send newsletters or offers, you must obtain separate explicit consent beyond the simple callback request.
- EU hosting confirmed: ask your chatbot provider where your data is hosted and where each of its sub-processors, including the LLM provider, processes it. "In the cloud" is not enough; you need written confirmation of the country, ideally in the DPA.
- Rights request procedure: do you have a way to respond within one month to an access or erasure request (extendable by two further months for complex requests, provided you tell the requester within the first month), including a step to verify the requester's identity? With Chatbot Flow, the export or deletion itself is a few clicks from the dashboard.
Important: this guide is informational and does not constitute legal advice. For a precise analysis of your situation, consult a lawyer specialising in data protection or a Data Protection Officer (DPO).