GDPR-Compliant AI Chatbots: A Founder's Checklist
What you actually need to do to ship an AI chatbot to EU visitors without losing sleep — or your customers' trust.
GDPR compliance for an AI chatbot is mostly common sense plus a few specific data flows. Below is the checklist we walk new customers through. None of this is legal advice; it's the operational reality.
1. Lawful basis
For most chatbots, the lawful basis is legitimate interest (answering visitor questions) or consent (lead capture). Document which you're using.
2. Data minimization
Only ask for what you need. An email address is fine when the bot can't answer; asking for full name, phone, and company in the opening message is not.
3. Subprocessor disclosure
Your privacy policy should list the AI model provider (OpenAI in our case) and the chatbot vendor. PageBot publishes a sub-processors page you can link from yours.
4. Right to erasure
When a user asks for their conversation to be deleted, the vendor must support it. PageBot exposes a per-conversation deletion endpoint.
5. Cross-border transfers
If user data leaves the EU (it does, when calling US-based AI providers), you need standard contractual clauses (SCCs) in place. Your chatbot vendor's DPA should include them.
6. Hallucination as a privacy risk
Underrated angle: a bot that invents details about a user (or worse, about another user) is a data accuracy problem under GDPR. Pick a vendor with retrieval-grounded answers and source citation.