In what way do chatbots fall under GDPR? What kind of data is protected? And what measures need to be taken to make sure your chatbot is GDPR compliant? Read on to get these questions answered and join us for a deep dive into the exciting world of data privacy.

What is GDPR?

Does May 25th 2018 ring a bell? It should (if you’re interested in data privacy 😎). This is the date the General Data Protection Regulation, better known as GDPR, came into force: a regulation that marked a new age in data protection legislation, whose main purpose is to bring transparency to how and why data is collected, processed, used and stored online.

Simply said – a regulation for protecting privacy online.

The regulation states that all companies or service providers operating in the European Union are obliged to inform their visitors, users or customers about how and when data is collected. They also have to make sure that all users can have their personal information edited, retrieved, forgotten or removed at any time.

Data protected by GDPR

GDPR, compared to the former Data Protection Directive, introduced a new approach to what constitutes personal data. Before GDPR, personal data was basically your name, address and social security number. But as a result of the rise and spread of the internet, companies suddenly had to apply the same level of protection to completely new kinds of data.

In short, GDPR protects data such as:
✅ Basic identity information (like name, address, email address, but also user-generated data, such as social media posts and personal images uploaded to websites etc.)
✅ Web data (such as location, IP address, cookie data, and RFID tags)
✅ Health, genetic and biometric data (such as your medical history)
✅ Racial or ethnic data, political opinions, religious beliefs, sexual orientation, and so on.

How does GDPR apply to chatbots?

Since chatbots are all about gathering data, GDPR is highly relevant, especially for chatbots using Natural Language Processing (NLP) and machine learning. If you want to build a chatbot that actually works well – in other words, a chatbot that can understand context and provide meaningful conversations – you have to gather data. This includes data such as name, email address or even social security number, where that is relevant.

In other words: Without data – no personalization. Without personalization – no chatbot. 🤷‍♀️

3 Steps to make sure your chatbot is GDPR compliant

As stated above, there’s no doubt that chatbots are an area of interest when it comes to data privacy. With this in mind, we have put together a checklist of what should be done before launching your chatbot project.

➡️ Step 1: Update your privacy policy

Make sure it’s clear and accessible
Having a clear and accessible Privacy Policy is one of the main requirements of GDPR. In this context, accessible means both that the privacy policy is easy to find on the website and that it is easy to understand. That is, it should be written in conversational, natural language without any unnecessary legal jargon.

Be transparent & define your purposes
What comes next is to make sure that your privacy policy provides all the information needed. Examples of information that the privacy policy must include are:

  • What kind of personal data is being collected
  • How the data is collected
  • Why the data is collected
  • How the data will be used
  • Who has access to the data, and whether any third parties are involved in a data exchange
  • How long the data will be stored and what happens after that
  • What your legal basis is for collecting personal data

Provide contact information
While making your privacy policy accessible and being transparent about your purposes is important, you should also make sure that your contact information is easily accessible and that it is clear to the user who the company’s Personal Data Controller is and how to get in touch with this person.

➡️ Step 2: Privacy by design

Provide information & get user consent
The easiest way to inform the user of how you manage personal data, or to get user consent, is to include this directly in the chatbot’s design. This can be done either by adding a question about user consent in the conversational flow, or by including a direct link to the privacy policy in the chatbot widget.
Allow users to retrieve their data
As stated earlier, a user must be able to retrieve their data at any time. When it comes to chatbots, this translates to users being able to download a copy of their conversation transcripts or have them deleted. One way to do it is to build a dialogue for this into the conversational flow, e.g. ‘What data are you storing?’ or ‘Can you send me my data?’. The response should either present the data directly or send it by email. Another alternative is to add a link with the option to download or delete the transcripts in the chatbot’s persistent menu.

Make sure the chatbot is secure
Imagine that you run an e-commerce business. On the website you have implemented a chatbot for customer support purposes. One of the most common support inquiries the chatbot handles concerns invoices. Invoice data is sensitive information that you shouldn’t hand out before you have verified the customer’s identity. To provide users with sensitive information, you should integrate a secure authentication method. The most used authentication method in Sweden is ‘BankID’. BankID is an e-ID provided by Swedish banks and can be integrated and used directly in a chatbot’s conversational flow.
➡️ Step 3: Make sure you store the data safely and securely

All data should be stored separately and encrypted, preferably on a cloud service. Using a cloud service makes it possible for your company to store information about user preferences and provide customized solutions, messages and products based on the behavior and preferences of users.

Choosing the right cloud provider can be challenging. There are many providers to choose from. But if your company operates in the EU and therefore has to comply with GDPR, there is a benefit to choosing an EU-based cloud provider, since these providers have to comply with all of GDPR’s rules by default.
One example of a European cloud provider is OVH. OVH has the highest standards of security and is also the largest hosting provider across all of Europe. They specialize in delivering industry-leading performance and cost-effective solutions to better manage, secure, and scale data.

PS. Don’t forget to set up a data retention policy, i.e. a set of guidelines defining how long information must be kept and how to dispose of the information when it’s no longer needed.
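Putting Step 2 (consent, data retrieval and deletion, authentication before sensitive data) and Step 3 (retention policy) into code, as an added example that is not part of the original article: a small chatbot backend that stores transcripts only after consent, lets a user export or erase their own transcript, gates invoice lookups behind authentication, and purges messages past a retention period. The Session and ChatStore names, the e-ID hook, the sample invoice and the 90-day period are all assumptions.

```python
from dataclasses import dataclass, field
import time

# Added example, not code from the original article: a minimal chatbot backend
# applying the article's Step 2 and Step 3 checks. Names, the sample invoice and
# the 90-day retention period are assumptions for illustration.
RETENTION_SECONDS = 90 * 24 * 3600
INVOICES = {"user-1": ["INV-1001: 250 SEK"]}  # constructed sample data

@dataclass
class Session:
    user_id: str
    consented: bool = False      # explicit consent captured in the dialogue
    authenticated: bool = False  # set after e-ID verification (hypothetical hook)

@dataclass
class ChatStore:
    # user_id -> [(unix_ts, message)], per user so records can be exported or erased individually
    transcripts: dict = field(default_factory=dict)

    def record(self, session, text, now=None):
        """Step 2 (consent): refuse to store anything until consent is given."""
        if not session.consented:
            raise PermissionError("no consent recorded; message not stored")
        ts = now if now is not None else time.time()
        self.transcripts.setdefault(session.user_id, []).append((ts, text))

    def export(self, session):
        """Step 2 (right of access): a copy of the user's own transcript."""
        return [{"ts": ts, "text": t} for ts, t in self.transcripts.get(session.user_id, [])]

    def erase(self, session):
        """Step 2 (right to erasure): delete every record held for the user."""
        return len(self.transcripts.pop(session.user_id, []))

    def purge_expired(self, now=None):
        """Step 3 (retention policy): drop messages older than the retention period."""
        cutoff = (now if now is not None else time.time()) - RETENTION_SECONDS
        removed = 0
        for uid in list(self.transcripts):
            kept = [(ts, t) for ts, t in self.transcripts[uid] if ts >= cutoff]
            removed += len(self.transcripts[uid]) - len(kept)
            self.transcripts[uid] = kept
        return removed

def invoice_reply(session):
    """Step 2 (secure): release invoice data only to an authenticated user."""
    if not session.authenticated:
        return "Please verify your identity with your e-ID before I can show invoices."
    return "; ".join(INVOICES.get(session.user_id, [])) or "No invoices found."
```

Run `purge_expired` on a schedule (not only when a user asks) so the retention policy is enforced for every stored transcript, not just the active ones.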

Some final words (finally..)

First of all – a big applause for making it through all the way. We are truly impressed! 👏

GDPR is not the ‘sexiest’ subject to say the least, but you can’t ignore the fact that it is as important as it is essential when working with chatbots. Therefore we hope that you, with this article, now feel more confident in how to ensure your chatbot project is GDPR compliant!