July 2, 2026 · 8 min read
AI chatbot data privacy & GDPR: what e-commerce owners must know

Adding an AI chatbot to your store means adding a new place where customer data flows — questions, names, sometimes an email or an order number. Under the GDPR, that makes the chatbot part of your compliance surface, and "the vendor handles it" is not a defense if something goes wrong. The good news: getting this right is mostly about asking a handful of pointed questions and choosing a tool that answers them cleanly.
This guide walks through what data a support chatbot actually touches, the obligations that land on you as the store owner, and a vendor checklist you can use verbatim.
This is general information for store owners, not legal advice. For your specific situation — especially anything involving special-category data or large-scale processing — talk to a qualified data-protection professional.
Quick take
- You're the data controller. The chatbot vendor is usually a processor acting on your instructions — but the accountability stays with you.
- Minimize by default. A support bot rarely needs more than the question itself; don't collect what you can't justify.
- The big three to verify: where data is stored, whether it's used to train anyone's models, and how long it's kept.
- Get it in writing: a Data Processing Agreement (DPA), a list of sub-processors, and clear retention controls.
What data a support chatbot actually touches
Before you can protect data, you need to know what's flowing. A typical e-commerce support conversation involves less than people fear — but it's not nothing.
| Data type | When it appears | Sensitivity |
|---|---|---|
| The message content | Every conversation | Usually low, but can contain anything a shopper types |
| Name / email / phone | If you capture leads or look up orders | Personal data — the core of GDPR scope |
| Order number & status | Order-lookup conversations | Personal data when tied to a customer |
| IP address / device info | Often logged by default | Personal data under GDPR |
| Payment details | Should never enter a chat | High — keep it out entirely |
Two rules make the rest simpler. First, a support chatbot should never handle payment card details — checkout stays in your payment processor, full stop. Second, collect only what the conversation needs: to look up an order you need an order number and the email on it, not a phone number, home address, and date of birth. Data you don't collect is data you can't leak, don't have to secure, and never have to delete.
Your obligations, in plain English
You don't need to memorize the regulation. For a support chatbot, the duties that actually matter come down to a short list.
Have a lawful basis. For support, this is usually "legitimate interest" (answering a customer who contacted you) or performance of a contract (handling an order). If you use conversations for marketing follow-up, that's a separate purpose that typically needs consent.
Be transparent. Your privacy policy should mention the chatbot: that an AI assists support, what it collects, and who processes it. A one-line notice near the chat ("By chatting you agree to our privacy policy") plus the detail in the policy itself is the norm.
Minimize and limit purpose. Collect only what's needed for support, and don't quietly repurpose it. An email captured to answer a delivery question isn't automatically a marketing subscriber.
Respect data-subject rights. Customers can ask what you hold, correct it, or have it deleted. You need to be able to honor that — which means knowing where chat data lives and being able to remove it.
Keep it secure, and don't keep it long. Apply reasonable security (encryption, access control) and set a retention period that isn't "forever." If you don't need a two-year-old support chat, don't keep it.
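As an added example (not code from the article or from Loqara), here is a small Python gate that enforces the minimization rule from the data table and the retention duty above: Luhn-checked card numbers are redacted before a message is stored or forwarded to a model provider, and each conversation carries a configurable expiry used to purge old chats. The function names and the 90-day default are assumptions for illustration.

```python
"""Added example (not from the article or Loqara): a minimization and
retention gate for chat messages. Card numbers (Luhn-checked) are redacted
before storage or forwarding to a model provider, and each conversation
carries an expiry so old chats are purged. Names and period are assumed."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# 13-19 digits with optional space/hyphen separators, digit at both ends
CARD_RE = re.compile(r"\d(?:[ -]?\d){12,18}")
DEFAULT_RETENTION_DAYS = 90  # assumed policy value, not a figure from the GDPR

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for structurally valid card numbers, which keeps
    most order or phone numbers out of the redaction."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_cards(text: str) -> str:
    """Replace Luhn-valid card numbers; other digit runs stay as typed."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return "[CARD REDACTED]" if luhn_ok(digits) else m.group(0)
    return CARD_RE.sub(_sub, text)

@dataclass
class Conversation:
    conv_id: str
    expires_at: datetime
    messages: list = field(default_factory=list)

def store_message(conv: Conversation, text: str, now: datetime,
                  retention_days: int = DEFAULT_RETENTION_DAYS) -> str:
    """Redact, append, and push the expiry out from the latest activity."""
    clean = redact_cards(text)
    conv.messages.append(clean)
    conv.expires_at = now + timedelta(days=retention_days)
    return clean

def purge_expired(convs: list, now: datetime) -> list:
    """Drop conversations whose retention window has passed."""
    return [c for c in convs if c.expires_at > now]
```

Run the purge on a schedule (a daily job is typical) so deletion happens without anyone remembering to do it.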
Legitimate interest still needs a light touch
"Legitimate interest" isn't a blank cheque. It works well for answering the customer in front of you. It does not automatically cover training models on their messages, selling data, or bolting them onto a marketing list. When in doubt, ask: would the shopper reasonably expect this use? If not, you need consent or you shouldn't do it.
The vendor checklist (use this verbatim)
Most of your compliance depends on the tool you pick, so interrogate it before you install it. A trustworthy vendor answers all of these without squirming:
- Do you offer a Data Processing Agreement (DPA)? If they can't provide one, walk away — you legally need it.
- Where is the data stored and processed? For EU shoppers, EU/EEA storage (or a valid transfer mechanism) keeps things simple.
- Who are your sub-processors? The model provider, hosting, analytics — you're entitled to the list, and you inherit their practices.
- Is my data used to train AI models? The answer you want is "no." Your customers' questions should not become someone's training set.
- What's the data retention, and can I control it? You want configurable retention and automatic deletion, not indefinite storage.
- How do you handle deletion and export requests? You need a practical way to fulfill data-subject rights.
- How is data secured? Encryption in transit and at rest, access controls, and tenant isolation so one store's data can't reach another's.
If a vendor is vague on the training question or can't produce a DPA, that's your answer. Privacy posture is part of choosing well — see our broader guide to choosing an AI support agent.
Green flags
- Ready DPA and a public sub-processor list
- EU data storage option; clear on transfers
- Explicit "we don't train on your data"
- Configurable retention with auto-deletion
- Per-store data isolation and encryption
Red flags
- No DPA, or "we'll sort it later"
- Won't say where data lives or who sub-processes it
- Evasive on model training
- "We keep everything forever"
- Encourages putting payment or ID details in chat
How Loqara approaches it
We built Loqara for EU stores, so privacy is a default, not an upsell. In plain terms: conversations are not used to train foundation models; each store's data is isolated from every other tenant; retention is time-bounded with automatic cleanup rather than kept indefinitely; and sensitive flows are designed so payment details never enter the chat (checkout stays on your store). When a conversation needs a person, the handoff keeps the data within your own inbox.
We'll also tell you plainly what we are and aren't: we're a practical, privacy-respecting tool for small and mid-size stores, not a heavyweight enterprise compliance suite. If your situation demands specific certifications or contractual guarantees, ask us directly and we'll give you a straight answer rather than a sales pitch.
Frequently asked questions
Does using an AI chatbot make me GDPR non-compliant?
No — a chatbot is fine under GDPR when handled correctly. You need a lawful basis (usually answering the customer), transparency in your privacy policy, a DPA with the vendor, data minimization, and a sensible retention period. Thousands of EU stores run chatbots compliantly; the work is in choosing a solid vendor and being honest in your policy.
Am I responsible, or is the chatbot company?
Both, in different roles. You're the data controller — you decide why and how customer data is used, so accountability sits with you. The vendor is typically a processor acting on your instructions, governed by the DPA. "The vendor is responsible" won't shield you if you skipped the basics.
What's the single most important thing to check in a vendor?
Whether your data is used to train AI models, and whether they'll sign a DPA. If conversations become someone's training data, or there's no processing agreement, no other feature makes up for it. After that, check data location and retention.
Do I need to mention the chatbot in my privacy policy?
Yes. Note that an AI assistant helps with support, what data it collects, and who processes it (including the model provider). A short notice by the chat window pointing to the full policy is standard practice.
How long should chat data be kept?
Only as long as you actually need it for support and record-keeping — then delete it automatically. There's no fixed number in the GDPR, but "indefinitely" is the wrong answer. Prefer a tool with configurable retention so old conversations clean themselves up.
Privacy done right is a trust advantage, not a chore — shoppers in the EU notice. Ask the hard questions, minimize what you collect, and pick a tool that answers cleanly. See how Loqara handles it.