GDPR-compliant AI chatbots: what to look out for
An AI chatbot processes personal data in every message. These six points decide whether it is GDPR-compliant.
As soon as an AI chatbot talks to real visitors, it processes personal data — often in every single message. That brings it under the GDPR. The good news: compliance is not rocket science if the platform provides the right foundations. These six points are worth checking before you put a chatbot into production.
1. Hosting in the EU
The most important lever is where the servers sit. If data is processed in the EU, the thorny question of third-country transfers to the US largely disappears. Kyros is hosted in the EU and built for the German and European market from the ground up — German-first, available bilingually. You’ll find the details on the security page.
2. Data processing agreement (DPA)
When a provider processes personal data on your behalf, Art. 28 GDPR requires a data processing agreement (DPA) including technical and organisational measures (TOMs). Make sure the provider offers such a DPA and discloses the sub-processors it uses. What Kyros provides here is on the GDPR page.
3. Retention & deletion
Data minimisation means: don’t store data longer than necessary. Check whether the retention of chat logs is configurable. With Kyros, retention is adjustable — as a platform default of 30 days, fully disabled (“never”), or a custom period based on inactivity. That lets you align the storage duration with your own privacy policy instead of having to accept a fixed value set by the provider.
4. PII moderation
Visitors often type more into a chat box than they should — names, addresses, card numbers. Moderation that detects and withholds personal data (PII) is therefore central. In Kyros, moderation screens incoming messages before they reach the model or get stored. Six categories are on by default — including PII and protection against sexual, hateful, violent, dangerous and self-harm content. Flagged messages are withheld before they are stored or forwarded to the model; the assessment is handled by a moderation provider (Mistral). Optionally, health, financial and legal advice as well as jailbreak detection can be enabled, and a custom sensitivity threshold can be set.
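To make points 3 and 4 concrete, here is a small added example of how an inbound chat pipeline can enforce both: the moderation gate runs first, so a withheld message never reaches the model or the log store, and a retention policy later purges inactive conversations. This is illustration code written for this article, not Kyros code. It assumes a placeholder regex-plus-Luhn PII check standing in for the external moderation provider, a stub model function, and it interprets the “never” retention option as “do not persist chat logs at all”.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

# Placeholder PII patterns (constructed for this example; a real deployment
# delegates this decision to a moderation provider, as the article describes).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so that arbitrary long numbers (order ids) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def moderate(message: str) -> Optional[str]:
    """Return the category a message is withheld under, or None if it may pass."""
    if EMAIL_RE.search(message):
        return "pii"
    for match in CARD_RE.finditer(message):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            return "pii"
    return None


@dataclass(frozen=True)
class RetentionPolicy:
    """The three options the article lists: "default" (30 days), "never", "inactivity"."""
    mode: str
    inactivity_days: Optional[int] = None

    def persist(self) -> bool:
        # Assumption: "never" means chat logs are not stored at all.
        return self.mode != "never"

    def expired(self, last_activity: datetime, now: datetime) -> bool:
        if self.mode == "default":
            limit = timedelta(days=30)
        elif self.mode == "inactivity":
            if self.inactivity_days is None:
                raise ValueError("inactivity mode needs inactivity_days")
            limit = timedelta(days=self.inactivity_days)
        else:
            return True  # nothing should exist in the store for "never"
        return now - last_activity > limit


@dataclass
class Conversation:
    messages: list[str] = field(default_factory=list)
    last_activity: Optional[datetime] = None


class ChatPipeline:
    def __init__(self, policy: RetentionPolicy, model: Callable[[str], str]):
        self.policy = policy
        self.model = model          # stub stands in for the LLM call
        self.store: dict[str, Conversation] = {}

    def handle(self, conv_id: str, message: str, now: datetime) -> dict:
        # 1. Moderation gate runs before the model and before any persistence.
        category = moderate(message)
        if category is not None:
            return {"status": "withheld", "category": category}
        # 2. Only clean messages reach the model.
        reply = self.model(message)
        # 3. Persist only if the retention policy allows storing logs at all.
        if self.policy.persist():
            conv = self.store.setdefault(conv_id, Conversation())
            conv.messages.append(message)
            conv.last_activity = now
        return {"status": "answered", "reply": reply}

    def purge(self, now: datetime) -> list[str]:
        """Delete conversations whose retention period has elapsed; return their ids."""
        gone = [cid for cid, c in self.store.items()
                if c.last_activity is None or self.policy.expired(c.last_activity, now)]
        for cid in gone:
            del self.store[cid]
        return gone
```

The ordering inside `handle` is the whole point: a message that trips the PII check is rejected before it is logged or sent anywhere, so there is nothing to delete later, while `purge` applies the configured window only to conversations that were legitimately stored.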
5. Transparency & citations
Users have a right to know that they are talking to an AI and where its answers come from. Grounded answers in Kyros cite their sources with clickable footnotes — creating traceability and reducing hallucinations. For accountability, the audit log with 21 tracked action types additionally lets you reconstruct who changed what and when.
6. Privacy notice inside the widget
The notice about data processing belongs where the processing happens — inside the chat window itself. The Kyros chat widget ships with a GDPR-worded privacy panel right in the menu, explaining what data is processed, on what legal basis and how long it is kept. So you don’t have to build a separate consent construct.
Conclusion
GDPR compliance doesn’t come from a single checkbox but from the interplay of EU hosting, a DPA, configurable retention, PII moderation, transparency and clear notices in the widget. A platform that already brings these building blocks does most of the work for you — you just have to configure them correctly.