GDPR and Privacy in AI Assistants: A Practical Guide
Citai Team
March 17, 2026 · 7 min read
Why Does GDPR Matter for AI Chatbots?
If your chatbot interacts with users in the European Union, the General Data Protection Regulation (GDPR) applies directly. An AI chatbot stores conversations, preferences, and potentially personal data — all regulated by GDPR.
- Art. 17 — Right to erasure ("right to be forgotten"): users can request deletion of all their data
- Art. 20 — Data portability: users can request an exportable copy of their data
- Art. 25 — Privacy by design: data protection must be integrated from the architecture
- Art. 30 — Records of processing: obligation to document what data is processed and why
What Data Does an AI Chatbot Store?
It’s important to understand what information is collected during interactions:
| Data type | Example | Sensitivity level |
|---|---|---|
| Conversations | Questions and answers | Medium-High |
| Session metadata | IP, user-agent, timestamps | Medium |
| Pre-chat data | Name, email | High |
| Feedback | Ratings, reasons | Low |
| Uploaded documents | PDFs, DOCX | Variable |
| Usage logs | Queries, response times | Low |
Right to Erasure (Art. 17)
The “right to be forgotten” requires you to delete all user data upon request. Citai implements this with:
- Conversation deletion — all user conversations are erased
- Widget session deletion — messages and metadata removed
- Log purge — usage logs associated with the user deleted
- Cascade deletion — feedback, escalations, and related data
Data Portability (Art. 20)
Users have the right to receive their data in a structured, machine-readable format:
- JSON export — all conversations and user data in standard JSON format
- CSV export — for tabular data like usage logs and feedback
- Complete inclusion — conversations, feedback, personal settings
Retention Policies
Data retention must be proportional to the purpose. Citai offers flexible configurations:
- Conversations: Configurable retention (30, 60, 90, 180 days, or indefinite)
- Audit logs: Separate retention (recommended: 1 year for compliance)
- Semantic cache: Configurable TTL (default 7 days)
- Widget sessions: Configurable automatic purge
GDPR Rights and How Citai Implements Them
| GDPR Right | Article | Citai Implementation |
|---|---|---|
| Access | Art. 15 | User data export |
| Rectification | Art. 16 | Profile and data editing |
| Erasure | Art. 17 | Complete data deletion |
| Portability | Art. 20 | JSON/CSV export |
| Objection | Art. 21 | Processing deactivation |
| Restriction | Art. 18 | Data processing pause |
Auditing for Compliance
Audit logs are essential to demonstrate compliance:
- 15+ event types recorded: login, CRUD, configuration changes
- JSON metadata per event — who, what, when, from where
- Configurable retention — keep logs as long as your regulation requires
- Export — download logs for external audits
Conclusion
GDPR compliance isn’t just a legal obligation — it’s a competitive advantage. Users trust platforms that respect their privacy more. Citai integrates compliance from the architecture: data export, complete deletion, configurable retention, and detailed auditing.
Deploy an AI chatbot that respects your users’ privacy. Try Citai →
Try Citai for free
Create your intelligent knowledge base in minutes. No credit card required.
Create free accountRelated articles
AI Chatbot Security: 2FA, OAuth, Headers and More
Complete security guide for AI assistants: multi-factor authentication, OAuth, HTTP headers, API key hashing, and rate limiting.
Read article → TechnologyAudit Logging: Complete Traceability for AI Compliance
How audit logs in Citai enable complete action traceability, regulatory compliance, and forensic analysis.
Read article → TechnologyMulti-Tenancy in SaaS: Data Isolation with PostgreSQL
How we implement real multi-tenancy with complete data isolation, hierarchical roles, anti-fraud plan enforcement, and enterprise security.
Read article →