Practical GuideMarch 17, 2026·7 min read

GDPR and Privacy in AI Assistants: A Practical Guide

Citai Team

March 17, 2026 · 7 min read

Why Does GDPR Matter for AI Chatbots?

If your chatbot interacts with users in the European Union, the General Data Protection Regulation (GDPR) applies directly. An AI chatbot stores conversations, preferences, and potentially personal data — all regulated by GDPR.

Key GDPR Articles:
  • Art. 17 — Right to erasure ("right to be forgotten"): users can request deletion of all their data
  • Art. 20 — Data portability: users can request an exportable copy of their data
  • Art. 25 — Privacy by design: data protection must be integrated from the architecture
  • Art. 30 — Records of processing: obligation to document what data is processed and why

What Data Does an AI Chatbot Store?

It’s important to understand what information is collected during interactions:

Data type Example Sensitivity level
Conversations Questions and answers Medium-High
Session metadata IP, user-agent, timestamps Medium
Pre-chat data Name, email High
Feedback Ratings, reasons Low
Uploaded documents PDFs, DOCX Variable
Usage logs Queries, response times Low

Right to Erasure (Art. 17)

The “right to be forgotten” requires you to delete all user data upon request. Citai implements this with:

  • Conversation deletion — all user conversations are erased
  • Widget session deletion — messages and metadata removed
  • Log purge — usage logs associated with the user deleted
  • Cascade deletion — feedback, escalations, and related data
Practical implementation: Configure an automatic retention policy (e.g., 90 days) so data is purged without manual intervention. Citai allows configuring retention policies per tenant.

Data Portability (Art. 20)

Users have the right to receive their data in a structured, machine-readable format:

  • JSON export — all conversations and user data in standard JSON format
  • CSV export — for tabular data like usage logs and feedback
  • Complete inclusion — conversations, feedback, personal settings

Retention Policies

Data retention must be proportional to the purpose. Citai offers flexible configurations:

  • Conversations: Configurable retention (30, 60, 90, 180 days, or indefinite)
  • Audit logs: Separate retention (recommended: 1 year for compliance)
  • Semantic cache: Configurable TTL (default 7 days)
  • Widget sessions: Configurable automatic purge

GDPR Rights and How Citai Implements Them

GDPR Right Article Citai Implementation
Access Art. 15 User data export
Rectification Art. 16 Profile and data editing
Erasure Art. 17 Complete data deletion
Portability Art. 20 JSON/CSV export
Objection Art. 21 Processing deactivation
Restriction Art. 18 Data processing pause

Auditing for Compliance

Audit logs are essential to demonstrate compliance:

  • 15+ event types recorded: login, CRUD, configuration changes
  • JSON metadata per event — who, what, when, from where
  • Configurable retention — keep logs as long as your regulation requires
  • Export — download logs for external audits

Conclusion

GDPR compliance isn’t just a legal obligation — it’s a competitive advantage. Users trust platforms that respect their privacy more. Citai integrates compliance from the architecture: data export, complete deletion, configurable retention, and detailed auditing.


Deploy an AI chatbot that respects your users’ privacy. Try Citai →

Try Citai for free

Create your intelligent knowledge base in minutes. No credit card required.

Create free account