AI chatbots and GDPR — what to keep in mind (2026)
What personal data an AI chatbot processes, where the data goes and how it's protected. A practical GDPR overview for businesses deploying a chatbot — and how Breezaro handles it.
Not legal advice. This article is an orientation overview. For binding, up-to-date information on data processing, see our privacy policy.
Why GDPR applies to a chatbot too
An AI chatbot for customer support processes personal data — at minimum the conversation content, often the IP address or device information too. As soon as you process data of people in the EU, GDPR applies. The good news: once you know what data flows where, it's quite manageable.
What personal data a chatbot processes
- Conversation content — what the visitor writes and the bot's answers.
- Technical data — IP address, browser and device type, language, where the visitor came from.
- Derived location — country and city, for live-support context.
- Account data (for you as a customer) — email, name and a password stored only as an irreversible hash.
Where the data goes
To make the chatbot work, we rely on a few processors — for example OpenAI and Google (generating answers), Pinecone (searching your knowledge base), Stripe (payments) or Resend (email). The full, current list is in our privacy policy, which also describes how we handle data transfers.
How Breezaro protects data
- We derive geolocation from a local database. To determine a visitor's country and city we don't send their IP address to any third party — the lookup happens on our side.
- Encryption of sensitive tokens. Access tokens (for example to WhatsApp and social networks) are encrypted with AES-256-GCM.
- Encrypted transport. All communication runs over HTTPS.
- Data separation between customers. The knowledge base and vectors are isolated per account.
- Analytics only with consent. Measurement tools turn on only after the visitor grants consent.
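The two technical points in the list above, AES-256-GCM for stored access tokens and per-account isolation, fit together in one routine. The following Go program is an added illustration, not Breezaro's code: it seals a third-party token with AES-256-GCM under a 32-byte key and passes the owning account's ID as additional authenticated data (AAD), so a ciphertext copied into another account's record fails to decrypt. The token value, account IDs and the randomly generated key are constructed for the example; in a deployment the key would come from a secrets manager or KMS rather than from the same database that holds the blobs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not Breezaro's code: an access token stored encrypted with
// AES-256-GCM and bound to its owning account through the AAD.

const keySize = 32 // a 32-byte key selects AES-256

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken encrypts token under key and binds it to accountID via the AAD.
// The stored blob is nonce || ciphertext || 16-byte GCM tag. The nonce is
// fresh random bytes on every call; GCM must never reuse a nonce under one key.
func SealToken(key []byte, accountID string, token []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, producing the blob layout.
	return aead.Seal(nonce, nonce, token, []byte(accountID)), nil
}

// OpenToken reverses SealToken. It fails if the blob was truncated or modified,
// or if it was sealed for a different accountID, because GCM authenticates the AAD.
func OpenToken(key []byte, accountID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("sealed token too short")
	}
	nonce, ct := blob[:n], blob[n:]
	return aead.Open(nil, nonce, ct, []byte(accountID))
}

// NewKey generates a random AES-256 key (for the demo only; production keys
// belong in a secrets manager or KMS).
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	token := []byte("sample-access-token-not-real") // constructed sample value
	blob, err := SealToken(key, "acct_123", token)  // constructed account ID
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes (12 nonce + %d ciphertext + 16 tag)\n", len(blob), len(token))
	if pt, err := OpenToken(key, "acct_123", blob); err == nil {
		fmt.Printf("owning account decrypts: %s\n", pt)
	}
	if _, err := OpenToken(key, "acct_456", blob); err != nil {
		fmt.Println("another account cannot decrypt:", err)
	}
}
```

Binding the ciphertext to the account ID costs nothing at rest and turns a misrouted or copied row into a decryption failure instead of a silent cross-tenant leak; the same pattern extends to any other column-level secret the chatbot backend stores.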
The right to erasure
Visitors and customers have the GDPR right to erasure. With Breezaro:
- You can delete your account yourself in settings, or request it by email at info@breezaro.com.
- After deletion we remove data across systems — from the database, file storage and the vector database — and anonymize the account record.
- Default retention: uploaded documents 365 days, conversation history 90 days (configurable). Trial accounts are deleted automatically 30 days after the trial ends.
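The erasure steps and retention defaults above describe a process that is easy to get wrong by forgetting one store. The following Go program is an added illustration, not Breezaro's code: it models the database, file storage and vector index as in-memory maps, erases everything an account owns across all three, anonymizes the account record instead of dropping it (so references to its ID stay valid), and runs a retention sweep using the page's defaults (documents 365 days, conversations 90 days) with a per-account override. The accounts, objects, timestamps and the assumption that vectors expire together with the documents they were derived from are all constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Added example, not Breezaro's code: cross-store erasure plus a retention sweep.

type Account struct {
	ID, Email, Name, PasswordHash string
	Anonymized                    bool
}

// Item records the owner and creation time of one stored object.
type Item struct {
	AccountID string
	CreatedAt time.Time
}

type Retention struct {
	Documents     time.Duration
	Conversations time.Duration
}

const day = 24 * time.Hour

// DefaultRetention uses the defaults stated on the page.
var DefaultRetention = Retention{Documents: 365 * day, Conversations: 90 * day}

type Stores struct {
	Accounts      map[string]*Account
	Conversations map[string]Item      // keyed by conversation ID
	Files         map[string]Item      // keyed by storage path
	Vectors       map[string]Item      // keyed by vector ID
	Overrides     map[string]Retention // retention a customer configured, by account ID
}

func (s *Stores) retentionFor(accountID string) Retention {
	if r, ok := s.Overrides[accountID]; ok {
		return r
	}
	return DefaultRetention
}

// EraseAccount deletes every object owned by accountID from all three stores and
// anonymizes the account record, keeping only its ID. It reports per-store counts.
func (s *Stores) EraseAccount(accountID string) (map[string]int, error) {
	acct, ok := s.Accounts[accountID]
	if !ok {
		return nil, fmt.Errorf("account %q not found", accountID)
	}
	counts := map[string]int{}
	stores := map[string]map[string]Item{"conversations": s.Conversations, "files": s.Files, "vectors": s.Vectors}
	for name, store := range stores {
		for key, it := range store {
			if it.AccountID == accountID {
				delete(store, key) // deleting during range is safe in Go
				counts[name]++
			}
		}
	}
	acct.Email, acct.Name, acct.PasswordHash = "", "", ""
	acct.Anonymized = true
	return counts, nil
}

// RetentionSweep removes objects older than the retention that applies to their
// owner. Assumption: vectors derive from documents and share their retention.
func (s *Stores) RetentionSweep(now time.Time) (conversations, documents, vectors int) {
	for key, it := range s.Conversations {
		if now.Sub(it.CreatedAt) > s.retentionFor(it.AccountID).Conversations {
			delete(s.Conversations, key)
			conversations++
		}
	}
	for key, it := range s.Files {
		if now.Sub(it.CreatedAt) > s.retentionFor(it.AccountID).Documents {
			delete(s.Files, key)
			documents++
		}
	}
	for key, it := range s.Vectors {
		if now.Sub(it.CreatedAt) > s.retentionFor(it.AccountID).Documents {
			delete(s.Vectors, key)
			vectors++
		}
	}
	return
}

// SampleStores builds constructed data: acct_2 has configured a 180-day conversation retention.
func SampleStores(now time.Time) *Stores {
	return &Stores{
		Accounts: map[string]*Account{
			"acct_1": {ID: "acct_1", Email: "alice@example.com", Name: "Alice", PasswordHash: "argon2id$placeholder"},
			"acct_2": {ID: "acct_2", Email: "bob@example.com", Name: "Bob", PasswordHash: "argon2id$placeholder"},
		},
		Conversations: map[string]Item{
			"conv_1": {"acct_1", now.Add(-10 * day)},  // within 90 days: kept
			"conv_2": {"acct_1", now.Add(-100 * day)}, // past default 90 days: removed
			"conv_3": {"acct_2", now.Add(-100 * day)}, // acct_2 override is 180 days: kept
		},
		Files: map[string]Item{
			"docs/acct_1/a.pdf": {"acct_1", now.Add(-400 * day)}, // past 365 days: removed
			"docs/acct_2/b.pdf": {"acct_2", now.Add(-30 * day)},
		},
		Vectors: map[string]Item{
			"vec_1": {"acct_1", now.Add(-400 * day)},
			"vec_2": {"acct_2", now.Add(-30 * day)},
		},
		Overrides: map[string]Retention{"acct_2": {Documents: 365 * day, Conversations: 180 * day}},
	}
}

func main() {
	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	s := SampleStores(now)
	c, d, v := s.RetentionSweep(now)
	fmt.Printf("sweep removed %d conversations, %d documents, %d vectors\n", c, d, v)
	counts, _ := s.EraseAccount("acct_2")
	fmt.Println("erasure removed", counts, "account record now:", *s.Accounts["acct_2"])
}
```

The useful check for a real deployment is the one EraseAccount makes explicit: every store that can hold a person's data is enumerated in one place, so adding a fourth store (a search index, a backup bucket) forces a change to the erasure path rather than being silently skipped.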
Cookies and consent
The site uses a consent banner. Analytics tools are off by default until you grant consent; sign-in uses only essential session cookies.
A practical checklist for you
When you deploy a chatbot, a few steps cover GDPR:
- Inform your visitors — mention the chatbot and data processing in your privacy policy.
- Don't collect more than you need — don't push customers to type sensitive data into the chat.
- Be clear on retention — set how long to keep conversations and documents.
- Enable erasure — have a process ready for handling a deletion request.
- Handle the human escalation — when an operator takes over a conversation, the same rules apply.
GDPR isn't an obstacle for an AI chatbot — it's a matter of clarity: knowing what data you process, where it goes, and how to delete it on request.
Related: AI chatbots for customer support — the complete guide.