The data protection questions you need to answer
Before deploying a customer-facing AI chatbot, your organisation needs clear answers to: what personal data does the chatbot process, where is it processed, how long is it retained, and who can access it?
What data a chatbot processes
A typical chatbot interaction involves:
- The content of the conversation (may include names, account numbers, or health information, depending on the use case)
- IP address and session identifiers
- The user's authentication credentials (if the chatbot requires authentication)
- Query and response logs
UK GDPR requirements
Under UK GDPR, you need a lawful basis for processing personal data. For most chatbot deployments, this is legitimate interests (providing a service the user has requested) or contract (the chatbot is part of a service the user has contracted for).
You must provide clear privacy information to users before they engage with the chatbot — including that they are interacting with an AI system.
Conversation data retention
We implement configurable retention periods for conversation logs. Typical configurations:
- 30 days for anonymous public chatbot conversations
- 90 days for authenticated user conversations
- 12 months for compliance-sensitive use cases
Retention periods are enforced by automated deletion jobs, not manual processes.
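A sketch of such an automated deletion job, added here as an illustration and not taken from any production deployment. The SQLite schema, the tier names, the handling of unrecognised tiers and the reading of "12 months" as 365 days are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Retention tiers from the text; "12 months" is taken as 365 days (assumption).
RETENTION_DAYS = {"anonymous": 30, "authenticated": 90, "compliance": 365}


def init_db(conn):
    """Hypothetical schema: one row per logged conversation (UTC epoch seconds)."""
    conn.execute(
        "CREATE TABLE conversations (id INTEGER PRIMARY KEY, "
        "tier TEXT NOT NULL, created_at INTEGER NOT NULL, body TEXT)"
    )


def purge_expired(conn, now=None):
    """Delete conversations past their tier's retention; return {tier: rows_deleted}."""
    now = now or datetime.now(timezone.utc)
    deleted = {}
    with conn:  # one transaction: every tier is purged or none is
        for tier, days in RETENTION_DAYS.items():
            cutoff = int((now - timedelta(days=days)).timestamp())
            cur = conn.execute(
                "DELETE FROM conversations WHERE tier = ? AND created_at < ?",
                (tier, cutoff),
            )
            deleted[tier] = cur.rowcount
        # Assumption: rows with an unrecognised tier get the shortest period,
        # so a mislabelled row is never retained indefinitely.
        shortest = min(RETENTION_DAYS.values())
        cutoff = int((now - timedelta(days=shortest)).timestamp())
        marks = ",".join("?" * len(RETENTION_DAYS))
        cur = conn.execute(
            f"DELETE FROM conversations WHERE tier NOT IN ({marks}) AND created_at < ?",
            (*RETENTION_DAYS, cutoff),
        )
        deleted["unknown"] = cur.rowcount
    return deleted


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    # Constructed sample rows: (tier, age in days)
    for tier, age in [("anonymous", 31), ("authenticated", 31), ("compliance", 366)]:
        ts = int((now - timedelta(days=age)).timestamp())
        conn.execute("INSERT INTO conversations (tier, created_at) VALUES (?, ?)", (tier, ts))
    print(purge_expired(conn, now))
```

Run it from a scheduler and record the returned counts so that each deletion run is itself auditable.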
Data residency
For UK and EU deployments, we configure LLM API requests to use EU-based inference endpoints (OpenAI EU, Azure OpenAI in West Europe) where available. For strict data residency requirements, we can deploy open-source models (Llama 3, Mistral) on your own infrastructure — no data ever leaves your network.
Security controls
Every production chatbot we deploy includes:
- TLS for all API communication
- Rate limiting and IP-based abuse prevention
- Input sanitisation to prevent prompt injection
- Authentication for any chatbot with access to private data
- Audit logging for admin access to conversation data