E-commerce

AI Chatbot and GDPR: Best Practices for an E-commerce Store

AI Chatbot and GDPR: Best Practices for an E-commerce Store

June 26, 2026

You deploy an AI chatbot on your Shopify store to respond faster to product inquiries, order tracking, and returns. Each message may contain an email, an order number, an address, or a photo of a defective product. All of this is personal data subject to the GDPR, and since 2024, supplemented by the European AI Act.

Tension is common: the SaaS provider hosts the tool, but you, the merchant, remain the data controller representation to European customers. Many believe that "the vendor handles compliance," whereas the privacy policy, record of processing activities, DPA, and individuals' rights fall under your governance.

This article does not replace legal advice. It provides an operational roadmap to align AI chatbots, customer trust, and GDPR and AI Act requirements on an e-commerce store in 2026.

Summary

Why does the GDPR apply to your e-commerce chatbot?

The GDPR applies as soon as you process personal data of individuals located in the European Union, even if your company is registered outside the EU. This is the extraterritorial scope logic of Article 3 of the regulation.

An American store that delivers to France, displays prices in euros, and targets geolocated Meta campaigns must comply with the GDPR for its European visitors, including via the chat widget.

Chatbot = data processing

Each session where the customer enters their email to retrieve an order, describes a delivery problem, or sends a photo constitutes processing. The fact that the AI "does not store" on the browser side is not enough: server logs, helpdesk tickets, conversation analytics, and potential copies with the LLM all count.

Controller vs. processor

You are generally the data controller for the data collected via your site. The chatbot provider often acts as a data processor when it processes this data on your behalf. Both roles must be documented in a DPA and in the record of processing activities.

Stripe reminds that the GDPR and the AI Act stack for e-commerce chatbots in France: transparency, accuracy of responses, and the prohibition of automated decisions with significant impact without human intervention (Stripe, chatbots e-commerce France).

Consult our GDPR glossary to frame your register. List all collection points right now: website widget, WhatsApp, Instagram DM forwarded to the bot, pre-chat forms.

What personal data does your bot actually process?

A typical e-commerce chatbot processes much more than just "anonymous questions". Identifying the data categories allows you to choose appropriate legal bases and retention periods.

Identification and contact

Email, name, telephone, Shopify customer ID, chat session ID, IP address, and timestamp. These elements often identify a person directly or indirectly.

Order and message content

Order number, fulfillment status, amount, products, delivery address, tracking link, return history. The WISMO bot reads these fields via the Shopify API. Free text questions, sent photos, or health mentions related to a product are also personal data when linked to a person.

Metadata and vendor logs

Detected intents, CSAT scores, session duration, navigation path, language, device. Conversational analytics tools aggregate these signals. Even if not displayed in the merchant admin, embeddings, inference logs, and synchronized copies to Gorgias or Zendesk must be described to the customer.

Donneespersonnelles.fr reminds us that a chatbot processes personal data even without an identification form: cookies, IP, and conversations are enough (Données personnelles, chatbot RGPD).

Prohibit the entry of full card numbers in your bot scripts: redirect to the secure checkout if a customer attempts to share them in the chat.

On which legal basis should you rely: contract, legitimate interest, consent?

Each use of data by the chatbot must be based on a legal basis within the meaning of Article 6 of the GDPR. Consent is not the only option, and often not the best one for post-purchase support.

Performance of a contract

Answering "where is my order", initiating a return, or confirming a modification related to a purchase can fall under the performance of a contract when the request originates from the customer and is necessary for the service.

Legitimate interest

Improving the bot's quality, detecting repetitive intents, reducing response time, or preventing chat abuse can fall under legitimate interest, after a documented balance test (LIA). Heeya recommends this basis for a customer service chatbot without superfluous active collection (Heeya, GDPR chatbot 2026).

Consent

Required for non-essential cookies, marketing follow-ups from the chat, newsletters, or sharing with partners. Consent must be granular, revocable, and separate from pre-ticked boxes.

Frequent mistake: using cookie consent to justify the entire support processing. Link your choices to training a chatbot with Shopify data: separate public FAQ corpus, synthetic data, and real customer history. For zero-party data, document how the user's voluntary declaration differs from a simple server log.

How should users be informed according to the GDPR and the AI Act?

Transparency is the foundation of trust and a GDPR obligation (Articles 12 to 14). For AI chatbots, the AI Act adds a reporting obligation when the user interacts with an AI system.

Privacy Policy and Chat Notice

Your policy must mention the chatbot, the data processed, purposes, durations, AI processors, transfers outside the EU, and rights. A visible link upon opening the widget ("how we use this chat") reduces tickets and complaints.

Article 50 AI Act: AI Disclosure

Starting August 2, 2026, deployers of conversational systems must clearly inform the user that they are interacting with an AI, except in very narrow exceptions. A message before the first bubble is sufficient: "You are chatting with an automated AI assistant, not a human advisor" (EU AI Act, Article 50).

No Dark Patterns

Do not simulate a human with a stock photo and artificial delays if the bot is responding alone. If an agent takes over, indicate the transfer. See human chatbot handoff.

The CNIL emphasizes transparency from the design phase of AI systems and clear information for the data subjects (CNIL, AI recommendations).

Test the notice with a non-lawyer: if your support team cannot summarize in two sentences what the bot does with the data, the public text is insufficient.

What to check in the sub-contracting agreement (DPA)?

The data processing agreement (DPA) with your chatbot provider is mandatory when the vendor processes personal data on your behalf. Without a signed DPA, you should not activate production.

Essential clauses

  • Documented instructions and prohibition of use on behalf of the vendor

  • List of sub-processors (hosting provider, LLM model, observability)

  • Technical and organizational security measures

  • Assistance for data subjects' rights and audits

  • Deletion or return of data at the end of the contract

Training on customer data

By default, require that your customer conversations are not used to train a global model without a legal basis and an explicit clause. Compound Law points out for retail that a compliant chatbot requires a DPA, an AI notice, and configured retention (Compound Law, retail e-commerce).

Incident and notification

Breach notification timeframe to the controller, report template, cooperation with your DPO. Also verify Shopify API scopes: the DPA must align with the permissions actually granted in the admin.

How to apply minimization and retention of conversations?

The GDPR requires collecting only what is necessary and keeping data only for as long as it remains useful. For a support chatbot, retention policies of 30 to 90 days on raw logs are common, with longer helpdesk archiving if justified.

Minimization by intent

  • Product FAQ without an account: no email required

  • WISMO: email + order number, not the full history if not necessary

  • After-sales return: strictly data related to the concerned case

  • Marketing from the chat: separate collection with explicit consent

Retention by tier

Separate the duration of chat messages, synchronized tickets, aggregated analytics, and backups. Document automatic purge jobs and test them quarterly.

Upon erasure request, delete or anonymize in the bot, the helpdesk, and CSV exports that the team might have extracted. Automating support does not justify unlimited storage "to improve AI". See reducing tickets with AI with KPIs, not opaque retention.

How do I handle access, erasure, and GDPR requests via chat?

People whose data passes through the chatbot have GDPR rights: access, rectification, erasure, restriction, objection, and portability where applicable.

Access and Erasure

You must be able to provide conversations and metadata linked to an email or customer ID, generally within one month. The right to erasure is not absolute: a disputed order or an accounting obligation may justify partial retention.

Internal Process

  1. Route GDPR requests received via chat to a dedicated workflow, not to the bot alone

  2. The bot can receive the request; a human or a case management tool validates it

  3. Synchronize chat deletion, helpdesk, and marketing exports

  4. Train the support team: "delete my chat" in the widget = same quality as a DPO email

When transferring to an agent, avoid duplicating sensitive data in unsecure internal notes. Keep a log of rights requests linked to the chat: useful for CNIL audits and to avoid double processing between tools.

How to secure transfers outside the EU and API flows?

Many AI chatbot stacks involve transfers outside the EU/EEA: US hosting, LLM APIs, global technical support. GDPR Chapter V imposes appropriate safeguards.

Standard clauses and EU hosting

The 2021 Standard Contractual Clauses, supplemented by a transfer impact assessment (TIA), remain the standard route with US vendors. Choosing a vendor with an EU region for storage reduces complexity, but check LLM subprocessors and backups: "EU hosting" on the marketing page does not replace the contract.

Shopify Flows

Shopify API calls from a chat server cross-reference store data and messages. Map the complete flow down to the model's datacenter. Indicate the processing countries and safeguards in the policy.

Re-evaluate transfers after every model change or cloud migration: a silent vendor upgrade can move logs.

When to conduct a data protection impact assessment (DPIA) before deployment?

Not all chatbots require a DPIA (data protection impact assessment), but several e-commerce scenarios make it prudent or mandatory.

When to launch a DPIA

  • Large-scale processing of identified customer data

  • Sensitive data mentioned spontaneously (health, pregnancy, allergy)

  • Profiling or automated customer sorting (VIP, fraud, targeted discounts)

  • Chatbot combination + aggressive tracking or multi-channel cross-referencing

What needs to be documented

Up-to-date processing register, LIA, DPIA if performed, retention policies, incident log, proof of team training. The CNIL considers that a DPIA is in principle necessary for high-risk systems involving personal data (CNIL, DPIA and AI).

A standard support bot generally remains outside the AI Act high-risk category, but document the classification. Each new bot skill (auto discount, account access, cart reading) must undergo a privacy review before production.

What compliance errors are most commonly seen?

Here are the most common compliance errors on stores deploying an AI chatbot without a robust privacy framework.

  • Activating the bot without a DPA because "it's a beta"

  • Training on ticket history without anonymization or legal basis

  • Keeping chats indefinitely "to improve the AI"

  • Impersonating a human with an agent name and stock photo

  • Forgetting WhatsApp or Messenger in the processing register

  • Copying a US policy without adjusting for transfers and EU rights

  • Letting the bot respond to deletion requests without a human process

If your chatbot does not appear in your privacy policy, it is an immediate risk signal during an audit. Schedule a bi-annual review: app and LLM model updates often change faster than your policy.

How Qstomy deploys a privacy-first chatbot on Shopify?

Qstomy helps Shopify merchants automate AI customer support with a privacy-first approach: order data is used to respond usefulness, not to build a generic model on your conversations.

What Qstomy puts in place

  • Shopify Context: order status, tracking, returns through controlled scopes

  • AI Transparency: identifiable assistant, structured human handoff

  • Minimization: collection adapted to WISMO, support or FAQ intent

  • Documented Subcontracting: DPA and information for registry and policy

  • Governed Analytics: intents to understand customer questions, with configurable retention

DTC Scenario in Numbers

A DTC brand processes 4,200 orders per month and activates Qstomy on WISMO, returns and product FAQ. Before deployment, the team updates the policy, signs the DPA, configures 60-day retention on chat logs and adds the AI Act mention in the widget.

90-day pilot objective: 62% bot resolution without agent on covered intents, zero card data leak incidents, average processing time for erasure requests reduced from 18 to 6 business days thanks to bot routing to DPO workflow. Estimated avoided agent cost: 95 hours over the period, without model training on customer transcripts.

Discover Qstomy AI customer support, Shopify integration and request a demo to frame compliance and ROI on your stack.

Which playbooks should be launched this week?

Playbook 1: Flow Mapping in 60 Minutes

Map out the journey: widget → chatbot server → Shopify API → helpdesk → LLM. List every field read or written. This is the foundation of your register and updated policy.

Playbook 2: Chat Notice and AI Act

Draft a three-line welcome message: AI nature, support purpose, link to privacy policy. Add an "AI Assistant" badge visible throughout the conversation. Check the mobile display.

Playbook 3: DPA Audit in 30 Minutes

  1. Signed and up-to-date DPA

  2. No-training clause on customer conversations

  3. SCCs or EU hosting documented

  4. Configurable retention period and tested purging

  5. Incident notification process under 72 hours

Playbook 4: Erasure Request Test

Simulate a "delete my conversations" request via chat. Verify that the bot routes to the human process, that the ticket is created with a GDPR tag, and that chat + helpdesk deletion is possible within 30 days.

Useful Mapping

This week, open your chatbot admin and list every granted Shopify API scope: you will know immediately if you are collecting more than necessary.

Enzo

June 26, 2026

Convert over 2,000 customers on average per month with Qstomy.

The world’s 1st Shopify AI dedicated to customer conversion

Empowering 200+ e-commerce merchants

Subscribe to the newsletter and get a personalized e-book!

No-code solution, no technical knowledge required. AI trained on your e-shop and non-intrusive.

*Unsubscribe at any time. We do not send spam.

Subscribe to the newsletter and get a personalized e-book!

No-code solution, no technical knowledge required. AI trained on your e-shop and non-intrusive.

*Unsubscribe at any time. We do not send spam.