
DigElite Chatbots · GDPR · AI Act

GDPR-compliant chatbot — without a US cloud, with the AI Act.

An AI chatbot is GDPR-compliant if the request never leaves the customer's hosting, the legal basis is clearly defined, and the bot identifies itself as AI upon initial contact. DigElite chatbots achieve this technically: the web frontend, LLM endpoint, and knowledge base run either on the customer's server or in a German cloud. No data point is transferred to a third country. No data processing agreement is required with DigElite—the customer remains solely responsible.

Three legal anchors

What distinguishes a compliant chatbot from privacy promises that live in the footnotes.

GDPR compliance is not a marketing sticker, but a chain of three legally concrete steps. We will describe each one individually.

Legal basis specified precisely under Art. 6 GDPR

We specify the legal basis for each use case: contract initiation (Art. 6 para. 1 lit. b) for a consultation, legitimate interest (Art. 6 para. 1 lit. f) for FAQ information, legal obligation (Art. 6 para. 1 lit. c) for administrative services. No blanket "consent" as a cover.

Data processing agreement can optionally be avoided

If the customer hosts the service themselves (on their own server or in their own German cloud), a data processing agreement (DPA) with DigElite is unnecessary—we do not process any personal data. Plugin updates are purely software maintenance. You only need a DPA with your hosting provider—which is standard practice anyway.

AI Act transparency obligation built in

The EU AI Act classifies chatbots as systems with "limited risk" and requires transparency. The chatbot clearly identifies itself as AI upon first contact, discloses the model used upon request, and in regulated contexts only provides information—decisions remain with humans.

Comparison

SaaS Chat Widget vs. DigElite Chatbot.

Criterion | SaaS widget (typical) | DigElite chatbot
Frontend | Provider's CDN | Customer's WordPress
LLM hosting | Provider cloud, often USA | German server or customer's server
DPA under Art. 28 | Mandatory | Optionally avoidable
US third country | Frequent (Schrems II risk) | No
AI Act transparency | Provider-dependent | Built in
Automatic opt-out on stop words | Rarely | Standard
Source of knowledge | Provider knowledge + training data | Customer documents only
Example · Constructed scenario

Example: a mid-sized association.

An association uses a chatbot to handle membership fee inquiries. The legal basis is clear: legitimate interest (Art. 6 para. 1 lit. f) for efficient member support, plus contract fulfillment (lit. b) for the ongoing membership. The knowledge base consists of the association's statutes, fee regulations, and the office's FAQ. The chatbot answers questions, identifies itself as AI, and refers members to the office for personalized membership fee inquiries. A member's access request can be answered in a few minutes: an SQL query on their email address, an export of the conversations, done.

„"GDPR compliance is not a marketing statement — it's a chain: legal basis, hosting, model selection, transparency, and the ability to provide information. We build chatbots in such a way that this chain never breaks.""

— Philipp Herrmann, founder of DigElite

Frequently Asked Questions

What potential customers should ask before deployment.

What does "no US third-country transfer" technically mean?

The request, LLM processing, and response all take place within the EU. For Aleph Alpha Luminous: German servers in Heidelberg. For Mistral: French servers. For Llama on-premise: servers at the customer's site. There is no hop to a US region, no US CDN connection, and no US-based authentication service.

How is the chatbot identified as AI (AI Act)?

Upon first contact, a clear notice appears in the conversation window: "You are chatting with an AI assistant. We will gladly tell you which model is used upon request." This notice is not optional and cannot be disabled—it is mandatory under Article 50 of the AI Act for systems with "limited risk".

What happens to the conversation logs?

They are stored in a separate table within the customer's WordPress database. The retention period is configurable (default: 90 days), and automatic deletion is handled via WP-Cron. For a data access request under Article 15 of the GDPR, an SQL query using the email address or session ID is sufficient.
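The retention and access-request mechanism described above, as an added WordPress plugin sketch (not DigElite's own plugin code): a WP-Cron job purges rows older than the configured retention period, and an Art. 15 export runs a prepared query by email or session ID. The table name, column names, option name and hook names are assumptions.

```php
<?php
// Added example, not DigElite's code. Assumed table {$wpdb->prefix}chat_conversations with
// columns id, session_id, email, message, created_at (DATETIME stored in UTC).
// The option and hook names below are hypothetical.

define( 'CHATLOG_RETENTION_OPTION', 'chatlog_retention_days' ); // page default: 90 days
define( 'CHATLOG_PURGE_HOOK', 'chatlog_daily_purge' );

// Register the daily purge once; WP-Cron only fires on page requests, so timing is approximate.
register_activation_hook( __FILE__, function () {
    if ( ! wp_next_scheduled( CHATLOG_PURGE_HOOK ) ) {
        wp_schedule_event( time(), 'daily', CHATLOG_PURGE_HOOK );
    }
} );

register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( CHATLOG_PURGE_HOOK );
} );

// Delete every conversation row older than the configured retention period.
add_action( CHATLOG_PURGE_HOOK, 'chatlog_purge_expired' );
function chatlog_purge_expired() {
    global $wpdb;
    $days  = max( 1, (int) get_option( CHATLOG_RETENTION_OPTION, 90 ) );
    $table = $wpdb->prefix . 'chat_conversations';
    // Compute the cutoff in UTC so a server time zone change cannot silently extend retention.
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );
    return $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE created_at < %s", $cutoff )
    ); // number of rows removed, or false on error
}

// Art. 15 access request: all messages for one data subject, matched by email or session ID.
// The identifier comes from the request handler, so it is bound with a prepared statement.
function chatlog_export_for_subject( $identifier ) {
    global $wpdb;
    $table = $wpdb->prefix . 'chat_conversations';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT session_id, email, message, created_at FROM {$table}
             WHERE email = %s OR session_id = %s ORDER BY created_at ASC",
            $identifier,
            $identifier
        ),
        ARRAY_A
    );
}
```

On low-traffic sites WP-Cron may not run for days, so the purge should be driven by a system cron calling wp-cron.php; `wp cron event list` (WP-CLI) shows whether the hook is actually scheduled.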

Do I need a cookie banner update for the chatbot?

No, if the chatbot only sets functional cookies (session ID for the current conversation). There is no external tracking, no remarketing pixels, and no advertising analytics. If you want to store the chat history for longer than 90 days, add a paragraph to your privacy policy—we provide sample text.

This page is part of the GDPR trilogy

Three clusters that together support the GDPR argument.

Each individual pillar answers a sub-question. Only all three together result in a truly GDPR-compliant AI chatbot.

15 minutes is enough to get an impression.

We'll be live-chatting with our own chatbot on nordzypern.live and showing you how it responds to real documents, when it honestly says "I don't know," and how it hands the call off to a human. No sales pitch, no Slide 47.
