GDPR Compliance Checklist for Shopify Chatbots: 2026 Guide

This guide is for informational purposes. It does not constitute legal advice. Consult a qualified data protection specialist for advice specific to your business.

A Shopify chatbot collects personal data the moment a customer types their name, email, order number, or any message that can identify them. Under GDPR and UK GDPR, that makes your chatbot a data collection point that requires a lawful basis, a privacy notice, a data retention limit, and a signed Data Processing Agreement with your chatbot vendor. Most Shopify store owners have none of these in place. This checklist covers every compliance requirement your chatbot setup needs to meet.

Key Takeaways

  • Every chatbot conversation containing identifiable information is personal data under GDPR

  • You are the data controller. Your chatbot vendor is a data processor. You need a signed DPA with them.

  • Pre-ticking consent boxes or using soft opt-ins for chat data collection is not valid GDPR consent

  • Chat transcripts stored beyond your stated retention period are a compliance liability

  • WhatsApp conversations are subject to GDPR when your customer is an EU or UK resident, regardless of where Meta processes the data

  • AI chatbots that use your conversation data to train their models require explicit disclosure and a lawful basis

  • UK GDPR applies post-Brexit with near-identical requirements to EU GDPR for most ecommerce purposes

Who This Applies To

GDPR applies to your Shopify store if any of these are true:

  • Your store sells to customers in the EU or UK

  • You are based in the EU or UK

  • You process personal data of EU or UK residents regardless of where your business is registered

For chatbot purposes, processing begins the moment a customer sends a message that contains identifiable information. That includes their name, email address, order number tied to their account, IP address, or any combination of details that could identify them.

You are the data controller: you determine the purpose and means of processing. Your chatbot vendor is the data processor: they process data on your behalf. Both roles carry distinct legal obligations under GDPR.

The Full Compliance Checklist

Section 1: Lawful Basis for Processing

  • You have identified a lawful basis for collecting chat data (most commonly: legitimate interests for support queries, or consent for marketing-related chat flows)

  • Your lawful basis is documented in your privacy policy with specific reference to chatbot data

  • If using legitimate interests, you have completed a Legitimate Interests Assessment (LIA) documenting why your interests outweigh the customer’s privacy rights

  • You do not rely on legitimate interests for processing special category data (health, financial, biometric)

  • Marketing-triggered chat flows (abandoned cart recovery, promotional campaigns) use consent, not legitimate interests, as the lawful basis

Section 2: Consent Management

  • Your chat widget does not auto-open and begin collecting data before the customer has been informed of data processing

  • If you collect email or phone number through the chat widget pre-conversation, explicit consent is obtained before collection

  • Consent boxes in the chat widget are unchecked by default. Pre-ticked consent is not valid under GDPR.

  • Consent for marketing messages via WhatsApp or email is separate from consent to receive support responses

  • Consent records are stored with timestamp and method of consent

  • Customers can withdraw consent as easily as they gave it, with a clear mechanism in the chat or via privacy contact

Section 3: Privacy Notice and Transparency

  • Your privacy policy explicitly mentions chatbot data collection and explains what is collected, why, and for how long

  • A link to your privacy policy is visible at or before the point of data collection in the chat widget

  • If your chatbot collects data from WhatsApp or Instagram conversations, those channels are named in your privacy policy

  • Your privacy notice explains whether conversations are reviewed by human agents and under what circumstances

  • You disclose whether your chatbot vendor uses conversation data to train AI models (see Section 8)

  • Your privacy policy is written in plain language a non-specialist can understand, not solely in legal terminology

Section 4: Data Minimisation

  • Your chatbot only collects data that is necessary for the stated purpose of each conversation

  • Pre-populated fields (name, email pulled from Shopify customer data) are used only when necessary for the interaction, not collected by default for every conversation

  • Your chatbot does not collect sensitive data (health conditions, payment card numbers, passwords) through chat. If a flow inadvertently prompts for this, it is redirected.

  • Free-text fields in chatbot flows are limited to where genuinely needed. Structured option menus reduce unstructured personal data entry.
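One way to enforce the two items above before anything reaches the transcript store, as an added example that is not code from the original page, from AeroChat or from Shopify: the scrubber below (Python; the names `scrub_message`, `handle_inbound` and the canned reply strings are assumptions) runs a Luhn check on any 13 to 19 digit run so that genuine card numbers are redacted while tracking or reference numbers pass through untouched, strips credentials given after "password", "passcode" or "PIN", stores only the redacted text, and returns a reply that redirects the customer to the secure checkout instead of continuing the flow.

```python
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# "password: x", "my PIN is 1234", "passcode = abc": the secret itself is group 2.
SECRET_RE = re.compile(r"(?i)\b(password|passcode|pin)\b\s*(?:is|:|=)\s*([^\s,;]+)")

# Assumed canned replies used to redirect the flow (not AeroChat's or Shopify's text).
CARD_REDIRECT = ("For your security, please do not share card details in chat. "
                 "Update payment details on the secure checkout page instead.")
SECRET_REDIRECT = ("Please do not share passwords or PINs in chat; "
                   "nobody from the store will ask for them.")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; True for a plausible payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ScrubResult:
    text: str                                      # what may be written to the transcript
    findings: list = field(default_factory=list)   # kinds of sensitive data seen


def scrub_message(text: str) -> ScrubResult:
    """Redact card numbers and credentials before the message is stored."""
    findings = []

    def card_repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append("payment_card")
            return "[REDACTED CARD ending " + digits[-4:] + "]"
        return m.group(0)   # tracking/reference numbers fail Luhn and are kept as-is

    def secret_repl(m):
        findings.append(m.group(1).lower())
        return m.group(1) + " [REDACTED]"

    text = CARD_RE.sub(card_repl, text)
    text = SECRET_RE.sub(secret_repl, text)
    return ScrubResult(text, findings)


def handle_inbound(text: str, transcript: list) -> str:
    """Scrub, persist only the redacted text, then answer or redirect the flow."""
    result = scrub_message(text)
    transcript.append(result.text)      # the raw message is never stored
    if "payment_card" in result.findings:
        return CARD_REDIRECT
    if result.findings:
        return SECRET_REDIRECT
    return "Thanks, let me look into that."


# Constructed sample messages, not real customer data.
SAMPLE_MESSAGES = [
    "order #1001 arrived damaged",
    "my card is 4111 1111 1111 1111 exp 12/28, can you refund it?",
    "tracking number 1234567890123456 hasn't updated",
    "my password is hunter2, can you log in and check?",
]


def run_demo() -> list:
    """Process the samples; returns the transcript exactly as it would be stored."""
    transcript = []
    for msg in SAMPLE_MESSAGES:
        reply = handle_inbound(msg, transcript)
        print("stored:", transcript[-1])
        print("reply: ", reply)
    return transcript


if __name__ == "__main__":
    run_demo()
```

The Luhn check is what keeps the rule from swallowing long order or carrier tracking numbers: the 16-digit sample above fails the checksum and is stored unchanged, while the test card number is replaced by a last-four marker that is still enough for a support agent to identify the card with the customer on the secure channel.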

Section 5: Data Subject Rights

  • You have a documented process for responding to Subject Access Requests (SARs) that includes chat transcript data

  • You can locate and export all chat data for a specific individual within 30 days when requested

  • You have a process for deleting an individual’s chat data when a right to erasure request is received

  • Chat data deletion cascades to your chatbot vendor’s storage, not just your own platform records

  • You can provide chat transcripts in a portable format if a data portability request is received

  • Your privacy policy includes contact details for submitting data subject requests (email address or web form)

Section 6: Data Retention

  • You have defined a maximum retention period for chat transcripts (common practice is 12 to 24 months for support conversations)

  • Your retention period is documented in your privacy policy

  • Automated deletion of chat data beyond the retention period is configured in your chatbot platform, or there is a manual review schedule

  • Retention periods differ by data type: support transcripts, marketing opt-ins, and customer identification data may have different retention justifications

  • Chat data is not retained indefinitely simply because the platform default allows it
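The retention items in this section can be turned into a scheduled sweep; the Python below is an added example and not code from the original page, from AeroChat or from any chatbot platform. The retention periods in `RETENTION_DAYS`, the record shape, and `fake_vendor_delete` (a stand-in for a vendor deletion API) are all assumptions. It shows the per-type clock the checklist describes (transcripts age from creation, consent evidence only from withdrawal, so an active opt-in is never purged) and fails closed on any data type with no defined period, which is the opposite of the "platform default keeps everything" behaviour the last item warns about.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed retention policy in days; the figures are illustrative, not legal advice.
RETENTION_DAYS = {
    "support_transcript": 365,       # 12 months, the short end of the range the checklist mentions
    "customer_identification": 30,   # name/email pulled from Shopify, dropped soon after the chat
    "marketing_consent": 365,        # evidence of consent kept 12 months after withdrawal
}


@dataclass
class Record:
    record_id: str
    data_type: str
    created_at: datetime
    withdrawn_at: Optional[datetime] = None   # only meaningful for marketing_consent


def reference_date(rec: Record) -> Optional[datetime]:
    """Date the retention clock starts from; this differs by data type."""
    if rec.data_type == "marketing_consent":
        return rec.withdrawn_at       # None while consent is active: keep as evidence
    return rec.created_at


def is_expired(rec: Record, now: datetime) -> bool:
    """True once the record is older than its type's retention period."""
    if rec.data_type not in RETENTION_DAYS:
        # Fail closed: an undocumented data type must not be kept indefinitely by default.
        raise ValueError(f"no retention period defined for {rec.data_type!r}")
    start = reference_date(rec)
    if start is None:
        return False
    return now - start > timedelta(days=RETENTION_DAYS[rec.data_type])


def due_for_deletion(records, now: datetime) -> list:
    """Record ids that have passed their retention period, in input order."""
    return [r.record_id for r in records if is_expired(r, now)]


def run_sweep(records, now: datetime, vendor_delete: Callable[[str], None]):
    """Delete expired records locally and cascade to the vendor; returns (kept, deleted)."""
    expired = due_for_deletion(records, now)
    for rid in expired:
        vendor_delete(rid)            # cascade: the vendor's copy must go as well
    kept = [r for r in records if r.record_id not in set(expired)]
    return kept, expired


# Constructed sample data with a fixed "now" so the result is reproducible.
SAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_RECORDS = [
    Record("t-1001", "support_transcript", _d(2025, 1, 15)),                 # 410 days: expired
    Record("t-1002", "support_transcript", _d(2025, 9, 1)),                  # 181 days: kept
    Record("id-2001", "customer_identification", _d(2026, 1, 10)),           # 50 days: expired
    Record("c-3001", "marketing_consent", _d(2024, 6, 1)),                   # still active: kept
    Record("c-3002", "marketing_consent", _d(2024, 6, 1),
           withdrawn_at=_d(2024, 12, 1)),                                    # 455 days since withdrawal: expired
]

VENDOR_DELETED = []


def fake_vendor_delete(record_id: str) -> None:
    """Hypothetical stand-in for the chatbot vendor's deletion endpoint."""
    VENDOR_DELETED.append(record_id)


if __name__ == "__main__":
    kept, deleted = run_sweep(SAMPLE_RECORDS, SAMPLE_NOW, fake_vendor_delete)
    print("deleted locally and at vendor:", deleted)
    print("kept:", [r.record_id for r in kept])
```

Run it on a schedule (the platform's own cron, a Shopify app job, or a manual monthly review as the checklist allows) and log the deleted ids together with the `now` used, since that log is the evidence that the documented retention period is actually enforced.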

Section 7: Data Processing Agreement (DPA)

  • You have a signed DPA with your chatbot vendor covering their processing of customer data on your behalf

  • The DPA specifies the categories of data processed, the purpose of processing, and sub-processors used

  • Your chatbot vendor’s DPA confirms they will assist you in responding to data subject requests within legally required timeframes

  • You have DPAs in place for all channels your chatbot operates on (website chat, WhatsApp, Instagram) — some channels involve separate processors

Where to find DPAs for common platforms: Most major chatbot vendors provide DPAs on request or within their legal documentation portal. For AeroChat, request the DPA through the account settings or support channel. For WhatsApp Business API, Meta’s Data Processing Terms govern the processor relationship and are accepted during API onboarding.

Section 8: AI Training Data — The Most Overlooked Risk

This is the compliance area most Shopify merchants miss entirely.

Several chatbot platforms use conversation data to train or improve their AI models. Under GDPR, using your customers’ personal data for AI training requires:

  • A lawful basis separate from the support interaction itself

  • Disclosure in your privacy policy

  • An opt-out mechanism if legitimate interests is the basis, or explicit consent if consent is the basis

  • You have checked whether your chatbot vendor uses conversation data for AI model training (review their privacy policy and DPA)

  • If they do, this is disclosed in your own privacy policy

  • You have assessed whether customers need to be informed and given opt-out rights for this secondary processing purpose

  • You have confirmed whether opting out of AI training is possible within the platform settings