This guide is for informational purposes. It does not constitute legal advice. Consult a qualified data protection specialist for advice specific to your business.
A Shopify chatbot collects personal data the moment a customer types their name, email, order number, or any message that can identify them. Under GDPR and UK GDPR, that makes your chatbot a data collection point that requires a lawful basis, a privacy notice, a data retention limit, and a signed Data Processing Agreement with your chatbot vendor. Most Shopify store owners have none of these in place. This checklist covers every compliance requirement your chatbot setup needs to meet.
Key Takeaways
Every chatbot conversation containing identifiable information is personal data under GDPR
You are the data controller. Your chatbot vendor is a data processor. You need a signed DPA with them.
Pre-ticking consent boxes or using soft opt-ins for chat data collection is not valid GDPR consent
Chat transcripts stored beyond your stated retention period are a compliance liability
WhatsApp conversations are subject to GDPR when your customer is an EU or UK resident, regardless of where Meta processes the data
AI chatbots that use your conversation data to train their models require explicit disclosure and a lawful basis
UK GDPR applies post-Brexit with near-identical requirements to EU GDPR for most ecommerce purposes
Who This Applies To
GDPR applies to your Shopify store if any of these are true:
Your store sells to customers in the EU or UK
You are based in the EU or UK
You process personal data of EU or UK residents regardless of where your business is registered
For chatbot purposes, processing begins the moment a customer sends a message that contains identifiable information. That includes their name, email address, order number tied to their account, IP address, or any combination of details that could identify them.
You are the data controller: you determine the purpose and means of processing. Your chatbot vendor is the data processor: they process data on your behalf. Both roles carry distinct legal obligations under GDPR.
The Full Compliance Checklist
Section 1: Lawful Basis for Processing
You have identified a lawful basis for collecting chat data (most commonly: legitimate interests for support queries, or consent for marketing-related chat flows)
Your lawful basis is documented in your privacy policy with specific reference to chatbot data
If using legitimate interests, you have completed a Legitimate Interests Assessment (LIA) documenting why your interests outweigh the customer’s privacy rights
You do not rely on legitimate interests for processing special category data (health, financial, biometric)
Marketing-triggered chat flows (abandoned cart recovery, promotional campaigns) use consent, not legitimate interests, as the lawful basis
Section 2: Consent Management
Your chat widget does not auto-open and begin collecting data before the customer has been informed of data processing
If you collect email or phone number through the chat widget pre-conversation, explicit consent is obtained before collection
Consent boxes in the chat widget are unchecked by default. Pre-ticked consent is not valid under GDPR.
Consent for marketing messages via WhatsApp or email is separate from consent to receive support responses
Consent records are stored with timestamp and method of consent
Customers can withdraw consent as easily as they gave it, with a clear mechanism in the chat or via privacy contact
Section 3: Privacy Notice and Transparency
Your privacy policy explicitly mentions chatbot data collection and explains what is collected, why, and for how long
A link to your privacy policy is visible at or before the point of data collection in the chat widget
If your chatbot collects data from WhatsApp or Instagram conversations, those channels are named in your privacy policy
Your privacy notice explains whether conversations are reviewed by human agents and under what circumstances
You disclose whether your chatbot vendor uses conversation data to train AI models (see Section 8)
Your privacy policy is written in plain language a non-specialist can understand, not solely in legal terminology
Section 4: Data Minimisation
Your chatbot only collects data that is necessary for the stated purpose of each conversation
Pre-populated fields (name, email pulled from Shopify customer data) are used only when necessary for the interaction, not collected by default for every conversation
Your chatbot does not collect sensitive data (health conditions, payment card numbers, passwords) through chat. If a flow inadvertently prompts for this, it is redirected.
Free-text fields in chatbot flows are limited to where genuinely needed. Structured option menus reduce unstructured personal data entry.
Section 5: Data Subject Rights
You have a documented process for responding to Subject Access Requests (SARs) that includes chat transcript data
You can locate and export all chat data for a specific individual within 30 days when requested
You have a process for deleting an individual’s chat data when a right to erasure request is received
Chat data deletion cascades to your chatbot vendor’s storage, not just your own platform records
You can provide chat transcripts in a portable format if a data portability request is received
Your privacy policy includes contact details for submitting data subject requests (email address or web form)
Section 6: Data Retention
You have defined a maximum retention period for chat transcripts (common practice is 12 to 24 months for support conversations)
Your retention period is documented in your privacy policy
Automated deletion of chat data beyond the retention period is configured in your chatbot platform, or there is a manual review schedule
Retention periods differ by data type: support transcripts, marketing opt-ins, and customer identification data may have different retention justifications
Chat data is not retained indefinitely simply because the platform default allows it
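The retention and erasure items in Sections 5 and 6 are easier to audit when they exist as code rather than as a manual review schedule. The following is an added example, not code from the original guide or from any chatbot vendor: it tags each stored chat record with a data type, applies a per-type retention period, flags records that have no policy at all (so nothing is kept indefinitely just because the platform default allows it), and cascades an erasure request to the vendor's copy before deleting the local one. The record store, the retention values, the `VendorClient` class and the sample records are all constructed placeholders.

```python
"""Retention purge, SAR export and erasure cascade for chatbot records.

Added example; the store, policy values and vendor client are constructed
placeholders, not any real platform's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Retention policy in days, per data type (constructed placeholder values).
# These must match the periods stated in your privacy policy.
RETENTION_DAYS: Dict[str, int] = {
    "support_transcript": 365,
    "marketing_opt_in": 730,
    "customer_identification": 180,
}


@dataclass
class ChatRecord:
    record_id: str
    subject_id: str                   # the customer the record is about
    data_type: str                    # key into RETENTION_DAYS
    created_at: datetime              # timezone-aware UTC timestamp
    vendor_ref: Optional[str] = None  # id of the copy held by the chatbot vendor


def expired_record_ids(records: List[ChatRecord], now: datetime,
                       policy: Dict[str, int] = RETENTION_DAYS
                       ) -> Tuple[List[str], List[str]]:
    """Return (expired ids, ids with no retention policy).

    Records with an unknown data_type are never silently kept; they are
    reported separately so a human assigns them a retention period.
    """
    expired, unclassified = [], []
    for rec in records:
        days = policy.get(rec.data_type)
        if days is None:
            unclassified.append(rec.record_id)
        elif now - rec.created_at > timedelta(days=days):
            expired.append(rec.record_id)
    return expired, unclassified


class VendorClient:
    """Stand-in (hypothetical) for a chatbot vendor's deletion endpoint."""

    def __init__(self) -> None:
        self.deleted: List[str] = []

    def delete(self, vendor_ref: str) -> bool:
        self.deleted.append(vendor_ref)
        return True


def erase_subject(records: List[ChatRecord], subject_id: str,
                  vendor: VendorClient) -> Tuple[List[ChatRecord], List[str]]:
    """Handle a right-to-erasure request for one customer.

    The vendor copy is deleted first, so a local delete can never hide a
    copy still sitting in the vendor's storage. Returns the records that
    remain and the vendor references that were cascaded.
    """
    remaining, cascaded = [], []
    for rec in records:
        if rec.subject_id != subject_id:
            remaining.append(rec)
            continue
        if rec.vendor_ref is not None:
            if not vendor.delete(rec.vendor_ref):
                raise RuntimeError(f"vendor deletion failed for {rec.vendor_ref}")
            cascaded.append(rec.vendor_ref)
    return remaining, cascaded


def export_subject(records: List[ChatRecord], subject_id: str) -> List[dict]:
    """JSON-serialisable export of everything held about one customer (SAR/portability)."""
    return [
        {"record_id": r.record_id, "data_type": r.data_type,
         "created_at": r.created_at.isoformat(), "vendor_ref": r.vendor_ref}
        for r in records if r.subject_id == subject_id
    ]


# Constructed sample data: a fixed clock and four records of mixed age/type.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ChatRecord("r1", "cust-1", "support_transcript", NOW - timedelta(days=400), "v-1"),
    ChatRecord("r2", "cust-1", "marketing_opt_in", NOW - timedelta(days=400), None),
    ChatRecord("r3", "cust-2", "customer_identification", NOW - timedelta(days=10), "v-3"),
    ChatRecord("r4", "cust-2", "feedback_survey", NOW - timedelta(days=900), None),
]

if __name__ == "__main__":
    expired, unclassified = expired_record_ids(SAMPLE_RECORDS, NOW)
    print("expired:", expired, "needs a policy:", unclassified)
    remaining, cascaded = erase_subject(SAMPLE_RECORDS, "cust-1", VendorClient())
    print("remaining:", [r.record_id for r in remaining], "cascaded:", cascaded)
    print("export for cust-2:", export_subject(SAMPLE_RECORDS, "cust-2"))
```

Run against the sample data, the purge reports `r1` as expired (a 400-day-old support transcript against a 365-day period), keeps `r2` because marketing opt-ins have a longer period, and flags `r4` as having no policy at all; the erasure of `cust-1` removes both of that customer's records and cascades the one vendor reference.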
Section 7: Data Processing Agreement (DPA)
You have a signed DPA with your chatbot vendor covering their processing of customer data on your behalf
The DPA specifies the categories of data processed, the purpose of processing, and sub-processors used
Your chatbot vendor’s DPA confirms they will assist you in responding to data subject requests within legally required timeframes
You have DPAs in place for all channels your chatbot operates on (website chat, WhatsApp, Instagram) — some channels involve separate processors
Where to find DPAs for common platforms: Most major chatbot vendors provide DPAs on request or within their legal documentation portal. For AeroChat, request the DPA through the account settings or support channel. For WhatsApp Business API, Meta’s Data Processing Terms govern the processor relationship and are accepted during API onboarding.
Section 8: AI Training Data — The Most Overlooked Risk
This is the compliance area most Shopify merchants miss entirely.
Several chatbot platforms use conversation data to train or improve their AI models. Under GDPR, using your customers’ personal data for AI training requires:
A lawful basis separate from the support interaction itself
Disclosure in your privacy policy
An opt-out mechanism if legitimate interests is the basis, or explicit consent if consent is the basis
You have checked whether your chatbot vendor uses conversation data for AI model training (review their privacy policy and DPA)
If they do, this is disclosed in your own privacy policy
You have assessed whether customers need to be informed and given opt-out rights for this secondary processing purpose
You have confirmed whether opting out of AI training is possible within the platform settings