GDPR Compliance Checklist for Shopify Chatbots: 2026 Guide

AeroChat Team

This guide is for informational purposes. It does not constitute legal advice. Consult a qualified data protection specialist for advice specific to your business.

A Shopify chatbot collects personal data the moment a customer types their name, email, order number, or any message that can identify them. Under GDPR and UK GDPR, that makes your chatbot a data collection point that requires a lawful basis, a privacy notice, a data retention limit, and a signed Data Processing Agreement with your chatbot vendor. Most Shopify store owners have none of these in place. This checklist covers every compliance requirement your chatbot setup needs to meet.

Key Takeaways

  • Every chatbot conversation containing identifiable information is personal data under GDPR

  • You are the data controller. Your chatbot vendor is a data processor. You need a signed DPA with them.

  • Pre-ticking consent boxes or using soft opt-ins for chat data collection is not valid GDPR consent

  • Chat transcripts stored beyond your stated retention period are a compliance liability

  • WhatsApp conversations are subject to GDPR when your customer is an EU or UK resident, regardless of where Meta processes the data

  • AI chatbots that use your conversation data to train their models require explicit disclosure and a lawful basis

  • UK GDPR applies post-Brexit with near-identical requirements to EU GDPR for most ecommerce purposes

Who This Applies To

GDPR applies to your Shopify store if any of these are true:

  • Your store sells to customers in the EU or UK

  • You are based in the EU or UK

  • You process personal data of EU or UK residents regardless of where your business is registered

For chatbot purposes, processing begins the moment a customer sends a message that contains identifiable information. That includes their name, email address, order number tied to their account, IP address, or any combination of details that could identify them.

You are the data controller: you determine the purpose and means of processing. Your chatbot vendor is the data processor: they process data on your behalf. Both roles carry distinct legal obligations under GDPR.

The Full Compliance Checklist

Section 1: Lawful Basis for Processing

  • You have identified a lawful basis for collecting chat data (most commonly: legitimate interests for support queries, or consent for marketing-related chat flows)

  • Your lawful basis is documented in your privacy policy with specific reference to chatbot data

  • If using legitimate interests, you have completed a Legitimate Interests Assessment (LIA) documenting why your interests outweigh the customer's privacy rights

  • You do not rely on legitimate interests for processing special category data (health, financial, biometric)

  • Marketing-triggered chat flows (abandoned cart recovery, promotional campaigns) use consent, not legitimate interests, as the lawful basis

Section 2: Consent Management

  • Your chat widget does not auto-open and begin collecting data before the customer has been informed of data processing

  • If you collect email or phone number through the chat widget pre-conversation, explicit consent is obtained before collection

  • Consent boxes in the chat widget are unchecked by default. Pre-ticked consent is not valid under GDPR.

  • Consent for marketing messages via WhatsApp or email is separate from consent to receive support responses

  • Consent records are stored with timestamp and method of consent

  • Customers can withdraw consent as easily as they gave it, with a clear mechanism in the chat or via privacy contact

Section 3: Privacy Notice and Transparency

  • Your privacy policy explicitly mentions chatbot data collection and explains what is collected, why, and for how long

  • A link to your privacy policy is visible at or before the point of data collection in the chat widget

  • If your chatbot collects data from WhatsApp or Instagram conversations, those channels are named in your privacy policy

  • Your privacy notice explains whether conversations are reviewed by human agents and under what circumstances

  • You disclose whether your chatbot vendor uses conversation data to train AI models (see Section 8)

  • Your privacy policy is written in plain language a non-specialist can understand, not solely in legal terminology

Section 4: Data Minimisation

  • Your chatbot only collects data that is necessary for the stated purpose of each conversation

  • Pre-populated fields (name, email pulled from Shopify customer data) are used only when necessary for the interaction, not collected by default for every conversation

  • Your chatbot does not collect sensitive data (health conditions, payment card numbers, passwords) through chat. If a flow inadvertently prompts for this, it is redirected.

  • Free-text fields in chatbot flows are limited to where genuinely needed. Structured option menus reduce unstructured personal data entry.

Section 5: Data Subject Rights

  • You have a documented process for responding to Subject Access Requests (SARs) that includes chat transcript data

  • You can locate and export all chat data for a specific individual within 30 days when requested

  • You have a process for deleting an individual's chat data when a right to erasure request is received

  • Chat data deletion cascades to your chatbot vendor's storage, not just your own platform records

  • You can provide chat transcripts in a portable format if a data portability request is received

  • Your privacy policy includes contact details for submitting data subject requests (email address or web form)

Section 6: Data Retention

  • You have defined a maximum retention period for chat transcripts (common practice is 12 to 24 months for support conversations)

  • Your retention period is documented in your privacy policy

  • Automated deletion of chat data beyond the retention period is configured in your chatbot platform, or there is a manual review schedule

  • Retention periods differ by data type: support transcripts, marketing opt-ins, and customer identification data may have different retention justifications

  • Chat data is not retained indefinitely simply because the platform default allows it

Section 7: Data Processing Agreement (DPA)

  • You have a signed DPA with your chatbot vendor covering their processing of customer data on your behalf

  • The DPA specifies the categories of data processed, the purpose of processing, and sub-processors used

  • Your chatbot vendor's DPA confirms they will assist you in responding to data subject requests within legally required timeframes

  • You have DPAs in place for all channels your chatbot operates on (website chat, WhatsApp, Instagram) — some channels involve separate processors

Where to find DPAs for common platforms: Most major chatbot vendors provide DPAs on request or within their legal documentation portal. For AeroChat, request the DPA through the account settings or support channel. For WhatsApp Business API, Meta's Data Processing Terms govern the processor relationship and are accepted during API onboarding.

Section 8: AI Training Data — The Most Overlooked Risk

This is the compliance area most Shopify merchants miss entirely.

Several chatbot platforms use conversation data to train or improve their AI models. Under GDPR, using your customers' personal data for AI training requires:

  • A lawful basis separate from the support interaction itself

  • Disclosure in your privacy policy

  • An opt-out mechanism if legitimate interests is the basis, or explicit consent if consent is used

Checklist items for this section:

  • You have checked whether your chatbot vendor uses conversation data for AI model training (review their privacy policy and DPA)

  • If they do, this is disclosed in your own privacy policy

  • You have assessed whether customers need to be informed and given opt-out rights for this secondary processing purpose

  • You have confirmed whether opting out of AI training is possible within the platform settings

Platforms that use conversation data for AI improvement typically disclose this in their terms. Read the DPA data use provisions specifically, not just the general privacy policy.

Section 9: International Data Transfers

  • You have confirmed where your chatbot vendor processes and stores data (EU, UK, US, or other regions)

  • If data transfers occur outside the UK or EEA, an appropriate transfer mechanism is in place (Standard Contractual Clauses, UK IDTA, or adequacy decision)

  • For WhatsApp: Meta processes data in the US. Meta's Standard Contractual Clauses govern this transfer. Confirm these are referenced in your DPA with Meta.

  • You are not transferring customer chat data to countries without adequate protection without a documented transfer mechanism

Section 10: Security

  • Chat data is transmitted over HTTPS/TLS. Unencrypted chat is not GDPR-compliant.

  • Access to chat transcripts within your team is restricted to those with a genuine need

  • Your chatbot platform requires strong authentication (password policy, 2FA) for agent and admin accounts

  • You have assessed and documented the security measures your chatbot vendor applies to stored data (typically covered in the DPA)

  • API keys and integration credentials are stored securely, not in plain text in app settings or shared documents

Section 11: Breach Notification

  • You have a process for detecting a potential data breach involving chat data (unauthorised access, data leak from chatbot platform)

  • You know your 72-hour notification obligation to your supervisory authority (ICO in the UK, relevant national authority in the EU) in the event of a breach

  • Your chatbot vendor is contractually required to notify you of a breach affecting your data without undue delay (covered in the DPA)

  • Breach response includes notifying affected customers where the breach is likely to result in high risk to their rights

Chatbot-Specific GDPR Traps Most Guides Miss

Chat Widget Cookies and Tracking

Many chatbot widgets set cookies that track visitor behaviour before any conversation begins. These tracking cookies require consent under both GDPR and the UK PECR (Privacy and Electronic Communications Regulations). A cookie consent banner that excludes chat widget cookies is incomplete compliance.

Check whether your chatbot widget sets any cookies. If it does, ensure they are listed in your cookie policy and blocked until consent is given. A lazy-loading chat widget setup also delays widget initialisation, which in some configurations reduces cookie firing before consent is obtained.
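The following added example (not AeroChat code) shows one way to enforce the "blocked until consent" rule on a storefront: the widget script is injected only once the visitor has granted the cookie category the vendor assigns to it, and the widget's first-party cookies are expired when consent is withdrawn. The script URL, cookie names, category and the consent manager's `granted()` / `onChange()` API are assumptions; substitute what your vendor and consent tool actually use.

```javascript
// Added example: consent-gated chat widget loader (not AeroChat code).
// Assumed values: widget URL, the cookie names the widget sets, and the
// consent category your cookie policy assigns those cookies to.
const WIDGET_SRC = "https://chat.example.invalid/widget.js"; // placeholder
const WIDGET_COOKIES = ["chat_visitor_id", "chat_session"];    // assumed names
const WIDGET_CATEGORY = "analytics"; // as categorised in your cookie policy

// doc: the browser document (or a stub in tests).
// consent(): returns the array of categories the visitor currently grants.
function createWidgetLoader(doc, consent) {
  let loaded = false;

  // Inject the widget script at most once, and only with consent present.
  // Returns true when the script was injected on this call.
  function load() {
    if (loaded) return false;
    if (!consent().includes(WIDGET_CATEGORY)) return false;
    const s = doc.createElement("script");
    s.src = WIDGET_SRC;
    s.async = true;
    doc.head.appendChild(s);
    loaded = true;
    return true;
  }

  // On withdrawal, expire the widget's first-party cookies (Max-Age=0).
  // Cookies the vendor sets on its own domain cannot be cleared from here,
  // which is why the vendor's DPA must cover deletion on their side too.
  function revoke() {
    const cleared = [];
    for (const name of WIDGET_COOKIES) {
      doc.cookie = `${name}=; Max-Age=0; Path=/; SameSite=Lax`;
      cleared.push(name);
    }
    return cleared;
  }

  return { load, revoke, isLoaded: () => loaded };
}

// Wire-up for a real page: try on page load, retry whenever consent changes,
// and revoke when the visitor withdraws the relevant category.
function attach(doc, consentManager) {
  const loader = createWidgetLoader(doc, consentManager.granted);
  loader.load();
  consentManager.onChange(() => {
    if (consentManager.granted().includes(WIDGET_CATEGORY)) loader.load();
    else loader.revoke();
  });
  return loader;
}
```

In the browser, call `attach(document, yourConsentManager)` from your theme instead of embedding the vendor's script tag directly; the widget then never initialises, and never sets cookies, ahead of consent.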

Shopify Customer Data Pre-Population

Some Shopify chatbot integrations pre-populate the chat widget with the logged-in customer's name and email from the Shopify session. This is convenient but carries compliance implications: you are transferring Shopify customer data to your chatbot vendor's systems without the customer being explicitly aware.

Your privacy policy should disclose that Shopify account data may be passed to the chat system for authenticated sessions. Your DPA with the chatbot vendor should cover this as a data transfer.

WhatsApp and Instagram Channels

When you operate chatbot automation through WhatsApp Business API or Instagram DM automation, the personal data in those conversations is still subject to GDPR when the customer is an EU or UK resident. The fact that the conversation happens on Meta's platform does not transfer the compliance obligation to Meta.

Your chatbot platform, acting as middleware between Meta and your Shopify store, is a sub-processor in this arrangement, and that relationship should be covered in your DPA chain.

Compliance Score: Where Does Your Setup Stand?

Count your checked items across all 11 sections. The checklist contains 40 items total.

Score      Status              Action
35 to 40   Compliant           Annual review sufficient
25 to 34   Mostly compliant    Address gaps within 30 days
15 to 24   Partial compliance  Priority remediation required
Under 15   High risk           Immediate review needed before operating chatbot

If you scored below 25, the highest priority items to address first are: signed DPA with chatbot vendor, privacy policy update to include chatbot data, and data retention limits. These three alone move most stores from high risk to manageable risk while fuller compliance is built out.

FAQs

Does GDPR apply to my Shopify store if I am based outside the EU? Yes, if you sell to EU or UK residents. GDPR has extra-territorial scope. A US-based or Australian-based Shopify store that processes the personal data of EU customers through a chatbot is subject to GDPR for that processing activity.

Is a chatbot vendor's standard privacy policy enough, or do I need a separate DPA? You need a separate DPA. A privacy policy governs the vendor's relationship with their own users. A DPA governs their processing of your customers' data on your behalf. These are different legal relationships. Most established chatbot vendors provide a DPA template on request.

Does the free plan of a chatbot tool require the same GDPR compliance? Yes. The compliance obligation is triggered by the personal data you process, not the price you pay for the tool. A free plan that stores customer chat transcripts carries the same GDPR obligations as a paid enterprise plan.

How long can I legally retain chatbot conversation transcripts? GDPR requires data to be kept no longer than necessary for the purpose it was collected. For support conversations, 12 to 24 months is commonly used as a defensible retention period. For marketing consent records, you should retain evidence of consent for as long as you continue to use it, then delete promptly once it expires or is withdrawn.

What should I do if my chatbot vendor suffers a data breach? Your DPA should require the vendor to notify you without undue delay. Once notified, you have 72 hours to assess whether the breach must be reported to your supervisory authority (ICO for UK, relevant national authority for EU). If the breach is likely to result in high risk to affected individuals, you must also notify those individuals directly.

Does chatbot accessibility compliance overlap with GDPR? They are separate obligations but both apply. Chatbot accessibility requirements under WCAG 2.1 AA focus on usability for disabled users. GDPR focuses on data rights. A fully compliant chatbot setup addresses both.

Do I need a cookie consent banner specifically for the chatbot widget? If your chatbot widget sets cookies, yes. Check with your chatbot provider whether any cookies are set by the widget script and, if so, categorise them correctly (functional, analytics, or marketing) in your cookie consent management. Functional cookies required for basic chat operation may not require active consent, but analytics or tracking cookies always do.

AeroChat is an omnichannel customer communication platform that unifies chat, email, and ticketing — helping businesses respond faster, support smarter, and convert more — without the chaos.

© 2025 AeroChat. All rights reserved.