RGPD checklist for AI customer service: the eight things to verify

RGPD is not "do not collect data". It is "be able to explain what you do and why". Most SMBs deploying an AI receptionist worry about it more than they need to — but only if they actually run through the checklist. Here is the working version.

1. Where is the data hosted?

Your AI provider must host inside the EU, full stop. Janore is hosted in Paris (eu-west-3 / fra1) and uses no third-country sub-processors for chat data. Ask your provider: "Show me the region in your dashboard." If they cannot point at it, that is your answer.

2. Is there a Data Processing Agreement?

A DPA is the contract between you (data controller) and the AI vendor (data processor). Without it, the relationship is informal — that is a finding waiting to happen. Janore offers a one-click DPA in the dashboard for all paid plans, plus a co-signed PDF for Business tier.

3. What is the retention period?

Conversations should not live forever. Janore retains chat transcripts for 90 days by default, configurable down to 30 or up to 365. Your retention policy on your "Politique de confidentialité" page must match this.

4. Right to access and right to delete

Two rights every visitor can ask you for. The data must be exportable in a machine-readable format (we offer CSV and JSON), and deletable on request within 30 days. Janore's account-level export and delete handle both — under `Settings → RGPD → Export` and `Settings → RGPD → Delete account`.

5. Cookie consent

Your embed widget must respect the visitor's cookie consent. If they refused tracking, the AI still works (because basic functionality is essential), but no analytics fire. Janore reads the standard `__consent` signal automatically.

6. Inform the visitor

A short banner inside the chat: "This conversation is processed by an AI. Your message and email may be shared with [Your business] for follow-up." Two sentences. Keep them in the visitor's language. Janore prepends this automatically when consent is enabled.

7. Sub-processors list

Publish your sub-processors. Janore's are: OpenAI (model inference, EU-routed), Supabase (data store, EU region), Resend (transactional email), Stripe (billing). Listing them on a sub-processors page protects you when a customer asks.

8. Data minimisation

Do not ask for more than you need. Email is reasonable for follow-up; date of birth, address, ID number — almost never. Janore's default fields are name + email + message. Anything else requires a custom intake step you trigger consciously.

What this looks like in your stack

A working RGPD-compliant deployment of Janore involves:

• DPA signed (one click)
• Retention set to 90 days (or your policy)
• Cookie consent respected
• "Politique de confidentialité" page updated to mention AI processing + retention
• Export/delete tested at least once
• Sub-processors page published

That is it. Six artefacts and you are defensible. The CNIL has a published view that AI-driven customer service is fine when handled this way — the official guidance lives at cnil.fr/en/recommendations.

What you do not need

• A DPIA (impact assessment) for routine AI chat — not required when the data flow is low-risk.
• A formal DPO appointment — not required for SMBs under 250 employees unless you process special-category data.
• A consent click for every message — only at the start of the conversation.

If your customer ever sends a request you do not know how to handle, escalate to your DPO or the CNIL helpline. They are friendly. The horror stories are exceptions.