# Is There a GDPR-Compliant AI Chatbot for E-commerce? Yes. Here Is What That Means.
Yes. Emporiqa is run by an EU company, signs a Data Processing Agreement under Article 28, does not train on your customer data, and honors access and erasure requests. The chat model runs on OpenAI, search reranking uses OpenRouter, and the site uses Cloudflare, all named openly as subprocessors. OpenAI deletes API requests within 30 days, and we delete chat history after 90 days. All of this is on the normal pay-as-you-go plan.
A store chatbot reads what shoppers type, so GDPR applies the moment you turn one on. A GDPR-compliant AI chatbot for e-commerce is one whose vendor signs a DPA, does not train on your data, keeps model-call retention at zero, names its subprocessors, and lets you honor access and erasure. Emporiqa does all of this on the standard plan.
## GDPR checklist: generic AI chatbot vendor vs Emporiqa
| What to check | Typical AI chatbot vendor | Emporiqa |
|---|---|---|
| Signed DPA (Article 28) | Sometimes, often enterprise-only | Yes, available on every plan |
| Trains on your data | Often yes, or unclear in the terms | No, your data is never used for training |
| Model-call retention | Varies, sometimes 30 days or more | Not trained on; OpenAI deletes API data within 30 days |
| Data-subject rights | Manual, slow, or unclear | Access and erasure requests honored |
| Subprocessors disclosed | Often buried or absent | OpenAI, OpenRouter, and Cloudflare, named openly |
| EU AI Act disclosure | Rarely addressed | Widget can disclose it is an AI |
| Company location | Often outside the EU | EU company, Rosel Group LTD, Bulgaria |
| Compliance behind a tier | Frequently enterprise-gated | On the normal pay-as-you-go plan |
## What GDPR compliance means for a store chatbot
When a shopper types a question, that text is personal data the moment it can be linked to a person. GDPR asks you to control who processes it, why, for how long, and whether anyone reuses it. For a chatbot that means a signed contract with your vendor (the DPA under Article 28), a clear no on training, a short and known retention window, and a way to answer when a customer asks what you hold or asks you to delete it.
It also means knowing who else touches the data. Every vendor relies on subprocessors. The question is whether they tell you who, so your own privacy policy can name them.
## What Emporiqa does, and what it is honest about
Emporiqa is run by Rosel Group LTD, an EU company in Bulgaria. We sign a DPA under Article 28. We do not train on your customer data, and OpenAI does not use API data to train its models. OpenAI keeps API requests for up to 30 days to monitor for abuse, then deletes them. Your chat history is stored for 90 days, then deleted. For stricter requirements, a zero-retention arrangement can be requested. We honor data-subject access and erasure requests. The widget can be set to disclose that it is an AI.
We are upfront about where the data goes. The chat model runs on OpenAI. Search reranking uses OpenRouter, which only receives a product-search query with no shopper identifier attached, so it cannot tie a query to a person. The site uses Cloudflare. All are named openly as subprocessors so you can list them in your own records. We do not claim the servers sit in the EU. Our case is the contract, no training on your data, and short deletion windows you can verify.
## The EU AI Act in one line
The EU AI Act expects shoppers to know when they are talking to a machine. Emporiqa lets you set the widget so it discloses that it is an AI, which covers that transparency duty for a store chatbot.
## Questions store owners ask
### Is Emporiqa GDPR compliant?
Yes. Emporiqa is run by an EU company, signs a DPA under Article 28, does not train on your data, deletes API requests within 30 days, and honors access and erasure requests.
### Do you train on my customer data?
No. Your customer data is never used to train any model. OpenAI keeps API requests for up to 30 days for abuse monitoring, then deletes them, and your chat history is deleted after 90 days.
### Do you sign a DPA?
Yes. We provide a signed Data Processing Agreement under Article 28, available on every plan.
### How do you handle data location?
Emporiqa is run by an EU company and does not train on your data. The chat model runs on OpenAI, which deletes API requests within 30 days, search reranking uses OpenRouter (a product query with no shopper identifier attached), and the site uses Cloudflare, all disclosed as subprocessors so you can list them in your records.
## Start with a compliant setup
Create a free account with $25 of signup credit, no card required. The DPA is available on the normal pay-as-you-go plan.