Most AI chatbots were built in the US, store your conversations on their own servers, and treat data protection as a checkbox. If your visitors are in Europe, that risk is yours to carry, not the vendor's. And the rules are tightening: by August 2026, chatbots in use are expected to meet the EU AI Act's transparency requirements and stay GDPR-compliant, with fines reaching up to 20 million euros or 4% of global revenue for serious breaches.

This comparison looks at the 7 most privacy-focused chatbots on the market, scored on the criteria that actually matter for compliance: where your data lives, whether there is a Data Processing Agreement, how deletion works, and whether the tool discloses that it is AI. Full transparency: Agentorie Chat is our own product. It is in this comparison, but we placed it last and held it to the same standard as the rest. If you want our platform-specific picks, we cover them separately in our WordPress chatbot comparison and PrestaShop chatbot comparison.

Why GDPR compliance is non-negotiable for chatbots in 2026

Chatbots collect some of the most sensitive data in your stack. Every conversation can capture names, emails, phone numbers, purchase intent, and sometimes health or financial questions, given voluntarily by the visitor. That is valuable first-party data, but it is also personal data the moment it is stored, which puts it squarely under GDPR.

The August 2026 deadline is real

The EU AI Act is phasing in alongside GDPR. For most websites, a chatbot is classified as limited risk, and the main obligation is transparency: the visitor must know they are talking to AI, not a human. By August 2026, chatbots in service are expected to meet these transparency rules. Stricter requirements, like technical documentation, human oversight, and conformity assessment, only apply to high-risk use cases, which most support and e-commerce bots are not. The practical takeaway: disclose the bot, and pick a tool that handles consent and data rights properly.

Non-compliance costs more than fines

GDPR fines can reach 20 million euros or 4% of global revenue, but the quieter cost is trust. Around 62% of European consumers will abandon a chatbot if they sense a lack of transparency about how their data is used. A privacy-respecting chatbot is not just a legal safeguard, it is a conversion lever with a skeptical European audience.

What GDPR actually requires from a chatbot

Before comparing tools, here is what compliance actually demands. These are also the criteria we score each chatbot on.

1. A legal basis and clear consent

You need a documented lawful basis for processing, and in most cases active, informed consent before collecting personal data. Consent must be freely given and specific: the visitor should know what you collect and why, and declining should limit the chatbot rather than block your whole service.

2. Transparency that it is AI

Both GDPR and the EU AI Act push the same point: people must know when they are talking to a machine. A compliant chatbot discloses that it is AI and does not impersonate a human agent. This is the single easiest requirement to meet, and the one most likely to lose you customers if you ignore it.

3. Data minimization and a real retention policy

Collect only what you need, and keep it only as long as you can justify. "We keep data as long as necessary" is not a retention policy under GDPR. You need specific timeframes tied to specific purposes, and automated deletion when they expire. Manual cleanup does not scale and does not hold up under scrutiny.

4. Where the data lives (residency)

This is the criterion that separates the field. Data stored in the EU, or in infrastructure you control, is far simpler to defend than data sitting on US servers. For non-EU hosting you need a valid transfer mechanism and documentation. The strongest position is data that never leaves infrastructure you own.

5. A Data Processing Agreement (DPA)

Any third party that processes personal data on your behalf must sign a DPA. Every serious vendor offers one. The only way to not depend on a processor's DPA for storage is to keep the data yourself, by self-hosting or by storing it in your own database.

6. The right to erasure (and the training-data trap)

Visitors can request deletion of their data, and you must honor it, typically within 30 days. Two things make this harder than it sounds. First, conversation data often spreads across multiple systems. Second, if your chatbot runs on a third-party AI model, check whether user prompts are used to train that model: even if you are compliant, your provider might not be. Tools with zero data retention on the AI side, or data kept in your own database, make this far cleaner.

GDPR-compliant chatbot comparison table

Here is how the 7 tools stack up on the criteria that matter for compliance. Legend: ✓ yes, ◐ partial or conditional, ✕ no.

Solution Price from Hosting Data in your own DB DPA Auto-deletion
Intercom $39/seat/mo
+ $0.99/AI resolution
US (multi-region)
Tidio $29/mo
+ Lyro from $32.50
EU option
Crisp Free
AI from €95/mo
EU (Amsterdam)
Userlike Free
from €90/mo
Germany
Landbot Free
from €40/mo
EU (Belgium)
Chatwoot Free self-host
cloud from $19/agent
Your server or cloud Self-host
Agentorie Chat Free
then from a few €
Your own server

The 7 most privacy-focused chatbots in detail

Each tool occupies a different point on the privacy spectrum, from certified US enterprise platforms to fully self-hosted open source. Here is the detailed read on each, with a rating and the profile it suits.

1. Intercom, the certified enterprise standard

Most certifications · Fin AI · US-based
★★★★☆ 4.2/5

Intercom is the enterprise benchmark, and its Fin AI agent is genuinely capable, with a deep certification stack (SOC 2, ISO 27001, HIPAA on higher tiers) and a DPA as standard. If you need to satisfy a procurement team's security checklist, few tools tick more boxes.

The catch is twofold. First, cost: seats start at $39 per seat per month, Fin AI is billed separately at $0.99 per resolution, and the add-on stack pushes real bills to several hundred or several thousand dollars a month. Second, your data lives on Intercom's cloud, billed in US dollars, not in the EU by default and not in your own infrastructure. Certified is not the same as data-sovereign.

Strengths

  • Deepest certification stack (SOC 2, ISO 27001, HIPAA)
  • Fin AI is capable and well-built
  • DPA standard, mature security posture
  • Strong for enterprise procurement reviews

Limits

  • Expensive, costs escalate with add-ons and AI resolutions
  • Data on Intercom's cloud, not your infrastructure
  • Billed in USD, no permanent free tier
  • Overkill for small sites
Price from $39/seat/mo
Hosting US cloud
Best for Enterprise teams

2. Tidio, popular with e-commerce

SMB e-commerce favorite · EU hosting option
★★★★☆ 4.2/5

Tidio is the most popular live chat and chatbot among SMB e-commerce, with a polished interface, fast setup, and its Lyro AI handling a large share of routine questions. It is GDPR-compliant, with a published privacy policy covering data subject rights and an EU data hosting option, which already puts it ahead of many US tools on residency.

The watch-outs: pricing stacks (Starter from around $29 per month, Lyro AI billed separately from $32.50 per month and per conversation beyond allowances), and your conversations still live on Tidio's infrastructure rather than in your own database. Compliant, but not data-sovereign.

Strengths

  • EU data hosting option available
  • Polished UI, very fast setup
  • Strong e-commerce integrations (Shopify, WooCommerce)
  • DPA and documented data rights

Limits

  • Lyro AI billed separately and per conversation
  • Data on Tidio's servers, not yours
  • Costs climb with volume
  • Limited free plan
Price from $29/mo
Hosting EU option
Best for E-commerce SMBs

3. Crisp, the strongest mainstream EU option

French · data hosted in Amsterdam · all-in-one
★★★★☆ 4.4/5

Crisp is the strongest mainstream EU option. Headquartered in Nantes, France, with messaging data hosted exclusively in Amsterdam, it is one of the few platforms that, in practice, keeps EU conversation data inside the EU. It bundles live chat, a shared inbox, knowledge base, light CRM, and its Hugo AI in one coherent product, with a genuinely useful free tier for a two-agent live chat.

Two honest caveats. The AI chatbot only unlocks on the Essentials plan at around 95 euros per month, which prices out small sites that just wanted some automation. And while messaging data stays in the EU, some relay data has historically touched servers outside it, so confirm the current setup if your requirements are strict.

Strengths

  • Messaging data hosted in the EU (Amsterdam)
  • All-in-one: chat, AI, inbox, CRM, knowledge base
  • Free plan for basic live chat
  • European company, GDPR-aligned by design

Limits

  • AI chatbot only from around €95/mo
  • Some relay data has touched non-EU servers
  • Data still on Crisp's cloud, not yours
  • Analytics lighter than enterprise tools
Price from Free
Hosting EU (Amsterdam)
Best for EU support teams

4. Userlike (Lime Connect), made in Germany

Hosted in Germany · ISO 27001 certified
★★★★☆ 4.3/5

Userlike, now Lime Connect, is the made-in-Germany benchmark for data protection. All chat data is encrypted and stored exclusively on ISO 27001-certified servers in Germany, with automatic deletion features and a privacy posture shaped by some of the strictest data rules in Europe. For DACH-market businesses, this is often the default safe choice, used by names like Toyota and Hermes.

The trade-offs are price and scope. The free plan is limited to a single seat with no AI, the Team plan starts around 90 euros per month for four seats, and the AI Agent is a paid add-on from around 99 euros per month on top. And like the other SaaS tools here, your data lives on Userlike's German servers, which is excellent for residency but still not your own database.

Strengths

  • Data stored exclusively in Germany, ISO 27001 certified
  • Automatic deletion, strong privacy features
  • Trusted by large DACH enterprises
  • Omnichannel (web, WhatsApp, Instagram, email)

Limits

  • AI is a paid add-on on top of the base plan
  • Entry price steep (around €90/mo for 4 seats)
  • Data on Userlike's servers, not yours
  • Heavier than a simple website bot needs
Price from Free
Hosting Germany
Best for DACH market

5. Landbot, the EU no-code builder

No-code flows · hosted in Belgium (EU)
★★★★☆ 4.0/5

Landbot is a no-code conversational builder focused on lead-generation flows, hosted in Belgium on Google Cloud (EU), which makes EU data residency straightforward. Its drag-and-drop builder is fast and pleasant, and a permanent free Sandbox plan (100 chats per month) lets you validate a use case at no cost.

Two things to weigh. Landbot sits closer to rule-based flows than to true conversational AI, even with its AI Agent layer, and AI chats are tightly capped on lower tiers. And pricing climbs: Starter is around 40 euros per month, Pro around 100 euros, with overage fees on chats and seats. Good EU residency, but more a flow builder than a deeply conversational assistant.

Strengths

  • EU data residency (Belgium, Google Cloud)
  • Fast no-code drag-and-drop builder
  • Permanent free plan to start
  • Strong for lead-gen and WhatsApp flows

Limits

  • Closer to rule-based flows than true AI
  • AI chats tightly capped on lower tiers
  • Overage fees on chats and seats
  • Data on Landbot's cloud, not yours
Price from Free
Hosting EU (Belgium)
Best for No-code lead gen

6. Chatwoot, open source and self-hostable

Open source · self-host · full data sovereignty
★★★★☆ 4.1/5

Chatwoot is the open-source answer to Intercom and Zendesk: a shared inbox for live chat, email, and social, with an MIT-licensed core you can self-host for free. Self-hosting is the strongest possible privacy position, your conversation data never leaves servers you control, which removes the cross-border transfer question entirely. Its Captain AI agent adds automation on top.

The cost is operational. Self-hosting means you run a Linux server with PostgreSQL and Redis, handle updates, security, and scaling yourself, and some advanced features (SSO, audit logs) sit behind a paid enterprise license. The managed cloud starts at $19 per agent per month if you would rather not run infrastructure, but then your data is back on Chatwoot's servers. Total data control, in exchange for DevOps work.

Strengths

  • Open source, self-host for free with full data control
  • Data never leaves your servers when self-hosted
  • Omnichannel shared inbox
  • Captain AI agent for automation

Limits

  • Self-hosting requires running and securing servers
  • Advanced features behind a paid enterprise license
  • Cloud version puts data back on their servers
  • Per-agent cloud pricing adds up
Price from Free (self-host)
Hosting Your server
Best for Technical teams

Which GDPR-compliant chatbot should you choose?

There is no universal winner. Here is the best fit by profile:

Enterprise with a procurement checklist

You need SOC 2, ISO 27001, maybe HIPAA, and a vendor that satisfies a formal security review. Budget is secondary to certifications.

Intercom

Data must never leave your servers

A regulated or highly sensitive context where the cleanest answer is data on infrastructure you control, and you have the team to run it.

Chatwoot or Agentorie Chat

E-commerce on WordPress or PrestaShop

You want catalog-aware AI plus GDPR safety, with the conversation data ideally in your own store database.

Agentorie Chat or Tidio

DACH / German-speaking market

Your customers expect German data residency and ISO certification as table stakes, not as a premium extra.

Userlike

EU support team, all-in-one

You want chat, inbox, AI, and CRM in one EU-hosted tool, and you have the AI budget to match.

Crisp

No-code lead-gen flows

Marketing-led conversational flows and WhatsApp campaigns with EU residency matter more to you than deep AI.

Landbot

Frequently asked questions

ChatGPT itself is not automatically GDPR-compliant for business use. If you embed a raw ChatGPT or OpenAI integration on your site, you are responsible for the legal basis, consent, data minimization, and a Data Processing Agreement, and you must check whether user prompts are used to train the model. Compliance depends on how you configure and deploy it, not on the model alone. A chatbot built on a compliant architecture, with EU hosting or data kept in your own database, a signed DPA and clear retention rules, is the safer route.

Several things together: a documented legal basis and clear consent before processing personal data, transparency that the user is talking to AI (also an EU AI Act requirement), data minimization, a signed DPA with any processor, known data residency, the right to erasure with automated deletion, and a real retention policy with specific timeframes. No single feature makes a chatbot compliant. It is the combination, plus where the data physically lives.

Yes. If a third party processes personal data on your behalf, a signed Data Processing Agreement is mandatory under GDPR. Every reputable vendor in this comparison offers one. The only way to avoid relying on a processor's DPA for storage is to keep the data in infrastructure you control, either by self-hosting or by using a tool that stores indexed data directly in your own database.

Ideally within the EU, or in infrastructure you control. EU-hosted tools (Crisp in Amsterdam, Userlike in Germany, Landbot in Belgium) keep data in Europe on their own servers. Self-hosted tools and tools that store indexed data in your own database go a step further: the data never leaves infrastructure you own. For non-EU hosting, you need a valid transfer mechanism and a DPA, and you should document it.

For most websites, yes, but lightly. Most chatbots are classified as limited risk, so the main obligation is transparency: users must be clearly told they are interacting with AI. By August 2026, chatbots in use are expected to meet these transparency requirements alongside GDPR. Stricter obligations like technical documentation, human oversight, and conformity assessment only apply if your use case is high risk, which most customer-support and e-commerce bots are not.

It can, because the data stays on infrastructure you control, which removes the cross-border transfer question and reduces reliance on a processor. The trade-off is that you run and secure the servers, handle updates, and own the maintenance. A middle path is a tool that keeps indexed data in your existing database without making you operate separate chatbot infrastructure, which gives much of the data-sovereignty benefit without the DevOps burden.

In summary

GDPR compliance for chatbots in 2026 comes down to a few questions: where does your data physically live, is there a signed DPA, can you delete data on request and on schedule, and does the bot disclose that it is AI? The EU AI Act adds the transparency layer, and August 2026 is the practical deadline to have all of this in order.

Intercom wins on certifications if budget is no object. Crisp is the strongest mainstream EU option. Userlike is the German-residency benchmark. Landbot covers EU no-code flows. Chatwoot gives total data control if you can run the servers. And Agentorie Chat, our tool, is built for the specific case of keeping indexed data in your own WordPress or PrestaShop database, the data-sovereignty of self-hosting without the infrastructure, with a real free plan.

Whatever you choose, get a signed DPA before you go live, document where your data is stored, and disclose the bot to your visitors. Compliance is a combination of the right tool and the right setup, never the tool alone.