Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Botpress is an AI chatbot and conversational agent platform that embeds a chat widget, processes conversation content and may set cookies or identifiers.
Botpress is a platform for building AI chatbots and conversational agents that businesses embed on their websites as a chat widget. It interprets user messages, generates replies and can connect to large language models to power natural conversation. Botpress Cloud is operated from the United States and processes the conversation content that users type.
Botpress processes the full content of chat conversations, which can include names, contact details and anything else a user volunteers. The widget may set cookies or identifiers to maintain the session and recognise returning users. Because users can disclose health, financial or other sensitive details in free text, conversation logs can contain special category data.
Non essential cookies set by the chat widget require prior consent under the ePrivacy Directive. Under the GDPR you need a lawful basis and clear information for processing conversation data, and you must account for any large language model subprocessor. As the website operator you are the controller and Botpress acts as your processor under a data processing agreement.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Any non essential cookies or identifiers must load only after freely given, specific, informed and unambiguous consent. The chat function a user actively starts can rely on consent or legitimate interest, but you should warn users not to share sensitive data. Where the assistant is likely to handle special category data, explicit consent or another Article 9 condition is required.
Botpress Cloud is hosted in the United States and large language model subprocessors may also be located outside the European Economic Area. These transfers must be covered by Standard Contractual Clauses or the EU US Data Privacy Framework. Review the data processing agreement, map the subprocessors and document the transfer mechanism in your records of processing.
Sign the data processing agreement, review the subprocessor list and confirm transfer safeguards. Gate non essential cookies behind your consent banner, add a notice in the chat warning against sharing sensitive data and set retention limits for conversation logs. Complete a data protection impact assessment and describe the AI processing in your privacy notice.
Websites using Botpress must obtain user consent under GDPR regulations.
DPIA considerations
Because Botpress processes conversation content that can be personal or sensitive, may use large language models and transfers data to the United States, a data protection impact assessment is strongly recommended. Assess what users might disclose in chat, the role of AI subprocessors and the safeguards covering the transfer.
Sample consent text
We use Botpress to power our chat assistant, which processes your messages and may set cookies. Non essential cookies load only after you accept, and you should avoid sharing sensitive information in the chat. You can change your choice at any time in cookie settings.
Third-party domains contacted
botpress.comcdn.botpress.cloudwebchat.botpress.cloudmessaging.botpress.cloudCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| bp_session | Functional | Session | Maintains the chat session and conversation continuity. |
| bp_user_id | Functional | 1 year | Recognises returning users to restore prior conversations. |
| bp_analytics | Analytics | 1 year | Measures chat usage and assistant performance. |
Botpress uses cookies for user preferences — inform visitors with a consent banner.
Botpress may set a functional cookie that keeps the chat session running, an identifier that recognises returning users to restore conversations and an analytics cookie that measures chat usage. The non essential cookies require consent before they load.
Yes for non essential cookies and identifiers. Under the ePrivacy Directive these must load only after the visitor opts in through your consent banner, so the chat widget should not place them before consent is given.
Non essential cookies rely on consent. Processing conversation data can rely on consent or legitimate interest, but where the assistant is likely to handle sensitive details you need explicit consent or another Article 9 condition. Document each basis in your records.
Yes. Botpress Cloud is hosted in the United States and large language model subprocessors may also be outside the European Economic Area. Ensure transfers are covered by Standard Contractual Clauses or the EU US Data Privacy Framework and map every subprocessor.
A data protection impact assessment is strongly recommended because conversation content can be personal or sensitive, the platform may use AI models and data is transferred internationally. Assess what users might disclose and the role of AI subprocessors before deployment.
Sign the data processing agreement, review the subprocessor list and confirm transfer safeguards. Gate non essential cookies behind your consent banner, warn users in the chat against sharing sensitive data, set retention limits for logs and describe the AI processing in your privacy notice.
Yes. Tools such as Rasa, which can be self hosted, and other European chatbot providers offer similar features with more local hosting options. Whichever you choose, the same consent, transfer and conversation handling duties apply.
List each Botpress cookie with its name, purpose and duration, state that conversation data is processed in the United States and name the transfer safeguard. Mention any AI subprocessors and keep the policy aligned with what your consent banner controls.