Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Chatbase is an AI chatbot builder that allows businesses to create custom chatbots trained on their own data and embed them on their websites. When deployed, the Chatbase widget collects visitor conversation data and transmits it to OpenAI API servers in the United States for AI processing. Its use on European websites requires prior consent under GDPR and the ePrivacy Directive, as personal data including IP addresses and conversation content is processed from the first interaction.
Chatbase is a no-code AI chatbot platform that enables businesses and developers to build custom chatbots trained on their own documents, websites, and data sources. Once trained, the chatbot can be embedded on any website as a widget or accessed via API. Chatbase is built on top of large language models, primarily the OpenAI GPT family, meaning every conversation a visitor has with the chatbot is processed by OpenAI's API infrastructure in the United States. This architecture creates a dual data processing chain involving both Chatbase as the primary processor and OpenAI as a sub-processor, with significant implications for GDPR compliance.
Chatbase collects and stores the full content of every conversation held through the widget, including all messages sent by the visitor. It also collects IP addresses, browser and device information, session identifiers, and metadata about conversation timing and length. If the website owner configures Chatbase to capture user identity (name, email) as part of the chat flow, this data is also stored in Chatbase's dashboard. All conversation data is transmitted to OpenAI API for processing on each message, meaning OpenAI also receives the conversation content and any personal data it contains.
Chatbase raises specific GDPR challenges that go beyond standard third-party widget compliance. First, the unpredictable nature of AI chat conversations means visitors may voluntarily share sensitive personal data (health information, financial details, personal circumstances) that the website operator did not anticipate collecting. Second, the transmission of conversation content to OpenAI creates a sub-processing relationship that must be disclosed and covered by a Data Processing Agreement chain. Third, there is currently no EU data residency option for Chatbase, meaning all data leaves the EU. Fourth, depending on OpenAI's data retention policies, conversation content may be used for model improvement unless specifically opted out.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The Chatbase widget must not load until explicit, informed consent is obtained. The consent notice must explain that an AI chatbot is used, that conversation data is processed by Chatbase in the US, and that messages are transmitted to OpenAI for AI response generation. Visitors must understand that anything they type in the chat may be processed by a US-based AI provider. A clear opt-out must be available, and the widget must be fully suppressed for users who decline or withdraw consent. Given the sensitivity of AI conversation data, a more prominent and specific consent notice than standard analytics cookies is advisable.
Chatbase operates exclusively on US infrastructure with no EU data residency option. Every conversation is transferred to the US twice: once to Chatbase's servers and once to OpenAI's API. Both transfers constitute third-country transfers under GDPR Chapter V. Standard Contractual Clauses apply to the Chatbase transfer. For the OpenAI sub-processing chain, organisations should verify that Chatbase has appropriate contractual protections in place with OpenAI and disclose both entities in their privacy policy and sub-processor list. OpenAI maintains its own GDPR compliance measures and SCCs for API customers.
To deploy Chatbase compliantly in the EU: block the widget until consent is obtained; update your privacy policy to disclose both Chatbase and OpenAI as data processors with a description of the data transferred and the US transfer mechanism; sign a Data Processing Agreement with Chatbase; verify Chatbase's sub-DPA with OpenAI and include OpenAI in your sub-processor list; configure Chatbase to minimise data collection (avoid capturing unnecessary identity fields); enable OpenAI's zero data retention option if available for your API tier to prevent conversation data from being used for model training; and document all US transfers in your Records of Processing Activities.
Websites using Chatbase must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for Chatbase deployments because conversation data is transmitted to a third-party AI provider (OpenAI) in the US, creating a chain of sub-processing that is difficult to fully control. Key risks include the unpredictable nature of conversation content (visitors may share sensitive personal data), the absence of EU data residency, AI model training implications, and the dual transfer to both Chatbase and OpenAI infrastructure.
Sample consent text
We use Chatbase to power the AI chat assistant on this website. When you use the chat, your messages and session data are processed by Chatbase and transmitted to OpenAI servers in the United States to generate responses. Please accept to enable the chat assistant.
Third-party domains contacted
www.chatbase.coapi.chatbase.coapi.openai.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| chatbase-session | session | Session | Session identifier used to maintain the active chat conversation state |
| chatbase-widget | persistent | 30 days | Widget state token used to persist chat preferences and conversation context across page visits |
Chatbase uses cookies for user preferences — inform visitors with a consent banner.
Chatbase sets session and functional cookies to manage the chat widget state and identify sessions. It also uses localStorage to persist conversation context across page navigations. The specific cookies vary by integration method, but typically include a session identifier and widget state token. Because the widget loads external scripts from Chatbase servers, third-party cookies may also be set depending on browser settings.
Yes. Chatbase collects conversation content, IP addresses, and session identifiers, and transmits this data to OpenAI API servers in the US from the first message. Under GDPR and the ePrivacy Directive, consent must be obtained before the widget loads. The consent notice must specifically mention both Chatbase and OpenAI as processors and disclose the US data transfer.
Consent under Article 6(1)(a) GDPR is the primary legal basis for deploying a Chatbase widget on a public website. Where the chatbot is used to fulfil a specific service explicitly requested by the user (such as retrieving account information), contract performance under Article 6(1)(b) may also apply, but this does not remove the ePrivacy requirement to obtain consent before loading the widget.
Yes. All Chatbase conversation data is processed in the United States. Additionally, every message sent through the chatbot is transmitted to OpenAI's API, also hosted in the US, for AI response generation. Both transfers are subject to GDPR Chapter V requirements. Standard Contractual Clauses apply to the Chatbase transfer. Organisations must verify the contractual chain covering the OpenAI sub-processing.
A DPIA is strongly recommended. The combination of AI conversation processing, unpredictable sensitive data exposure, dual US transfers (Chatbase and OpenAI), absence of EU data residency, and potential AI model training implications creates a high-risk processing profile. The DPIA should specifically assess the risk of visitors sharing special category data in chat, the sub-processing chain, and the adequacy of transfer safeguards.
Block the Chatbase widget script until explicit consent is received via your CMP. Update your privacy policy to name both Chatbase and OpenAI as processors. Sign a DPA with Chatbase and confirm they have a DPA with OpenAI. Enable OpenAI zero data retention if available. Minimise data collection in the chat flow by avoiding unnecessary identity capture fields. Add a visible notice inside the chat interface reminding users not to share sensitive personal data. Document both US transfers in your RoPA.
Yes. Botpress can be self-hosted on EU infrastructure and supports integration with EU-based LLM providers. Flowise is another open-source chatbot builder that can be deployed on your own servers. For organisations that want to avoid OpenAI entirely, self-hosted models via Ollama or Mistral AI (French company with EU data residency) can power chatbots without any US data transfer.
Add an entry for Chatbase in your cookie policy covering the session and widget state cookies it sets, their duration, and their purpose. Note that conversation data is transmitted to Chatbase and OpenAI servers in the US beyond what is stored in cookies. Reference Chatbase as a third-party AI processor in your privacy policy and disclose both the Chatbase and OpenAI US transfers with their applicable safeguards (Standard Contractual Clauses).