FlowConsent

FlowConsent is a GDPR-compliant cookie consent management platform.

© 2026 FlowConsent by BeBranded. All rights reserved.

XGen AI


What does XGen AI do?

XGen AI is a US-based AI content and automation platform that ships embeddable assistant widgets built on top of OpenAI and Anthropic foundation models. Conversations entered into XGen AI widgets are processed in the United States and may contain personal data, occasionally including Art. 9 GDPR special categories such as health or political opinions. Loading the widget on an EU-facing site sets identifiers and triggers Art. 5(3) ePrivacy plus the GDPR Schrems II framework for transfers.

What XGen AI is

XGen AI is a US-based platform that lets product, marketing and support teams generate content and deploy embeddable assistant chatbots on top of OpenAI and Anthropic foundation models. Customers build assistants in a hosted workspace and inject a JavaScript snippet into their website to render a chat widget. The widget runs first-party scripts, loads remote assets and forwards every user message to XGen AI servers in the United States, where retrieval-augmented generation orchestrates calls to upstream model providers and returns the response to the browser.

Data captured by the assistant

Each conversation captures the full prompt typed by the visitor, the generated reply, a session identifier, the page URL, the referrer, the user agent and the IP address. Most deployments add a unique assistant identifier in local storage and a session cookie. Because users can type anything, transcripts routinely contain personal data and may include Art. 9 GDPR special categories such as health questions, political views or sexual orientation, especially on healthcare, legal or HR sites. XGen AI may also retain logs for safety filtering and quality monitoring.

GDPR, ePrivacy and AI Act implications

The site operator is the data controller, XGen AI is the processor and the foundation model providers are sub-processors. Loading the widget writes identifiers to the visitor's device and triggers Art. 5(3) ePrivacy. Under the EU AI Act (Regulation 2024/1689), the assistant is at minimum a limited-risk system subject to transparency duties (Art. 50): the visitor must know they are interacting with AI. If the chatbot is used for hiring, credit scoring or biometric inference, the high-risk regime applies and additional documentation, logging and human oversight are required.


Consent and lawful basis

Embedding an XGen AI assistant on an EU-facing page requires Art. 6(1)(a) GDPR consent, both for the cookies and local storage written by the widget and for the substantive processing of the conversation. Where the visitor may share Art. 9 data, the lawful basis is explicit consent under Art. 9(2)(a) GDPR. The consent gate must block the widget script entirely until the user opts in, and the AI Act transparency notice should be visible inside the chat surface itself, not buried in a footer link.

International data transfers

XGen AI runs on AWS regions in the United States and routes prompts to OpenAI (US) and Anthropic (US). Transfers rely on the EU US Data Privacy Framework, where the operators are certified, or on Standard Contractual Clauses combined with supplementary measures. A Schrems II Transfer Impact Assessment is mandatory and should specifically evaluate FISA 702 risk for highly textual content. Operators should opt out of model training on customer data with each upstream provider and pin the inference region where possible.

Practical compliance steps

Place the XGen AI loader behind a CMP gate and only inject it after explicit consent. Disable model training on customer data, set a short retention window for transcripts (30 to 90 days), and configure prompt redaction to mask emails, phone numbers and identifiers before inference. Publish an AI-specific privacy notice that lists XGen AI, OpenAI and Anthropic as sub-processors. Run periodic red-team tests for prompt injection, document the EU AI Act risk classification and offer users a one-click way to delete their transcript and export the data on request.
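
A sketch of the consent gate described above, as an added example (not FlowConsent or XGen AI code). The loader URL is a placeholder because this page does not give the real path, the function names are hypothetical, and the cookie and local storage names are the ones listed in the cookie table on this page.

```javascript
// Added example. LOADER_URL is a placeholder; the page does not give the real loader path.
const LOADER_URL = "https://cdn.example.invalid/assistant-loader.js";
// Names taken from the cookie table on this page.
const WIDGET_COOKIES = ["xgen_session", "xgen_cid", "xgen_csrf"];
const WIDGET_LOCAL_STORAGE = ["xgen_assistant_id"];

// doc and storage are passed in (document / localStorage in a browser) so the gate is testable.
function createConsentGate({ doc, storage, loaderUrl = LOADER_URL }) {
  let scriptEl = null;
  function inject() {
    if (scriptEl) return "already-loaded"; // never inject twice
    scriptEl = doc.createElement("script");
    scriptEl.src = loaderUrl;
    scriptEl.async = true;
    doc.head.appendChild(scriptEl);
    return "loaded";
  }
  function purge() {
    // Removing the tag does not stop code that already ran; reload the page after withdrawal.
    if (scriptEl) { doc.head.removeChild(scriptEl); scriptEl = null; }
    // Assumes first-party, non-HttpOnly cookies set on Path=/.
    for (const name of WIDGET_COOKIES) doc.cookie = `${name}=; Max-Age=0; Path=/`;
    for (const key of WIDGET_LOCAL_STORAGE) storage.removeItem(key);
    return "blocked";
  }
  return {
    // Only an explicit `true` counts as opt-in; undefined, null or "true" stay blocked.
    update: (decision) => (decision && decision.preferences === true ? inject() : purge()),
    isLoaded: () => scriptEl !== null,
  };
}

// Constructed stand-in for the browser so the example runs offline under Node.
function fakeBrowser() {
  const scripts = [], cookieWrites = [];
  const store = new Map([["xgen_assistant_id", "constructed-id"], ["site_theme", "dark"]]);
  const doc = {
    createElement: (tag) => ({ tag }),
    head: {
      appendChild: (el) => scripts.push(el),
      removeChild: (el) => scripts.splice(scripts.indexOf(el), 1),
    },
    set cookie(value) { cookieWrites.push(value); },
  };
  return { doc, storage: { removeItem: (k) => store.delete(k) }, scripts, cookieWrites, store };
}
```

In a browser, pass `document` and `localStorage` and call `update()` from the CMP's consent-change callback; the gate fails closed, so a missing or malformed decision leaves the widget blocked.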

GDPR consent category

Preferences

Websites using XGen AI must obtain user consent under GDPR regulations.

Legal basis: Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy) for embedded assistants and analytics; Contract (Art. 6(1)(b) GDPR) for the merchant-facing SaaS workspace
Risk level: high
Applicable regulations: GDPR, ePrivacy Directive 2002/58/EC, EU AI Act Regulation 2024/1689, TDDDG, CNIL AI Guidelines, AEPD Guía Cookies

DPIA considerations

A DPIA is required for XGen AI on EU traffic because the service processes free-text prompts that can contain personal data and, in many cases, Art. 9 GDPR special categories (health, religion, political opinion, sexual orientation). The assessment must cover the upstream model providers (OpenAI, Anthropic, in the United States), retention of conversation logs, training data isolation, the risk of prompt injection or data exfiltration, classification under the EU AI Act (limited-risk transparency duties at minimum, high risk if used in HR, credit or biometric contexts) and the Schrems II Transfer Impact Assessment for outbound US flows.

Sample consent text

This page offers an AI assistant powered by XGen AI. With your consent, your messages will be sent to XGen AI in the United States and to upstream model providers (OpenAI, Anthropic) to generate replies. Please avoid sharing health, identification or other sensitive details. You can accept, decline or close the assistant at any time. Transcripts are retained for service operation and may be deleted on request.

Technical details

Tracking method: Client-side JavaScript, First-party script, iFrame embed, Cookies, Local Storage, Server-side
Server location: United States (multi region, AWS us east and us west) with OpenAI and Anthropic upstream inference
Data transferred outside the EU: User prompts, generated content and chat transcripts are processed in the United States by XGen AI and by upstream model providers (OpenAI, Anthropic). Transfers rely on the EU US Data Privacy Framework or Standard Contractual Clauses plus supplementary measures.

Third-party domains contacted

  • xgen.ai
  • app.xgen.ai
  • cdn.xgen.ai
  • api.openai.com
  • api.anthropic.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| xgen_session | Session | Session | Maintains the visitor conversation session with the embedded XGen AI assistant so that turns are linked and the model has short term context. Requires consent before the widget loads. |
| xgen_cid | Persistent | 12 months | Persistent identifier that lets XGen AI recognise the same visitor across visits for memory and usage analytics. Requires explicit opt in consent. |
| xgen_assistant_id | Local Storage | 12 months | Stores the active assistant configuration ID in browser local storage so the widget can resume conversations. Triggers Art. 5(3) ePrivacy. |
| xgen_csrf | Session | Session | CSRF protection token for API calls made by the chat widget. Strictly necessary once the visitor has consented to use the assistant. |


Frequently asked questions

What data does the XGen AI assistant collect?

The widget captures every message the visitor types, the assistant reply, a conversation identifier, the URL of the page, the referrer, the IP address and the user agent. It typically writes a session cookie and an assistant identifier into local storage. Because prompts are free text, transcripts can contain personal data, contact details, account numbers and, frequently, Art. 9 GDPR special categories such as health, religion or political opinion. XGen AI may retain transcripts for safety filtering, debugging and quality monitoring, and may forward them to OpenAI or Anthropic for inference.

Do I need consent before loading XGen AI on an EU page?

Yes. The XGen AI loader writes identifiers to the device, which triggers Art. 5(3) ePrivacy, and it sends conversation content to processors in the United States, which triggers Art. 6(1)(a) GDPR consent. If users can share Art. 9 GDPR data the legal basis must be explicit consent under Art. 9(2)(a). The widget must be blocked behind a Consent Management Platform until the visitor opts in, and the EU AI Act Art. 50 transparency notice should be visible directly in the chat surface.

What lawful basis applies to the AI assistant processing?

For most assistant use cases the lawful basis is consent under Art. 6(1)(a) GDPR plus Art. 5(3) ePrivacy for the device storage. The merchant-facing XGen AI workspace processes employer data under contract (Art. 6(1)(b) GDPR) and may rely on legitimate interest (Art. 6(1)(f)) for service security and abuse detection. Where the chatbot processes Art. 9 special category data the operator must rely on explicit consent (Art. 9(2)(a)) or another Art. 9 derogation. The AI Act adds transparency obligations independent of GDPR.

Does XGen AI transfer data outside the EU?

Yes. XGen AI servers run in the United States, and prompts are forwarded to OpenAI and Anthropic, both also US-based. Transfers rely either on the EU US Data Privacy Framework, if the operator is certified, or on Standard Contractual Clauses with supplementary measures. A Schrems II Transfer Impact Assessment is mandatory and must specifically address FISA 702 risk for textual content. Operators should pin the inference region, opt out of training on customer data and document encryption and access controls between the EU and the US endpoint.

Is a DPIA required when deploying XGen AI?

Almost always yes. Combining AI-based automated content generation, free-text prompts that can include Art. 9 data, transfers to a non-adequate third country and large-scale website deployment satisfies several EDPB criteria. The DPIA should describe the assistant use case, data flows, retention, sub-processors (OpenAI, Anthropic), risk of hallucination and re-identification, the EU AI Act classification (limited or high risk), and the mitigations applied (prompt redaction, opt-out from training, short retention, human review).

How do I make my XGen AI deployment compliant?

Block the XGen AI loader behind the CMP and inject it only after consent. Disable training on customer data with OpenAI and Anthropic, apply prompt redaction or PII detection before inference, set a short transcript retention window and restrict access on a need-to-know basis. Publish an AI-specific privacy notice that names XGen AI and the upstream model providers as sub-processors, place the AI Act transparency disclaimer inside the chat surface and give users a clear way to download or delete their conversation history.

Are there EU-based alternatives to XGen AI?

For EU-only deployments consider self-hosted open-source assistants based on Mistral, Llama or Falcon running on European infrastructure (OVH, Scaleway, Hetzner, IONOS). Managed alternatives with EU residency include Mistral La Plateforme (Paris), Aleph Alpha (Heidelberg) and Azure OpenAI in West Europe with data residency contracts. These options keep both the orchestration layer and the inference in the EEA, which simplifies the Schrems II posture and removes FISA 702 exposure, at the cost of some feature parity with XGen AI workflows.

How often should I update the privacy notice and AI documentation?

Review the AI privacy notice and the EU AI Act technical documentation at least every six months and whenever you change the assistant prompt template, swap the underlying model, add a new data source, switch sub-processor or open the chatbot to a new user category. Re-run prompt injection and bias tests, refresh the cookie inventory if the widget configuration changed, and re-prompt users for consent when material processing purposes evolve, such as enabling memory across sessions or analytics on transcripts.