Privacy guide · UK & EU · 7 min read

GDPR & AI chatbots — your UK rights.

Short answer

If a chatbot processes your personal data and you're in the UK or EU, GDPR applies — UK GDPR in the UK, EU GDPR in the EU — full stop. Here's what it requires and how to spot a compliant app.

We'll walk through the rules that actually matter when you chat with an AI: what lawful processing looks like, what "data minimization" means in practice, how the right to erasure works, why children's data needs extra care under the UK Age Appropriate Design Code, and exactly how Soriz handles each of these.

In short

The 4-bullet compliance answer.

  • UK GDPR applies if you're in the UK. EU GDPR applies if you're in the EU. The rules are close cousins — same rights, same core principles, same enforcement weight.
  • You have real rights. Access, rectification, erasure, data portability, and the ability to object to certain processing. A compliant chatbot app makes exercising these rights easy, not a maze.
  • Chatbots must minimise data. Only collect what's needed to run the service. Only keep it as long as necessary. Only process it for the purpose you were told about.
  • Soriz is built with these defaults on — no training on your chats, self-serve deletion, age-appropriate defaults, and a privacy contact at hello@soriz.com.

What UK GDPR actually requires from an AI chatbot

GDPR is famously long, but for an AI chatbot the practical requirements boil down to a handful of layers. If the app isn't getting these right, that's your signal.

A lawful basis for processing

Usually contract (you signed up) or consent (you ticked a specific, informed box). Vague "legitimate interest" claims for sensitive emotional data don't hold up: chat content can reveal health, beliefs or sexuality, which are special category data and need an explicit condition on top of a lawful basis.

A clear, plain-English notice

Users should understand what's collected, why, for how long, and who it's shared with — without needing a solicitor.

Data minimization & purpose limitation

Collect only what's needed. Use it only for the purpose you stated. Don't quietly repurpose chat logs for ad targeting.

Data subject rights

Access, rectification, erasure, portability, objection — responded to within one month, usually free of charge, self-serve wherever possible.

Security by design

Encryption in transit and at rest, access controls, breach response plan. "Trust us" isn't a security measure.

Contact for concerns

A named privacy contact or DPO you can actually reach — email, not a hidden form that goes nowhere.

Common gaps in AI chatbot privacy

Where AI chatbots tend to fall short — the patterns worth checking before you sign up:

  • Vague "improve our services" language. If the privacy notice won't rule out training on your chats, assume it happens.
  • Bundled consent. One big checkbox covering chat storage, model training, and marketing emails isn't specific consent under UK GDPR.
  • Hidden retention periods. "We might keep your data for as long as necessary" is not a retention policy. You want actual timeframes.
  • Friction on erasure. If deleting your account requires a support ticket, a screenshot, and two weeks, that's a choice — not a compliance success.
  • Transfers outside the UK/EU. If your data goes outside the UK/EU, the company needs a lawful transfer mechanism (SCCs, adequacy decision). This should be disclosed.
  • Weak age defaults. Apps likely used by under-18s must default to high-privacy settings — not ship with everything switched on.

A 5-minute pre-signup check

Before you give a chatbot your thoughts, check for these specifics. You don't need to be a lawyer — you just need to read carefully.

  • Open the privacy notice and search for "train." You want an explicit statement that chats are not used to train models.
  • Search for "delete" and "erasure." A compliant app documents how deletion works. Self-serve is a good sign.
  • Search for "children" or "age." UK-facing apps should reference the Age Appropriate Design Code or set a clear minimum age.
  • Search for "DPO" or "data protection." You want a real contact email, not a form.
  • Check retention. Specific periods (e.g. "we delete inactive accounts after 24 months") beat vague "as long as necessary" wording.
  • Check transfers. If data goes outside the UK/EU, the mechanism should be named (Standard Contractual Clauses, adequacy decision).

How Soriz meets UK GDPR

The short version, plainly stated:

  • We don't train our models on your chats. This is default and stated in our privacy policy. No opt-out needed — it's just off.
  • Data minimization is baked in. We ask for an account and accept your chats. We don't ingest your contacts, scrape your gallery, or harvest location.
  • Erasure is self-serve. You can clear a companion's memory, delete individual chats, or close your account directly from Settings. Deletion propagates globally — not just in the UK/EU.
  • Consent is specific. Marketing emails and optional features have their own opt-in boxes. Nothing is bundled in the signup flow.
  • Age-appropriate defaults are on. Non-sexual, non-exploitative defaults across all 20 companions. The UK Age Appropriate Design Code shaped our product design, not just our legal page.
  • Privacy contact is real. Reach us at hello@soriz.com for data subject requests, DPO-style queries, or concerns. We respond within the UK GDPR one-month window.
  • We document transfers. Where your data lives and how it moves is written in our privacy policy in plain English.

If any of this changes, we'll say so — and we'll tell you before it affects you, not after.

Soriz & UK GDPR — at a glance

UK GDPR requirement, and how Soriz handles it:

  • Lawful basis for processing: Contract for core chat; specific consent for optional features like marketing email.
  • Data minimization: Account essentials + chat content only. No contact-list, location, or gallery ingestion.
  • Right to access: Request your data export via hello@soriz.com. Responded to within one month.
  • Right to erasure: Self-serve from Settings — memory clear, chat delete, or full account close. Global scope.
  • Training on user data: Off by default. Not used to train Soriz models.
  • Children's data (UK AADC): High-privacy defaults; non-sexual content across all companions; no behavioural ad profiling.
  • Security: Encryption in transit and at rest, access controls, incident response process.
  • Privacy contact: hello@soriz.com — real human, real response.

Red flags to avoid

Training on chats by default

Either openly stated, or hidden behind vague language that doesn't rule it out.

Buried erasure path

Deletion requires a support ticket, proof of ID for no reason, or weeks of follow-up.

No named privacy contact

Just a form that disappears into the void. UK GDPR expects a real route for data subject rights.

Undisclosed non-UK transfers

Your data is processed outside the UK/EU but no transfer mechanism is named.

Children's data gaps

App likely used by under-18s but ships without high-privacy defaults or a clear age gate.

Silent policy edits

Privacy notice changes without user-facing notice. You should always be told before terms shift.

This isn't legal advice

This guide is general information about UK GDPR expectations for AI chatbot services — not legal advice. UK GDPR is enforced by the Information Commissioner's Office (ICO) in the UK and by national supervisory authorities across the EU under EU GDPR. For specific legal or compliance questions, speak with a qualified solicitor or data protection professional. If you believe a service is mishandling your data, you can raise a concern with the ICO (UK) or your national data protection authority (EU).

Real questions.

Do AI chatbots need to comply with GDPR?

Yes. Any AI chatbot that processes the personal data of UK or EU residents falls under UK GDPR or EU GDPR — regardless of where the company is based. That means a lawful basis for processing, a plain-English privacy notice, support for data subject rights, and appropriate security. Using an AI chatbot does not exempt a company from the rules.

What does data minimization mean for an AI chatbot?

Data minimization means a chatbot should only collect the personal data it genuinely needs to provide the service. An AI companion app needs an account and chat content to work — it does not need your full contact list, location history, or an open microphone. If a chatbot asks for more than it needs, that is a compliance concern.

Can I ask an AI chatbot to delete my data?

Yes. The right to erasure (sometimes called the right to be forgotten) is one of the core rights under UK GDPR. A compliant AI chatbot must let you delete chats, clear memory, and close your account in a reasonable timeframe. Soriz honours erasure requests globally and provides self-serve deletion in Settings.

Do AI chatbots need my consent?

It depends on the processing activity. Running the core chat usually relies on contract (you signed up to use the service). Optional activities — analytics, marketing emails, model training on your data — require separate, specific consent. Bundled consent buried in a terms checkbox is not lawful consent under UK GDPR.

What about children's data under the UK Age Appropriate Design Code?

The UK Age Appropriate Design Code requires services likely to be used by children to default to high-privacy settings, minimise data collection, avoid dark patterns, and provide clear, age-appropriate information. AI companion apps should treat teen accounts with stricter defaults — Soriz keeps age-appropriate and non-sexual defaults on for all companions and does not profile users for advertising.

Does Soriz have a Data Protection Officer (DPO)?

You can reach our data protection contact at hello@soriz.com. For UK and EU users, our privacy team handles data subject access requests, erasure requests, and concerns about processing. Full contact information and process details are in our privacy policy.

Does Soriz train its AI models on UK users' chats?

No. Soriz does not use your conversations to train its models. This is stated explicitly in our privacy policy and is the default for every account — no opt-out required. This approach meets UK GDPR expectations around purpose limitation and transparent processing.
