CodeWords raises $9M seed round
BlogResources

How to keep your WhatsApp bot GDPR compliant

Keep your WhatsApp bot GDPR compliant with six practical steps covering consent, data minimisation, right to erasure, and retention limits for 2026.

Rebecca PearsonRebecca Pearson6 min read
How to keep your WhatsApp bot GDPR compliant

GDPR compliance for WhatsApp bots isn't optional in the UK and EU — and regulators are paying more attention to conversational AI than ever. But it's also not as complicated as most compliance guides make it sound. This article covers the legal requirements you actually need to know and six practical steps to stay on the right side of the rules.

TL;DR

  • GDPR applies the moment your bot touches personal data — which starts with the phone number the conversation comes from.
  • Six practical steps cover the essentials: consent, disclosure, data minimisation, TTLs, erasure commands, and log masking.
  • How you build matters as much as what you build. Platforms that use ephemeral sandboxes, encrypted secrets, and namespace isolation reduce your exposure significantly.

What GDPR actually requires for WhatsApp bots

The General Data Protection Regulation applies whenever you process personal data about EU or UK residents. A WhatsApp bot processes personal data from the first message — the sender's phone number is personally identifiable information.

Here are the four requirements that matter most for bot builders.

Lawful basis for processing. You need a legal reason to process each type of data. For most WhatsApp bots, this is either legitimate interests (you have a genuine business reason that doesn't override the user's rights) or consent (the user has actively agreed). For sensitive data — health information, financial details — consent is almost always required.

Data minimisation. Only collect what you actually need. If your bot answers FAQs, you don't need to store the user's name. If it books appointments, you need the name and time slot — not their home address.

Right to erasure. Users have the right to ask you to delete their data. Your bot needs a way to honour this request, and it should be easy to find.

Retention limits. You can't keep personal data indefinitely. You need a policy for how long conversation data is stored and a mechanism to delete it automatically.

Six practical steps to stay compliant

Step 1: tell users they're talking to an AI

This is both a GDPR transparency requirement and good practice. Users have a right to know when they're interacting with an automated system, especially one that's collecting their data.

Add a disclosure to your opening message: "Hi, I'm [Name], [Business]'s AI automation assistant. I can help with [X, Y, Z]. Anything you share is handled in line with our privacy policy at [link]."

This is also about trust. Users who know they're talking to an AI and still choose to engage are implicitly consenting to that interaction. You want that consent to be informed.

If your bot needs personal details — name, email, address, health information, payment details — ask for consent before collecting them. Don't bury it in your opening message. Ask clearly and wait for a positive response.

"To book your appointment, I'll need to save your name and contact number. Is that okay?" followed by waiting for "yes" before proceeding is a simple, compliant pattern.

This is especially important for sensitive categories of data. A bot serving a health clinic that asks "what's your reason for visiting?" is collecting health data. That requires explicit consent.

Step 3: set conversation TTLs to auto-delete

TTL stands for time-to-live. It means your conversation data is automatically deleted after a set period. For most WhatsApp bots, 30–90 days is a reasonable retention window.

Anything beyond 90 days should only be kept if there's a clear business reason (e.g. ongoing client relationships) and should be documented.

Configure your TTL at platform level where possible. Automatic deletion is more reliable than manual review.

Step 4: implement a "delete my data" command

Users have the right to erasure. Make it easy: if someone types "delete my data" or "forget me," the bot should confirm what data it holds and offer to delete it immediately.

A simple system prompt instruction handles this: "If the user asks to delete their data, forget me, or similar, confirm what information you hold and that it will be deleted, then tell them it's done. Do not continue the conversation after deletion."

Document this behaviour in your privacy policy and in your data processing records.

Step 5: mask or avoid logging personally identifiable information

Logs are a common GDPR blind spot. Many bot platforms log full conversation transcripts by default — including phone numbers, names, and whatever personal details were shared. That's a data store that's easy to forget and hard to secure.

Best practice: don't log raw conversation content. If you need logs for debugging, mask phone numbers (replace the middle digits with asterisks) and strip PII from log entries. Treat your logs as a security-sensitive asset, not a debugging convenience.

Step 6: document your processing activities

Article 30 of GDPR requires organisations to maintain records of processing activities. For most small businesses, a simple spreadsheet works fine. It should cover: what data you collect, why you collect it, how long you keep it, who has access to it, and how it's secured.

This sounds onerous, but for a typical WhatsApp bot it's one to two pages. Having it done means you're ready if you ever receive a Subject Access Request or a regulator enquiry.

How CodeWords approaches data privacy

If you're building your WhatsApp bot on CodeWords, several of these requirements are handled at platform level.

CodeWords uses ephemeral sandboxes — each bot execution runs in an isolated environment that's cleaned up after completion. Your API keys and integration credentials are stored as encrypted secrets, not in plain text. Conversation memory is namespaced per user, meaning one user's data is never accessible to another. And CodeWords never uses your conversation data to train AI models.

That doesn't mean you can skip the six steps above — your responsibilities as a data controller remain yours. But the infrastructure layer is already built with privacy in mind, which reduces your exposure considerably.

GDPR as a competitive advantage

Compliance is often framed as a burden. But for WhatsApp bots that touch personal data — which is most of them — being demonstrably GDPR compliant is a trust signal.

If you're building bots for clients, include a brief compliance checklist in your handover documentation. If you're building for your own business, publish a clear privacy notice and make the "delete my data" command visible. Users who see you taking privacy seriously are more likely to engage openly — which makes your bot more effective.

Get started today

Your first agent is free to build.

Describe what you need. Cody handles the build, the connections, and the deployment.