Flyweight: Using an AI Chatbot for Shopify in Compliance with GDPR & AI Act
Complete guide to using Flyweight AI Chatbot for Shopify in compliance with GDPR and AI Act. Includes privacy policy template and compliance checklist.
Order Processing Agreement, Labeling Obligation, Privacy Policy, GDPR, AI Act – WHAT? 🤯🤯

The checklist and the privacy policy template provided here assume that we operate a Shopify store and want to implement a GDPR-compliant AI chatbot. This article is presented without any acknowledgment of a legal obligation and does not constitute legal advice.
Terminology
- General Data Protection Regulation (GDPR)
  The GDPR is the primary data protection regulation in Europe, aimed at protecting users' personal data. It sets out how companies must handle data—for instance, collecting only as much as is truly necessary and storing data securely. The GDPR also grants user rights, such as access, deletion, and correction of their data. For chatbots, this means they must not collect user data indiscriminately and must be transparent about data handling.
- Artificial Intelligence Act (AI Act)
  The AI Act is a new, proposed EU law that establishes guidelines for artificial intelligence. Its goal is to ensure the safe and fair use of AI systems like chatbots. The AI Act categorizes AI systems by risk levels, from low to high risk. Depending on the risk category, there are specific requirements, such as making it clear to users that they are interacting with AI and ensuring the AI does not make discriminatory decisions. Chatbots performing sensitive tasks fall into higher risk categories and must meet stricter requirements.
- Data Processing Agreement (DPA)
  A Data Processing Agreement is a contract between a company (wishing to use the chatbot) and a provider (offering or operating the chatbot). This agreement ensures that the provider processes user data according to the company's instructions and complies with data protection requirements. This helps ensure data is used safely and responsibly. If a company uses an external chatbot service, a DPA is needed to prove that the provider also respects the GDPR.
- Privacy Policy
  A privacy policy is an information page for chatbot users. It explains which data is collected, why it is needed, and how long it will be stored. The privacy policy also explains user rights, such as the right to delete data or to learn what data has been stored. It is essential to present this information clearly, so users understand what they agree to when using the chatbot.
- Labeling Obligation
  According to the GDPR and particularly the planned AI Act, users must always be aware that they are interacting with AI—a chatbot—and not a real person. This is called a labeling obligation. Companies should make it clear that the chatbot is not a human. This labeling fosters transparency and avoids misunderstandings.
Roles and Responsibilities
Understanding roles is crucial as they define responsibilities.
Processor
The chatbot provider typically acts as the processor. In this role, the provider processes data on behalf of the store operator and according to their instructions. The provider handles the chatbot's technical implementation and operation without making decisions about the purposes of data processing. The provider’s task is to apply the data protection standards set by the controller and implement technical and organizational measures to protect personal data. As a result, the chatbot provider is contractually obligated to process data only as directed and not for any independent purposes.
Controller
It may seem confusing at first, but the store operator assumes the role of the controller. As the controller, they decide on the purposes and methods of data processing, such as what data the chatbot collects and for what purpose (e.g., for customer support or marketing). They are responsible for ensuring that data collection and processing meet data protection requirements and that affected persons' rights are upheld. The store operator is the entity that determines and manages the chatbot’s usage and is, therefore, responsible for data protection compliance in this context. This may sound extensive, but it simply requires clear definition in the privacy policy.
Practical Example
The Shopify store "GarlicPress24" wants to use an AI chatbot to generate leads: when a customer asks about the specifications of a garlic press, the AI should provide guidance from a garlic press expert, collecting the customer’s contact details (name and email) and forwarding them to the expert.
The Shopify store has a choice—do they collect the lead through AI, or do they simply show customers a note: “contact our experts at Email X”? The Shopify store is the controller (deciding what should happen and ensuring customers are informed in the privacy policy). The AI chatbot provider handles the technical setup and ensures that data is processed in a way that complies with data protection requirements—acting as the processor.
How to Use an AI Chatbot in Compliance with Data Protection Requirements: A Checklist
Roles define responsibilities for operating a GDPR- and AI Act-compliant chatbot.
- Collect Only Necessary Data
  The chatbot should collect only essential information and nothing more. This responsibility lies with the chatbot provider. At Flyweight, we aim to process only the minimum necessary personal data. For instance, if a customer inquires about an order status, we process only postal codes and order numbers, avoiding additional personal address or order data. Moreover, personal data is treated separately from the AI.
- Be Transparent
  Users should understand precisely what data the chatbot collects and how it will be used. The privacy policy can clarify this, which is especially important for Shopify store operators. As the controller, the store operator must adapt the privacy policy to inform customers properly. Don't worry; a template for enhancing the privacy policy for compliant chatbot usage is provided below.
- Establish a Data Processing Agreement (DPA)
  If the chatbot is from an external provider, a contract should ensure that the provider handles data in accordance with the GDPR. Make sure the chatbot provider offers a DPA (often part of the contract).
- Regularly Check Security and Data Protection
  The AI Act also requires regular checks of AI risks to ensure the chatbot remains compliant. Typically, this is handled by the chatbot provider. We regularly update this guide and inform you of relevant changes.
- Labeling Obligation
  Although explicit labeling may not yet be a legal requirement, transparent communication is always recommended to inform users that they are interacting with AI. Our AI chatbot is delivered with a default footer reading "AI powered by Flyweight," which we recommend keeping. To be extra cautious, you can also mention AI in the start message or in the chatbot's name.
⭐️ Privacy Policy Template
As we've seen, Shopify stores, in the role of controllers, are primarily responsible for clearly communicating how data is processed.
Where’s the best place for this? The privacy policy, of course!
💡 If we were the shop operator using the Flyweight AI Chatbot, we would add the following section to our privacy policy (without acknowledging a legal obligation or providing legal advice):
👇👇👇👇👇👇👇👇👇👇
Use of the Chatbot with Forms
We offer you an AI-based chatbot from Flyweight GmbH, Jungbuschstraße 28, 68159 Mannheim, Germany (https://www.flyweight.io/legal-notice / https://www.flyweight.io/privacy-statement) on our website to answer your questions. When you use the chatbot, your queries are answered by combining a database built from the content of our own website with a large language model. The chatbot is instructed not to ask for personal data. Good to know: if separate forms appear as a result of your inquiries, in which you may then have to provide personal data depending on your inquiry, the information you provide there is processed separately and accordingly is not sent to the AI.
Processed Data Categories: The data categories result from your inquiries when you enter personal data within your question.
- For example, if you ask: "Where is my order?", a form will appear in which you can enter your order number and your zip code.
- If, for example, you would like to find out more about a product and receive appropriate advice, a form will appear in which you can enter the relevant information (e.g. name, telephone, e-mail, etc.).
Purpose of Processing: Processing the information you provide to create responses to your requests using the chatbot.
- Example: If you ask: "Where is my order?" and enter your order number and zip code in the form, this information is used to make a direct request to the store system (Shopify) so that the delivery information can be retrieved and you can be informed about the status of the order.
- Example: If you would like advice on a product, your request (with the data you provide in the form and the entire chat history) will be forwarded to the store operator so that they can contact you.
Data Source: We collect this data directly from you.
Legal Basis: We process data to fulfill contractual or pre-contractual obligations in accordance with Article 1 Paragraph 1 Subparagraph 1 Letter b GDPR.
Data Retention: Data is stored until your inquiry is resolved or for the contract’s duration and beyond until legal retention periods (6 to 10 years) have passed.
Location of Recipients: EU and non-EU.
Guarantees for Transfers to Third Countries: EU Standard Contractual Clauses (SCC), Adequacy Decision
👆👆👆👆👆👆👆👆👆👆