Can an AI chatbot be GDPR-compliant for an aesthetic clinic?

An AI chatbot can be used in a GDPR-compliant way by an aesthetic clinic, but a “GDPR-compliant chatbot” is not a product a clinic can simply buy.

Compliance depends on what the chatbot processes, whether visitors disclose health information, where their messages are sent, whether conversations are stored or reused, which providers are involved and what visitors are told.

A privacy-conscious product can make compliance considerably easier. It cannot replace the clinic’s own privacy notice, contracts and responsibilities.

The useful question is therefore not:

Is there a GDPR-compliant badge on the chatbot?

It is:

What happens to a visitor’s message from the moment they type it?

Why aesthetic clinics require particular care

Not every clinic chatbot message contains personal data.

Questions such as these may reveal nothing about the visitor:

Do you offer Sculptra?
Is there parking near the clinic?
What happens during a consultation?

But the conversation can change in one message:

I have rosacea and take isotretinoin. Can I have this treatment?
I had filler yesterday and now my vision is blurred.

Information about an identifiable person’s physical or mental health can qualify as data concerning health. Under Article 9 of the GDPR, health data belongs to a specially protected category of personal data.

Example messageWhat it may contain
“Do you offer this treatment?”Usually no personal data
“Please call me on this number”Contact and identification data
“I have rosacea and take medication”Potential health data
“Here is a photograph of my swelling”Personal data, possible health data and clinical risk
“My vision is blurred after filler”Potential health data and an urgent safety issue

A clinic chatbot can therefore move from an anonymous practical question to sensitive information almost instantly.

Its privacy design must account for what visitors may type—not only what the chatbot deliberately asks them.

What does the GDPR require?

Data minimisation

Article 5 of the GDPR requires personal data to be adequate, relevant and limited to what is necessary for the purpose.

A clinic does not ordinarily need someone’s name, email address and phone number to answer whether it offers a treatment, has private consultation rooms or opens on Saturdays.

Collecting less personal data is not only a legal principle. It also creates a better user experience.

A visitor can have genuine treatment intent without being ready to identify themselves. Requiring contact details before giving a basic answer turns the chatbot into a lead form disguised as conversation.

A lawful basis

Where personal data is processed, the clinic must identify an appropriate lawful basis under the GDPR.

Where health data is involved, an applicable Article 9 condition is also required. The fact that a visitor voluntarily typed health information does not, by itself, settle every legal question about how that information may subsequently be stored, shared or reused.

Consent may be relevant in some situations, but “the visitor accepted cookies” is not a universal answer.

Transparency

Visitors should be told, in clear language:

  • who is responsible for the processing;
  • why their data is processed;
  • which providers receive it;
  • whether conversations are stored;
  • how long information is retained;
  • whether it is reused for model training;
  • whether data leaves the European Economic Area;
  • what rights the visitor has.

Article 13 of the GDPR sets out information that must be provided when personal data is obtained directly from an individual.

AI disclosure becomes legally required on 2 August 2026

Data-protection information and AI disclosure are related, but they are not identical.

Article 50 of the EU AI Act requires providers of AI systems designed to interact directly with people to ensure that users are informed that they are interacting with AI, unless this is already obvious from the circumstances.

This obligation applies from 2 August 2026.

For clinics, the practical point is simple: the chatbot used on the website should clearly identify itself as AI from the beginning of the interaction. A visitor should never have to guess whether they are speaking to reception staff or software.

When choosing a chatbot, a clinic should confirm that the provider builds this AI disclosure in.

Storage limitation

Chat histories should not be retained indefinitely simply because storage is inexpensive.

If conversations are stored, the clinic and provider should be able to explain:

  • why storage is necessary;
  • which messages are retained;
  • who can access them;
  • how long they remain available;
  • when they are deleted.

Conversation logs from an aesthetic clinic may contain far more sensitive information than an ordinary e-commerce support transcript.

Processor agreements

When a chatbot provider processes personal data on behalf of a clinic, the relationship generally requires appropriate contractual terms under Article 28 of the GDPR.

The clinic should also know which subprocessors, hosting providers and AI providers are involved.

International transfers

Using a non-EU company is not automatically prohibited. However, the clinic must understand where personal data is processed and what safeguards apply if it is transferred outside the European Economic Area.

The relevant question is not merely where the chatbot company has its registered office. It is where the complete processing chain sends the data.

Cookie consent does not answer the chatbot question

Cookie banners regularly create a false sense that all website privacy decisions have been resolved.

They have not.

The visitor rejected cookies, but the chatbot still stores messages

A visitor may reject optional cookies and then use the chatbot. The provider may still store the conversation on its servers.

Server-side conversation storage does not necessarily depend on cookies.

The relevant questions are whether the storage has a lawful purpose, whether it is necessary, whether it was properly disclosed and how long the messages are retained.

Rejecting cookies does not automatically prevent all other forms of data processing.

The visitor accepted cookies, but did not agree to everything

Accepting analytics or marketing cookies does not automatically mean that the visitor agreed to:

  • full chatbot conversation storage;
  • indefinite retention of health details;
  • reuse of messages for AI training;
  • disclosure to unrelated providers.

A generic “Accept all” click should not be stretched into permission for unrelated processing purposes.

Cookie consent and chatbot-message processing must be assessed separately.

The chatbot demands personal details before answering

Some chat widgets require a visitor to provide:

  • a full name;
  • an email address;
  • a phone number;

before asking whether the clinic offers a treatment or has parking.

Why?

The visitor has not necessarily decided to contact the clinic. They may still be researching, comparing options and deciding whether the clinic is relevant.

That is not privacy-first assistance. It is mandatory lead capture.

Where clinic chatbots commonly fail

RiskWhy it mattersBetter approach
Name, email and phone required before the first answerCreates unnecessary collection and frictionAllow anonymous questions
Full conversations stored without clear disclosureMessages may contain health informationAvoid storage or define a narrow purpose and retention period
Cookie acceptance treated as permission for chat storageDifferent processing purposes are conflatedExplain chatbot processing separately
Conversations reused for model trainingPatient information may be used for a secondary purposeObtain a clear contractual answer and prevent reuse
No data processing agreementResponsibilities remain unclearPut appropriate Article 28 terms in place
No subprocessor or hosting informationThe clinic cannot assess the data chainDisclose providers and processing locations
No AI disclosureVisitors may believe they are speaking to staffIdentify the chatbot clearly as AI
Photographs accepted through ordinary chatPrivacy and clinical risk increase sharplyUse a separate secure clinical workflow
Logs retained indefinitelyConflicts with storage limitationEstablish and enforce deletion periods
No urgent-symptom pathwayThe assistant may respond inappropriately to complicationsUse predefined escalation rules

The European Data Protection Board has specifically examined the processing of personal data in the development and deployment of AI models, including questions around anonymity, legitimate interests and the consequences of unlawfully processed training data. Its guidance makes clear that data-protection principles must be considered throughout the design and operation of an AI system, rather than treated as an afterthought.

Questions to ask before choosing a clinic chatbot

Do not accept “we are GDPR-compliant” as the complete answer. Ask for the real data flow.

  1. Can visitors ask ordinary questions without giving their name, email address or phone number?
  2. Are full conversations stored?
  3. If conversations are stored, why and for how long?
  4. Are messages used to train or improve AI models?
  5. Which information is sent to the AI provider?
  6. Where is that information processed?
  7. Which subprocessors are involved?
  8. Is a data processing agreement available?
  9. What happens when a visitor enters health information?
  10. Can visitors upload photographs?
  11. How are urgent symptoms handled?
  12. Does the interface clearly disclose that it uses AI?
  13. What data is retained after a callback or contact request?
  14. Can the provider explain the entire flow without vague phrases such as “service improvement”?

Clinics should never assume that “AI-powered” describes one standard processing model. Different providers may handle messages in very different ways.

How iGlowly approaches privacy

iGlowly was designed around data minimisation rather than mandatory lead capture.

Visitors can ask pre-booking questions anonymously. They do not need to create an account or provide a name, email address or phone number before receiving an answer.

Conversation histories are not stored.

The most important design choice concerns what the AI model can see. Before a message is sent to the AI model, it passes through an Azure-based sanitising layer designed to detect and remove names, contact details and other direct identifiers. Model training on iGlowly conversation data is disabled. In other words, personal data is minimised by the architecture itself, not by a setting each clinic has to remember to switch on.

Personal data is processed only when a visitor actively chooses to request a callback. In that case:

  1. The visitor provides a name and phone number.
  2. The visitor explicitly agrees to those details being emailed to the clinic’s reception team.
  3. iGlowly processes the information to deliver that callback request.
  4. The information is not retained by iGlowly as a lead database.

This is different from requiring every visitor to identify themselves before they can ask a basic question.

The default conversation remains anonymous. Identifiable information enters the workflow only when the visitor deliberately asks the clinic to contact them.

iGlowly also identifies itself as an AI assistant and is restricted to controlled medical information and clinic-approved content. It does not search the open web during patient conversations.

These are built-in product choices, not optional privacy settings that each clinic must remember to activate. You can read how the architecture works in the Zero-PHI architecture overview and how the widget operates without cookies in the no-cookies explanation. A fuller account of the product’s privacy posture is in the iGlowly Trust Center.

These design choices are also more precise than claiming that a chatbot is universally “GDPR-compliant.” The clinic still needs an accurate privacy notice, appropriate contractual arrangements and procedures consistent with how it uses the service.

The honest verdict

An AI chatbot can be used by an aesthetic clinic without turning every question into a stored patient record.

But that outcome depends on the design:

  • anonymous access;
  • minimal data processing;
  • no unnecessary lead gate;
  • clear AI disclosure;
  • limited or no conversation retention;
  • no undisclosed reuse;
  • appropriate contracts;
  • explicit agreement when a visitor requests personal follow-up.

Rejecting cookies does not necessarily stop server-side chat storage.

Accepting cookies does not mean agreeing to store or train on every message.

And asking for a name, email address and phone number before answering a basic question is not conversational support. It is lead capture.

The most useful question a clinic can ask is:

What happens to the visitor’s message after they press send?

See how iGlowly Assistant handles privacy and patient questions.

This article provides general information and is not a substitute for legal advice about a clinic’s particular processing activities.

FAQ

Un chatbot IA est-il automatiquement conforme au RGPD ?

Non. La conformité dépend de la manière dont le chatbot est configuré et utilisé : quelles données il traite, si les visiteurs divulguent des informations de santé, si les conversations sont conservées ou réutilisées, quels prestataires interviennent et ce qui est expliqué aux visiteurs. Un produit conçu pour limiter les données facilite la conformité, mais ne remplace pas les obligations de la clinique.

Les messages d’un chatbot peuvent-ils contenir des données de santé ?

Oui. Une question générale comme « Proposez-vous ce traitement ? » ne révèle généralement aucune donnée de santé. En revanche, un message mentionnant une maladie, un médicament, un traitement antérieur ou une complication peut contenir des données concernant la santé, qui bénéficient d’une protection particulière au titre du RGPD.

Une clinique doit-elle indiquer que son chatbot utilise l’IA ?

Oui. À partir du 2 août 2026, l’article 50 du règlement européen sur l’IA impose aux fournisseurs de systèmes conçus pour interagir directement avec des personnes de veiller à ce que les utilisateurs sachent qu’ils interagissent avec une IA, sauf si cela est déjà évident. En pratique, le chatbot d’une clinique devrait s’identifier clairement comme assistant IA dès le début de l’échange.

Une clinique européenne peut-elle utiliser un fournisseur de chatbot basé aux États-Unis ?

Oui, mais elle doit comprendre où les données sont réellement traitées, quels prestataires interviennent et quelles garanties s’appliquent si des données personnelles sont transférées en dehors de l’Espace économique européen. Le pays du siège social ne suffit pas à répondre à la question : c’est le flux de données complet qui compte.

By iGlowly Insights
July 12, 2026
Sources