An AI chatbot can be used in a GDPR-compliant way by an aesthetic clinic, but a “GDPR-compliant chatbot” is not a product a clinic can simply buy.
Compliance depends on what the chatbot processes, whether visitors disclose health information, where their messages are sent, whether conversations are stored or reused, which providers are involved and what visitors are told.
A privacy-conscious product can make compliance considerably easier. It cannot replace the clinic’s own privacy notice, contracts and responsibilities.
The useful question is therefore not:
Is there a GDPR-compliant badge on the chatbot?
It is:
What happens to a visitor’s message from the moment they type it?
Why aesthetic clinics require particular care
Not every clinic chatbot message contains personal data.
Questions such as these may reveal nothing about the visitor:
Do you offer Sculptra?
Is there parking near the clinic?
What happens during a consultation?
But the conversation can change in one message:
I have rosacea and take isotretinoin. Can I have this treatment?
I had filler yesterday and now my vision is blurred.
Information about an identifiable person’s physical or mental health can qualify as data concerning health. Under Article 9 of the GDPR, health data belongs to a specially protected category of personal data.
A clinic chatbot can therefore move from an anonymous practical question to sensitive information almost instantly.
Its privacy design must account for what visitors may type—not only what the chatbot deliberately asks them.
What does the GDPR require?
Data minimisation
Article 5 of the GDPR requires personal data to be adequate, relevant and limited to what is necessary for the purpose.
A clinic does not ordinarily need someone’s name, email address and phone number to answer whether it offers a treatment, has private consultation rooms or opens on Saturdays.
Collecting less personal data is not only a legal principle. It also creates a better user experience.
A visitor can have genuine treatment intent without being ready to identify themselves. Requiring contact details before giving a basic answer turns the chatbot into a lead form disguised as conversation.
A lawful basis
Where personal data is processed, the clinic must identify an appropriate lawful basis under the GDPR.
Where health data is involved, an applicable Article 9 condition is also required. The fact that a visitor voluntarily typed health information does not, by itself, settle every legal question about how that information may subsequently be stored, shared or reused.
Consent may be relevant in some situations, but “the visitor accepted cookies” is not a universal answer.
Transparency
Visitors should be told, in clear language:
- who is responsible for the processing;
- why their data is processed;
- which providers receive it;
- whether conversations are stored;
- how long information is retained;
- whether it is reused for model training;
- whether data leaves the European Economic Area;
- what rights the visitor has.
Article 13 of the GDPR sets out information that must be provided when personal data is obtained directly from an individual.
AI disclosure becomes legally required on 2 August 2026
Data-protection information and AI disclosure are related, but they are not identical.
Article 50 of the EU AI Act requires providers of AI systems designed to interact directly with people to ensure that users are informed that they are interacting with AI, unless this is already obvious from the circumstances.
This obligation applies from 2 August 2026.
For clinics, the practical point is simple: the chatbot used on the website should clearly identify itself as AI from the beginning of the interaction. A visitor should never have to guess whether they are speaking to reception staff or software.
When choosing a chatbot, a clinic should confirm that the provider builds this AI disclosure in.
Storage limitation
Chat histories should not be retained indefinitely simply because storage is inexpensive.
If conversations are stored, the clinic and provider should be able to explain:
- why storage is necessary;
- which messages are retained;
- who can access them;
- how long they remain available;
- when they are deleted.
Conversation logs from an aesthetic clinic may contain far more sensitive information than an ordinary e-commerce support transcript.
Processor agreements
When a chatbot provider processes personal data on behalf of a clinic, the relationship generally requires appropriate contractual terms under Article 28 of the GDPR.
The clinic should also know which subprocessors, hosting providers and AI providers are involved.
International transfers
Using a non-EU company is not automatically prohibited. However, the clinic must understand where personal data is processed and what safeguards apply if it is transferred outside the European Economic Area.
The relevant question is not merely where the chatbot company has its registered office. It is where the complete processing chain sends the data.
Cookie consent does not answer the chatbot question
Cookie banners regularly create a false sense that all website privacy decisions have been resolved.
They have not.
The visitor rejected cookies, but the chatbot still stores messages
A visitor may reject optional cookies and then use the chatbot. The provider may still store the conversation on its servers.
Server-side conversation storage does not necessarily depend on cookies.
The relevant questions are whether the storage has a lawful purpose, whether it is necessary, whether it was properly disclosed and how long the messages are retained.
Rejecting cookies does not automatically prevent all other forms of data processing.
The visitor accepted cookies, but did not agree to everything
Accepting analytics or marketing cookies does not automatically mean that the visitor agreed to:
- full chatbot conversation storage;
- indefinite retention of health details;
- reuse of messages for AI training;
- disclosure to unrelated providers.
A generic “Accept all” click should not be stretched into permission for unrelated processing purposes.
Cookie consent and chatbot-message processing must be assessed separately.
The chatbot demands personal details before answering
Some chat widgets require a visitor to provide:
- a full name;
- an email address;
- a phone number;
before asking whether the clinic offers a treatment or has parking.
Why?
The visitor has not necessarily decided to contact the clinic. They may still be researching, comparing options and deciding whether the clinic is relevant.
That is not privacy-first assistance. It is mandatory lead capture.
Where clinic chatbots commonly fail
The European Data Protection Board has specifically examined the processing of personal data in the development and deployment of AI models, including questions around anonymity, legitimate interests and the consequences of unlawfully processed training data. Its guidance makes clear that data-protection principles must be considered throughout the design and operation of an AI system, rather than treated as an afterthought.
Questions to ask before choosing a clinic chatbot
Do not accept “we are GDPR-compliant” as the complete answer. Ask for the real data flow.
- Can visitors ask ordinary questions without giving their name, email address or phone number?
- Are full conversations stored?
- If conversations are stored, why and for how long?
- Are messages used to train or improve AI models?
- Which information is sent to the AI provider?
- Where is that information processed?
- Which subprocessors are involved?
- Is a data processing agreement available?
- What happens when a visitor enters health information?
- Can visitors upload photographs?
- How are urgent symptoms handled?
- Does the interface clearly disclose that it uses AI?
- What data is retained after a callback or contact request?
- Can the provider explain the entire flow without vague phrases such as “service improvement”?
Clinics should never assume that “AI-powered” describes one standard processing model. Different providers may handle messages in very different ways.
How iGlowly approaches privacy
iGlowly was designed around data minimisation rather than mandatory lead capture.
Visitors can ask pre-booking questions anonymously. They do not need to create an account or provide a name, email address or phone number before receiving an answer.
Conversation histories are not stored.
The most important design choice concerns what the AI model can see. Before a message is sent to the AI model, it passes through an Azure-based sanitising layer designed to detect and remove names, contact details and other direct identifiers. Model training on iGlowly conversation data is disabled. In other words, personal data is minimised by the architecture itself, not by a setting each clinic has to remember to switch on.
Personal data is processed only when a visitor actively chooses to request a callback. In that case:
- The visitor provides a name and phone number.
- The visitor explicitly agrees to those details being emailed to the clinic’s reception team.
- iGlowly processes the information to deliver that callback request.
- The information is not retained by iGlowly as a lead database.
This is different from requiring every visitor to identify themselves before they can ask a basic question.
The default conversation remains anonymous. Identifiable information enters the workflow only when the visitor deliberately asks the clinic to contact them.
iGlowly also identifies itself as an AI assistant and is restricted to controlled medical information and clinic-approved content. It does not search the open web during patient conversations.
These are built-in product choices, not optional privacy settings that each clinic must remember to activate. You can read how the architecture works in the Zero-PHI architecture overview and how the widget operates without cookies in the no-cookies explanation. A fuller account of the product’s privacy posture is in the iGlowly Trust Center.
These design choices are also more precise than claiming that a chatbot is universally “GDPR-compliant.” The clinic still needs an accurate privacy notice, appropriate contractual arrangements and procedures consistent with how it uses the service.
The honest verdict
An AI chatbot can be used by an aesthetic clinic without turning every question into a stored patient record.
But that outcome depends on the design:
- anonymous access;
- minimal data processing;
- no unnecessary lead gate;
- clear AI disclosure;
- limited or no conversation retention;
- no undisclosed reuse;
- appropriate contracts;
- explicit agreement when a visitor requests personal follow-up.
Rejecting cookies does not necessarily stop server-side chat storage.
Accepting cookies does not mean agreeing to store or train on every message.
And asking for a name, email address and phone number before answering a basic question is not conversational support. It is lead capture.
The most useful question a clinic can ask is:
What happens to the visitor’s message after they press send?
See how iGlowly Assistant handles privacy and patient questions.
This article provides general information and is not a substitute for legal advice about a clinic’s particular processing activities.