If you use the contact collection feature of your chatbot, you must obtain visitor consent for processing their personal data under the General Data Protection Regulation (GDPR). This guide walks you through how to set up contact collection so your chatbot stays compliant with current EU privacy regulations.
💡 Related guide: For a full walkthrough of the contact collection feature itself, see our Leadgen Chatbot article.
Who is responsible for what
Under GDPR there are two distinct roles:
Data controller — determines how and why personal data is processed.
Data processor — processes personal data on behalf of the controller, following the controller's instructions.
When you use the automatic contact collection feature of a Smartsupp chatbot, you become the data controller. You decide which data is collected, how it's handled, and you carry the legal obligations that come with protecting that data. Smartsupp acts as the data processor — we process the data based on your instructions, but we do not decide what's collected or how it's used.
💡 Tip: Make sure your internal team understands which legal obligations fall on you as the controller — consent management, data retention rules, and responding to data subject requests are all your responsibility.
Requiring consent
The chatbot's contact collection feature includes a built-in option to require visitor consent before processing their personal data. When enabled, the chatbot asks the visitor to grant consent first — only then does it proceed with collecting contact details.
The visitor's consent decision is stored directly in their visitor profile. This gives you a clear overview of which contacts have granted consent and which haven't. If a visitor declines, the chatbot stops the collection flow.
⚠️ Important: Always enable the consent prompt before launching a contact collection chatbot. Collecting personal data without explicit consent violates GDPR and can result in significant fines.
Communicating with collected contacts
Once you start collecting contacts, it's critical that your marketing communication is sent only to contacts who granted consent. Reaching out to people who haven't consented — or who actively declined — is a direct GDPR violation.
In the Smartsupp dashboard you can filter contacts by their consent status, so it's easy to build a clean marketing list that only includes people who have opted in.
💡 Tip: Regularly review your contact list and remove contacts that withdrew consent or that you no longer have a legitimate reason to keep. Data minimisation is a core GDPR principle.
Link to the Privacy Policy
When asking for consent inside the chatbot, we strongly recommend including a direct link to your Privacy Policy. While Smartsupp doesn't legally require you to publish the chatbot's Privacy Policy, as the data controller you must inform visitors about how their personal data is processed — and a Privacy Policy link is the simplest way to satisfy that obligation.
If no Privacy Policy link is set, the chatbot falls back to Smartsupp's general GDPR notice, which only explains our role as the data processor and your role as the controller — it cannot describe your specific data handling practices.
💡 Tip: Your Privacy Policy should cover what data you collect, why you collect it, how long you store it, who you share it with, and how visitors can exercise their rights (access, correction, deletion).
What's next?
Leadgen Chatbot — step-by-step guide to building a chatbot that collects leads.
Chatbot — full overview of how chatbots work and how to create one.
Chatbot Actions — see what actions a chatbot can perform, including contact collection.
Chatbot conditions — control when, where, and to whom the bot appears.
Chatbot conversation — understand how chatbot conversations differ from regular ones.
💡 Need more help? Contact our support team — we'll be happy to help! For specific GDPR questions, we recommend consulting a qualified legal advisor.




