mue

GDPR-compliant AI chatbot: the EU hosting setup for SMEs

The August 2, 2026 enforcement date for high-risk systems under the EU AI Act is three months out, and the Digital Omnibus delay attempt failed on April 28. For most small businesses, your chatbot is not a high-risk system, but the GDPR rules around data residency, consent, and processing already apply. The first SME fines tied to chatbots in 2024 started around £35,000, almost all for consent and transfer failures.

If you bolted a US-hosted chatbot onto your site last year, this is the post for you.

What actually triggers GDPR for a chatbot

A chatbot becomes a GDPR processor the moment it captures anything that identifies a person: a name in a contact form, an IP address logged with a question, an email tied to a conversation. That covers roughly every chatbot worth running on a small-business site.

Two things matter most: where the data goes (residency), and whether the user knew (consent and transparency). Most of the SME enforcement actions in 2024 and 2025 were not exotic: they were chatbots that quietly logged conversations with no disclosure, or that piped prompts to US servers without a valid transfer mechanism in place.

The EU hosting setup that works

Three pieces, in order of importance.

Pick a model provider with real EU residency. Mistral (Paris), Aleph Alpha (Heidelberg), and OpenAI's EU region all keep prompts and outputs inside the EEA when configured correctly. Anthropic's EU residency runs through Vertex on Google Cloud's europe-west regions. The default OpenAI endpoint does not qualify: you have to opt into the EU region explicitly and sign the right Data Processing Addendum. Default settings are not your friend here.

Host the orchestration in the EU. If you're running an n8n workflow, a Vercel function, or a custom backend, deploy it to a Frankfurt, Paris, or Brussels region. Vercel and Netlify both support EU-only deployments. Supabase and Neon offer EU-hosted Postgres. This is a setting, not a rebuild.

Get the paperwork right. That means a signed DPA with each vendor, an Article 30 record of processing activities, a published privacy notice that names the chatbot, and a documented retention period. The Belgian Gegevensbeschermingsautoriteit has been clear: "we trust our vendor" is not a defence.

What to skip

You probably don't need an on-premise LLM. Running your own model means GPU costs, model updates, and an evals pipeline, and for a 50-message-a-day SME chatbot it's overkill. EU-region API access from a major provider with a signed DPA is enough for most use cases.

You also don't need to log every conversation forever. A 30- or 90-day retention window with automatic deletion is usually defensible, and it dramatically cuts your breach exposure when something does go wrong.
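One way to turn the three residency settings above and the retention window into a checked configuration instead of a hope, as an added Python example that is not from this post or from mue: the region identifiers, vendor names and conversation records are constructed for illustration, so confirm the real region list against each vendor's DPA.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Region identifiers treated as inside the EEA. Assumed for this example
# (AWS/GCP/Vercel-style names), not an authoritative list.
EU_REGIONS = {"eu-central-1", "eu-west-3", "europe-west1", "europe-west4", "fra1", "cdg1"}
MAX_RETENTION_DAYS = 90  # the 30/90-day window the post calls usually defensible


@dataclass
class ChatbotConfig:
    model_endpoint_region: str   # region the LLM API endpoint is pinned to
    orchestration_region: str    # where the n8n/Vercel/backend code runs
    database_region: str         # where conversation logs are stored
    retention_days: int          # automatic deletion window
    dpa_signed: dict = field(default_factory=dict)  # vendor -> DPA on file?


def residency_findings(cfg: ChatbotConfig) -> list[str]:
    """Return the problems found; an empty list means the config passes."""
    findings = []
    for label, region in (("model endpoint", cfg.model_endpoint_region),
                          ("orchestration", cfg.orchestration_region),
                          ("database", cfg.database_region)):
        if region not in EU_REGIONS:
            findings.append(f"{label} region {region!r} is outside the EU allowlist")
    for vendor, signed in cfg.dpa_signed.items():
        if not signed:
            findings.append(f"no signed DPA on file for {vendor}")
    if cfg.retention_days <= 0:
        findings.append("no retention window configured")
    elif cfg.retention_days > MAX_RETENTION_DAYS:
        findings.append(f"retention of {cfg.retention_days} days exceeds {MAX_RETENTION_DAYS}")
    return findings


def purge_expired(conversations: list[dict], retention_days: int, now: datetime):
    """Drop conversations whose last activity is older than the retention window.

    Returns (kept, number_deleted); run this on a schedule against the log store.
    """
    cutoff = now - timedelta(days=retention_days)
    kept = [c for c in conversations if c["last_activity"] >= cutoff]
    return kept, len(conversations) - len(kept)


if __name__ == "__main__":
    # Constructed sample: one setting is in a US region and one DPA is missing.
    cfg = ChatbotConfig("us-east-1", "fra1", "eu-central-1", 30, {"llm-vendor": False})
    for finding in residency_findings(cfg):
        print("FAIL:", finding)
    now = datetime(2026, 5, 1, tzinfo=timezone.utc)
    logs = [{"id": 1, "last_activity": now - timedelta(days=100)},
            {"id": 2, "last_activity": now - timedelta(days=5)}]
    print("deleted:", purge_expired(logs, cfg.retention_days, now)[1])
```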

The honest version

For a typical Belgian SME running a customer-support or lead-qualification chatbot, the one-time setup is roughly €2,000 to €6,000 in configuration, DPA review, and a privacy notice rewrite. Annual maintenance lands between €800 and €2,400. That's the realistic number from the firms doing this work in 2026, including ours.

The August deadline isn't going to pass quietly. Get the residency and consent pieces right while it's still a config change, not a remediation project.


Need a GDPR-compliant chatbot, or a second opinion on the one you have? We do this work for Belgian and EU SMEs.

Email agent@mue.app →