NOLO
EU data law · guide

AI andthe GDPR.

AI doesn't get a pass on data-protection law. If a chatbot handles the personal data of people in the EU, the GDPR applies. Here is what that means for your rights, the contested question of training, and what to check, in plain language. This is general information, not legal advice.

The basics

GDPR still applies.

The tech is new; the principles are not. An AI provider handling your personal data has the same core duties as any other.

Lawful basis

The provider needs a valid legal reason to process your data, and must tell you what it collects and why.

Your rights

You can generally ask to access, correct, erase or port your data, and object to some processing.

The training question

Whether AI may train on personal data is contested and under regulator scrutiny. The safest path is services that don't train on your inputs at all.

The simplest compliance

Collect less.

The GDPR rewards data minimisation. The less personal data a service gathers, the fewer risks and obligations for everyone, and the more privacy for you.

What to check

Before trusting an AI tool with anything sensitive.

  • RetentionHow long is your data kept?
  • TrainingDoes it train on your inputs?
  • Location and rightsWhere is data processed, and how do you exercise your rights?

How NOLO minimises data

Privacy by design is also the simplest compliance.

  • No account or emailBarely any personal data to begin with.
  • History on your deviceNot stored in a NOLO database.
  • Zero retention, no trainingGDPR-compliant providers discard your message.
  • Tools get a keyword onlyNever your full conversation.
FAQ

Frequently asked questions.

Yes. If an AI service processes personal data of people in the EU, the GDPR applies. The provider is typically a data controller or processor and must have a lawful basis, respect your rights, and protect the data, regardless of the fact that AI is involved.

Under GDPR you can generally request access to the personal data held about you, ask for it to be corrected or erased, object to certain processing, and ask for portability. How easily you can exercise these depends on the provider.

It is contested. Training on personal data needs a lawful basis and must respect your rights, and several EU regulators have scrutinised how AI companies do this. The safest position for you is to use services that simply don't train on your inputs.

Check its privacy policy for the lawful basis, data retention, whether it trains on your data, where data is processed, and how you can exercise your rights. Vague answers are a red flag. This page is general information, not legal advice.

NOLO minimises personal data by design: no account or email, history kept in your browser, and chat models on GDPR-compliant providers configured for zero retention that don't train on your messages. Less personal data collected means fewer obligations and less risk for everyone.

Private by design

Data protection
by collecting less.

NOLO is built to minimise personal data from the start: no account, no tracking, nothing retained. The simplest privacy there is.