Every business chatbot collects data. The moment a customer types their name, shares their phone number, or describes their requirement in a chat window, that information is stored somewhere. Understanding what is collected, how it is stored, and what you are legally expected to disclose is not optional it is the foundation of running a chatbot responsibly.
What data a chatbot collects
The specific data collected depends on your build. A lead qualification chatbot collects name, phone, budget, and requirement. An appointment booking chatbot collects name, contact, and appointment details. A support chatbot collects the complaint description and account information. All of this is personal data.
India's data protection landscape (2026)
India's Digital Personal Data Protection Act (DPDPA) 2023 came into effect progressively through 2024 2025. The core requirements for businesses collecting personal data digitally:
Consent: You must obtain clear, informed consent before collecting personal data. A chatbot that collects a name and phone number without disclosure is non-compliant.
Purpose limitation: Data collected for one purpose (booking an appointment) cannot be used for another (adding the person to a marketing list) without separate consent.
Data minimisation: Collect only what you need. A chatbot that asks for Aadhaar number to answer a pricing query is collecting far more than necessary.
Right to erasure: Users can request deletion of their data. You must have a process to honour this.
This is not legal advice. Consult a qualified Indian lawyer for advice specific to your business and sector.
Ready to take the next step?
Let Perceptra scope the right approach for your business.
Book a Free Strategy Session ?The minimum disclosures every chatbot must have
Disclosure that this is an automated system: Tell users they are interacting with a bot, not a human. This is both ethically appropriate and increasingly expected by users.
What data is being collected: "I will collect your name and contact information to follow up with you."
Why it is being collected: "This information will be used to connect you with our team and follow up on your enquiry."
How long it will be retained: "Your details are stored for 12 months."
How to request deletion: "To request deletion of your data, contact us at [email]."
These disclosures can be brief. The goal is transparency, not a legal wall of text.
Where to put the privacy disclosure in a chatbot
First message or welcome message: "Hi! I am Perceptra's assistant. I will collect your contact details to connect you with our team. [Privacy Policy]." A link to your full privacy policy in the opening message covers the disclosure requirement.
Before collecting contact information: "Before I take your details just so you know, this information will be shared with our team to follow up with you. Is that okay?"
Website privacy policy: Your website's privacy policy must explicitly mention chatbot data collection. If you have a chatbot and your privacy policy was written before it existed, update it.
Data storage and security basics
Where is the data stored? Ask your chatbot platform explicitly. For Indian businesses, preferring India-region servers is best practice, though not yet legally mandatory for most sectors.
Who has access? Chatbot conversation logs should be accessible only to authorised team members not your entire company, and certainly not third parties unless they are part of your service delivery.
How long is it retained? Set a retention policy. Six to twelve months for lead data is common. Healthcare data has longer retention requirements.
Can users access their own data? Have a process for users who request to see what you have stored about them.
Frequently asked questions
If your existing privacy policy does not mention automated chat, chatbot data collection, or the specific types of data your chatbot collects yes, update it. This is a one-hour task with a template.
No. Under DPDPA and WhatsApp's own terms, marketing messages require explicit opt-in consent. Collecting a number through a chatbot does not constitute opt-in for marketing.
You are still the data controller responsible for what is collected and how it is used. Review your chatbot platform's data processing agreement and ensure they meet basic security standards.
We include a privacy disclosure review as part of every chatbot deployment. We are not lawyers we recommend specific legal advice for complex cases but we ensure the basics are in place. Contact us.