Foundational
AI Chat History and GDPR: Your Rights Over Your Conversations
Under GDPR, your AI chat history is personal data, which gives you rights of access, erasure, and portability over conversations held by providers operating in the EU. This guide explains what those rights cover, where they have limits, and how local-first tools reduce your exposure.
Under the GDPR, your AI chat history is personal data, and that classification gives you real rights over it: to access it, correct it, have it erased, and receive a portable copy, when the provider falls within GDPR's scope. It also means the conversations are subject to the provider's obligations as a data controller. This guide explains what those rights cover, where they stop, and how a local-first approach reduces how much of your conversation data sits with third parties in the first place. It is general information, not legal advice.
Why AI chat history counts as personal data
GDPR defines personal data broadly: any information relating to an identified or identifiable person. AI conversation history usually qualifies for two reasons:
- It is tied to you. Conversations are stored against your account, which is linked to your identity.
- It can contain personal data in the content. Prompts and responses often include names, locations, health details, financial information, or details about other people.
Both the link to your account and the content inside the conversation bring AI chat history within GDPR's reach when the provider is subject to it.
The rights you have
For providers operating under GDPR, the main data subject rights apply to your conversation history:
| Right | What it lets you do |
|---|---|
| Access (Art. 15) | Request the personal data the provider holds about you |
| Rectification (Art. 16) | Ask to correct inaccurate personal data |
| Erasure (Art. 17) | Ask to delete your personal data, the "right to be forgotten" |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Object / restrict (Art. 18, 21) | Object to or restrict certain processing, such as some training uses |
In practice, the self-service data export and deletion controls that platforms like ChatGPT and Gemini already offer cover much of the access, portability, and erasure rights without a formal request. The data minimisation principle (Art. 5) is also relevant: providers should not hold more than they need, and you can apply the same principle to what you put in.
Where the rights have limits
The rights are meaningful but not absolute, and the erasure right is where people most often misunderstand the boundary.
A provider can lawfully retain your data despite an erasure request when it has a competing legal obligation or another lawful basis. The clearest recent example is a legal hold: in 2025, a US court ordered OpenAI to preserve ChatGPT output logs, including deleted conversations, during litigation. While such an order is in force, an individual deletion request cannot compel removal of data the provider is legally required to keep. That order was later terminated, but it illustrates the principle: erasure is a right to request deletion, subject to the provider's legitimate and legal reasons to retain.
The takeaway is not that GDPR is weak, but that "delete my data" operates within a legal framework that can include overriding obligations. See does ChatGPT keep deleted conversations for how this plays out in practice.
Your own responsibility for what you input
GDPR responsibility is not only the provider's. When you paste another person's personal data into a cloud AI chat, you are sending their data to a third party. In a personal context this is usually low stakes, but in a work context it can matter:
- Putting customer, patient, or employee data into a consumer AI tool may breach your organisation's obligations.
- The safest control is data minimisation at the point of input: do not include real identifiers or special-category data unless you have a clear basis and an appropriate tool.
This is why many organisations restrict which AI tools can be used for work and what may be entered into them.
How local-first reduces your exposure
Every conversation you hold in a cloud AI service is additional personal data sitting on someone else's servers, subject to their retention, their training settings, and their legal obligations. A local-first approach shrinks that footprint.
LLMnesia is a free, local-first Chrome extension that indexes your AI conversations across ChatGPT, Claude, Gemini, and 10+ platforms on your own device. Because the index lives locally:
- No extra third-party copy. The searchable record of your history is not additional personal data held by another company.
- Data minimisation by design. Your retrieval layer processes nothing in the cloud; it stays on your machine.
- You control it. Removing the data is as simple as clearing the local index, with no request to file.
The underlying chat with a cloud AI is still processed by that platform under its own GDPR obligations; LLMnesia changes only the retrieval layer you add on top. For the broader case, see local-first AI tools and privacy and are AI conversations private.
Install LLMnesia from the Chrome Web Store to keep your conversation index on your own device.
In summary
Under GDPR, your AI chat history is personal data, giving you rights of access, rectification, erasure, and portability against providers within scope, mostly exercisable today through their export and deletion controls. Those rights have limits, especially erasure, which yields to legal obligations like court-ordered preservation. You also carry responsibility for the personal data you put into prompts. Minimising what you send to the cloud, and keeping your searchable history local-first, is the most direct way to reduce your exposure rather than relying solely on rights you have to invoke after the fact.
Frequently asked
Is AI chat history personal data under GDPR?
Generally yes. If your AI conversations are tied to your account and can identify you, or contain personal data about you or others, they are personal data under GDPR. That brings them within the scope of data subject rights such as access, rectification, erasure, and portability when the provider falls under GDPR. The conversation content itself can also contain other people's personal data, which adds responsibility for what you put in.
Can I ask an AI company to delete my conversation history under GDPR?
You can exercise the right to erasure (the right to be forgotten) with providers subject to GDPR, asking them to delete your personal data including conversation history. The right is not absolute: providers can retain data where they have a legal obligation or a lawful basis to keep it, such as a court-ordered legal hold. So an erasure request is a right to request deletion, not an automatic guarantee in every case.
Can I get a copy of my AI conversation data under GDPR?
Yes. The right of access lets you request the personal data a provider holds about you, and the right to data portability lets you receive your data in a structured, machine-readable format. In practice most major AI platforms offer a self-service data export that satisfies much of this, so you can often get a copy without filing a formal request.
Does using a local-first AI tool help with GDPR compliance?
It reduces exposure by minimising the personal data sent to third parties. A local-first tool stores data on your device rather than uploading it to a server, which aligns with the data minimisation principle. LLMnesia keeps your conversation index on your own device, so the searchable copy of your history is not additional personal data held by another company. The underlying cloud chat is still processed by that platform under its own GDPR obligations.
Who is responsible for personal data in an AI conversation?
The AI provider is the controller or processor for the conversation data it holds and must meet its GDPR obligations. You also have responsibility for what you input: pasting other people's personal data into a cloud AI chat can itself be a processing activity you should be cautious about, especially in a work context. When in doubt, minimise the personal data you put into prompts.
Sources
Related reading
Stop losing AI answers
LLMnesia indexes your ChatGPT, Claude, and Gemini conversations automatically. Search everything from one place — no copy-paste, no repeat prompting.
Add to Chrome — Free