
GDPR, WhatsApp, and AI replies — what every UK business needs to know

Using AI to handle customer messages has legal implications. Here's what you're required to disclose, how to store data correctly, and how RheXa handles it for you.

10 min read · Mar 10, 2026 · RheXa Team · Legal & Compliance

This article is for informational purposes and does not constitute legal advice. If you have specific compliance concerns, consult a qualified solicitor or data protection officer.

Using AI to handle customer messages is a significant operational choice — and in the UK and EU, it's one that comes with legal obligations. Most small businesses don't realise this until after they've deployed a system. This guide covers what you're required to do, what you're not required to do, and how RheXa helps you stay on the right side of the line.

What GDPR actually covers in this context

The UK GDPR (which mirrors the EU GDPR post-Brexit, with the ICO as the supervisory authority) applies whenever you process personal data of individuals in the UK or EU. A WhatsApp message from a customer contains personal data: their phone number, their name if they've provided it, and the content of the conversation.

When that message is processed by an AI system — read, analysed, used to generate a reply — that constitutes processing under GDPR. Which means all the usual rules apply:

  • You need a lawful basis for processing
  • You must handle the data securely and not retain it longer than necessary
  • Individuals have rights over their data, including access, erasure, and the right to object
  • If you use a third-party processor (like RheXa), you need a Data Processing Agreement (DPA)

Lawful basis: what works for AI-powered customer service

Most service businesses will rely on one of two lawful bases:

Legitimate interests (Article 6(1)(f)): You have a legitimate business interest in handling customer enquiries efficiently. Processing messages to reply to them is a reasonable and expected part of doing business. This is the most commonly applicable basis for customer service AI.

Contractual necessity (Article 6(1)(b)): If the customer has already entered into a contract with you, processing their communications to fulfil that contract is lawful under this basis.

Legitimate interests requires a balancing test — you need to weigh your interest against the customer's privacy interests. In most cases, replying to a message a customer sent you passes this test easily. They reached out to you. They're expecting a reply.

Disclosure: what you're required to tell customers

Here's where most businesses get it wrong by assuming they need to do more or less than they actually do.

You are NOT required to:

  • Start every AI reply with "I am an AI"
  • Ask for consent before using AI to process a message
  • Show a banner or pop-up warning before the first reply

You ARE required to:

  • Disclose in your privacy policy that you use AI to process customer communications
  • Name the third-party processor (RheXa) and describe what it does
  • Explain the lawful basis you're relying on
  • Provide a contact method for data subject requests

The ICO guidance is clear: privacy information can be provided at the point of data collection (e.g., a link to your privacy policy in your WhatsApp Business profile) rather than embedded in every message. A customer who messages your WhatsApp number is in a position to read your privacy policy before doing so — as long as it's accessible.

Automated decision-making: Article 22

Article 22 of GDPR gives individuals rights around automated decision-making — specifically decisions that have significant effects on them and are made solely by automated means without human review.

For most customer service AI, this doesn't apply. RheXa is replying to enquiries, not making decisions about credit, employment, insurance, or other high-stakes matters. A reply to "what are your opening hours?" is not a significant automated decision.

Where it could apply: if you use AI to decide whether to accept or reject a service request — for example, automatically declining bookings from certain postcodes or flagging certain customers for restriction. If you implement logic like this, Article 22 requires you to offer the customer the right to request human review.

RheXa doesn't implement any such logic by default. All routing decisions (AI handles vs. escalate to human) are based on confidence and topic, not on customer identity.

Data retention: how long can you keep conversation data?

GDPR requires you to keep personal data for no longer than necessary for the purpose you collected it. For customer service conversations, "necessary" depends on context:

  • Active customer relationships: Retaining conversation history while the customer relationship is active is generally justified — it lets you provide consistent service and reference past interactions.
  • Inactive leads: A prospect who enquired and never converted — and hasn't been in contact for a year — has a weaker case for retention. Industry norm is 12–24 months from last contact for marketing/enquiry data.
  • Legal hold: If a conversation is relevant to a dispute, complaint, or legal matter, you may need to retain it longer.

RheXa stores conversation data per organisation. You can export or delete any conversation from the dashboard at any time. If a customer submits a Subject Access Request (asking to see their data) or an erasure request, you can action it directly in the RheXa interface without involving our support team.

The Data Processing Agreement

Under GDPR, if you share personal data with a third-party service that processes it on your behalf, you need a Data Processing Agreement (DPA). This is a contract that specifies:

  • What data is processed and for what purpose
  • The security measures in place
  • Subprocessor arrangements (e.g., the AI model provider RheXa uses)
  • How data subject requests will be handled
  • What happens to data on termination

RheXa's DPA is included in our Terms of Service and applies automatically to all accounts. You don't need to sign a separate document. If your business requires a countersigned DPA for internal compliance reasons, contact our team and we'll arrange one.

What RheXa does to keep you compliant by default

  • Data residency: All customer conversation data is stored in EU/UK data centres (Supabase on AWS eu-west-1). No personal data is transmitted to US-based servers for storage.
  • Encryption: Conversations are encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Access controls: Only users in your organisation with appropriate permissions can access conversation data. RheXa staff do not have access to your customer conversations except to resolve specific support issues, with your consent.
  • Subprocessors: RheXa uses OpenAI (via API) to generate AI replies. OpenAI operates under a DPA that prohibits training on API data. Your customer conversations are not used to train OpenAI models.
  • Audit logs: Every AI reply is logged with the confidence score, the retrieved knowledge base chunks, and the timestamp. This provides an audit trail for any complaint or dispute.

Practical steps to get compliant today

  1. Update your privacy policy to mention AI-powered customer service and name RheXa as a processor
  2. Link your privacy policy in your WhatsApp Business profile
  3. Set a data retention policy in your RheXa dashboard (we recommend 24 months from last contact)
  4. Designate a contact address for data subject requests
  5. If you're in a sector with additional regulations (healthcare, financial services, education), review sector-specific guidance from the ICO

Compliance isn't complicated for a service business using AI for customer communication. It's mostly good practice: be transparent about what you do, handle data carefully, respect customer rights. RheXa is built to make that straightforward.
