Privacy & Hosting for Your AI Assistant
An AI chat assistant processes the requests of your visitors — which is why XICBOT aligns hosting and data processing rigorously with the GDPR: operation in Germany and the EU, a data processing agreement under Art. 28 GDPR, data sovereignty in your hands, a clear deletion policy, and no sharing or selling of data. On request with European or self-hosted language models.
DE / EU
hosting and data processing
DPA
data processing under Art. 28
Deletion
defined periods and rules
on request
European or self-hosted models
An AI chat assistant only relieves your team if it does not turn data protection into a problem. As soon as an assistant talks to people on your website or in your shop, it processes personal data — questions, contact details, sometimes order or appointment requests. That is why XICBOT is built from the ground up so this processing is transparent, minimal and aligned with the General Data Protection Regulation. In concrete terms: hosting and processing in Germany and the EU, a data processing agreement under Art. 28 GDPR, a clear deletion policy and the commitment that we neither share nor sell your data. Why this standard matters to us is explained under About us.
Four Layers That Protect Your Data
How XICBOT Protects Your Data
Data protection is not a single setting but an interplay of location, contract, technology and clear rules. We look at each of these layers and align them so your assistant is helpful in everyday use without accumulating data unnecessarily. The following building blocks are the starting point in every XICBOT project and are shaped concretely with you — to fit your industry and the tasks your assistant is meant to take on.
Hosting in Germany and the EU
Operation and data processing take place in data centres within the EU. This keeps the data within the European legal area and avoids transfer to unsafe third countries.
Data Processing Agreement
We conclude a data processing agreement with you under Art. 28 GDPR. You remain the controller under the GDPR, and we process the data solely on your instructions for the agreed purpose.
Data Sovereignty With You
The content and conversation data belong to you. You decide which sources the assistant uses, which actions it may perform and how long data is retained.
Deletion Policy With Periods
Together we define retention periods and deletion rules. Data that is no longer needed is deleted in a governed way instead of being stored indefinitely — data minimisation as a principle.
Encryption and Access Control
Transmission is encrypted via TLS, access is logged and rights are strictly limited to what is necessary. This keeps the circle of those who see data small and traceable.
European or Self-Hosted Models
On request we use European or self-hosted language models so that processing stays even closer to your environment. We clarify the right framework in the initial consultation.
Try XICBOT live
This is not a video or a recording — you are chatting with a real assistant trained on XICBOT. Ask a question or click an example to start.
This demo processes your input to reply — also via a provider outside the EU (standard contractual clauses). Please do not enter sensitive data. Click “Understood” to start the chat. Privacy
Data Protection Builds Trust, Not Just Compliance
For many companies, data protection is first of all an obligation — with an AI assistant, it quickly becomes a genuine factor of trust. Anyone who asks a question on a website or leaves contact details wants to know what happens to that information. An assistant that visibly handles data sparingly, is operated in Germany and the EU and shares nothing with third parties lowers the barrier to entering a conversation at all. In this way, clean data processing pays off not only in legal certainty but also in the number of enquiries and completions your assistant generates.
For you as the operator, this also means less effort and less risk. Because the data processing agreement, the deletion policy and purpose limitation are settled from the start, the assistant can be added to your existing privacy policy and record of processing activities without detours. You do not have to clarify afterwards where data is stored or how long it is kept — these questions are already answered. And because we stay factual, we do not promise absolute security but a transparent processing aligned with the GDPR and the current state of the art.
Especially in sensitive industries such as practices, law firms or trade involving personal data, the handling of information decides whether a digital offer is accepted. This is where XICBOT plays to its strengths: on request, processing stays even closer to your environment with European or self-hosted language models, and the assistant hands over to a human on delicate topics rather than deciding on its own. In this way, data protection and reliability combine into an offer your customers trust.
Reading and Acting — Data-Minimising and With Approvals
An assistant is only as privacy-friendly as the data flows it triggers. That is why XICBOT works on the principle of data minimisation: it reads only the sources you approve and performs only actions for which you have defined a function. It does not build profiles as a precaution and does not track visitors without a legal basis. How the assistant is trained from your own content and binds its answers to those sources is explained under Knowledge base & training. Typical content it reads includes:
- Website content and subpages you approve
- Shop catalogue based on Shopware Community Edition with products, prices and availability
- Opening hours, locations and contact details
- Documents, PDFs and data sheets from your knowledge base
- FAQs, help articles and internal knowledge base
- Calendar availability as well as order and delivery status
The assistant performs actions only through clearly defined functions, each with its own approval. This prevents uncontrolled access to your systems, and every action is traceable. How the assistant is embedded technically with a short snippet, without loading a bloated third-party widget, is described on the Integration page. Typical approved actions include:
- Add a product to the cart and change quantities
- Apply a voucher or promotion and show shipping costs
- Book or reschedule an appointment and send confirmation
- Request a callback and pre-fill the contact form
- Hand a qualified lead to an inbox or CRM
- Create a support ticket and hand over to a human for sensitive topics
Answers From Your Sources, No Data Collection on the Side
The assistant binds its answers to your own content and triggers actions only through approved functions. The data flow is therefore manageable: requests are processed within the EU, answered bound to your content and not evaluated for external purposes. An AI assistant can be wrong — which is why we rely on source binding, handover to humans and later evaluation rather than unfounded claims.
- Answers bound to your own, approved sources
- Actions only through defined functions with approval
- No selling and no sharing with third parties
How We Set Up Data Protection
Data protection is not created at the end of a project but from the very start. We clarify the relevant data protection questions as early as the initial consultation, record the agreements in a contract and implement them technically. This way you know early which data the assistant processes, where it is stored and how long it is retained. The following process is the framework we tailor to your project together with you.
Initial Consultation and Privacy Clarification
In the free initial consultation we clarify which tasks your assistant should take on and which data is processed in the process. We discuss the hosting location, the question of European or self-hosted models and your requirements for retention and deletion — clearly and without technical jargon.
Start plan · net plus VAT
- Hosting and data processing in Germany and the EU
- Data processing agreement under Art. 28 GDPR included
- Deletion policy with defined periods, no sharing, no selling
- On request European or self-hosted language models
Data protection is included in every XICBOT plan. The entry-level Start plan begins with a one-time setup from 990 € net and operation from 49 € per month net — including hosting in Germany, operation, maintenance, updates and GDPR-aligned data processing. More extensive plans as well as European or self-hosted models can be found in the pricing overview. Every project begins with a free initial consultation and, on request, a free demo.
Third-Party Widget and XICBOT Compared
Many standard chatbots are embedded as a ready-made widget from an external provider. That is quick to install but shifts control over location, contracts and data usage to a third party. XICBOT takes the opposite route: individually built, operated in Germany and the EU and with clear contractual rules. The comparison shows where the difference lies in everyday practice.
| Aspect | Third-party chatbot widget | XICBOT |
|---|---|---|
| Hosting location | often outside the EU | Germany and the EU |
| Contractual basis | blanket provider terms | data processing agreement under Art. 28 GDPR |
| Data usage | use for external purposes possible | no sharing, no selling |
| Deletion | periods often intransparent | defined deletion policy with periods |
| Language model | fixed by the provider | on request European or self-hosted |
| Data sovereignty | with the provider | with you |
Your Privacy Questions in the Initial Consultation