{"site":{"name":"Koji","description":"AI-native customer research platform that helps teams conduct, analyze, and synthesize customer interviews at scale.","url":"https://www.koji.so","contentTypes":["blog","documentation"],"lastUpdated":"2026-05-14T12:51:20.488Z"},"content":[{"type":"documentation","id":"4ebf0f84-5517-4032-9cb9-3d6f6c8c957c","slug":"gdpr-compliant-ai-user-research","title":"GDPR-Compliant AI User Research: A Practical Guide","url":"https://www.koji.so/docs/gdpr-compliant-ai-user-research","summary":"GDPR-compliant AI user research requires six things on paper: a lawful basis (usually consent), purpose limitation, data minimization, storage limitation, participant rights, and sub-processor transparency. For AI interviews, the privacy notice must name the LLM vendor and disclose cross-border transfers. Koji handles each requirement with a built-in consent intake form, per-study retention controls, EU-region routing, BYOK for direct LLM contracting, DPA on request, and SAR-ready data export. Best practices: pseudonymize participants, minimize demographic fields, anonymize transcripts in reports, document retention in your Record of Processing Activities. Most simple research doesn't need a DPIA; sensitive categories or vulnerable groups do.","content":"## What GDPR-compliant AI user research means\n\nGDPR-compliant AI user research is a research practice where every participant interaction — recruitment, consent, interview, transcript, analysis, and storage — satisfies the EU General Data Protection Regulation. The two things that matter most are (1) a lawful basis for processing each participant's data, and (2) clear participant control over their own data, including the right to withdraw at any time.\n\nWhen the moderator is an AI rather than a human, GDPR still applies — sometimes more strictly, because LLM providers may be sub-processors located outside the EU. This guide explains how to run GDPR-compliant AI user research end to end, the questions your DPO will ask, and how Koji is built so EU teams can deploy AI interviews without a legal sprint.\n\nNothing in this guide is legal advice. Run your specific use case past counsel before processing data from EU residents.\n\n## The six GDPR essentials for AI research\n\nEvery GDPR-compliant AI user research program needs to answer these six questions on paper:\n\n1. **Lawful basis** — usually consent (Art. 6(1)(a)) for research, occasionally legitimate interest (Art. 6(1)(f)) for existing customers.\n2. **Purpose limitation** — research participants are told exactly what their data will be used for and you don't silently use it for something else (training a model, marketing, etc.).\n3. **Data minimization** — collect only what the research goal requires. Don't ask for date of birth if age band is enough.\n4. **Storage limitation** — define a retention period, document it, and delete after.\n5. **Participant rights** — provide a clear way to access, rectify, port, and delete their data.\n6. **Sub-processor transparency** — disclose every third party that touches participant data (LLM provider, transcription service, hosting region).\n\nThe rest of this guide walks each one through the lens of running an AI-moderated interview study.\n\n## Lawful basis: when consent is required\n\nFor most user research, consent is the cleanest lawful basis because participation is voluntary, the data is sensitive (qualitative answers often reveal personal opinions), and you want unambiguous proof of agreement.\n\nConsent under GDPR has to be:\n\n- **Freely given** — no dark patterns, no penalty for declining.\n- **Specific** — for this study, not all future research.\n- **Informed** — the participant knows what data is collected, by whom, for how long, and who else will see it.\n- **Unambiguous** — affirmative action, not a pre-checked box.\n\nKoji handles this with the built-in intake form ([intake forms and consent](/docs/intake-forms-and-consent)). You can require participants to read your privacy notice and tick a consent box before the AI moderator starts. For each study, the consent record is timestamped and retrievable.\n\nIf you're researching existing customers and the research is closely related to the service you already provide, legitimate interest may apply — but you still owe participants a clear notice and an easy opt-out. Document the balancing test.\n\n## The participant-facing privacy notice\n\nEvery AI research study processing EU data needs a privacy notice at the start of the interview. It should cover, in plain language:\n\n- **Who you are** (data controller) and contact info.\n- **What you'll ask** and roughly how long the interview takes.\n- **Whether the interview is recorded** (voice mode) or transcript-only (text mode).\n- **Which AI provider transcribes / moderates** (OpenAI, Anthropic, Google — name the LLM vendor).\n- **Where data is stored** and for how long.\n- **Whether data leaves the EU** and what safeguards apply (SCCs, adequacy decisions).\n- **How to withdraw consent** and request deletion.\n- **Whether any decisions affecting the participant are made automatically** (under Art. 22).\n\nKoji ships customizable notice fields in the intake step, and the [research consent form templates](/docs/research-consent-form-templates) include EU-ready language you can adapt.\n\n## Data minimization for AI interviews\n\nThe AI moderator doesn't need a lot of personal data to do its job. Best practice:\n\n- **Use pseudonymous IDs.** Pass `participant_id=abc-123` instead of `email=jane@example.com` where possible. See [personalized interview links](/docs/personalized-interview-links).\n- **Skip demographic questions you won't analyze.** Don't ask for nationality, exact age, or income if cohort-level data is enough.\n- **Anonymize transcripts.** Koji can strip names, employers, and email addresses from analysis exports — useful when sharing reports beyond the research team.\n- **Aggregate, don't identify.** When publishing findings, summarize at the theme level. Verbatim quotes need separate consent.\n\nThe fewer columns of personal data you store, the smaller the GDPR surface area and the simpler your DPIA becomes.\n\n## Retention: how long is \"as long as necessary\"?\n\nGDPR says you can keep personal data only as long as you need it for the stated purpose. For research, common retention bands are:\n\n- **30 days** for raw audio recordings (used only for transcription verification).\n- **6–12 months** for transcripts (long enough for follow-up analysis and report iteration).\n- **12–24 months** for de-identified themes and aggregated insights (those usually don't qualify as personal data once anonymized).\n\nKoji lets you set per-study retention. Configure it in the study settings, and Koji automatically purges raw conversations on schedule while keeping the aggregated report intact.\n\n## Right to withdraw, access, port, and delete\n\nEvery participant must be able to:\n\n- Withdraw consent at any time, including mid-study.\n- Access the personal data you hold about them.\n- Receive a portable copy in a common format.\n- Request deletion (right to erasure).\n\nOperationally:\n\n- Provide a single email address (`privacy@yourcompany.com`) in the intake notice.\n- Train CS or the research team to action these requests within 30 days.\n- Use Koji's [exporting research data](/docs/exporting-research-data) feature to produce a participant-specific export when a Subject Access Request comes in.\n- Use the delete-interview action in the study admin to remove a participant's session and transcript.\n\nDocument each request and the response date for audit purposes.\n\n## Sub-processors and cross-border transfers\n\nThe biggest GDPR question with AI research is: which third parties touch the data, and where are they?\n\nKoji discloses every sub-processor on its public sub-processor page (cloud host, LLM provider, transcription provider, email delivery, etc.). For EU customers, key points:\n\n- **Data residency**: studies can be configured to keep transcripts within the EU; LLM inference may happen in a US region under Standard Contractual Clauses with additional safeguards.\n- **Bring Your Own Key (BYOK)**: enterprise customers can route LLM calls through their own contracted OpenAI / Anthropic accounts so the LLM relationship is direct. See [bring your own key](/docs/bring-your-own-key).\n- **DPA on file**: Koji signs a Data Processing Agreement on request for any plan.\n- **No training on customer data**: Koji's LLM contracts disable training on customer prompts and outputs.\n\nIf your organization has strict residency rules (financial services, public sector), discuss BYOK and EU-region routing during procurement.\n\n## DPIA: do you need one?\n\nA Data Protection Impact Assessment is mandatory under Art. 35 when processing is \"likely to result in a high risk\" to participants. Most simple AI user research (voluntary, no sensitive categories, anonymized output) doesn't cross that threshold. You should run a DPIA if:\n\n- You're collecting health data, sexual orientation, political views, or other [Art. 9 special categories](https://gdpr-info.eu/art-9-gdpr/).\n- You're researching vulnerable groups (children, patients, employees in power-imbalanced contexts).\n- The interview is mandatory (employees in mandatory feedback, customers tied to service access).\n- The AI makes any consequential decision automatically.\n\nFor everything else, document the lawful basis, consent flow, and retention in a lightweight Record of Processing Activities (Art. 30) and you're typically covered.\n\n## How Koji compares to running AI research with raw ChatGPT\n\nSome teams paste customer interview transcripts into raw ChatGPT to analyze them. Under GDPR, this is risky:\n\n- Pasting personal data into a general-purpose ChatGPT account is a transfer to a sub-processor you may not have authorized.\n- Free-tier ChatGPT trains on inputs by default.\n- There's no DPA, no consent record, no retention policy, no deletion path.\n\nKoji, in contrast, is purpose-built for compliant research: contracted LLM use with training disabled, consent records, per-study retention, deletion workflow, EU residency option, and a DPA available. See [can I paste user interviews into ChatGPT](/docs/can-i-paste-user-interviews-into-chatgpt-a-guide-to-gdpr-and-llms) for the deeper comparison.\n\n## Practical setup checklist for EU teams\n\nBefore publishing your first study:\n\n1. Draft a participant-facing privacy notice covering the seven elements above.\n2. Configure the Koji intake form to require explicit consent.\n3. Set per-study retention (audio, transcript, themes).\n4. Confirm your DPA is signed.\n5. If your DPO requires EU residency, request EU-region routing or enable BYOK.\n6. Document the lawful basis and retention in your Record of Processing Activities.\n7. Train CS / research on handling Subject Access Requests within 30 days.\n\nWith those seven steps, your AI user research program meets the GDPR bar without slowing discovery to a crawl.\n\n## Related Resources\n\n- [Intake forms and consent](/docs/intake-forms-and-consent) — configure GDPR-ready consent screens\n- [Research consent form templates](/docs/research-consent-form-templates) — EU-ready notice language\n- [Personalized interview links](/docs/personalized-interview-links) — pseudonymize participants without losing context\n- [Bring your own key](/docs/bring-your-own-key) — route LLM calls through your own contracted account\n- [Exporting research data](/docs/exporting-research-data) — produce Subject Access Request exports\n- [Can I paste user interviews into ChatGPT? A GDPR guide](/docs/can-i-paste-user-interviews-into-chatgpt-a-guide-to-gdpr-and-llms)\n- [Structured questions guide](/docs/structured-questions-guide) — design briefs that minimize personal data collection","category":"Research Operations","lastModified":"2026-05-14T03:16:47.309629+00:00","metaTitle":"GDPR-Compliant AI User Research: A Practical Guide | Koji","metaDescription":"Run AI-moderated customer interviews under GDPR. Lawful basis, consent flows, data minimization, retention, sub-processors — and how Koji handles each requirement.","keywords":["GDPR user research","GDPR AI research","GDPR-compliant survey","EU customer research compliance","data protection user research","research consent EU","AI research privacy","research DPIA","research sub-processors"],"aiSummary":"GDPR-compliant AI user research requires six things on paper: a lawful basis (usually consent), purpose limitation, data minimization, storage limitation, participant rights, and sub-processor transparency. For AI interviews, the privacy notice must name the LLM vendor and disclose cross-border transfers. Koji handles each requirement with a built-in consent intake form, per-study retention controls, EU-region routing, BYOK for direct LLM contracting, DPA on request, and SAR-ready data export. Best practices: pseudonymize participants, minimize demographic fields, anonymize transcripts in reports, document retention in your Record of Processing Activities. Most simple research doesn't need a DPIA; sensitive categories or vulnerable groups do.","aiPrerequisites":["Familiarity with GDPR basics","Access to your organization DPO or counsel","Awareness of your data residency requirements"],"aiLearningOutcomes":["Identify the correct lawful basis for an AI research study","Draft a GDPR-ready participant privacy notice","Configure consent, retention, and sub-processor disclosure in Koji","Decide when a DPIA is required","Handle Subject Access and erasure requests within 30 days"],"aiDifficulty":"intermediate","aiEstimatedTime":"15 min read"}],"pagination":{"total":1,"returned":1,"offset":0}}