GDPR-Compliant AI User Research: A Practical Guide
How to run AI-moderated customer interviews under GDPR. Lawful basis, consent flows, data minimization, retention, sub-processors, and how Koji handles each requirement.
What GDPR-compliant AI user research means
GDPR-compliant AI user research is a research practice where every participant interaction — recruitment, consent, interview, transcript, analysis, and storage — satisfies the EU General Data Protection Regulation. The two things that matter most are (1) a lawful basis for processing each participant's data, and (2) clear participant control over their own data, including the right to withdraw at any time.
When the moderator is an AI rather than a human, GDPR still applies — sometimes more strictly, because LLM providers may be sub-processors located outside the EU. This guide explains how to run GDPR-compliant AI user research end to end, the questions your DPO will ask, and how Koji is built so EU teams can deploy AI interviews without a legal sprint.
Nothing in this guide is legal advice. Run your specific use case past counsel before processing data from EU residents.
The six GDPR essentials for AI research
Every GDPR-compliant AI user research program needs to answer these six questions on paper:
- Lawful basis — usually consent (Art. 6(1)(a)) for research, occasionally legitimate interest (Art. 6(1)(f)) for existing customers.
- Purpose limitation — research participants are told exactly what their data will be used for and you don't silently use it for something else (training a model, marketing, etc.).
- Data minimization — collect only what the research goal requires. Don't ask for date of birth if age band is enough.
- Storage limitation — define a retention period, document it, and delete after.
- Participant rights — provide a clear way to access, rectify, port, and delete their data.
- Sub-processor transparency — disclose every third party that touches participant data (LLM provider, transcription service, hosting region).
The rest of this guide walks each one through the lens of running an AI-moderated interview study.
Lawful basis: when consent is required
For most user research, consent is the cleanest lawful basis because participation is voluntary, the data is sensitive (qualitative answers often reveal personal opinions), and you want unambiguous proof of agreement.
Consent under GDPR has to be:
- Freely given — no dark patterns, no penalty for declining.
- Specific — for this study, not all future research.
- Informed — the participant knows what data is collected, by whom, for how long, and who else will see it.
- Unambiguous — affirmative action, not a pre-checked box.
Koji handles this with the built-in intake form (see intake forms and consent). You can require participants to read your privacy notice and tick a consent box before the AI moderator starts. For each study, the consent record is timestamped and retrievable.
If you're researching existing customers and the research is closely related to the service you already provide, legitimate interest may apply — but you still owe participants a clear notice and an easy opt-out. Document the balancing test.
The participant-facing privacy notice
Every AI research study processing EU data needs a privacy notice at the start of the interview. It should cover, in plain language:
- Who you are (data controller) and contact info.
- What you'll ask and roughly how long the interview takes.
- Whether the interview is recorded (voice mode) or transcript-only (text mode).
- Which AI provider transcribes / moderates (OpenAI, Anthropic, Google — name the LLM vendor).
- Where data is stored and for how long.
- Whether data leaves the EU and what safeguards apply (SCCs, adequacy decisions).
- How to withdraw consent and request deletion.
- Whether any decisions affecting the participant are made automatically (under Art. 22).
Koji ships customizable notice fields in the intake step, and the research consent form templates include EU-ready language you can adapt.
Data minimization for AI interviews
The AI moderator doesn't need a lot of personal data to do its job. Best practice:
- Use pseudonymous IDs. Pass participant_id=abc-123 instead of [email protected] where possible. See personalized interview links.
- Skip demographic questions you won't analyze. Don't ask for nationality, exact age, or income if cohort-level data is enough.
- Anonymize transcripts. Koji can strip names, employers, and email addresses from analysis exports — useful when sharing reports beyond the research team.
- Aggregate, don't identify. When publishing findings, summarize at the theme level. Verbatim quotes need separate consent.
The fewer columns of personal data you store, the smaller the GDPR surface area and the simpler your DPIA becomes.
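One way to derive the pseudonymous ID described above, as an added example (not Koji's code and not part of the original guide): a keyed HMAC over the normalized email gives each participant a stable ID that cannot be reversed by hashing a list of known addresses. The study URL, key handling and function names are assumptions; only the participant_id parameter name comes from the guide.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: hypothetical study URL. Only the participant_id parameter
# name comes from the guide.
STUDY_URL = "https://research.example.com/i/study-42"


def pseudonymous_id(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalized email, truncated to 128 bits.

    A plain SHA-256 of an email can be reversed by hashing a list of known
    addresses; without the key that dictionary attack fails.
    """
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 32 bytes")
    normalized = email.strip().lower()  # one person -> one ID
    mac = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256)
    return "p-" + mac.hexdigest()[:32]


def interview_link(email: str, key: bytes, base_url: str = STUDY_URL) -> str:
    """Invite link that carries the pseudonymous ID, never the email."""
    query = urlencode({"participant_id": pseudonymous_id(email, key)})
    return f"{base_url}?{query}"


def resolve(pid: str, roster: list[str], key: bytes) -> str | None:
    """Controller-side lookup for access or erasure requests: re-derive IDs
    from the roster, which is stored apart from the transcripts."""
    for email in roster:
        if hmac.compare_digest(pseudonymous_id(email, key), pid):
            return email
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice, load from a secrets manager
    roster = ["Ana.Silva@example.com", "jo@example.org"]  # constructed data
    link = interview_link(roster[0], key)
    pid = parse_qs(urlsplit(link).query)["participant_id"][0]
    print(link)
    print("resolved:", resolve(pid, roster, key))
```

Pseudonymized records remain personal data for as long as the key and roster exist, so both belong under the same retention schedule as the study they serve.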
Retention: how long is "as long as necessary"?
GDPR says you can keep personal data only as long as you need it for the stated purpose. For research, common retention bands are:
- 30 days for raw audio recordings (used only for transcription verification).
- 6–12 months for transcripts (long enough for follow-up analysis and report iteration).
- 12–24 months for de-identified themes and aggregated insights (those usually don't qualify as personal data once anonymized).
Koji lets you set per-study retention. Configure it in the study settings, and Koji automatically purges raw conversations on schedule while keeping the aggregated report intact.
Right to withdraw, access, port, and delete
Every participant must be able to:
- Withdraw consent at any time, including mid-study.
- Access the personal data you hold about them.
- Receive a portable copy in a common format.
- Request deletion (right to erasure).
Operationally:
- Provide a single email address ([email protected]) in the intake notice.
- Train CS or the research team to action these requests within 30 days.
- Use Koji's exporting research data feature to produce a participant-specific export when a Subject Access Request comes in.
- Use the delete-interview action in the study admin to remove a participant's session and transcript.
Document each request and the response date for audit purposes.
Sub-processors and cross-border transfers
The biggest GDPR question with AI research is: which third parties touch the data, and where are they?
Koji discloses every sub-processor on its public sub-processor page (cloud host, LLM provider, transcription provider, email delivery, etc.). For EU customers, key points:
- Data residency: studies can be configured to keep transcripts within the EU; LLM inference may happen in a US region under Standard Contractual Clauses with additional safeguards.
- Bring Your Own Key (BYOK): enterprise customers can route LLM calls through their own contracted OpenAI / Anthropic accounts so the LLM relationship is direct. See bring your own key.
- DPA on file: Koji signs a Data Processing Agreement on request for any plan.
- No training on customer data: Koji's LLM contracts disable training on customer prompts and outputs.
If your organization has strict residency rules (financial services, public sector), discuss BYOK and EU-region routing during procurement.
DPIA: do you need one?
A Data Protection Impact Assessment is mandatory under Art. 35 when processing is "likely to result in a high risk" to participants. Most simple AI user research (voluntary, no sensitive categories, anonymized output) doesn't cross that threshold. You should run a DPIA if:
- You're collecting health data, sexual orientation, political views, or other Art. 9 special categories.
- You're researching vulnerable groups (children, patients, employees in power-imbalanced contexts).
- The interview is mandatory (employees in mandatory feedback, customers tied to service access).
- The AI makes any consequential decision automatically.
For everything else, document the lawful basis, consent flow, and retention in a lightweight Record of Processing Activities (Art. 30) and you're typically covered.
How Koji compares to running AI research with raw ChatGPT
Some teams paste customer interview transcripts into raw ChatGPT to analyze them. Under GDPR, this is risky:
- Pasting personal data into a general-purpose ChatGPT account is a transfer to a sub-processor you may not have authorized.
- Free-tier ChatGPT trains on inputs by default.
- There's no DPA, no consent record, no retention policy, no deletion path.
Koji, in contrast, is purpose-built for compliant research: contracted LLM use with training disabled, consent records, per-study retention, deletion workflow, EU residency option, and a DPA available. See can I paste user interviews into ChatGPT for the deeper comparison.
Practical setup checklist for EU teams
Before publishing your first study:
- Draft a participant-facing privacy notice covering the seven elements above.
- Configure the Koji intake form to require explicit consent.
- Set per-study retention (audio, transcript, themes).
- Confirm your DPA is signed.
- If your DPO requires EU residency, request EU-region routing or enable BYOK.
- Document the lawful basis and retention in your Record of Processing Activities.
- Train CS / research on handling Subject Access Requests within 30 days.
With those seven steps, your AI user research program meets the GDPR bar without slowing discovery to a crawl.
Related Resources
- Intake forms and consent — configure GDPR-ready consent screens
- Research consent form templates — EU-ready notice language
- Personalized interview links — pseudonymize participants without losing context
- Bring your own key — route LLM calls through your own contracted account
- Exporting research data — produce Subject Access Request exports
- Can I paste user interviews into ChatGPT? A GDPR guide
- Structured questions guide — design briefs that minimize personal data collection