Agent Builder sends the text of conversations to whichever LLM provider you configured (OpenAI, Anthropic, xAI, Google, or Mistral). No conversation data is retained by Agentic beyond a 30-day period. To maintain your conversation history and audit log, data is kept for 30 days — any other data flows directly from your server to the LLM provider you choose.
If you enable an AI agent on your website’s front end, messages from your site visitors are also sent to your LLM provider. This has implications under GDPR and similar privacy laws if your site has EU visitors.
What Data Agent Builder Processes
Understanding exactly what data flows through Agent Builder is the first step toward GDPR compliance. The plugin handles three categories of data:
- Conversation content — The text of every message sent by users and responses from the AI assistant. This is transmitted to your configured LLM provider (e.g., OpenAI or Anthropic) via their API. Agentic does not intercept or store this content beyond the retention period you configure.
- Session and identity data — User ID (for logged-in users), session tokens, and timestamps are stored in your WordPress database to maintain conversation history and the audit log. For anonymous visitors, a session identifier is stored in a browser cookie.
- IP addresses — Visitor IP addresses are logged as part of the audit trail. You can enable IP anonymisation (last octet removed) in Settings → Security → Data & Privacy to reduce the identifiability of this data.
GDPR Settings
Agent Builder includes a dedicated GDPR configuration screen at Settings → Security → Data & Privacy. The key controls are:
- Chat history retention — Set how many days conversation history is kept before being automatically deleted. Default is 30 days. Set to 0 to disable history storage entirely.
- Audit log retention — Set how many days the audit log is retained. The audit log records which tools were used, by which agent, and which user triggered them.
- IP anonymisation — When enabled, the last octet of each visitor’s IP address is removed before storage (e.g., 192.168.1.123 becomes 192.168.1.0).
- Consent notice — Display a consent notice in the chat widget before a visitor’s first message is sent. The notice informs visitors that their messages will be processed by an AI system. Customise the text and require an explicit acknowledgement checkbox if needed.
Data Subject Rights
Under GDPR, individuals have the right to access, correct, and delete their personal data. Agent Builder supports these rights through:
- Data export — WordPress’s built-in personal data export tool (Tools → Export Personal Data) includes Agent Builder conversation history for any registered user.
- Data erasure — WordPress’s personal data erasure tool (Tools → Erase Personal Data) removes all Agent Builder conversation history and session data for the specified user.
- Manual deletion — Administrators can delete conversation history for any user directly from Agent Builder → Audit Log by filtering by user and deleting the relevant records.
Third-Party Data Processors
When a visitor sends a message to an AI agent on your site, that message is transmitted to the LLM provider you have configured. This makes your chosen LLM provider a data processor under GDPR. You must have a Data Processing Agreement (DPA) in place with them:
- OpenAI — DPA available at platform.openai.com. Enable zero data retention in your OpenAI account settings to prevent OpenAI from using API data for training.
- Anthropic — DPA available in the Anthropic console. API data is not used for training by default.
- Google Gemini — DPA covered by Google Cloud terms. Enable data processing controls in Google Cloud console.
- xAI / Mistral — Review their respective terms of service and DPA documentation.
For the full list of sub-processors used by the Agentic platform (including Google Cloud TTS for Text-to-Speech and other services), see the Subprocessors page.
Lawful Basis for Processing
As the site owner, you are the data controller. You must identify and document your lawful basis for processing visitor conversation data. The most common bases are:
- Legitimate interests — If the AI agent provides a service visitors would reasonably expect (e.g., a support chat), you may be able to rely on legitimate interests. Document your legitimate interests assessment (LIA).
- Consent — Use the consent notice feature to obtain explicit consent before processing begins. This is the most defensible basis for general-purpose chat agents.
- Contract performance — If the agent is used as part of a service delivery (e.g., answering questions about an order), contract performance may apply.
Read our GDPR & Data Protection Policy →
Frequently Asked Questions
Does Agentic store my visitors’ conversations on its servers?
No. Conversation content is stored only in your WordPress database, on your own server. Agentic’s infrastructure (used for TTS, image generation, and vector storage) does not retain conversation text. The only data transmitted to Agentic’s servers is anonymised usage telemetry (feature flags, error reports) if you have not opted out of that in Settings.
Can I use Agent Builder if my site has EU visitors?
Yes, but you must take steps to ensure compliance. At minimum: (1) enable the consent notice so visitors acknowledge AI processing before chatting, (2) sign a DPA with your LLM provider, (3) update your privacy policy to disclose AI chat processing, and (4) ensure your LLM provider’s data processing region is acceptable under your jurisdiction’s transfer rules.
How do I delete all chat history for a specific user?
Go to Tools → Erase Personal Data in your WordPress admin. Enter the user’s email address and submit an erasure request. WordPress will process the request and Agent Builder will remove all conversation history, session data, and audit log entries associated with that email. For anonymous visitors, data can be deleted from Agent Builder → Audit Log filtered by session ID or date range.
Does enabling a front-end chat widget automatically mean I need consent?
Not automatically — it depends on your lawful basis. If you rely on consent as your basis, yes, you must present the consent notice before processing. If you rely on legitimate interests and your LIA supports it, a privacy notice (in your site’s privacy policy) disclosing AI processing may suffice. Consult a GDPR-qualified legal professional if you are unsure which basis applies to your use case.
Are conversations sent to the AI provider encrypted in transit?
Yes. All API calls from Agent Builder to LLM providers (OpenAI, Anthropic, Google, etc.) are made over HTTPS with TLS 1.2 or higher. No conversation content is transmitted in plaintext. Your server must have a valid SSL certificate; Agent Builder will not fall back to HTTP for API calls.