Seranoa
← All articles
AI Governance5 min read

The Data Your AI Holds Is Still Your Problem

Deploying an AI agent doesn't transfer your GDPR obligations. Here's what you actually own, and what that means in practice.

You set up an AI agent to handle inbound messages. It works. Leads get answered at midnight, appointments get booked, nothing falls through the cracks. You move on.

Then someone asks: where does that conversation go?

And you realize you don't actually know.

Let's be direct about what GDPR means when an AI is involved in your client conversations. Not the legal theory — the practical reality, for a solo professional running a small business in 2026.

When a lead sends a message through your website, your Instagram, your intake form — and your AI agent picks it up — that interaction contains personal data. A name. An email. A phone number. Sometimes a situation: I'm going through a divorce and need to sell the apartment. That's sensitive. That's regulated. And it doesn't stop being regulated just because a machine read it first.

You are what GDPR calls the data controller. The AI platform — Seranoa, or anyone else — is a data processor. The distinction matters more than most people realize.

As the controller, you decide why data is collected and what it's used for. As the processor, we follow your instructions and handle the infrastructure. But here's the part that gets quietly ignored: you can't delegate the accountability. You can delegate the work. Not the responsibility.

What this actually looks like in practice

Say a prospect reaches out on a Tuesday evening. Your agent responds, qualifies the lead, asks a few questions. That exchange — their name, their need, their contact details — gets stored somewhere. The question isn't whether you have a system. The question is whether you can answer the following:

  • Who has access to that data?
  • How long is it kept?
  • What happens if that person asks you to delete it?
  • Can you actually delete it?

If you can't answer those four questions cleanly, you have a compliance gap. Not a theoretical one. A real one, the kind that becomes a problem the moment a client gets annoyed and decides to exercise their rights.

And clients are increasingly aware they have rights. The right to access their data. The right to correction. The right to erasure. The right to know an automated system was involved in processing their information.

That last one is underestimated. GDPR's Article 22 covers automated decision-making. If your AI is doing more than just responding — if it's scoring leads, prioritizing who you call back first, flagging someone as unqualified — that starts to look like automated decision-making with meaningful consequences. You need a lawful basis for that. And in some cases, you need to disclose it.

The contracts nobody reads until something goes wrong

Every AI platform you use should have a Data Processing Agreement — a DPA — in place with you. This isn't optional under GDPR. It's required whenever a processor handles personal data on your behalf.

At Seranoa, we provide one. Most reputable platforms do. But I've talked to real estate agents, consultants, coaches who have no idea whether they've signed one. They clicked through onboarding and moved on.

If you're using any AI tool that touches client data — conversation data, lead data, intake data — check that a DPA exists. If it doesn't, or if the vendor can't tell you where your data is stored and who can access it, that's information you need before the next message comes in.

The part I think about the most

Compliance frameworks are written for large organizations with legal teams. Most of the professionals I work with are running everything themselves. They don't have a DPO. They don't have a compliance officer. They have a calendar, a phone, and a business to grow.

So the standard advice — conduct a DPIA, maintain records of processing activities, appoint a representative — lands like it was written for someone else.

But the underlying intent isn't complicated. It's this: know what data you collect, know why, know where it goes, and be able to explain it if someone asks.

If your AI agent is a black box to you — messages go in, appointments come out, and you have no visibility on anything in between — that's a governance problem disguised as a productivity win.

The tool should work for you. That means you need to understand what it's doing well enough to defend it.

At Seranoa, the conversations our agents handle stay visible. You can audit what was said. You can see what data was collected and why. You can delete a contact and know it's actually gone.

That's not a feature. That's the baseline.

If you're evaluating any AI agent platform for your practice — yours, a competitor's, ours — ask those four questions before you ask about pricing. The answers will tell you more than the demo.

Want to see how Seranoa handles your inbox while you focus on what matters?

Book a Free Call
RGPDconformitédonnées personnellesIA conversationnellegouvernance