GDPR and AI Memory: What You Need to Know
If you're building AI applications that serve European users, GDPR compliance is essential. Here's what you need to know about AI memory systems.
Key GDPR Principles
1. Lawful Basis
You need a legal basis to process personal data:
2. Purpose Limitation
Data collected for one purpose can't be used for another without consent.
3. Data Minimization
Only collect and store what you need.
AI-Specific Considerations
Training Data
If you use personal data to train AI models, you need consent or another lawful basis.
Automated Decisions
Users have the right to human review of decisions made purely by AI.
Right to Erasure
Users can request deletion of their data. This includes:
PiyAPI GDPR Features
```javascript
// `client` is an initialised PiyAPI client; `userId` identifies the data subject.

// Delete the user's data, including the vector embeddings derived from it
await client.memories.deleteByNamespace({
  namespace: `user_${userId}`,
  includeEmbeddings: true,
});

// Export the user's data (portability). `export` is a reserved word in
// JavaScript, so the result has to be bound to a different name.
const exported = await client.memories.export({
  namespace: `user_${userId}`,
  format: 'json',
});
```
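The two calls above are usually combined into a single right-to-erasure handler: export first so the user gets their portable copy, then delete the namespace with embeddings included, verify nothing is left, and write an audit entry. The example below is added here and is not PiyAPI's own code. `makeFakeClient` is a constructed stand-in for the PiyAPI client so the code runs offline; only `memories.export` and `memories.deleteByNamespace` mirror the calls on the page, and the return shapes, `residualCount`, `handleErasureRequest` and `SAMPLE_MEMORIES` are all assumptions.

```javascript
// Added example, not PiyAPI's own code. Wires export + deleteByNamespace into a
// right-to-erasure handler. The fake client's internal behaviour is assumed.

// Constructed sample data: one namespace per user, each memory text plus its vector.
const SAMPLE_MEMORIES = {
  user_42: [
    { text: 'prefers vegetarian recipes', embedding: [0.12, 0.91] },
    { text: 'lives in Berlin', embedding: [0.44, 0.07] },
  ],
  user_7: [{ text: 'unrelated user, must be untouched', embedding: [0.5, 0.5] }],
};

function makeFakeClient(seed) {
  // Copy the seed so each client has its own store.
  const store = new Map(
    Object.entries(seed).map(([ns, rows]) => [ns, rows.map((r) => ({ ...r }))]),
  );
  return {
    memories: {
      async export({ namespace, format }) {
        // The portable copy contains the memory text only; vectors are not user-readable.
        const rows = (store.get(namespace) ?? []).map(({ text }) => ({ text }));
        return format === 'json' ? JSON.stringify(rows) : rows;
      },
      async deleteByNamespace({ namespace, includeEmbeddings }) {
        const rows = store.get(namespace) ?? [];
        if (includeEmbeddings) {
          store.delete(namespace);
        } else {
          // Assumed failure mode: the text is dropped but the vectors linger, and a
          // vector can still be matched back to what the user said.
          store.set(namespace, rows.map(({ embedding }) => ({ embedding })));
        }
        return { deleted: rows.length };
      },
    },
  };
}

// Count records still present in a namespace, using only the export call.
async function residualCount(client, namespace) {
  return JSON.parse(await client.memories.export({ namespace, format: 'json' })).length;
}

async function handleErasureRequest(client, userId, auditLog) {
  const namespace = `user_${userId}`;
  // 1. Portability: hand the user their copy before anything is destroyed.
  const exported = JSON.parse(await client.memories.export({ namespace, format: 'json' }));
  // 2. Erasure: text and embeddings go together; an embedding is still personal data.
  const { deleted } = await client.memories.deleteByNamespace({
    namespace,
    includeEmbeddings: true,
  });
  // 3. Verify, and fail loudly rather than report a deletion that did not happen.
  const residual = await residualCount(client, namespace);
  if (residual !== 0) throw new Error(`erasure incomplete for ${namespace}: ${residual} left`);
  // 4. Audit: record the event without copying the erased content into the log.
  auditLog.push({ event: 'erasure', namespace, deleted, at: new Date().toISOString() });
  return { exported, deleted };
}
```

The ordering matters: an export issued after the delete returns nothing, and a delete without `includeEmbeddings: true` leaves vectors that can be matched back to the original text. The verification step turns a silent partial deletion into a failed request, which is what an audit trail needs to show.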
Getting Compliant
1. Sign our [DPA](/dpa)
2. Enable EU data residency (Enterprise)
3. Configure retention policies
4. Enable audit logging
See our [compliance dashboard](/settings/safety) for more.