AI-hosted websites and GDPR: what a non-lawyer needs to know
A plain, factual guide to GDPR for a small AI-built website: what counts as personal data, the three places a generated site collects it, why where the data sits matters, and the short list you can actually act on. Not legal advice.
If an AI built your website and you are about to put it online, GDPR probably feels like a wall of legal text written for companies much bigger than yours. Most of it is. But the parts that reach a small marketing site, a portfolio or a local shop page are few, concrete and understandable without a law degree. This post explains those parts in plain language: what the regulation is actually about, the three places a generated site touches personal data, why the location of that data matters, and a short list you can act on today.
A note before anything else: this is factual background, not legal advice. It is written to help you ask the right questions, not to replace a professional when your situation genuinely needs one.
What GDPR is, in one paragraph
The General Data Protection Regulation is the EU law that governs how anyone handles the personal data of people in the EU. Its core idea is simple and reasonable: personal data belongs to the person it is about, and if you collect or process it, you take on responsibilities to handle it carefully, transparently and for a clear purpose. It applies to you if you have visitors or customers in the EU, regardless of where you or your host are based. A one-person business with a contact form is in scope, just at a far smaller scale than a bank.
What counts as personal data
Personal data is any information that can identify a living person, directly or indirectly. On a small website, the identifiers that turn up in practice are narrower than people fear but broader than they expect:
- A name and email address typed into a contact or newsletter form. The clearest case.
- An IP address. This is the one that surprises people. Under GDPR an IP address is personal data, which means anything that logs visitor IPs, most notably analytics, is processing personal data even if no one ever fills in a form.
- Anything in a message field. A visitor might type their phone number, their address or details about themselves into a free-text box. You are now holding that too.
If your site collects none of these, your obligations are light. The moment it collects any of them, the sensible parts of GDPR start to apply, and for an AI-generated site they almost always do, because of where that collection hides.
The three places a generated site collects data
An AI-built site looks like one static thing, but it typically touches personal data in three specific spots, and AI tools tend to wire up all three by default without mentioning it.
- Forms. The contact form is a data collection point by definition. The question is where the submission goes. AI tools often connect a generated form to a third-party handler the model knew about, which means visitor data flows to a company you never chose, possibly outside the EU.
- Analytics. Generated sites frequently arrive with a tracking snippet included, unasked. Because visitor IPs are personal data, the analytics provider becomes a processor of your visitors' data, and its location and rules become part of your compliance picture.
- Embedded third-party content. Fonts loaded from an external provider, a map embed, a video player. Each one can quietly send the visitor's IP to another company as the page loads.
The pattern is the same in all three: the AI made a convenient default choice, and that choice silently added a processor of personal data that you are now responsible for. The first practical GDPR task for any AI-built site is to find these three spots and know exactly where each one sends data.
Why where the data sits matters
GDPR does not forbid sending data outside the EU, but it treats such transfers as something that needs a legal basis and paperwork, because once data leaves the EU it can fall under other countries' laws, including ones that let authorities compel access. Keeping the processing inside the EU is the posture that avoids the whole transfer question. It is not a legal requirement in every case, but it is the simplest way to stay clearly on the right side of the line, and for a small business with EU customers it removes an entire category of risk and homework.
This is why the location of your host, your form handler and your analytics is not a technicality. Three EU processors are a short, clean story. One EU host plus a US form handler plus a US analytics provider is three different jurisdictions stitched into one small website, each of which you would have to account for if anyone ever asked. The concrete difference between "the files sit in the EU" and "everything about the site sits in the EU" is worth understanding before you launch.
The short list you can actually act on
For a typical small AI-built site, honest and proportionate compliance comes down to a handful of steps, none of which require a lawyer:
- Find your three data points. List every form, every analytics snippet and every external embed, and note where each sends data. This is an hour of looking, and it is the single most useful thing you can do.
- Prefer EU processors and first-party tools. A forms relay and analytics provided by your host, running in the EU, collapse two of the three risks into your existing hosting relationship. First-party privacy-preserving analytics also tends to sidestep the cookie-banner question entirely.
- Write a plain privacy notice. Say what you collect, why, and who processes it. Honesty in plain language beats a copied legal template you do not understand.
- Only collect what you need. The safest data is the data you never gathered. If a form does not need a phone number, do not ask for one.
- Get a real answer on where things run. Ask your host, in writing, where the site and its data actually sit, and whether a Data Processing Agreement is available. A vague answer is itself an answer.
Where AI-Hosted fits, factually
AI-Hosted is powered by VibeDeploy and operated by Serso BV, a Belgian company (enterprise number BE0899100423, registered at Bosstraat 52, 3560 Lummen, Belgium), on infrastructure inside the EU. That means the site's files, the account and deploy data, the forms relay and the analytics all run within EU jurisdiction under an EU operator, which is what turns two of the three data points above into a single-jurisdiction story rather than a scattered one. Who runs the platform, and under which entity, is set out on the about page.
Because forms deliver through the platform's own relay and analytics are first-party and privacy-preserving, an AI-built site hosted here starts from the shorter list by default rather than inheriting a chatbot's third-party choices. The wider context of how a generated site becomes a properly operated one is in what is an AI-hosted website, and the operational readiness pass that sits next to the privacy pass is in what to check before you put an AI-generated site in front of customers.
Plans are flat at 15, 39 or 129 euro per month including VAT, on the pricing page, with a 14-day free trial that needs no card. GDPR for a small AI-built site is not a legal project. It is a short inventory and a few sensible defaults, decided once, instead of inherited by accident. If your situation is genuinely complex, that is exactly the point at which a real professional is worth the call.
Put your AI-built site on a real domain
AI-Hosted, powered by VibeDeploy, runs your AI-built website on European infrastructure with a custom domain, automatic SSL, forms and analytics. The 14-day trial needs no card.
Related reading
What to check before you put an AI-generated site in front of customers
The site looks finished in the preview. Before customers see it, seven things have to be true: working forms, real analytics, HTTPS, uptime, backups, correct metadata and a tested rollback. The production checklist.
Custom domains for AI-built websites: how it actually works
A preview link is not an address you own. What a custom domain is, how DNS and automatic SSL turn an AI-built site into a real one, and why the domain is the step that makes a launch count.
What is an AI-hosted website?
A plain definition of AI-hosted websites, five questions that decide whether a site is really online, and the preview-link cases that fail the test.