Free tool

Is your chatbot compliant with Law 25 and GDPR?

Check what you already do: the tool computes your compliance level and lists the items to fix first. Self-assessment in 2 minutes, no sign-up.

Your checklist

Check each measure already in place. "Critical" items weigh more.

    The higher the score, the more your setup covers the common requirements of Law 25 and GDPR.

    ⚖️ Disclaimer: this checker provides an indicative self-assessment to spot the most common gaps. It is not legal advice. For a full review, consult a professional or the Commission d'accès à l'information (Law 25) and the CNIL (GDPR).

    A chatbot built for compliance

    ChatDirect hosts your data 100% in Canada, with a privacy-by-design approach — for a chatbot compliant with Law 25 and GDPR.

    Does a chatbot need to be Law 25 compliant?

    Yes. As soon as a chatbot collects personal information — a name, an email, a message — it falls under Quebec's Law 25 and Europe's GDPR. The key obligations: consent, privacy policy, controlled hosting, access and deletion rights, and incident handling.

    The most commonly missed requirements

    Three gaps come up constantly among SMBs: no person responsible for the protection of personal information has been designated (although Law 25 makes this mandatory), consent is implicit rather than clear, and data is hosted abroad with no control over the transfer.

    Why local hosting simplifies everything

    Hosting data in Canada — as ChatDirect does — avoids transfers to foreign servers and removes much of the risk. Combined with a privacy-by-design approach, it's the foundation of a compliant chatbot.

    FAQ

    Does a chatbot need to be Law 25 compliant?

    Yes, as soon as it collects personal information (name, email, message). It must then respect consent, privacy policy, controlled hosting, access/deletion rights and incident handling.

    What does Law 25 require of an SMB?

    Designate a responsible person for the protection of personal information, publish a privacy policy, obtain clear consent, ensure privacy by default and manage confidentiality incidents.

    Where should data be hosted to comply with Law 25?

    Ideally in Canada. Law 25 regulates communication of information outside Quebec; local hosting avoids transfers to foreign servers and simplifies compliance, as it does for GDPR.

    Does this checker replace legal advice?

    No. It's an indicative self-assessment to spot common gaps. For a full review, consult a professional or the Commission d'accès à l'information.