Deployer Compliance Guide
This guide is for organizations and individuals who deploy bots using the Mendelbot platform. It explains your compliance obligations under the EU AI Act and GDPR.
Your Role
When you use Mendelbot to create and deploy bots:
| Regulation | Your Role | Mendelbot's Role |
|---|---|---|
| EU AI Act | Deployer | Provider |
| GDPR | Data Controller (for your end users) | Data Processor |
This means you have direct obligations toward the people who interact with your bots.
EU AI Act Obligations
1. AI Literacy (Article 4) — In effect since Feb 2, 2025
You must ensure that anyone in your organization who operates or manages AI systems has a sufficient understanding of how they work.
What this means for you:
- Understand the basics of how Mendelbot's AI works (see How Mendelbot Uses AI)
- Be aware of AI limitations (hallucination, inconsistency, context limits)
- Know what data is sent to AI model providers
- Train any staff who interact with or manage your bots
How to document compliance:
- Keep a record of who reviewed this guide and when
- A simple internal note or spreadsheet is sufficient
- Formal certifications are not required
2. Transparency (Article 50) — Applies from Aug 2, 2026
Your bots must inform end users that they are interacting with an AI system.
What this means for you:
- Configure your bot to include an AI disclosure in its first message or greeting
- Make it clear that responses are AI-generated, not human-written
- The disclosure is not required if it's already obvious the user is talking to a bot (e.g., a clearly labeled bot account on Discord)
Suggested disclosure text:
For direct chat bots:
This is an AI-powered assistant. Responses are generated by artificial
intelligence and may not always be accurate. For important matters,
please verify information independently.
For group/moderation bots:
This group uses an AI-powered bot for [purpose]. Messages may be
processed by AI. Use /privacy for details.
Mendelbot features to help:
- Agent greeting messages (configurable per agent)
- The /help command mentions AI-powered assistance
- Platform bot profiles can be labeled as bots
3. Risk Assessment
If you use Mendelbot bots for any of the following purposes, they may fall under the high-risk category and require additional compliance measures:
| Use Case | EU AI Act Category | Additional Obligations |
|---|---|---|
| Customer service chatbot | Limited risk | Transparency only |
| Internal knowledge assistant | Limited risk | Transparency only |
| HR/recruitment screening | High risk (Annex III) | Conformity assessment, human oversight, logging |
| Credit or insurance assessment | High risk (Annex III) | Conformity assessment, human oversight, logging |
| Law enforcement support | High risk (Annex III) | Conformity assessment, human oversight, logging |
| Educational assessment/grading | High risk (Annex III) | Conformity assessment, human oversight, logging |
If your use case is high-risk, you must conduct a conformity assessment and implement human oversight measures. Contact legal counsel for guidance specific to your situation.
Mendelbot is designed for limited-risk conversational use cases. Using it for high-risk purposes is your responsibility and may require measures beyond what the platform provides.
GDPR Obligations
As the data controller for your end users, you must:
1. Inform Users About Data Collection
Your bot should tell users what data is collected and why. Options:
- First-message notice
- /privacy command
- Link to your privacy policy
2. Provide Data Deletion
Users have the right to have their data deleted. Options:
- /delete command (built into Mendelbot)
- Manual deletion on request (within 30 days)
3. Have a Legal Basis
You need a legal basis for processing user data:
- Legitimate interest: Providing the service the user initiated
- Contract: If the user agreed to terms before using the bot
- Consent: If you collect data beyond what's needed for the service
4. Data Processing Agreement
By using Mendelbot, you agree to the data processing terms in our Terms of Service. Mendelbot processes end-user data solely to provide the service on your behalf.
5. Sub-Processors
Mendelbot uses the following sub-processors:
| Sub-Processor | Purpose | Data Sent | Location |
|---|---|---|---|
| Regolo | LLM responses (open-source models) | Message content, conversation context | EU (Italy) — fully EU company |
| OVH | Server hosting (VPS) | All application data | EU (France) — fully EU company |
| Cloudflare | CDN, DNS, DDoS protection | Web traffic (proxied) | Global (US company, EU PoPs) |
| Ollama (self-hosted) | Embeddings | Message content | Same server (no external transfer) |
All AI model processing is handled by Regolo, an Italian company operating entirely within the EU. Regolo does not retain prompts or responses after processing. No user message content is sent to US-based AI providers.
Compliance Checklist
Before Deploying a Bot
- Understand how the AI model works (review AI Transparency)
- Classify your use case (limited risk vs. high risk)
- Configure an AI disclosure message for your bot
- Set up a privacy notice or /privacy command response
- Ensure the /delete command is enabled
- Have a privacy policy that covers AI-processed data
- Document your AI literacy review (who read this guide, when)
If You Have Employees Managing Bots
- Share this guide and the AI Transparency page with them
- Record the training in your AI literacy log
- Ensure they understand the AI model's limitations
- Designate who handles data deletion requests
Ongoing
- Review this guide when Mendelbot announces changes to AI models or features
- Keep your privacy policy updated if you change AI providers or use cases
- Monitor your bot's behavior for unexpected outputs
- Respond to user data requests within 30 days
Templates
Privacy Notice for Your Bot
Privacy Notice: This bot is powered by Mendelbot, an AI assistant platform.
What we collect: Your messages and conversation history.
Why: To provide AI-powered responses to your questions.
AI processing: Your messages are processed by open-source AI models hosted
in the EU to generate responses.
Retention: Conversations are retained for [your retention period].
Your rights: Use /delete to erase your data, or contact [your contact info].
More info: [link to your privacy policy]
AI Disclosure (First Message)
Hi! I'm [bot name], an AI-powered assistant. My responses are generated
by artificial intelligence and may not always be perfect. For important
decisions, please verify information independently.
How can I help you today?
AI Literacy Training Record
AI Literacy Record - [Your Organization]
| Date | Person | Material Reviewed |
|------------|-------------|--------------------------------------|
| YYYY-MM-DD | [Name] | Mendelbot AI Transparency page |
| YYYY-MM-DD | [Name] | Mendelbot Deployer Compliance Guide |
| YYYY-MM-DD | [Name] | [Any additional training] |
Questions
If you have questions about your compliance obligations:
- Review the AI Transparency page for technical details
- Consult the EU AI Act full text for legal requirements
- Seek legal advice for high-risk use cases or complex situations
- Contact Mendelbot support for platform-specific questions
This guide is informational and does not constitute legal advice. Consult qualified legal counsel for compliance questions specific to your organization and jurisdiction.
Last updated: February 2026