DEV Community

VoiceFleet

Originally published at voicefleet.ai

Building a GDPR-Compliant AI Receptionist: What We Learned

If you're building any kind of AI voice agent for European healthcare, GDPR isn't optional — it's the foundation. Here's what we learned building an AI receptionist that handles real patient calls in Ireland.

The Challenge

An AI receptionist for a dental practice processes:

  • Voice data (recordings or real-time transcription)
  • Health data (appointment types, symptoms mentioned)
  • Personal data (names, phone numbers, DOBs)

Under GDPR, voice recordings and transcripts that reveal health information are special category data (Article 9). Ordinary Article 6 consent isn't enough: the processing is prohibited unless one of the Article 9(2) conditions applies, which in practice means explicit consent (Article 9(2)(a)) or the healthcare exemption (Article 9(2)(h), processing necessary for the provision of health care, under the professional duty of confidentiality required by Article 9(3)).

Architecture Decisions That Matter

1. EU-only hosting

No data leaves the EU. Ever. We use EU-West infrastructure for everything: STT, LLM inference, TTS, and storage. This isn't just compliance theatre — it's a hard requirement.

Call → EU SIP endpoint → EU ASR → EU LLM → EU TTS → Caller
         ↕
    EU Database (encrypted at rest)

2. Minimal data retention

  • Call transcripts: auto-deleted after 30 days (configurable)
  • Voice recordings: only stored if practice explicitly enables it
  • Patient matching: uses fuzzy matching on name + DOB, never stores unnecessary identifiers
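One way the three retention rules above can be enforced in code, as an added example that is not VoiceFleet's code: an in-memory call store that drops the recording at write time unless the practice opted in, purges transcripts past the per-practice retention window, and resolves a caller to an internal patient ID by exact DOB plus fuzzy name, refusing to guess when two patients are plausible so the call can go to a human instead. The store, the config fields, the 0.85 similarity threshold and the sample patients are assumptions.

```python
"""Retention and data-minimisation rules for an AI receptionist's call store.

Added example, not VoiceFleet's code. The in-memory store, the config fields,
the 0.85 name-similarity threshold and the sample patients are assumptions;
the 30-day default and the opt-in recordings mirror the policy in the post.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from difflib import SequenceMatcher


@dataclass
class PracticeConfig:
    transcript_retention_days: int = 30   # configurable per practice
    store_recordings: bool = False        # recordings are opt-in


@dataclass
class CallRecord:
    call_id: str
    practice_id: str
    ended_at: datetime
    transcript: str | None = None
    recording_uri: str | None = None
    patient_id: str | None = None         # internal ID; the spoken name/DOB are never stored


@dataclass(frozen=True)
class Patient:
    patient_id: str
    full_name: str
    dob: date


class CallStore:
    def __init__(self, configs: dict[str, PracticeConfig]):
        self.configs = configs
        self.records: dict[str, CallRecord] = {}

    def save(self, rec: CallRecord, recording_uri: str | None = None) -> CallRecord:
        """Persist a call; the recording is dropped at write time unless opted in."""
        cfg = self.configs[rec.practice_id]
        rec.recording_uri = recording_uri if cfg.store_recordings else None
        self.records[rec.call_id] = rec
        return rec

    def purge_expired(self, now: datetime) -> list[str]:
        """Blank transcripts and recordings older than the practice's window.

        Run this from a scheduled job; it returns the IDs it touched so the
        purge run can itself be audited.
        """
        purged = []
        for rec in self.records.values():
            cfg = self.configs[rec.practice_id]
            cutoff = now - timedelta(days=cfg.transcript_retention_days)
            if rec.ended_at <= cutoff and (rec.transcript or rec.recording_uri):
                rec.transcript = None
                rec.recording_uri = None
                purged.append(rec.call_id)
        return purged


def _norm(name: str) -> str:
    """Fold case and accents so ASR output and the roster compare on equal terms."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())


def match_patient(spoken_name: str, spoken_dob: date, roster: list[Patient],
                  threshold: float = 0.85) -> str | None:
    """Resolve a caller to a patient_id, or None if there is no confident, unique match.

    DOB must match exactly; the name tolerates ASR misspellings. If two patients
    with that DOB both clear the threshold the function refuses to guess, which
    is the cue to hand the call to a human rather than book against the wrong file.
    """
    scored = sorted(
        (SequenceMatcher(None, _norm(spoken_name), _norm(p.full_name)).ratio(), p.patient_id)
        for p in roster if p.dob == spoken_dob
    )
    scored.reverse()  # best first
    if not scored or scored[0][0] < threshold:
        return None
    if len(scored) > 1 and scored[1][0] >= threshold:
        return None
    return scored[0][1]


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    store = CallStore({"dental-1": PracticeConfig()})
    now = datetime.now(timezone.utc)
    store.save(CallRecord("c1", "dental-1", now - timedelta(days=31), transcript="..."),
               recording_uri="s3://constructed/c1.wav")
    print("purged:", store.purge_expired(now))
    roster = [Patient("p1", "Siobhán Ó Briain", date(1990, 5, 4))]
    print("match:", match_patient("siobhan o briain", date(1990, 5, 4), roster))
```

Dropping the recording in `save` rather than in the purge job matters: if the practice later turns recordings on, nothing captured while they were off can reappear. The ambiguity rule in `match_patient` is the data-minimisation counterpart of the "transfer to human" escape hatch, since the alternative to refusing is storing more identifiers to disambiguate.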

3. Real-time consent

The AI introduces itself as an AI assistant at the start of every call, and patients can opt out and be transferred to a human at any point. That covers the part of the Articles 13-14 transparency duties that belongs on the call itself (who, or what, the patient is talking to); the rest of the required information (controller identity, purposes, retention period, the patient's rights) still has to reach the patient through the practice's privacy notice.

4. Data Processing Agreements

The practice is the data controller; we're the processor. The Article 28 data processing agreement is baked into the terms, not a separate document you have to request.

The EU AI Act Angle

The EU AI Act adds another layer. It entered into force in August 2024 and applies in stages: the transparency duty for AI that interacts with people (Article 50) and most high-risk obligations apply from 2 August 2026. AI systems in healthcare aren't automatically "high-risk" under the Act, but an AI that influences appointment scheduling decisions could be classified that way depending on interpretation.

Our approach: build as if we're high-risk (documentation, human oversight, bias testing) even if the final classification says otherwise.

Practical Tips for Devs

  1. Don't use US-based STT/TTS APIs for EU healthcare — even with an adequacy decision in place, the optics are terrible and supervisory authorities (Ireland's DPC among them) are aggressive
  2. Log everything about your AI's decisions — not the patient data, but why the AI did what it did
  3. Build the "transfer to human" escape hatch first — regulators love seeing it
  4. DPIA before launch — Data Protection Impact Assessment isn't optional for this kind of processing
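Tips 2 and 3 together, as an added example that is not VoiceFleet's code: a per-turn router in which a request for a human is checked before any other intent and low confidence also hands over, plus a JSON decision log that records intent, confidence, action and a fixed reason label under an HMAC-pseudonymised call reference, and refuses free-text fields that look like a phone number, date of birth or e-mail address. The intent labels, opt-out phrases, confidence floor and log layout are assumptions made for illustration.

```python
"""Decision audit log and human escape hatch for one turn of an AI receptionist.

Added example, not VoiceFleet's code. The intent labels, opt-out phrases,
confidence floor and log layout are assumptions made for illustration. The
point is that every log line says why the agent acted (intent, confidence,
action, reason) and never what the patient said.
"""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

# Checked before any other intent: the escape hatch always wins.
OPT_OUT_PHRASES = ("speak to a person", "speak to a human", "real person", "receptionist")
MIN_CONFIDENCE = 0.6  # below this the agent hands over rather than guessing

# Free-text fields of a log entry are rejected if they look like patient data.
PII_PATTERNS = [
    re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b"),  # dates of birth
    re.compile(r"\+?\d[\d\s]{7,}\d"),                 # phone numbers
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),           # e-mail addresses
]


@dataclass(frozen=True)
class Decision:
    action: str       # "transfer_human" | "book" | "clarify"
    intent: str
    confidence: float
    reason: str       # fixed label chosen by code, never the caller's words


def classify(utterance: str) -> Decision:
    """Toy keyword router standing in for the LLM; opt-out is tested first."""
    text = utterance.lower()
    if any(p in text for p in OPT_OUT_PHRASES):
        return Decision("transfer_human", "opt_out", 1.0, "caller asked for a human")
    if "appointment" in text or "book" in text:
        return Decision("book", "book_appointment", 0.9, "booking keywords matched")
    return Decision("clarify", "unknown", 0.3, "no intent matched")


def route(utterance: str) -> Decision:
    """Apply the confidence floor: what the agent is unsure about goes to a human."""
    d = classify(utterance)
    if d.action != "transfer_human" and d.confidence < MIN_CONFIDENCE:
        return Decision("transfer_human", d.intent, d.confidence, "below confidence floor")
    return d


def call_ref(call_id: str, key: bytes) -> str:
    """Pseudonymous reference that joins the lines of one call without exposing its ID."""
    return hmac.new(key, call_id.encode(), hashlib.sha256).hexdigest()[:16]


def decision_log_entry(call_id: str, key: bytes, turn: int, d: Decision) -> str:
    """One JSON line per turn. Raises if a free-text field carries patient data."""
    for text in (d.intent, d.reason):
        if any(p.search(text) for p in PII_PATTERNS):
            raise ValueError("decision log must not contain patient data")
    entry = {
        "call_ref": call_ref(call_id, key),
        "turn": turn,
        "intent": d.intent,
        "confidence": d.confidence,
        "action": d.action,
        "reason": d.reason,
    }
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample turns; the key would come from a secrets store in practice.
    key = b"constructed-demo-key"
    turns = ["Hi, I need to book an appointment",
             "um, sorry, what?",
             "Can I just speak to a person?"]
    for i, said in enumerate(turns, start=1):
        print(decision_log_entry("call-0001", key, i, route(said)))
```

The reason strings are labels the code picks, so the log can be shipped to a long-retention audit store without the transcript's retention clock applying to it; the PII check is a guard against a future change that pastes the utterance into a field. Keying the call reference with an HMAC rather than a plain hash keeps someone with the logs alone from confirming a guessed call ID.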

We built VoiceFleet to handle all of this out of the box for dental practices and restaurants. Happy to answer questions in the comments.
