Privacy Policy & GDPR Compliance
  • 6 Minutes to read
  • Comments
  • Dark

Privacy Policy & GDPR Compliance

  • Comments
  • Dark

At Tidio, we take your data privacy and security very seriously. We're prepared for the European General Data Protection Regulation (GDPR), which came into force on May 25th, 2018.

In this article, you'll learn:

Take a look at our Privacy Policy page to learn more. 

Is Tidio GDPR compliant?

Yes, we are fully compliant with GDPR since May 25th, 2018!

What exactly is GDPR?

The General Data Protection Regulation (GDPR) is the result of years of work by the European Union to unify and strengthen data protection for all citizens within EU borders.

GDPR gives you more control over how your data is used, while to us, it will constitute a change of the legal environment in which we operate. That makes this change desirable and very beneficial to both parties, regardless of it being mandatory.

Our company has done everything to ensure that our product, policies, and procedures are compliant with those regulations after May 25th, 2018.

Feel free to have a read from the official GDPR description here.

How does GDPR work?

First of all, GDPR affects and applies to every single organization that processes the personal data of EU citizens, whether kept within the EU or outside of it. Any person-related information that can be used to identify is subject to GDPR regulation, and its job is to ensure that processing any personal data (collecting, transferring, storage, and use) is made in the most secure way possible.

GDPR is in place to prevent any kind of data leakage or violation and will ensure that every company maximizes its security around customers' data.

What has Tidio done to be compliant?

We want to focus on giving you the tools to choose what you wish to do with the data and to what extent you wish to provide or process it.

We went through the lengthy audit alongside our attorneys and GDPR advisors,  which ensures that we're fully compliant.

What do I need to do?

Make sure that your Terms of Service and Privacy Policy properly communicate to your customers how exactly you are using Tidio. If you collect personal data from your customers and process them via our app, you should inform your customers about their entitlements under GDPR. We recommend you ensure your policies and internal documentation are up-to-date and as clear as possible. You can use this template in terms of your website:

This website is using Tidio, a chat platform that connects users with the customer support of [your company name]. We are collecting email addresses/names/phone numbers [remove based on your Pre-Chat Survey settings] only with the consent of the users, in order to start the chat. The messages and data exchanged are stored within the Tidio application. For more information, please refer to their Privacy Policy.
[Your company name] is not making use of these messages or data other than to follow up on users’ registered issues or inquiries. Your personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR).

For customers concerned with their local laws regarding IP addresses being shown. The IP is only saved if the visitor starts a chat with you, and you can add a consent note before the chat is started. 

"I understand and acknowledge that [your_company_name] (with its registered office in [your_office_address]) is the controller of my personal data. I understand and acknowledge that any of my personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR)."

Other than that, we will not require anything to be done on your end; we want to make sure that this process is done as smoothly as possible for all parties involved.


A few examples of what GDPR requires imposes, or provide.

Expanded individual rights

GDPR grants expanded rights for individuals in the European Union by allowing them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their database.

How to observe the right to be forgotten in your Tidio panel? 

GDPR gives your website's visitors the right to be forgotten - that means that your visitors might ask you to delete all their information from your Tidio panel. 

You can delete all the data about the visitor by going to the Contacts section in your Tidio panel > selecting that visitor on the list > and clicking on the delete button.

How to delete all the contact's information


The following step will delete all the information that you have gathered about the visitor in your Tidio panel, such as an email address, name, chat conversation history, etc. 

Compliance obligations

GDPR requires all organizations to implement appropriate security policies, keep records on data activities, and enter into written agreements with vendors to make sure that data is protected.

If you'd like to sign a Data Processing Agreement with us, please write an email to with the subject line "DPA," and we'll send you an electronic document to sign.

Data breach notifications

GDPR requires organizations to report certain data breaches to data protection authorities and, under certain circumstances, to the affected data subjects.

New requirements for profiling and monitoring

GDPR imposes additional obligations on all organizations engaged in profiling or monitoring the behavior of EU individuals.

Increased Enforcement

GDPR provides a central point of enforcement for all organizations operating in the EU or processing data of EU individual member states by requiring companies to work with a supervisory authority for cross-border data protection issues.

Frequently Asked Questions

Q: What is the EEA?

A: The EEA (European Economic Area) is the area in which the Agreement on the EEA provides the free movement of persons, goods, services, and capital within the European Single Market, including the freedom to choose a residence in any country within this area. The EEA was established on January 1st, 1994, upon the EEA Agreement having come into force.

You can read more about the EEA in the article about the European Economic Area.

Q: Is Tidio responsible for the data processing on your clients' end?

A: Tidio is under no circumstances responsible for that, as it is our clients' choice to either be compliant or not. We suggest that they add a compliance field to their pre-chat Survey in order to be compliant with GDPR.

Q: Who is held responsible in the case of data leak or breach of privacy policy?

A: If the data leak or security breach happened on our end - we are fully responsible for it. However, we are not responsible for the actions taken by our clients when it comes to GDPR. We simply provide the means for them to communicate with their own customers, while the way they handle their compliance and data is their own responsibility.

Q: What do your cookies track?

A: Currently, cookies are not used under normal conditions, as we store most widget data in the localStorage. A full list of what is being tracked is listed in our privacy policy.

Q: Where are your data and applications stored?

A:  All our data is stored on servers located in EEA member counties.

Q:  Is your data ever moved outside of the EEA?

A: Any potential transfer of clients' personal data is limited strictly to data used for accounting purposes and is conducted to third-party countries that guarantee an appropriate level of personal data protection approved by the European Commission. On top of that, we comply with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. Please read more about it in our privacy policy.

Q: Do you transfer data between data centers?

A: No, we do not.

Q: Is your data encrypted at rest and in transit?

A: Data transfer is always processed with encrypted protocols and takes place on a private secure server. Data at rest is not encrypted.

Q: Who can access my data? Under what circumstances does that happen, and what do they see?

A: No unauthorized person has access to the data. Access is only granted to the technical team that is responsible for server stability. Access to those is highly monitored and tracked in our activity log, kept on a separate private server.


While we comply with the rules set in HIPAA, we don't have formal compliance documentation yet. This year, we have opened a dedicated office in the United States to be able to apply for it. We do not have any specific ETA for obtaining HIPAA compliance as we need to ensure all legal obligations are met by our company from the formal side. Thank you for your patience! 

If you still have some questions for our team after reading this article, don't hesitate to contact us.

Was this article helpful?