At Tidio, we take your data privacy and security very seriously. In today's increasingly digital world, security and privacy are two of the most critical concerns for individuals and businesses alike. As a popular live chat and chatbot platform, Tidio recognizes the importance of maintaining strong security and privacy policies to protect its users' sensitive information.
In this article, you'll learn:
- How Tidio is GDPR compliant
- What is GDPR
- How GDPR works
- What you need to do to be GDPR compliant
- California CIPA - How to ensure protection
- Is Tidio HIPAA compliant
- Data removal policy
Is Tidio GDPR compliant?
Yes, we are fully compliant with GDPR since May 25th, 2018!
What exactly is GDPR?
The General Data Protection Regulation (GDPR) is the result of years of work by the European Union to unify and strengthen data protection for all citizens within EU borders.
GDPR gives you more control over how your data is used, while to us, it will constitute a change of the legal environment in which we operate. That makes this change desirable and very beneficial to both parties, regardless of it being mandatory.
Our company has done everything to ensure that our product, policies, and procedures are compliant with those regulations after May 25th, 2018.
Feel free to have a read from the official GDPR description here.
How does GDPR work?
First of all, GDPR affects and applies to every single organization that processes the personal data of EU citizens, whether kept within the EU or outside of it. Any person-related information that can be used to identify is subject to GDPR regulation, and its job is to ensure that processing any personal data (collecting, transferring, storage, and use) is made in the most secure way possible.
GDPR is in place to prevent any kind of data leakage or violation and will ensure that every company maximizes its security around customers' data.
What has Tidio done to be compliant?
We want to focus on giving you the tools to choose what you wish to do with the data and to what extent you wish to provide or process it.
We went through the lengthy audit alongside our attorneys and GDPR advisors, which ensures that we're fully compliant.
What do I need to do?
[Your company name] is not making use of these messages or data other than to follow up on users’ registered issues or inquiries. Your personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR).
For customers concerned with their local laws regarding IP addresses being shown. The IP is only saved if the visitor starts a chat with you, and you can add a consent note before the chat is started.
"I understand and acknowledge that [your_company_name] (with its registered office in [your_office_address]) is the controller of my personal data. I understand and acknowledge that any of my personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR)."
Other than that, we will not require anything to be done on your end; we want to make sure that this process is done as smoothly as possible for all parties involved.
A few examples of what GDPR requires imposes, or provide.
Expanded individual rights
GDPR grants expanded rights for individuals in the European Union by allowing them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their database.
How to observe the right to be forgotten in your Tidio panel?
GDPR gives your website's visitors the right to be forgotten - that means that your visitors might ask you to delete all their information from your Tidio panel.
You can delete all the data about the visitor by going to the Contacts section in your Tidio panel > selecting that visitor on the list > and clicking on the delete button.
The following step will delete all the information that you have gathered about the visitor in your Tidio panel, such as an email address, name, chat conversation history, etc.
GDPR requires all organizations to implement appropriate security policies, keep records on data activities, and enter into written agreements with vendors to make sure that data is protected.
If you'd like to sign a Data Processing Agreement with us, please write an email to firstname.lastname@example.org with the subject line "DPA," and we'll send you an electronic document to sign.
Data breach notifications
GDPR requires organizations to report certain data breaches to data protection authorities and, under certain circumstances, to the affected data subjects.
New requirements for profiling and monitoring
GDPR imposes additional obligations on all organizations engaged in profiling or monitoring the behavior of EU individuals.
GDPR provides a central point of enforcement for all organizations operating in the EU or processing data of EU individual member states by requiring companies to work with a supervisory authority for cross-border data protection issues.
Frequently Asked Questions
Q: What is the EEA?
A: The EEA (European Economic Area) is the area in which the Agreement on the EEA provides the free movement of persons, goods, services, and capital within the European Single Market, including the freedom to choose a residence in any country within this area. The EEA was established on January 1st, 1994, upon the EEA Agreement having come into force.
You can read more about the EEA in the article about the European Economic Area.
Q: Is Tidio responsible for the data processing on your clients' end?
A: Tidio is under no circumstances responsible for that, as it is our clients' choice to either be compliant or not. We suggest that they add a compliance field to their pre-chat Survey in order to be compliant with GDPR.
A: If the data leak or security breach happened on our end - we are fully responsible for it. However, we are not responsible for the actions taken by our clients when it comes to GDPR. We simply provide the means for them to communicate with their own customers, while the way they handle their compliance and data is their own responsibility.
Q: What do your cookies track?
Q: Where are your data and applications stored?
A: All our data is stored on servers located in EEA member counties.
Q: Is your data ever moved outside of the EEA?
A: We are transferring the billing details of our customers to our subsidiary in the US - Tidio LLC, which has the same security level that Tidio Poland and needs to follow exactly the same policies that are in line with GDPR. Additionally, from a formal perspective, Tidio LLC has signed the appropriate SCC and DPA. This transfer is necessary for invoicing purposes
Some of our support agents are located outside EEA, they are required to sign our Data Security Policy + DPA + SCC. This transfer is necessary to provide support 24h a day. To learn more, see a document explaining the SCC (Standard Contractual Clauses) and DPA agreement.
Q: Do you transfer data between data centers?
A: No, we do not.
Q: Is your data encrypted at rest and in transit?
A: Data transfer is always processed with encrypted protocols and takes place on a private secure server. Data at rest is not encrypted.
Q: Who can access my data? Under what circumstances does that happen, and what do they see?
A: No unauthorized person has access to the data. Access is only granted to the technical team that is responsible for server stability. Access to those is highly monitored and tracked in our activity log, kept on a separate private server.
California CIPA - How to ensure protection
Please note that the following information is provided for general informational purposes only and should not be construed as legal advice.
If you're a website owner, you must be aware of a recent surge in class action lawsuits filed under the California Invasion of Privacy Act (CIPA), particularly concerning "live chat" functionality on customer-facing websites. CIPA was enacted in 1967 to address privacy concerns, including wiretapping, eavesdropping, and non-consensual call recording.
The latest wave of CIPA lawsuits is being filed under Section 631, titled "Wiretapping," which makes it unlawful to tap into any telegraph or telephone wire, line, or cable without the consent of all parties to the communication. Unlike its federal counterpart, CIPA does not require proof of actual damages, which has made it an appealing option for plaintiffs.
To avoid being targeted with a lawsuit under CIPA, website operators should take steps to minimize the risk:
- Use Secure Chat Services: Website owners should ensure the chat service is secure and encrypted to protect user data. They should also ensure that Third-party vendors should be vetted to ensure they comply with all applicable data privacy laws and provide secure services.
- Monitor Compliance: It is important to monitor compliance with wiretapping statutes and other applicable data privacy laws. Regular audits should be conducted to ensure that all third-party vendors and chat services comply with the company's data privacy policies.
Following these guidelines, website owners can minimize the legal risk associated with chat feature usage and provide a secure and transparent user experience.
While we comply with the rules set in HIPAA, we don't have formal compliance documentation yet. This year, we have opened a dedicated office in the United States to be able to apply for it. We do not have any specific ETA for obtaining HIPAA compliance as we need to ensure all legal obligations are met by our company from the formal side. Thank you for your patience!
Data removal policy
Due to different factors, such as exchanging personal information during a conversation, your customer may want to ask for the deletion of a chat, their order data, or other information they provided you with.
Removing orders data from Tidio
To fully remove data about your clients’ orders from your Tidio account, you need to uninstall our app from your store. You can find detailed instructions on how to do it here.
Your Shopify clients’ data in Tidio
By default, data about your clients is not automatically sent to Tidio. However, if you manually imported your clients' data to Tidio - you can manually delete it directly from the contacts section of your panel.
Deleting your account
Under Article 17 of the UK GDPR, you have the right to have personal data erased.This is also known as the ‘right to be forgotten’. The right only applies to data held when the request is received.
To have your data erased - you need to delete your Tidio account. To entirely delete your Tidio account, you need to be a project owner of the account. To continue with the deletion procedure, head to the Settings > Project & Billing > Preferences section, where you'll see a red delete project button.
You'll delete the whole project from our database, together with the operators, by clicking on the delete project button.
If you’d like our team to delete the account for you - please contact us email@example.com