At Tidio, we take your data privacy and security very seriously. In today's increasingly digital world, security and privacy are two of the most critical concerns for individuals and businesses alike. As a popular live chat and flow platform, Tidio recognizes the importance of maintaining strong security and privacy policies to protect its users' sensitive information.
In this article, you'll learn:
- How Tidio is GDPR compliant
- What GDPR is
- How GDPR works
- What you need to do to be GDPR compliant
- Privacy Policy - Frequently Asked Questions
- California CIPA - How to ensure protection
- Florida FSCA - How to ensure protection
- Is Tidio HIPAA compliant
- Data removal policy
Take a look at our Privacy Policy page to learn more.
Is Tidio GDPR compliant?
Yes, we have been fully compliant with GDPR since May 25th, 2018!
What exactly is GDPR?
The General Data Protection Regulation (GDPR) is the result of years of work by the European Union to unify and strengthen data protection for all citizens within EU borders.
GDPR gives you more control over how your data is used, while to us, it will constitute a change of the legal environment in which we operate. That makes this change desirable and very beneficial to both parties, regardless of it being mandatory.
Our company has done everything to ensure that our product, policies, and procedures are compliant with those regulations after May 25th, 2018.
Feel free to have a read from the official GDPR description here.
How does GDPR work?
First of all, GDPR affects and applies to every single organization that processes the personal data of EU citizens, whether that data is kept within the EU or outside of it. Any person-related information that can be used to identify an individual is subject to GDPR regulation, and its job is to ensure that any processing of personal data (collecting, transferring, storing, and using it) is done in the most secure way possible.
GDPR is in place to prevent any kind of data leakage or violation and will ensure that every company maximizes its security around customers' data.
What has Tidio done to be compliant?
We want to focus on giving you the tools to choose what you wish to do with the data and to what extent you wish to provide or process it.
We went through the lengthy audit alongside our attorneys and GDPR advisors, which ensures that we're fully compliant.
What do I need to do?
Make sure that your Terms of Service and Privacy Policy properly communicate to your customers how exactly you are using Tidio. If you collect personal data from your customers and process them via our app, you should inform your customers about their entitlements under GDPR. We recommend you ensure your policies and internal documentation are up-to-date and as clear as possible. You can use this template in terms of your website:
This website is using Tidio, a chat platform that connects users with the customer support of [your company name]. We are collecting email addresses/names/phone numbers [remove based on your Pre-Chat Survey settings] only with the consent of the users, in order to start the chat. The messages and data exchanged are stored within the Tidio application. For more information, please refer to their Privacy Policy.
[Your company name] is not making use of these messages or data other than to follow up on users' registered issues or inquiries. Your personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR).
For customers concerned with their local laws regarding IP addresses being shown. The IP is only saved if the visitor starts a chat with you, and you can add a consent note before the chat is started.
"I understand and acknowledge that [your_company_name] (with its registered office in [your_office_address]) is the controller of my personal data. I understand and acknowledge that any of my personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR)."
Other than that, we will not require anything to be done on your end; we want to make sure that this process is done as smoothly as possible for all parties involved.
Examples
A few examples of what GDPR requires, imposes, or provides.
Expanded individual rights
GDPR grants expanded rights to individuals in the European Union, including, amongst other things, the right to be forgotten and the right to request a copy of any personal data an organization stores about them.
How to observe the right to be forgotten in your Tidio panel?
GDPR gives your website's visitors the right to be forgotten - that means that your visitors might ask you to delete all their information from your Tidio panel.
You can delete all the data about the visitor by going to the Contacts section in your Tidio panel > selecting that visitor on the list > and clicking on the delete button.
The following step will delete all the information that you have gathered about the visitor in your Tidio panel, such as an email address, name, chat conversation history, etc.
Compliance obligations
GDPR requires all organizations to implement appropriate security policies, keep records on data activities, and enter into written agreements with vendors to make sure that data is protected.
If you'd like to sign a Data Processing Agreement with us, please write an email to support@tidio.net with the subject line "DPA," and we'll send you an electronic document to sign.
Data breach notifications
GDPR requires organizations to report certain data breaches to data protection authorities and, under certain circumstances, to the affected data subjects.
New requirements for profiling and monitoring
GDPR imposes additional obligations on all organizations engaged in profiling or monitoring the behavior of EU individuals.
Increased enforcement
GDPR provides a central point of enforcement for all organizations operating in the EU or processing data of individuals in EU member states by requiring companies to work with a supervisory authority for cross-border data protection issues.
Frequently Asked Questions
Q: What is the EEA?
A: The EEA (European Economic Area) is the area in which the Agreement on the EEA provides the free movement of persons, goods, services, and capital within the European Single Market, including the freedom to choose a residence in any country within this area. The EEA was established on January 1st, 1994, upon the EEA Agreement having come into force.
You can read more about the EEA in the article about the European Economic Area.
Q: Is Tidio responsible for the data processing on your clients' end?
A: Tidio is under no circumstances responsible for that, as it is our clients' choice to either be compliant or not. We suggest that they add a compliance field to their Pre-Chat Survey in order to be compliant with GDPR.
Q: Who is held responsible in the case of data leak or breach of privacy policy?
A: If the data leak or security breach happened on our end - we are fully responsible for it. However, we are not responsible for the actions taken by our clients when it comes to GDPR. We simply provide the means for them to communicate with their own customers, while the way they handle their compliance and data is their own responsibility.
Q: What do your cookies track?
A: Currently, cookies are not used under normal conditions, as we store most widget data in localStorage. A full list of what is being tracked is in our privacy policy.
Q: Where are your data and applications stored?
A: All our data is stored on servers located in EEA member countries.
Q: Is your data ever moved outside of the EEA?
A: We are transferring the billing details of our customers to our subsidiary in the US, Tidio LLC, which has the same security level as Tidio Poland and needs to follow exactly the same policies that are in line with GDPR. Additionally, from a formal perspective, Tidio LLC has signed the appropriate SCC and DPA. This transfer is necessary for invoicing purposes.
Some of our support agents are located outside the EEA; they are required to sign our Data Security Policy, DPA, and SCC. This transfer is necessary to provide support 24 hours a day. To learn more, see the document explaining the SCC (Standard Contractual Clauses) and DPA agreement.
Q: Do you transfer data between data centers?
A: No, we do not.
Q: Is your data encrypted at rest and in transit?
A: Data transfer is always processed with encrypted protocols and takes place on a private secure server. Data at rest is also encrypted, shielding it from unauthorized access.
Q: Who can access my data? Under what circumstances does that happen, and what do they see?
A: No unauthorized person has access to the data. Access is only granted to the technical team that is responsible for server stability. Access to those is highly monitored and tracked in our activity log, kept on a separate private server.
California CIPA - How to ensure protection
Please note that the following information is provided for general informational purposes only and should not be construed as legal advice.
If you're a website owner, you must be aware of a recent surge in class action lawsuits filed under the California Invasion of Privacy Act (CIPA), particularly concerning "live chat" functionality on customer-facing websites. CIPA was enacted in 1967 to address privacy concerns, including wiretapping, eavesdropping, and non-consensual call recording.
The latest wave of CIPA lawsuits is being filed under Section 631, titled "Wiretapping," which makes it unlawful to tap into any telegraph or telephone wire, line, or cable without the consent of all parties to the communication. Unlike its federal counterpart, CIPA does not require proof of actual damages, which has made it an appealing option for plaintiffs.
To avoid being targeted with a lawsuit under CIPA, website operators should take steps to minimize the risk:
- Obtain consent
To comply with wiretapping statutes, website owners should obtain consent from all parties involved in chat conversations. This includes informing users that their conversations may be observed or recorded for quality assurance or analytical purposes. The best way to obtain consent is through an opt-in process where users must acknowledge and accept the terms of use before engaging in a chat conversation.
- Use secure chat services
Website owners should ensure the chat service is secure and encrypted to protect user data. Third-party vendors should also be vetted to ensure they comply with all applicable data privacy laws and provide secure services.
- Implement a privacy policy
Website owners should implement a privacy policy that clearly outlines the company's data collection practices, including how the chat conversations are monitored and recorded. The privacy policy should be easily accessible and prominently displayed on the website.
- Monitor compliance
It is important to monitor compliance with wiretapping statutes and other applicable data privacy laws. Regular audits should be conducted to ensure that all third-party vendors and chat services comply with the company's data privacy policies.
- Consult with legal counsel
Website owners should consult with legal counsel to ensure their chat feature usage complies with all applicable laws and regulations. Legal counsel can provide guidance on obtaining consent, implementing a privacy policy, and monitoring compliance with data privacy laws.
Following these guidelines, website owners can minimize the legal risk associated with chat feature usage and provide a secure and transparent user experience.
Florida FSCA - How to ensure protection
Please note that the following information is provided for general informational purposes only and should not be construed as legal advice.
If you operate a website accessible in Florida, you should be aware of the Florida Security of Communications Act (FSCA), a law that governs the interception and recording of oral and electronic communications within the state. Like California's CIPA, the FSCA aims to protect individuals from unauthorized monitoring and recording of their communications. Florida is a "two-party consent" state, which means that all parties to a communication must give their consent before it can be lawfully recorded or intercepted.
Below are some key recommendations to help ensure your website's chat functionality complies with the FSCA:
- Obtain consent
Prominently disclose monitoring: Similar to CIPA, FSCA requires that each person participating in the communication must be informed that their chat may be recorded or monitored.
Use clear opt-in mechanisms: Provide an unambiguous consent process. For instance, display a notice or checkbox that users must acknowledge before initiating a chat.
- Use secure chat services
Encryption and data protection: Choose chat platforms that offer encryption or secure protocols to protect the confidentiality of communications.
Vendor compliance: If you use third-party chat service providers, make sure they understand and agree to follow your data privacy and security requirements in compliance with FSCA and other applicable laws.
- Implement a comprehensive privacy policy
Be transparent about data collection: Clearly explain in your privacy policy how chat data is collected, stored, and used.
Prominent placement: Make the policy easy to find; place clear links or references on your chat window or in your website footer.
- Monitor and audit your practices
Regular reviews: Conduct periodic reviews or audits of your chat functionality to ensure ongoing compliance with FSCA requirements.
Vendor oversight: Verify that any external service providers remain compliant with your established privacy and security protocols.
- Implement logging and retention policies
Secure storage: Make sure that recorded chats are stored securely and access is restricted to authorized personnel only.
Retention schedules: Develop a clear data retention schedule; avoid storing chat logs longer than necessary.
- Consult with legal counsel
State-specific requirements: Florida's laws can differ significantly from other jurisdictions. A lawyer familiar with federal and Florida-specific privacy laws can help you navigate any nuances.
Updating policies and procedures: Seek legal advice before making changes to your website's chat features or data-handling practices.
By following these guidelines, you can reduce the risk of exposure to FSCA-related claims and provide a secure, transparent chat experience for users in Florida. Because privacy laws evolve and can vary by state, it is always wise to seek professional legal advice to ensure compliance with all applicable regulations.
HIPAA
While we comply with the rules set in HIPAA, we don't have formal compliance documentation yet. This year, we have opened a dedicated office in the United States to be able to apply for it. We do not have any specific ETA for obtaining HIPAA compliance as we need to ensure all legal obligations are met by our company from the formal side. Thank you for your patience!
Data removal policy
Due to different factors, such as exchanging personal information during a conversation, your customer may want to ask for the deletion of a chat, their order data, or other information they provided you with.
Removing orders data from Tidio
To fully remove data about your clients' orders from your Tidio account, you need to uninstall our app from your store. You can find detailed instructions on how to do it here.
Your Shopify clients' data in Tidio
By default, data about your clients is not automatically sent to Tidio. However, if you manually imported your clients' data to Tidio - you can manually delete it directly from the contacts section of your panel.
Deleting your account
Under Article 17 of the UK GDPR, you have the right to have personal data erased. This is also known as the "right to be forgotten". The right only applies to data held when the request is received.
To have your data erased - you need to delete your Tidio account. To entirely delete your Tidio account, you need to be a project owner of the account. To continue with the deletion procedure, head to the Settings > Project & Billing > Preferences section, where you'll see a red delete project button.
You'll delete the whole project from our database, together with the operators, by clicking on the Delete project button.
If you'd like our team to delete the account for you, please contact us at support@tidio.net.