
GDPR Compliance

Here at Tidio, we take your data privacy and security very seriously. We’re prepared for the European General Data Protection Regulation (GDPR), which came into force on May 25th, 2018.

Is Tidio GDPR compliant?

Yes, we are fully compliant with GDPR since May 25th, 2018!

What exactly is GDPR?

The General Data Protection Regulation (GDPR) is the result of years of work by the European Union to unify and strengthen data protection for all citizens within EU borders.

GDPR gives you more control over how your data is used, while to us it will constitute a change of the legal environment in which we operate. That makes this change desirable and very beneficial to both parties, regardless of it being mandatory.

Our company has done everything to ensure that our product, policies, and procedures are compliant with those regulations after May 25th, 2018.

Feel free to read the official GDPR description here.

How does GDPR work?

First of all, GDPR affects and applies to every single organisation that processes personal data of EU citizens, whether that data is kept within the EU or outside of it. Any person-related information that can be used to identify an individual is subject to GDPR regulation, and its job is to ensure that any processing of personal data (collecting, transferring, storage, and use) is done in the most secure way possible.

GDPR is in place to prevent any kind of data leakage or violation and will ensure that every company maximises their security around customers’ data.

What has Tidio done to be compliant?

We want to focus on giving you the tools to choose what you wish to do with the data and to what extent you wish to provide or process it.

We went through a lengthy audit alongside our attorneys and GDPR advisors, which ensures that we’re fully compliant.

What do I need to do?

Make sure that your Terms of Service and Privacy Policy properly communicate to your customers how exactly you are using Tidio. If you collect personal data from your customers and process them via our app, you should inform your customers about their entitlements under GDPR. We recommend you ensure your policies and internal documentation are up-to-date and as clear as possible. You can use this template in the terms of your website:


This website is using Tidio, a chat platform that connects users with the customer support of [your company name]. We are collecting email addresses/names/phone numbers [remove based on your Pre-Chat Survey settings] only with the consent of the users, in order to start the chat. The messages and data exchanged are stored within the Tidio application. For more information, please refer to their Privacy Policy.
[Your company name] is not making use of these messages or data other than to follow up on users’ registered issues or inquiries. Your personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR).


For customers concerned about local laws regarding the display of IP addresses: the IP address is only saved if the visitor starts a chat with you, and you can add a consent note before the chat is started.


“I understand and acknowledge that [your_company_name] (with its registered office in [your_office_address]) is the controller of my personal data. I understand and acknowledge that any of my personal data will be processed and transmitted in accordance with the General Data Protection Regulation (GDPR).”


Other than that we will not require anything to be done on your end; we want to make sure that this process is done as smoothly as possible for all parties involved.

A few examples of what GDPR requires, imposes, or provides:

Expanded individual rights

GDPR grants expanded rights for individuals in the European Union by allowing them, amongst other things, the right to be forgotten and the right to request a copy of any personal data an organisation stores about them.

Compliance obligations

GDPR requires all organisations to implement appropriate security policies, keep records on data activities, and enter into written agreements with vendors to make sure that data is protected.

If you’d like to sign a Data Processing Agreement with us, please write an email to [email protected] with the subject line “DPA” and we’ll send you an electronic document to sign.

Data breach notifications

GDPR requires organisations to report certain data breaches to data protection authorities and, under certain circumstances, to the affected data subjects.

New requirements for profiling and monitoring

GDPR imposes additional obligations on all organisations engaged in profiling or monitoring behaviour of EU individuals.

Increased Enforcement

GDPR provides a central point of enforcement for all organisations operating in the EU or processing the data of individuals in EU member states, by requiring companies to work with a supervisory authority for cross-border data protection issues.

Frequently Asked Questions

Q: What is the EEA?

A: The EEA (European Economic Area) is the area in which the Agreement on the EEA provides the free movement of persons, goods, services, and capital within the European Single Market, including the freedom to choose residence in any country within this area. The EEA was established on January 1st, 1994 upon the EEA Agreement having come into force.

You can read more about the EEA here.

Q: Is Tidio responsible for the data processing on your clients’ end?

A: Tidio is under no circumstances responsible for that, as it is our clients’ choice to either be compliant or not. We suggest that they add a compliance field to their Pre-Chat Survey in order to be compliant with GDPR.

Q: Who is held responsible in the case of data leak or breach of privacy policy?

A: If the data leak or security breach happened on our end, we are fully responsible for it. Otherwise, we are not responsible for the actions taken by our clients when it comes to GDPR. We simply provide the means for them to communicate with their own customers, while the way they handle their compliance and data is their own responsibility.

Q: What do your cookies track?

A: Currently, cookies are not used under normal conditions, as we store most widget data in the localStorage. A full list of what is being tracked is listed in our privacy policy.

Q: Where are your data and applications stored?

A: All our data is stored on servers located in EEA member countries.

Q: Is your data ever moved outside of the EEA?

A: Any potential transfer of clients’ personal data is limited strictly to data used for accounting purposes, and is conducted to third-party countries that guarantee an appropriate level of personal data protection approved by the European Commission. On top of that, we comply with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. Please read more about it in our privacy policy.

Q: Do you transfer data between data centres?

A: No, we do not.

Q: Is your data encrypted both at rest and in transit?

A: Data transfer is always processed with encrypted protocols and takes place on a private secure server. Data at rest is not encrypted.

Q: Who can access my data? Under what circumstances does that happen and what do they see?

A: No unauthorised person has access to the data. Access is only granted to the technical team that is responsible for server stability. Such access is closely monitored and tracked in our activity log, which is kept on a separate private server.

If you have any questions or doubts, please contact us via chat on our website or at [email protected]
