Data privacy & GDPR

Here you can find details about how Smartsupp handles personal data, our GDPR compliance and policies. To make things easy to understand, we wrote down frequently asked questions about data privacy and GDPR below.

What is GDPR?

GDPR (or the General Data Protection Regulation) is a directive from the European Union (EU) that sets rules on how companies shall process personal data of EU citizens. GDPR came into effect on May 25th, 2018.

If you have any questions about GDPR itself, you can find out detailed info here. It’s especially useful to read through the FAQ and see what constitutes personal data under GDPR. There are many other topics covered, as well.

Is Smartsupp GDPR compliant?

Yes, Smartsupp is GDPR compliant. That means it’s perfectly legal to use Smartsupp in European Union or any other country.

Does Smartsupp process personal data of my visitors?

It depends on how you use Smartsupp. But generally, yes. Visitors might fill personal data in pre-chat and offline form or during a chat conversation. Details about personal data processing can be found in our Data processing agreement (DPA).

Where does Smartsupp store personal data?  

Personal data are stored in Germany a member state of the European Union.

See point 5.3 and Appendix 3 of our Data processing agreement (DPA) for details.

Does Smartsupp use 3rd parties (sub-processors) for processing personal data? 

Yes. As any modern sofware company we use professional server hosting and cloud infrastructure providers to make sure our data is secured by the latest standards. See Appendix 3 of our Data processing agreement (DPA) for a list of sub-processors we use.

What kind of personal data of visitors are processed by Smartsupp?

That depends on how you use Smartsupp.

Smartsupp allows you to collect name, e-mail address and phone number of visitors via pre-chat and offline form.

Other than that, Smartsupp may collect various technical information as IP address (can be disabled in settings), pages browsed,  device type, browser type, screen resolution etc.

Additionally visitors can send any of their personal data in a chat conversation.

Details about what types of personal data we process can be found in Appendix 1 of our Data processing agreement (DPA).

Are there any types of personal data I am NOT allowed to collect via Smartsupp?

Yes, there are. You are NOT allowed to process any personal data as specified in Article 9 of GDPR directive. Such data include sensitive information about race, religion, medical information or payment information as credit card numbers. It’s your responsibility to ensure you don’t process sensitive personal data via Smartsupp.

Details about what types of personal data you are forbidden to process via Smartsupp can be found in Appendix 1 of our Data processing agreement (DPA).

Does Smartsupp process personal data of my employees?

If you have created agent accounts for your employees or you entered personal data of your employees inside Smartsupp, then yes. Typically that is email address used for login and name and photo of the employee visible to visitors when chatting.  Again, it depends what personal data of your employees you filled in Smartsupp yourself.

Do I need to have a DPA (data processing agreement) with Smartsupp?

Yes. When using Smartsupp you are legally bound by our Data processing agreement (DPA) which you can download here.

If would like to sign a custom DPA, contact us at

That depends on how you use Smartsupp.

a) I use personal data only for support purposes – if you use personal data of visitors collected via Smartsupp only for support purposes (answering visitor questions or resolving their issues), you don’t need to collect consent from visitors. Notice about personal data processing is shown to visitors in chat by default. It’s recommended you link that notice to your privacy policy where you specify how you process personal data of your visitors via Smartsupp.

b) I use personal data for other than support purposes – if you want to use collected personal data for other purpose then to provide support (e.g. for marketing purposes as sending newsletters), you need to collect voluntary consent from your visitors.

Does Smartsupp have a DPO (data protection officer)? 

We have appointed a Data Protection Officer to enhance data protection.  The Data Protection Officer at our company is Legitas s.r.o., IČO: 08870641, se sídlem Na Zderaze 1275/15, Nové Město, 120 00 Praha 2, za kterou jedná Mgr. Petra Stupková, general manager.

You can contact her at

How does Smartsupp secure personal data?

Smartsupp protects personal information with use of latest industry standards and security measures. is using SSL/TLS encryption and runs on secured https protocol. Details about data security can be found in Appendix 2 of our Data processing agreement (DPA).

Who owns personal data processed by Smartsupp? 

You own personal data collected via Smartsupp on your website. Under GDPR you are data controller, who solely owns data of your visitors and customers. Smartsupp is a processor of those data on your behalf.  This means you have control and also responsibility over personal data you process via Smartsupp.

What is Smartsupp doing to limit processing of personal data and improve privacy protection of my visitors? 

On 25th May we are taking following steps to ensure protection of personal data of visitors:

a) Tracking of IP addresses disabled – we have disabled tracking of IP addresses on all Smartsupp accounts. New accounts have tracking of IP addresses disabled by default. You can choose to re-enable it in Smartsupp settings.

b) Notice about personal data processing in chat – we show Notice about personal data processing to visitors in chat by default on all Smartsupp accounts. You should link the notice to your privacy policy, where you specify how you process personal data of your visitors in Smartsupp.

Do I have to inform to visitors on my website about processing of personal data via Smartsupp?

Yes. As you are Data Controller of any personal data processed via Smartsupp, you have to inform visitors about how you are processing the data. You need to specify following:

  • Who is Data Controller (you) and Data Processor (Smartsupp). List identification of each entity as company name, VAT ID and address. Details about Smartsupp can be found here.
  • What type of personal data are you processing? In other words, what data do you require from your visitors in Smartsupp chat (e.g. name, email address, date of birth, etc.).
  •  How long are you storing the processed personal data for? (see your chat history period in Smartsupp settings).
  • What is the purpose of processing of personal data? (In this case to provide customer support. If you want to use the personal data for other purpose, e.g. sending marketing emails, you need to collect consent from your visitors)
  • How can visitors contact you with request for listing or deletion of their personal data.

While using Smartsupp, temporary files, known as Cookie files, can be stored and processed. We do not store any personal data in cookies.

Cookies are associated with the domain where the widget is integrated. They help to identify the visitor and they are unique per domain (or subdomains).

Here you can find a specific description of Smartsupp cookies.

Functional cookies

Name Description Validity

The main purpose of this cookie is to identify the website’s visitors. Based on this we can pair the same visitors when the page is reloaded. This also helps visitors to not lose current conversation even after page reload, so they can continue where they finished without worrying to start again.

This allows us to display referer, browser info and visits count in visitor info in the dashboard.

6 months

Local Storage – persistent storage until it is deleted by an application or a user

Name Level 1 Name Level 2 / Description Description
_ss.enableSounds Stores user preference whether chat box should play sounds.
ssupp_<CHAT_KEY> Stores data related to visitor and user preferences. See stored values below: The message is triggered when your visitor sends a message.
message Stores messages that are in a draft so when the user reloads the page, the message should persist rather than get discarded.
opened Stores value of chat open / closed so when the user reloads the page, chat box will return to the previous state.
vid Same as ssupp.vid cookie.

Analytical cookies

When Smartlook recordings are used, the following cookies are stored.

Name  Description Validity
SL_C_23361dd035530_KEY project key This website uses Smartlook. Analytical tool that uses cookies, text files stored on your device, used to analyze your behavior on the website. These cookies provide a way to anonymously connect the visits of each visitor. Smartlook will use this information to provide insights into your usage of this website solely for the operator of this website. More information can be found at the Terms of Service and Privacy Policy directly on the Smartlook website. 2 years
SL_C_23361dd035530_SID current session ID 2 years
SL_C_23361dd035530_VID visitor ID 2 years

Marketing cookies

Name Description Validity
ssupp.visits This cookie is used to store the number of previous visits of the visitor. Based on this we can target them more accurately with auto messages and chatbots. 6 months

Local storage

Name Level 1 Name Level 2 / Description Description
ssupp_<CHAT_KEY> Stores data related to visitor and user preferences. See stored values below:
visits Same as ssupp.visits cookie. This is marketing information and it should not be enabled in case of consent is not given for marketing cookies.