Data privacy & GDPR

Here you can find details about how Smartsupp handles personal data, our GDPR compliance and policies. To make things easy to understand, we wrote down frequently asked questions about data privacy and GDPR below.

What is GDPR?

GDPR (or the General Data Protection Regulation) is a new directive from the European Union (EU) that sets rules on how companies shall process personal data of EU citizens. GDPR will come into effect on May 25, 2018, by which point all businesses in the EU have to become GDPR compliant.

If you have any questions about GDPR itself, you can find out detailed info here. It’s especially useful to read through the FAQ and see what constitutes personal data under GDPR. There are many other topics covered, as well.

Is Smartsupp GDPR compliant?

Yes, Smartsupp is GDPR compliant. That means it’s perfectly legal to use Smartsupp in the European Union or any other country.

Does Smartsupp process personal data of my visitors?

It depends on how you use Smartsupp. But generally, yes. Visitors might enter personal data in the pre-chat and offline forms or during a chat conversation. Details about personal data processing can be found in our Data processing agreement (DPA).

Where does Smartsupp store personal data?  

Personal data are stored in Germany and the Czech Republic. Both countries are member states of the European Union.

The only exception is transactional emails, such as offline emails or chat transcripts. We use Mandrill (a service of Mailchimp) for sending transactional emails, and Mandrill stores the data in the USA under the EU-US Privacy Shield.

See point 5.3 and Appendix 3 of our Data processing agreement (DPA) for details.

Does Smartsupp use 3rd parties (sub-processors) for processing personal data? 

Yes. Like any modern software company, we use professional server hosting and cloud infrastructure providers to make sure our data is secured by the latest standards. See Appendix 3 of our Data processing agreement (DPA) for the list of sub-processors we use.

What kind of personal data of visitors are processed by Smartsupp?

Again, that depends on how you use Smartsupp.

Smartsupp allows you to collect the name, e-mail address and phone number of visitors via the pre-chat and offline forms.

Other than that, Smartsupp may collect various technical information such as IP address (can be disabled in settings), pages browsed, device type, browser type, screen resolution etc.

Additionally, visitors can send any of their personal data in a chat conversation.

Details about what types of personal data we process can be found in Appendix 1 of our Data processing agreement (DPA).

Are there any types of personal data I am NOT allowed to collect via Smartsupp?

Yes. You are NOT allowed to process any personal data as specified in Article 9 of the GDPR directive. Such data include sensitive information about race, religion, medical information or payment information such as credit card numbers. It’s your responsibility to ensure you don’t process sensitive personal data via Smartsupp.

Details about what types of personal data you are forbidden to process via Smartsupp can be found in Appendix 1 of our Data processing agreement (DPA).

Does Smartsupp process personal data of my employees?

If you have created agent accounts for your employees or you entered personal data of your employees inside Smartsupp, then yes. Typically that is the email address used for login and the name and photo of the employee visible to visitors when chatting. Again, it depends on what personal data you entered in Smartsupp yourself.

Do I need to have a DPA (data processing agreement) with Smartsupp?

Yes. When using Smartsupp you are legally bound by our Terms of Service and Data processing agreement (DPA), which you can download here.

If you would like to sign a custom DPA, contact us at privacy@smartsupp.com.

That depends on how you use Smartsupp.

a) I use personal data only for support purposes – if you use personal data of visitors collected via Smartsupp only for support purposes (answering visitor questions or resolving their issues), you don’t need to collect consent from visitors. A notice about personal data processing is shown to visitors in chat by default. It’s recommended that you link that notice to your privacy policy, where you specify how you process personal data of your visitors via Smartsupp.

b) I use personal data for other than support purposes – if you want to use collected personal data for a purpose other than providing support (e.g. for marketing purposes such as sending newsletters), you need to collect voluntary consent from your visitors.

Does Smartsupp have a DPO (data protection officer)? 

Yes. Our DPO is David Houfek. You can contact him at dpo@smartsupp.com.

How does Smartsupp secure personal data?

Smartsupp protects personal information using the latest industry standards and security measures, uses SSL/TLS encryption and runs over the secured HTTPS protocol. Details about data security can be found in Appendix 2 of our Data processing agreement (DPA).

Who owns personal data processed by Smartsupp? 

You own the personal data collected via Smartsupp on your website. Under GDPR you are the data controller, who solely owns the data of your visitors and customers. Smartsupp is a processor of those data on your behalf. This means you have control over, and also responsibility for, the personal data you process via Smartsupp.

What is Smartsupp doing to limit processing of personal data and improve privacy protection of my visitors? 

On 25th May we are taking the following steps to ensure protection of personal data of visitors:

a) Tracking of IP addresses disabled – we have disabled tracking of IP addresses on all Smartsupp accounts. New accounts have tracking of IP addresses disabled by default. You can choose to re-enable it in Smartsupp settings.

b) Option to limit chat history – You can set for how long you want to store chat history (includes personal data of visitors) in Smartsupp settings. We limit storing of chat history on Free accounts to 3 months. All new paid accounts have 1 year chat history by default.

c) Notice about personal data processing in chat – we show Notice about personal data processing to visitors in chat by default on all Smartsupp accounts. You should link the notice to your privacy policy, where you specify how you process personal data of your visitors in Smartsupp.

Do I have to inform visitors on my website about processing of personal data via Smartsupp?

Yes. As you are the Data Controller of any personal data processed via Smartsupp, you have to inform visitors about how you are processing the data. You need to specify the following:

  • Who is Data Controller (you) and Data Processor (Smartsupp). List identification of each entity as company name, VAT ID and address. Details about Smartsupp can be found here.
  • What type of personal data are you processing? In other words, what data do you require from your visitors in Smartsupp chat (e.g. name, email address, date of birth, etc.).
  • How long are you storing the processed personal data for? (see your chat history period in Smartsupp settings).
  • What is the purpose of processing of personal data? (In this case to provide customer support. If you want to use the personal data for another purpose, e.g. sending marketing emails, you need to collect consent from your visitors)
  • How can visitors contact you with a request for listing or deletion of their personal data?

While using Smartsupp, temporary files known as cookies can be stored and processed. We do not store any personal data in cookies.

ssupp.vid – Visitor ID (expires in 6 months)
ssupp.chatid – Conversation ID (expires when browser is closed)
ssupp.group – last group of visitor (expires when browser is closed)
ssupp.opened – is chat box opened (expires when browser is closed)
ssupp.barclicked – When chat box is opened, needed for automatic messages (expires when browser is closed)
ssupp.message – stores content in text area if page is refreshed (expires when browser is closed)
ssupp.unreaded – Number of unread messages (expires when browser is closed)
ssupp.position – Position of chat box, if moved by visitor (expires when browser is closed)

If you are also using Smartlook recordings, these cookies can be stored:

SL_C_23361dd035530_KEY – Project key (expires in 2 years)
SL_C_23361dd035530_SID – Session ID that is assigned to each new session that is being recorded (expires in 2 years)
SL_C_23361dd035530_VID – Visitor ID, assigned to each new visitor (expires in 2 years)