Here you can find details about how Smartsupp handles personal data, our GDPR compliance and policies. To make things easy to understand, we wrote down frequently asked questions about data privacy and GDPR below.
GDPR (or the General Data Protection Regulation) is a directive from the European Union (EU) that sets rules on how companies shall process personal data of EU citizens. GDPR came into effect on May 25th, 2018.
If you have any questions about GDPR itself, you can find out detailed info here. It’s especially useful to read through the FAQ and see what constitutes personal data under GDPR. There are many other topics covered, as well.
Yes, Smartsupp is GDPR compliant. That means it’s perfectly legal to use Smartsupp in European Union or any other country.
It depends on how you use Smartsupp. But generally, yes. Visitors might fill personal data in pre-chat and offline form or during a chat conversation. Details about personal data processing can be found in our Data processing agreement (DPA).
Personal data are stored in Germany a member state of the European Union.
See point 5.3 and Appendix 3 of our Data processing agreement (DPA) for details.
Yes. As any modern sofware company we use professional server hosting and cloud infrastructure providers to make sure our data is secured by the latest standards. See Appendix 3 of our Data processing agreement (DPA) for a list of sub-processors we use.
That depends on how you use Smartsupp.
Smartsupp allows you to collect name, e-mail address and phone number of visitors via pre-chat and offline form.
Other than that, Smartsupp may collect various technical information as IP address (can be disabled in settings), pages browsed, device type, browser type, screen resolution etc.
Additionally visitors can send any of their personal data in a chat conversation.
Details about what types of personal data we process can be found in Appendix 1 of our Data processing agreement (DPA).
Yes, there are. You are NOT allowed to process any personal data as specified in Article 9 of GDPR directive. Such data include sensitive information about race, religion, medical information or payment information as credit card numbers. It’s your responsibility to ensure you don’t process sensitive personal data via Smartsupp.
Details about what types of personal data you are forbidden to process via Smartsupp can be found in Appendix 1 of our Data processing agreement (DPA).
If you have created agent accounts for your employees or you entered personal data of your employees inside Smartsupp, then yes. Typically that is email address used for login and name and photo of the employee visible to visitors when chatting. Again, it depends what personal data of your employees you filled in Smartsupp yourself.
Yes. When using Smartsupp you are legally bound by our Data processing agreement (DPA) which you can download here.
If would like to sign a custom DPA, contact us at email@example.com.
That depends on how you use Smartsupp.
b) I use personal data for other than support purposes – if you want to use collected personal data for other purpose then to provide support (e.g. for marketing purposes as sending newsletters), you need to collect voluntary consent from your visitors.
We have appointed a Data Protection Officer to enhance data protection. The Data Protection Officer at our company is Richard Schmidt, Attorney at Law. You can contact him at firstname.lastname@example.org.
Smartsupp protects personal information with use of latest industry standards and security measures. is using SSL/TLS encryption and runs on secured https protocol. Details about data security can be found in Appendix 2 of our Data processing agreement (DPA).
You own personal data collected via Smartsupp on your website. Under GDPR you are data controller, who solely owns data of your visitors and customers. Smartsupp is a processor of those data on your behalf. This means you have control and also responsibility over personal data you process via Smartsupp.
What is Smartsupp doing to limit processing of personal data and improve privacy protection of my visitors?
On 25th May we are taking following steps to ensure protection of personal data of visitors:
a) Tracking of IP addresses disabled – we have disabled tracking of IP addresses on all Smartsupp accounts. New accounts have tracking of IP addresses disabled by default. You can choose to re-enable it in Smartsupp settings.
b) Option to limit chat history – You can set for how long you want to store chat history (includes personal data of visitors) in Smartsupp settings. We limit storing of chat history on Free accounts to 3 months. All new paid accounts have 1 year chat history by default.
Yes. As you are Data Controller of any personal data processed via Smartsupp, you have to inform visitors about how you are processing the data. You need to specify following:
- Who is Data Controller (you) and Data Processor (Smartsupp). List identification of each entity as company name, VAT ID and address. Details about Smartsupp can be found here.
- What type of personal data are you processing? In other words, what data do you require from your visitors in Smartsupp chat (e.g. name, email address, date of birth, etc.).
- How long are you storing the processed personal data for? (see your chat history period in Smartsupp settings).
- What is the purpose of processing of personal data? (In this case to provide customer support. If you want to use the personal data for other purpose, e.g. sending marketing emails, you need to collect consent from your visitors)
- How can visitors contact you with request for listing or deletion of their personal data.
While using Smartsupp, temporary files, known as Cookie files, can be stored and processed. We do not store any personal data in cookies.
ssupp.vid – Visitor ID (expires in 6 months)
ssupp.chatid – Conversation ID (expires when browser is closed)
ssupp.group – last group of visitor (expires when browser is closed)
ssupp.opened – is chat box opened (expires when browser is closed)
ssupp.barclicked – When chat box is opened, needed for automatic messages (expires when browser is closed)
ssupp.message – stores content in text area if page is refreshed (expires when browser is closed)
ssupp.unreaded – Number of unread messages (expires when browser is closed)
ssupp.visits – number of previous visits, necessary to track for automatic messages (expires after 6 months)
AWSALB – generated by AWS (Amazon Web Services), needed for sending the requests to the server correctly (expires after 7 days)
AWSALBCORS – generated by AWS (Amazon Web Services), needed for sending the requests to the server correctly (expires after 7 days)
If you are also using Smartlook recordings, these cookies can be stored:
SL_C_23361dd035530_KEY – Project key (expires in 2 years)
SL_C_23361dd035530_SID – Session ID, that is assigned to each new session that is being recorded (expires in 2 years)
SL_C_23361dd035530_VID – Visitor ID, assigned to each new visitor (expires in 2 years)