Data privacy & GDPR

Here you can find details about how Smartsupp handles personal data, our GDPR compliance and policies. To make things easy to understand, we wrote down frequently asked questions about data privacy and GDPR below.

What is GDPR?

GDPR (or the General Data Protection Regulation) is a directive from the European Union (EU) that sets rules on how companies shall process personal data of EU citizens. GDPR came into effect on May 25th, 2018.

If you have any questions about GDPR itself, you can find out detailed info here. It’s especially useful to read through the FAQ and see what constitutes personal data under GDPR. There are many other topics covered, as well.

Is Smartsupp GDPR compliant?

Yes, Smartsupp is GDPR compliant. That means it’s perfectly legal to use Smartsupp in European Union or any other country.

Does Smartsupp process personal data of my visitors?

It depends on how you use Smartsupp. But generally, yes. Visitors might fill personal data in pre-chat and offline form or during a chat conversation. Details about personal data processing can be found in our Data processing agreement (DPA).

Where does Smartsupp store personal data?  

Personal data are stored in Germany a member state of the European Union.

See point 5.3 and Appendix 3 of our Data processing agreement (DPA) for details.

Does Smartsupp use 3rd parties (sub-processors) for processing personal data? 

Yes. As any modern sofware company we use professional server hosting and cloud infrastructure providers to make sure our data is secured by the latest standards. See Appendix 3 of our Data processing agreement (DPA) for a list of sub-processors we use.

What kind of personal data of visitors are processed by Smartsupp?

That depends on how you use Smartsupp.

Smartsupp allows you to collect name, e-mail address and phone number of visitors via pre-chat and offline form.

Other than that, Smartsupp may collect various technical information as IP address (can be disabled in settings), pages browsed,  device type, browser type, screen resolution etc.

Additionally visitors can send any of their personal data in a chat conversation.

Details about what types of personal data we process can be found in Appendix 1 of our Data processing agreement (DPA).

Are there any types of personal data I am NOT allowed to collect via Smartsupp?

Yes, there are. You are NOT allowed to process any personal data as specified in Article 9 of GDPR directive. Such data include sensitive information about race, religion, medical information or payment information as credit card numbers. It’s your responsibility to ensure you don’t process sensitive personal data via Smartsupp.

Details about what types of personal data you are forbidden to process via Smartsupp can be found in Appendix 1 of our Data processing agreement (DPA).

Does Smartsupp process personal data of my employees?

If you have created agent accounts for your employees or you entered personal data of your employees inside Smartsupp, then yes. Typically that is email address used for login and name and photo of the employee visible to visitors when chatting.  Again, it depends what personal data of your employees you filled in Smartsupp yourself.

Do I need to have a DPA (data processing agreement) with Smartsupp?

Yes. When using Smartsupp you are legally bound by our Data processing agreement (DPA) which you can download here.

If would like to sign a custom DPA, contact us at

That depends on how you use Smartsupp.

a) I use personal data only for support purposes – if you use personal data of visitors collected via Smartsupp only for support purposes (answering visitor questions or resolving their issues), you don’t need to collect consent from visitors. Notice about personal data processing is shown to visitors in chat by default. It’s recommended you link that notice to your privacy policy where you specify how you process personal data of your visitors via Smartsupp.

b) I use personal data for other than support purposes – if you want to use collected personal data for other purpose then to provide support (e.g. for marketing purposes as sending newsletters), you need to collect voluntary consent from your visitors.

Does Smartsupp have a DPO (data protection officer)? 

We have appointed a Data Protection Officer to enhance data protection.  The Data Protection Officer at our company is Richard Schmidt, Attorney at Law. You can contact him at

How does Smartsupp secure personal data?

Smartsupp protects personal information with use of latest industry standards and security measures. is using SSL/TLS encryption and runs on secured https protocol. Details about data security can be found in Appendix 2 of our Data processing agreement (DPA).

Who owns personal data processed by Smartsupp? 

You own personal data collected via Smartsupp on your website. Under GDPR you are data controller, who solely owns data of your visitors and customers. Smartsupp is a processor of those data on your behalf.  This means you have control and also responsibility over personal data you process via Smartsupp.

What is Smartsupp doing to limit processing of personal data and improve privacy protection of my visitors? 

On 25th May we are taking following steps to ensure protection of personal data of visitors:

a) Tracking of IP addresses disabled – we have disabled tracking of IP addresses on all Smartsupp accounts. New accounts have tracking of IP addresses disabled by default. You can choose to re-enable it in Smartsupp settings.

b) Notice about personal data processing in chat – we show Notice about personal data processing to visitors in chat by default on all Smartsupp accounts. You should link the notice to your privacy policy, where you specify how you process personal data of your visitors in Smartsupp.

Do I have to inform to visitors on my website about processing of personal data via Smartsupp?

Yes. As you are Data Controller of any personal data processed via Smartsupp, you have to inform visitors about how you are processing the data. You need to specify following:

  • Who is Data Controller (you) and Data Processor (Smartsupp). List identification of each entity as company name, VAT ID and address. Details about Smartsupp can be found here.
  • What type of personal data are you processing? In other words, what data do you require from your visitors in Smartsupp chat (e.g. name, email address, date of birth, etc.).
  •  How long are you storing the processed personal data for? (see your chat history period in Smartsupp settings).
  • What is the purpose of processing of personal data? (In this case to provide customer support. If you want to use the personal data for other purpose, e.g. sending marketing emails, you need to collect consent from your visitors)
  • How can visitors contact you with request for listing or deletion of their personal data.

While using Smartsupp, temporary files, known as Cookie files, can be stored and processed. We do not store any personal data in cookies.

Cookies are associated with the domain where the widget is integrated. They help to identify the visitor and they are unique per domain (or subdomains).

ssupp.vid – Visitor ID (expires in 6 months) Not considered as analytical. The main purpose of this cookie is to identify visitors and it is required for the widget to be loaded after refresh.
ssupp.visits – number of previous visits, necessary to track for automatic messages (expires after 6 months). These technical cookies are used to identify returning visitors. They count the number of previous visits and based on this information different automatic messages or chatbots can be triggered.

If you are also using Smartlook recordings, these cookies can be stored:

SL_C_23361dd035530_KEY – Project key (expires in 2 years)
SL_C_23361dd035530_SID – Session ID, that is assigned to each new session that is being recorded (expires in 2 years)
SL_C_23361dd035530_VID – Visitor ID, assigned to each new visitor (expires in 2 years)

As Smartlook is an analytical software, these cookies are considered to be analytical. Smartlook requires them to be able to convert visitors’ recordings into sessions that can be played in Smartlook.