Which Live Chat Applications are Ready for the GDPR?

I look at 15 popular Live Chat applications and assess their readiness for the GDPR.

Last updated: November 2018

In this article I look at 15 Live Chat applications and report their readiness for the GDPR. My report is based on information supplied by the provider. The content in this article is created for informational purposes only. I do not intend to provide legal or professional advice.

Before I get to the assessments, it's important to explain what the GDPR is and why it's relevant to lots of businesses. (You can jump to the assessment if you already know what the GDPR is.)


What is the GDPR?

The General Data Protection Regulation (GDPR) is a new EU data protection law which determines how companies use and protect EU citizens’ data. It comes into effect on May 25, 2018.

Does this apply to my company?

Any company holding or processing data of any person in the EU is affected by this regulation, regardless of where the company is based. Non-compliance could lead to a fine of 4% of global annual revenue, or EUR 20 million.

What does this have to do with Live Chat?

First, some terminology: Under the GDPR your customer is referred to as a Data Subject. As you are providing services directly to your customer, you are the Data Controller. When you use a software vendor (such as a Live Chat vendor) which processes your customer’s personal data, that software vendor is referred to as a Data Processor. Under the Data Protection Directive (which was the predecessor to the GDPR), the burden was on the Controller to ensure that their vendors satisfactorily followed data regulations. However, under the GDPR, the Processor is now also liable for non-compliance. The good news is that this means that live chat vendors have an incentive to bring their systems into line with the GDPR. The bad news is that it doesn’t mean that you can simply assume that they will do this, as you are only able to use Processors that provide sufficient guarantees that they are compliant (or at least will be by May 25th).

So I just need to find a GDPR-compliant Live Chat provider?

No. Live Chat is ultimately just a tool that you are hiring: you need to ensure that you are using it in a way that is compliant with the GDPR. For example, it is your responsibility to remove sensitive data shared by your customers via live chat even though the feature to do this is enabled by the provider.


GDPR Readiness Assessments

For each application I looked at, I attempted to find out the following:

  • Has the vendor published a plan stating how they are preparing for GDPR?
  • Are customers' rights under the GDPR covered by application features or processes? These rights include the right to erasure (aka the 'right to be forgotten'), the right to rectification and the right of access.
  • Has the vendor updated their Data Processing Agreements (DPAs) for GDPR?
  • Has the vendor appointed a Data Protection Officer?
  • Where data is stored outside the EU, has the vendor self-certified under the Privacy Shield programme?
  • Does the vendor meet industry standards for security, such as SOC 2, ISO 27001 or CSA?

Key

  • Implemented
  • Planned by May 25th
  • No information found
  • Not compliant
  • Privacy Policy
  • Security Standards

Summary of the Results

I looked at 15 Live Chat applications in total. All of the providers I looked at have published a statement on their website outlining their GDPR plan and their current status. The majority of applications appear to be compliant already. Only 1 provider is still working towards compliance as far as I can tell. The individual results are published below.


Crisp

GDPR-compliant

Crisp has published a page detailing exactly how they enforce the GDPR regulation to protect the user data they store.


  • Individuals' rights under the GDPR are enforced.
  • Access requests replied to in under 1 week (within the legal limit of 1 month).
  • Verified that their own data processors are GDPR-compliant.
  • Will notify their customers within a maximum of 24 hours after finding out about and fixing a data breach.
  • Data Protection Officer appointed.
  • All data (apart from connection logs) held on servers in the EU.
  • Privacy Policy

Zendesk Chat

GDPR-compliant

Zendesk provides information about how they meet GDPR regulation both at a company level as well as in their chat product.


  • Data Processing Agreement has been updated to include additional provisions required by the GDPR.
  • Zendesk will ensure customers are made aware of data breaches in accordance with GDPR time frames.
  • Self-certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield.
  • Customers can access personal data, rectify errors in it and delete it.
  • Zendesk has documented and implemented internal mechanisms for limiting the processing of personal data to only certain specified uses relating to Zendesk products and services.
  • Chat transcripts and Chat reporting data can be exported.
  • No information on whether a Data Protection Officer has been appointed.
  • Security and Privacy Policy

LiveAgent

GDPR-compliant

LiveAgent has published a page detailing how they enforce the GDPR regulation to protect the user data they store.


  • Data Protection Officer appointed, alongside a compliance team.
  • Can provide a signed Data Processing Agreement.
  • Reacts to data breaches immediately by notifying affected parties, the DPO and local institutions.
  • Data currently stored in UK data centres. Will be migrated to continental Europe by May 25th.
  • Customer data deletion requests processed without delay.
  • Data Processing Agreements signed with each sub-processor or subcontractor.
  • Provide features for customers to delete personal data held in profiles, tickets or accounts.
  • Security and Privacy Policy
  • ISO 27001

Intercom

GDPR-compliant

Intercom has published a help page summarising how they are GDPR compliant.


  • Data Processing Agreements have been updated to meet GDPR requirements.
  • Self-certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield.
  • Data Protection Officer appointed.
  • Has the necessary features for its customers to delete and export individual user data.
  • Privacy Policy
  • SOC 2, CSA

LiveChat

GDPR-compliant

LiveChat has published a page detailing their progress towards GDPR compliance.


  • Pre-chat survey feature gives you the ability to ask for data protection consent before a chat.
  • Self-certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield.
  • The product has the necessary features so that its customers can use it in a GDPR-compliant way.
  • Data Protection Officer appointed.
  • Data Processing Agreements updated.
  • Privacy Policy

Olark

GDPR-compliant

Olark has published a help page detailing how they comply with the GDPR.


  • Already has tools in place to address deletion and correction requests.
  • Self-certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield.
  • Data Processing Agreements in place.
  • No information on whether a Data Protection Officer has been appointed.
  • Privacy Policy

Userlike

GDPR-compliant

Userlike has published a blog post detailing how they enforce the GDPR regulation to protect the user data they store.


  • Includes features to enforce data privacy during chats.
  • Includes features for access to, export of and deletion of personal data.
  • Based on a GDPR-compliant infrastructure with personal data stored in the EU.
  • Data Processing Agreements in place.
  • Data Protection Officer appointed.
  • Security and Privacy Policy
  • ISO 27001

Drift

GDPR-compliant

Drift has published a page listing all of the actions that they have taken in order to be GDPR compliant.


  • Self-certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield.
  • Updated Data Processing Agreements are available for customers to sign upon request.
  • Customers can choose to capture consent from all customers, only EU customers, or none at all.
  • Admins can retrieve or delete end-user data. This can also be done via the API.
  • Data Protection Officer appointed.
  • Privacy Policy
  • SOC 2 in progress

HappyFox

GDPR-compliant

HappyFox has published a page detailing what they have implemented in order to become GDPR-compliant.


  • Self-certified under the EU-US Privacy Shield.
  • Data Protection Officer appointed.
  • Customers have data management tools in HappyFox Chat to manage personal data and consent.
  • Privacy Policy

HelpCrunch

GDPR-compliant

HelpCrunch has published a page detailing what they have implemented in order to become GDPR-compliant.


  • Includes features for access to, export of and deletion of personal data.
  • All data stored on the territory of the EU.
  • HelpCrunch has updated their Data Processing Agreement.
  • Users can export all the personal information held about them from the application.
  • Any errors or inaccuracies in personal data held by HelpCrunch will be changed within 30 days.
  • Upon request, HelpCrunch will provide an export of your data in a convenient format (CSV, JSON or XML).
  • Privacy Policy

Freshchat

GDPR-compliant

Freshworks (the company behind Freshchat) has published a page stating their commitment to being GDPR-compliant prior to the date GDPR goes into effect.


  • Self-certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield.
  • No information about progress on specific actions for GDPR-compliance although more information is available on request.
  • Privacy Policy
  • ISO 27001. SOC 2 in progress.

Smartsupp

GDPR-compliant

Smartsupp published a blog post listing all of their activities to prepare for the GDPR.


  • Personal data is stored in the European Union.
  • Privacy Policy lists all personal information being collected.
  • Data Processing Agreement updated.
  • Tools in place for customers to manage personal data and consent.
  • Data Protection Officer appointed.
  • Privacy Policy

SnapEngage

GDPR-compliant

SnapEngage has published a page announcing new features for easier GDPR compliance.


  • Self-certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield.
  • Accounts can on request be hosted on their EU servers.
  • Companies can request consent from their customers before they initiate a chat.
  • Admins can search for a visitor's email address and delete their data from chat logs.
  • Admins can set the appropriate data retention period for their organization.
  • No information on specific GDPR implementation details such as Data Protection Officers.
  • Privacy Policy

Zoho SalesIQ

GDPR-compliant

Zoho has published a page detailing how their features comply with the GDPR by default.


  • Visitors on the site will be notified that they are being tracked. The visitor can choose to allow or disallow tracking and continue browsing the website either way.
  • The visitor's consent must be received in order to store and process the information provided in the chat.
  • To ensure user privacy and data security, password protection is enabled by default for all attachments shared using SalesIQ.
  • One of Zoho SalesIQ's features uses a third-party service, Google Translate, to help associates translate text while chatting with the visitor. The visitor is informed when the associate is using Google Translate.
  • This option is available when emails are sent from the chat window or when chat is initiated through an email. The visitor will be asked to specifically opt in to continue.
  • The operator can choose to mask visitors' IP addresses to protect their privacy and avoid unnecessarily collecting personally identifiable information.
  • If credit card details are shared by the visitor on chat, they will be masked — not displayed on the screen — to ensure privacy.
  • Privacy Policy
  • ISO 27001, SOC 2.

Pure Chat

Compliance In Progress

Pure Chat has published a page detailing where they currently comply and what they're still working on.


  • Provide a feature to toggle the collection of website visitor information.
  • Have built features to allow the deletion of contacts, users and chat transcripts.
  • Data Processing Agreement updated.
  • No information on whether a Data Protection Officer has been appointed.
  • No information on updated Data Processing Agreements.
  • Not certified under the EU-US Privacy Shield or the Swiss-US Privacy Shield.
  • Privacy Policy

Article by Matt

I've developed AhoyLabs to help businesses like yours find the best software for your needs. My work is supported by affiliate commissions.


Article Updates

  • Nov 14, 2018 HelpCrunch, Zoho & SnapEngage updated
  • May 25, 2018 Update on GDPR-day
  • May 15, 2018 Updated Intercom information
  • May 01, 2018 First version