
GDPR

Frequently Asked Questions

01. What has LiveChat done about the GDPR?

We take our responsibilities under the GDPR seriously. That’s why we have taken steps to identify which measures we need to implement to be compliant with the GDPR. A quick summary of what we’ve done is available here: https://www.livechatinc.com/general-data-protection-regulation/

02. What organisation provides services and stores my data? Is LiveChat a data controller or a data processor?

Services are provided and your personal data are stored by LiveChat, Inc. (One International Place Suite 1400 Boston, MA 02110-2619 United States of America). You can contact us via chat or at: support@livechatinc.com. LiveChat is a data processor, since we do not decide the purposes of processing your data (including that of your users/visitors). It is you who decide to use our software, and thus you decide to supply us with the personal data to facilitate communication between you and your customers. We process the data only in order to provide, maintain and improve our services, as well as to secure your and our potential claims. In some exceptional cases LiveChat may also act as a data controller. This is explained fully in our Privacy Policy: http://www.livechatinc.com/privacy-policy/

03. What data does LiveChat process?

When you register on one of our product websites (www.livechatinc.com, www.chat.io, www.botengine.ai, www.knowledgebase.ai), we ask you to provide information such as: first name, last name, company business name, address, website address, e-mail address and credit/payment card information. This is the basic data we process and store. We also store your chat content and the information you ask your clients for in a pre-chat survey. You can find a full description of the data processing in our Privacy Policy: http://www.livechatinc.com/privacy-policy/

04. What is the basis for personal data processing? Is customers’ consent required?

The basis for data processing by LiveChat is an Agreement between you and us, which is concluded when you sign up (create an account). The Agreement consists of the Terms and Conditions and the Privacy Policy:
https://www.livechatinc.com/terms-and-conditions/
http://www.livechatinc.com/privacy-policy/
This is why another consent for data processing by LiveChat is not required. However, you may need to gain consent for data processing from your customers/users/visitors. We have created a tool to help you gain such consent. If you think you need it, please refer to point 10.

05. Am I a data controller or a data processor?

Firstly, you need to figure out whether you process or provide personal data of EU citizens. For instance, if you are an Australian company and you only process Australian citizens’ data, GDPR does not apply to you. However, if you process personal data of European citizens, you need to comply with this regulation. You or your company (organisation) may then act as a data controller. This is the case when you are a natural or legal person, public authority, agency or other body and you, alone or jointly with others, determine the purposes and means of the processing of personal data. But you may also act as a data processor. This is the case when, as a natural or legal person, public authority, agency or other body, you process personal data on behalf of the controller. Put simply, you do not determine the purposes of processing but use the data according to the controller’s instructions.

06. Do I need to enter into a Data Processing Agreement/Addendum?

Regardless of whether you are a data controller or a data processor, when you transfer personal data to us (and you do so when using our service) you may enter into a DPA with us if you transfer any EU citizens’ personal data.

07. Do you have a GDPR compliant Data Processing Agreement/Addendum for us to sign?

Yes, we have prepared this document for our customers. You can review and sign a copy of LiveChat’s Data Processing Addendum here: https://app.hellosign.com/s/183ca49b. Instructions for execution are set out in the Addendum. If you have any questions about its contents you can email: dpa@livechatinc.com

08. How are my personal data used/processed in LiveChat? How can I exercise my right to be forgotten?

LiveChat stores and processes personal data of its customers and of the people they employ to use LiveChat, Inc. products (agents). We store such data as: first name, last name, e-mail address, IP address, browser information, operating system, geolocation, payment/credit card details (and other information listed in our Privacy Policy https://www.livechatinc.com/privacy-policy/). We process these data only for the purposes listed in our Privacy Policy. We do not sell your data. LiveChat also stores the chat history. This gives you constant access to the history of your conversations. However, if you intend to delete any of your chats, you can check https://www.livechatinc.com/kb/prepare-chat-gdpr#be-forgotten for information on how to do it. You can also freely decide whether you want to have your chats permanently deleted from the system. In that case, just send us a request at support@livechatinc.com and we will delete your data within 30 days.

09. What can I do to become GDPR compliant using LiveChat? How to prepare the chat for GDPR?

LiveChat also stores/processes personal data of your visitors (end users of your chat). In particular, we store data provided in the pre-chat survey, so if you collect your visitors’ personal data through the pre-chat survey you may need to gain their consent. You can find instructions on how to customise your pre-chat survey to comply with this rule here: https://www.livechatinc.com/kb/prepare-chat-gdpr. If you wish, and if they meet your company’s requirements, you can use one or more of the clauses we have prepared for you. The clauses can be found here: https://www.livechatinc.com/kb/chat-surveys#pre-chat-gdpr

10. Where does LiveChat store personal data? Are personal data processed outside the EU?

LiveChat stores its customers’ data mainly in a data center in Dallas (Texas), U.S. We also have a data center in Europe (Frankfurt). When you sign up and create an account in one of our services, your data are automatically collected and stored in our U.S. data center (regardless of whether you are signing up from the EU or another part of the world). If you want to have your data stored in the EU, you need to sign up via https://my.livechatinc.com/signup?region=fra. Also, note that currently it’s not possible to transfer your chats to the other data center, but we can help in creating a new account for you, so that the personal data provided for creating the new account as well as future conversations will be stored in a European data center. Additionally, similar to many SaaS providers, we use top-tier third-party data hosting providers (Amazon S3, IBM Softlayer and Google) to host our online services.

11. Does LiveChat share any personal data with any sub-processors (other entities)?

To make our services work properly, we use other companies’ services (generally software). We do so to improve our tools and to enable and simplify their usage. If it is necessary to give another processor access to a part of your data, we first make sure that this company will receive only the data that is actually necessary (e.g. only an email address for an email service provider). Secondly, we enter into an agreement with such a company (sub-processor) to make sure they provide at least the same level of protection as we do. You can find more information about the rules of subprocessing in our DPA, and here is a current list of our subprocessors: https://www.livechatinc.com/kb/livechat-third-party-data-processors/

12. Does LiveChat plan to appoint a Data Protection Officer?

A DPO has already been appointed. Information about this can be found in our Privacy Policy: https://www.livechatinc.com/privacy-policy/

13. What security measures does LiveChat implement to protect the data? Are the data encrypted and if so, to what standards?

As a company offering its services in a SaaS model, we are aware that the security of our customers and their data is crucial. We treat security as a basic aspect of our business. We know that it is a matter of trust. This is why we implemented a number of safeguards even before GDPR was adopted. We have since made sure our safeguards comply with the Regulation, and we adjust them or add new ones if necessary. We encourage you to familiarize yourself with our security overview: https://www.livechatinc.com/kb/livechat-security-and-data-storage/.

14. How does LiveChat comply with the EU export restrictions?

When personal data is hosted or processed outside of the European Economic Area, GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways that LiveChat achieves this. Firstly, most of our EU customers' data is processed in the United States (where our Headquarters are located). The United States is recognised by the EU as an 'adequate' country (i.e. safe country) to receive and process EU personal data, pursuant to European Commission Decision 2013/65/EU. According to the GDPR, a transfer of personal data to a third country may take place where the Commission has decided that the third country ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. In the event we process EU customers' data in other territories, we ensure that the appropriate safeguards prescribed by GDPR are in place, i.e., by entering into Data Processing Agreements with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US-based entities).

15. Is LiveChat Privacy Shield certified?

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. We are Privacy Shield certified to the Department of Commerce. You can find our certification here: https://www.privacyshield.gov/participant?id=a2zt0000000L16xAAC&status=Active

16. How long do you hold the personal data for?

We explain it in our Privacy Policy and Terms and Conditions (which together form the Agreement between you and us) and in our DPA:
https://www.livechatinc.com/privacy-policy/
https://www.livechatinc.com/terms-and-conditions/
https://app.hellosign.com/s/183ca49b
It’s possible to request a periodic data purge. To do that, please send a request to support@livechatinc.com stating which chats should be deleted, how often you want them deleted, and at what time these chats and tickets should be deleted (hour + timezone).

17. What are your processes for identifying and remediating vulnerabilities in your application and the underlying software and infrastructure?

a) Running an external audit, fixing all found vulnerabilities, testing the implemented fix and iterating this procedure until the issue is fixed;
b) Periodic systems scanning with tools for automatic issue recognition.

18. What process should we follow if we suspect that a security breach has occurred?

Contact support@livechatinc.com by email or chat.

19. Who is responsible for Information Security?

LiveChat has appointed a Data Protection Officer. You can find more information about the DPO and data protection in our Privacy Policy.

20. Is it possible to take a full copy of my data in a standard format (e.g. CSV)? Is it possible to export all chats and tickets using your API in a JSON format that can be easily converted to CSV?

Yes, it is possible, please refer to https://www.livechatinc.com/kb/prepare-chat-gdpr/ to check how you can get your LiveChat data.

21. Do you have any DDoS protection in place?

Yes, we do have DDoS protection provided by Akamai.

22. Is the application single tenant or multi-tenant? If multi-tenant, what steps have been taken to secure the data from being accessed by other tenants?

The application is multi-tenant. Data for each license is accessible only to accounts assigned to that license, so a person who wants access to a license’s data needs a corresponding login and password. This is the basic logic behind the whole application infrastructure: it’s not possible to access other users’ data, as an access request without the needed credentials will be considered an unauthorized call and denied. Also, one set of credentials (login + password) can be used for one license only.