Do I need to disclose Crisp in my privacy policy?

Yes. Crisp collects personal data from your website visitors, including chat messages, email addresses, IP addresses, and device information. Under GDPR and similar privacy laws, you must transparently disclose all data collection tools in your privacy policy and obtain appropriate visitor consent before Crisp operates on your site.

What specific data does Crisp collect?

Crisp collects chat messages, email addresses (if provided by visitors), IP addresses, device information (browser, OS, device type), and pages visited before or during chat interactions. This data is used to enable the live chat functionality and maintain conversation history for support purposes.

Does Crisp require a cookie consent banner?

Yes. Crisp uses functional cookies (crisp-client/*) with a 6-month lifespan to identify chat sessions and maintain chat state. Under GDPR and ePrivacy Directive requirements, you must obtain explicit consent before placing these cookies on visitor devices, typically through a cookie consent banner.

Who processes my data and where is it stored?

Crisp IM SAS, an EU-based company located in France, processes the data as a third-party data processor. By default, visitor data remains within the European Union, ensuring compliance with GDPR data residency expectations and EU data protection standards.

Live Chat

Privacy policy clauses for Crisp

Crisp is a live chat and customer support widget that enables real-time communication between website visitors and support teams. Websites use Crisp to provide instant customer assistance, capture visitor inquiries, and improve customer service efficiency.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Crisp collects

Your privacy policy must disclose each of the following data types when you use Crisp.

Chat messages

Email (if provided)

IP address

Device info

Pages visited

When does Crisp trigger privacy obligations?

Crisp Installation Triggers Immediate Data Collection

The moment you embed Crisp's chat widget on your site or app, you begin collecting chat messages, visitor IP addresses, device information, and pages visited—without any user action required. This automatic collection triggers GDPR Article 6 (lawful basis) and Article 13/14 (transparency) obligations immediately, even if no visitor ever opens the chat.

### GDPR applies if:

Common compliance pitfalls

Cookie	Duration	Category	Purpose
crisp-client/*	6 months	functional	Chat identification

Pitfall 1: Treating Chat Messages as "Just Analytics"

Many founders lump Crisp into their general analytics consent category and assume it's covered by a single "functional cookies" banner. Chat message content, however, is sensitive user data that may contain personal health info, payment card details, or other sensitive categories. Under GDPR Article 9 and CCPA Section 1798.120 (sensitive data), you may need *explicit* consent separate from device-info consent. If Crisp is bundled with Google Analytics under one toggle, you've created a false dichotomy—auditors will flag that message content shouldn't require the same consent as session cookies. Additionally, you must document what happens to chat transcripts: are they retained for 6 months, 1 year, or deleted on-demand? If your policy says "deleted after 30 days" but Crisp defaults to longer storage, that's a policy-practice mismatch regulators catch immediately.

Pitfall 2: Missing the Data Processing Agreement (DPA)

Crisp IM SAS is a data processor (GDPR Article 28) because it stores chat messages and device data on your behalf. You must have a written DPA in place *before* data flows to Crisp. Many indie founders never request one, assuming "EU company = automatically GDPR-safe." Crisp does provide a DPA, but it must be signed and attached to your records. Without it, you're in violation of Article 28(3) even if Crisp's infrastructure is perfect. The consequence is substantial: GDPR fines up to 4% of global annual revenue or €20M (whichever is higher) for processor violations, and DPA absence is a strict liability finding—no good-faith defense.

Pitfall 3: Not Disclosing to Users Before Chat Opens

Under GDPR Article 14 and CCPA Section 1798.100(d), you must inform users that you collect their IP, device info, and messages *before or at the point of collection*—not hidden in a generic privacy policy footer. If your privacy policy exists but Crisp collects data the instant a visitor lands on your homepage (before they click chat), that's a timing violation. Best practice: add a visible notice on the page or in the chat widget itself stating "Chat messages are stored by Crisp IM SAS (France) for 6 months" before the user types. Auditors specifically check whether consent or notice timing matches actual data collection timing; Crisp's automatic IP/device collection happens *before* explicit user interaction, so your notice must precede widget load.

Privacy policy clauses for Crisp

What data Crisp collects

When does Crisp trigger privacy obligations?

Crisp Installation Triggers Immediate Data Collection

First Concrete Step

Where data goes

Cookies set by Crisp

Common compliance pitfalls

Pitfall 1: Treating Chat Messages as "Just Analytics"

Pitfall 2: Missing the Data Processing Agreement (DPA)

Pitfall 3: Not Disclosing to Users Before Chat Opens

Legal note

Sample privacy policy clause

What regulators look for

Audit Priorities: DPA Enforcement, Cookie Consent, and Processor Verification

Frequently asked questions

Do I need to disclose Crisp in my privacy policy?

What specific data does Crisp collect?

Does Crisp require a cookie consent banner?

Who processes my data and where is it stored?

Don't ship without Bandit.