Privacy policy clauses for Tidio
Tidio is a live chat and chatbot platform that enables real-time customer support on websites. It allows businesses to communicate with visitors, answer questions, and provide assistance through both automated chatbots and human agents.
What data Tidio collects
Your privacy policy must disclose each of the following data types when you use Tidio.
When does Tidio trigger privacy obligations?
Installing Tidio on your website or app immediately initiates collection of chat messages, visitor metadata (IP address, device type, browsing behavior), and email addresses from users who interact with the chat widget.
This triggers GDPR obligations if any visitor is in the EU, UK, or EEA—regardless of where your business is based—because Tidio processes personal data on your behalf (GDPR Article 28). You become a joint controller with Tidio for determining the purposes and means of that processing (GDPR Article 26), making a Data Processing Agreement (DPA) mandatory before launch.
CCPA applies if you operate a for-profit service, collect personal information from California residents, and meet any of three thresholds: $25M+ annual revenue, buy/sell data on 100k+ residents/households, or derive 50%+ of revenue from selling personal data. Tidio's collection of visitor info and emails likely triggers at least the first threshold for most SaaS.
Your first concrete step: draft a privacy policy that specifically names Tidio, discloses what chat data and visitor info it collects, and obtain a signed DPA from Tidio LLC before the widget goes live. Do not rely on Tidio's generic terms of service—execute an amendment addressing GDPR Article 28 requirements and CCPA data handling.
Where data goes
You must name the following processor(s) in your privacy policy and link to their privacy policy.
