Tawk.to and Data Protection – What Belongs in the Privacy Policy
Tawk.to live chat: data processed, GDPR legal bases, DPA and what website operators must include in the privacy policy.
Anyone using the Tawk.to live chat on their website must document in the privacy policy which personal data this JavaScript widget collects and how it is processed. This includes technical data such as IP addresses, browser data, device information and the chat messages themselves. This guide shows what legal and informational basis website operators must establish and what special features Tawk.to involves – from the legal basis to third-country transfers to practical settings.
A. Purpose and Function of Tawk.to
Tawk.to is a free live chat tool that allows website operators to enable their visitors to chat directly via a widget on the page. The integration works very simply: the operator copies a line of JavaScript code into the HTML page of their website, and the chat widget is immediately active. Visitors then see a chat window in which they can communicate with the operator's agents in real time.
The widget loads automatically when the website is visited and establishes a connection to the Tawk.to servers – regardless of whether the visitor actually opens a chat window. In addition to the live chat function, Tawk.to also offers a dashboard for the operator, where chats can be managed, agents coordinated and visitor data viewed. The system allows an unlimited number of agents, which makes it usable for larger teams as well as for companies without large budgets.
B. Mandatory Disclosures in the Privacy Policy
Under the General Data Protection Regulation (GDPR), every website operator must be transparent towards visitors when using technologies that process personal data. This also applies to live chat tools such as Tawk.to.
Required disclosures under Art. 13, 14 GDPR:
- Name and contact details of the controller (the website operator)
- Purposes of processing
- Legal bases of processing
- Categories of personal data collected
- Information about the recipient (Tawk.to Inc.)
- Storage duration or criteria for determining the storage duration
- Data subject rights (access, rectification, erasure, restriction, data portability, objection)
- Notice of the right to lodge a complaint with the supervisory authority
Many website operators use generic "text templates" for privacy policies. This is problematic because every website uses different tools and processes different data. Individual adaptation is legally required and provides certainty.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider
Company name: Tawk.to Inc.
Headquarters: 187 East Warm Springs Road SB 298, Las Vegas, Nevada 89119, USA
Status: US company
For German and European website operators, Tawk.to Inc. is the direct contractual party. There is no European subsidiary acting as a processor – the data processing is carried out directly by the US company.
Data Privacy Framework (DPF): Tawk.to Inc. has self-certified under the EU-U.S. Data Privacy Framework, the UK Extension and the Swiss-U.S. Data Privacy Framework. These certifications provide a legal framework for the transfer of data from the EU, UK and Switzerland to the USA.
Privacy Policy and legal documents:
D. Data Processing – Workflow
The processing of data by Tawk.to takes place in several steps:
The JavaScript widget loads when the website is accessed and immediately establishes a connection to the Tawk.to servers. Technical data is automatically captured: IP address, browser type, operating system, device information and other user-agent data. If the visitor opens a chat window and replies, chat messages are also captured along with email and name (if provided by the visitor).
All data is stored on Tawk.to servers in the USA. Chats and tickets are encrypted in transit (the provider describes this as "SHA-256 SSL", i.e. TLS-protected transport) and remain stored on the servers as long as they are not actively deleted. There is no automatic deletion after a deadline – the storage duration is unlimited unless the operator manually deletes chats in their dashboard.
Tawk.to uses the data to provide the live chat service, to communicate with visitors, for error analysis and to improve the service. The operator can access all chat content, visitor data and contact information via their dashboard.
Tawk.to shares data with subcontractors and partners, particularly for hosting, support and service improvements. A detailed list of subcontractors is included in Tawk.to's Privacy Policy or can be requested from Tawk.to.
Only administrators of the operator account can delete chats. Deleted chats are moved to a trash folder and can later be permanently deleted. In some regions, Tawk.to must retain records for a certain time, even after deletion by the operator, to comply with legal obligations.
E. Data Collected
The following types of data are collected by Tawk.to:
Web server log data:
IP addresses (unless deactivated), timestamps of page accesses, HTTP referrer (where the visitor came from), HTTP request information, size and status of the server response.
Page and click paths:
Information about the currently visited page (URL), duration of visit on the page, sequence of pages accessed on the website.
Device data:
Device type (desktop, tablet, smartphone), manufacturer, model, operating system and version.
Browser information:
Browser name, browser version, browser plug-ins, cookies, web storage data.
Coarse location data:
Country and possibly city, derived from the IP address (geolocation).
User content:
Chat messages (text, possibly also files or links), name provided by the visitor, email address (if entered in the chat form), custom fields, if configured by the operator (e.g. phone number, message, reason for inquiry).
F. Purposes of Use
Tawk.to and the operator use the collected data for the following purposes:
Provision of functionality:
Enabling live chat communication between visitor and agent in real time.
Communication:
Answering customer inquiries, technical support, customer service, processing of inquiries and complaints.
Security and abuse prevention:
Detecting and preventing spam, fraud, abuse and technical attacks; monitoring system integrity.
Product improvement:
Analysis of chat patterns, frequency and content to improve the service, user-friendliness and AI-based functions.
Customer support:
Tracking inquiries, ticketing, export and archiving of conversation histories.
G. Legal Bases
The processing of data by Tawk.to takes place on the basis of various legal bases:
Article 6(1)(f) GDPR (legitimate interest):
The operator has a legitimate interest in offering its visitors a live chat service and in being able to reach them promptly. This falls under the provision of communication channels and customer service. The processing is necessary for the operator to provide this service.
Article 6(1)(b) GDPR (pre-contractual measures):
If a business relationship is initiated through the chat tool (e.g. consultation, sale, conclusion of contract), technical and communicative data may be collected for pre-contractual preparation.
Special feature: cookies and tracking (§ 25 TDDDG):
Tawk.to uses cookies and other tracking technologies. For non-essential cookies, the operator in Germany generally requires the visitor's prior consent (under § 25 TDDDG / ePrivacy Directive). Cookies that are strictly necessary for the functionality of the chat widget can be set without consent.
The legal basis in individual cases depends on the design of the website: If the chat is exclusively used to answer pre-contractual inquiries, Art. 6(1)(b) GDPR may suffice. If the focus is on customer retention and service improvement, Art. 6(1)(f) GDPR is more likely. An individual review per website is required.
H. Special Features and Notes
Data Processing Agreement (DPA):
Tawk.to provides a Data Processing Agreement (DPA). It can be accessed at https://www.tawk.to/data-protection/dpa-data-processing-addendum/ or agreed with Tawk.to directly. Concluding a DPA is recommended and, insofar as Tawk.to acts as a processor on the operator's behalf, required for the processing to be lawful.
Third-country transfer (USA):
All data is transferred to and processed in the USA, which constitutes a third-country transfer. Tawk.to has self-certified under the EU-U.S. Data Privacy Framework (DPF), which forms a basis for the lawfulness of the transfer. Alternative safeguards (such as Standard Contractual Clauses, SCCs) should also be documented.
Storage duration:
Chats are stored indefinitely until they are actively deleted by the operator. This is an important point for the privacy policy: it should be made transparent to visitors that their chat messages are not automatically deleted.
Configuration of the chat widget:
The operator can make various settings:
- Offline form: Which fields should be collected (name, email, message)?
- IP tracking: Should the visitor's IP address be recorded? (Can be deactivated.)
- Visitor data: What additional information about the visitor (e.g. the landing page) is captured?
- Pre-chat form: Can be customized to capture only necessary data.
Important note on chat content:
Visitor data in the chat can be sensitive: credit card numbers, passwords, health information, legal information. The operator should instruct agents not to request or record such sensitive data in the chat. The privacy policy should address these risks.
Widget loads without interaction:
The JavaScript widget is loaded when the page is visited and connects to Tawk.to servers – even if the visitor does not actively interact with the chat. This means that a connection to a US provider is established immediately upon page load. This should be made transparent.
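One practical way to address both the consent requirement under § 25 TDDDG and the immediate connection described above is to inject the embed script only after the visitor has opted in. The following is an added example, not Tawk.to's own embed snippet or code: the localStorage key `consentPreferences`, its `liveChat` flag, the `consentchange` event and the property/widget IDs are assumptions, while the `Tawk_API` and `Tawk_LoadStart` globals follow the pattern of Tawk.to's published snippet.

```javascript
// Added example, not Tawk.to's own code: gate the Tawk.to embed behind the
// visitor's consent so that no connection to the US servers is opened on a
// bare page view. Assumed (constructed) conventions: the consent banner stores
// its decisions as JSON in localStorage under "consentPreferences" with a
// boolean "liveChat" key, and the embed URL follows the public pattern
// https://embed.tawk.to/<propertyId>/<widgetId>; both IDs below are placeholders.

const CONSENT_KEY = "consentPreferences";
const TAWK_EMBED_URL = "https://embed.tawk.to/PROPERTY_ID_PLACEHOLDER/WIDGET_ID_PLACEHOLDER";
const SCRIPT_ID = "tawk-embed-script";

// Returns true only for an explicit, well-formed opt-in; anything missing,
// malformed or merely "not rejected" counts as no consent.
function hasLiveChatConsent(rawJson) {
  if (typeof rawJson !== "string") return false;
  try {
    const prefs = JSON.parse(rawJson);
    return prefs !== null && typeof prefs === "object" && prefs.liveChat === true;
  } catch (_) {
    return false; // corrupted storage must not unlock a third-country transfer
  }
}

// Injects the async embed script into `doc` at most once. Returns the created
// <script> element, or null when consent is absent or the script already exists.
// `doc` is passed in so the logic can be exercised outside a browser.
function loadTawkWidget(doc, rawConsent, embedUrl = TAWK_EMBED_URL) {
  if (!hasLiveChatConsent(rawConsent)) return null;
  if (doc.getElementById(SCRIPT_ID)) return null;
  const script = doc.createElement("script");
  script.id = SCRIPT_ID;
  script.async = true;
  script.src = embedUrl;
  doc.head.appendChild(script);
  return script;
}

// Browser wiring: check stored consent on load and listen for the (assumed)
// "consentchange" event a banner would dispatch after the visitor opts in.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  // Globals expected by Tawk.to's published embed snippet.
  window.Tawk_API = window.Tawk_API || {};
  window.Tawk_LoadStart = new Date();
  const tryLoad = () => loadTawkWidget(document, window.localStorage.getItem(CONSENT_KEY));
  tryLoad();
  window.addEventListener("consentchange", tryLoad);
}
```

Until the visitor opts in, no request leaves the page for embed.tawk.to, so the transfer disclosed in the privacy policy only begins once the consent it relies on exists.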
I. Frequently Asked Questions about Tawk.to and Data Protection
J. Conclusion
Tawk.to is a popular, free live chat tool that many website operators use – without always being aware of the data protection implications. As soon as a page with the Tawk.to widget loads, a connection to a US server is established and the visitor's technical data is collected, before the visitor has interacted with the chat at all.
For operators: A detailed privacy policy is not optional, but a duty under the GDPR. This should not be assembled from generic text templates, but should reflect what data Tawk.to actually collects, who is the controller and who is the processor, on what legal basis the processing is based and how visitors can exercise their rights.
A professional generator or specialized advice helps to create a legally compliant and transparent privacy policy – tailored to the specific website and the tools used.
Disclaimer: This text provides general information about data protection and Tawk.to. It does not constitute legal advice. The specific lawfulness of using Tawk.to depends on the individual situation, configuration and applicable local laws. For a binding assessment, legal advice is recommended. As of: April 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com