Tidio and Data Protection – What Belongs in the Privacy Policy

Tidio data protection: data processed in live chat and chatbot, legal bases (GDPR/TDDDG) and what website operators should include about Tidio in their privacy policy.

If a website operator uses Tidio, they process user content (chat input), server log data, click paths, device data and contact data for the purposes of communication, customer support and possibly contract initiation, regularly based on legitimate interests under Art. 6(1)(f) GDPR; where tracking and chatbot components are profiling in nature, consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG comes into consideration. This page explains which data Tidio processes, what website operators use it for and which mandatory information regarding Tidio belongs in the website's privacy policy.

A. Purpose and Functionality of Tidio

Tidio is a communication platform that bundles live chat, AI-powered chatbots (notably under the product name Lyro) and helpdesk functions for website operators. The aim is to offer website visitors a direct contact and service channel and at the same time to handle standard enquiries automatically via bots. Tidio integrates into the website via a JavaScript snippet and provides a chat widget there.

According to the provider, the core functions include live chat with agents, rule-based and AI-powered chatbots, e-mail and helpdesk ticketing, a visitor overview (live view) and chat-performance analytics. This page focuses on the integration function: the chat widget embedded in the website with live chat and chatbot functionality. Pure backend helpdesk functions without website integration are not covered in depth here.

B. Mandatory Information in the Privacy Policy When Using Tidio

Beyond general information about the controller, data subject rights and the supervisory authority, the GDPR requires a number of specific items of mandatory information in connection with concrete tools such as Tidio: the purposes of processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR) and – where processing is based on legitimate interests (Art. 6(1)(f) GDPR) – the specific legitimate interests pursued (Art. 13(1)(d) GDPR).

Further mandatory information concerns recipients or categories of recipients (Art. 13(1)(e) GDPR), transfers to unsafe third countries and their legal basis (Art. 13(1)(f) GDPR), the storage period or determination criteria (Art. 13(2)(a) GDPR) and – where data is not collected directly from the data subject – the categories of data (Art. 14(1)(d) GDPR). The following sections break down these items for Tidio.

It is not necessary to list every tool – including Tidio – with its own text module and named reference in the privacy policy. The "text-module-per-tool" approach produces long, repetitive lawyer-drafted texts, makes the privacy policy hard to maintain and barely readable. A topic-oriented approach is more appropriate: it describes processing operations collectively (server operation, newsletter, tracking, chat …) and lists specific recipients used – including Tidio – in an appendix. The matterius generator follows precisely this methodology.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Tidio

According to the provider's publicly available information, the contracting partner for German website operators is, depending on the contract variant, either Tidio LLC, based in the USA, or Tidio Poland sp. z o.o., based at Szafarnia 11/F8, 80-755 Gdańsk, Poland. Which group entity is the contracting partner depends on the order confirmation or the terms in the Tidio account and should be reviewed by the website operator individually. If the US entity is involved, a third-country transfer must be assumed; according to public information, the EU-US Data Privacy Framework status can be verified at https://www.dataprivacyframework.gov/s/participant-search.

Tidio's privacy notice is available at https://www.tidio.com/privacy-policy/; a Data Processing Agreement (DPA) is provided at https://www.tidio.com/legal/dpa/. Sub-processors (e.g. cloud infrastructure, model providers for chatbot AI) are documented in the provider's sub-processor list.

D. Data Processing by Tidio – Step by Step

  1. Collection: When a page with the embedded Tidio snippet is loaded, the chat widget is initialised. According to the provider, Tidio sets cookies and/or local-storage entries for session recognition. If the visitor initiates the chat, input (text, possibly uploaded files), click paths, device and browser information and server log data are collected. With chatbot interactions, input is forwarded to the AI component.
  2. Storage: Chat histories are stored in Tidio's infrastructure. Hosting is provided in cloud data centres according to the provider; a transfer to the USA is possible depending on the sub-processor used.
  3. Use: The website operator accesses chat histories and tickets via the Tidio dashboard to handle enquiries. Tidio uses data for function provision, security and – as part of the contractual relationship – platform improvement.
  4. Disclosure: Tidio uses sub-processors (cloud infrastructure, possibly AI-model providers for chatbot functions). According to public information, transfer to external advertising networks is generally not envisaged.
  5. Deletion: Chat histories can be deleted via the Tidio dashboard; retention periods are partly configurable. After the end of the contract, data is deleted or returned in accordance with the DPA.

E. Data Collected by Tidio

In a typical Tidio integration, the following are processed in particular: IP address, date and time, URLs called up, referrer, user agent, screen resolution, cookie/session IDs, chat input (text, possibly files), name and e-mail address (where provided by the user in the pre-chat form) and possibly information on the device type used. In the live view, the website operator can also see the current location at city/municipality level and the page currently being visited.

These data can be classified into the following standardised data-type classes:

  • Server log data: IP address, date, time, URL requested, referrer, user agent, technical metadata.
  • Click paths: pages from which the chat was opened, clicks within the widget.
  • Interaction data: typing indicators, input in input fields, reactions to bot messages.
  • Device data: device type, operating system, screen resolution, touch support.
  • Browser information: browser name, browser version, language settings.
  • Coarse location data: location at city/municipality level derived from the IP address.
  • User content: chat messages, uploaded images or files, answers in bot flows.
  • User-account data: for logged-in users or users with a pre-chat form: name, e-mail address, possibly phone number.
  • Technical telemetry data: technical error messages, widget loading times.

F. Purposes of Use When Deploying Tidio

Website operators typically use Tidio to address visitors directly on the website regarding service, product or contract questions, to handle standard enquiries automatically via chatbot and to manage tickets in a central helpdesk interface. In addition, chat data is evaluated internally to improve answer templates and bot flows.

These purposes can be classified into the following standardised purpose classes:

  • Function provision: technical provision of the chat widget, adjustment of the chat window, error detection.
  • Communication: handling of chat enquiries, customer service, support.
  • Contract performance: where the chat serves the initiation or performance of a contract between user and website operator.
  • Security and abuse prevention: detection and defence against bot and spam attacks, authentication of users, session management.
  • General product improvement: evaluation of typical enquiries to create FAQs and to optimise website content.
  • Compliance with retention obligations and exercise of rights: for chats with a contractual context.

According to the publicly available functional descriptions, Tidio falls primarily into the tool category of chat, supplemented by AI-powered chatbot components.

Legitimate interests under Art. 6(1)(f) GDPR with interests in efficiency (fast communication channel), improvement (service optimisation) and personalisation (adaptation to the user's enquiry) are regularly to be considered; where the chat serves the initiation or performance of a contract, Art. 6(1)(b) GDPR (contract performance) additionally comes into consideration.

Where Tidio sets cookies or comparable identifiers that are not strictly necessary for providing the chat service (e.g. for cross-session recognition or for product-improvement evaluation), consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG may be required. Consent is also often recommended in practice for extensive chatbot tracking functions involving profile creation. The choice of legal basis depends on the individual case and must be reviewed by the website operator.

H. Specific Considerations and Notes on Tidio

  • DPA: Tidio provides a Data Processing Agreement (https://www.tidio.com/legal/dpa/); concluding it is regularly required, since Tidio typically acts as a processor for the chat data.
  • Third-country transfer: Where the US entity Tidio LLC is involved or where US sub-processors are used, a transfer to the USA must be assumed; in that case, the DPF status (verifiable at https://www.dataprivacyframework.gov/s/participant-search) and/or Standard Contractual Clauses are relevant.
  • AI components / Lyro: When using AI bot functions, input is transmitted to model providers; the website operator should check which sub-processors are involved in the AI pipeline and whether input is used for training the models.
  • Pre-chat form: Collection of name and e-mail in the pre-chat form should be limited to what is necessary; mandatory fields must be designed transparently.
  • Live view: The live-view function shows active visitors on the website, which may go beyond the mere provision of a chat channel and requires an appropriate legal basis.
  • Retention period: Chat histories should be deleted regularly as soon as they are no longer needed for handling the enquiry; where a contractual context exists, statutory retention periods may apply.
  • Settings for the website operator: Activation of data-protection-relevant options in the Tidio dashboard (e.g. cookie control, evaluation options), integration into the consent banner if consent is chosen.
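As an added illustration of the last bullet (consent-banner integration), the following JavaScript loads the chat widget snippet only after the visitor has granted a "chat" purpose in the site's own consent banner, so the widget cannot set cookies or local-storage entries before consent. This is example code written for this page, not Tidio's embed code and not code from the page's author. The snippet URL, the first-party cookie name `site_consent`, its comma-separated value format and the `consentchange` event are assumptions; the real embed snippet comes from the Tidio dashboard.

```javascript
// Added example, not Tidio's or matterius's own code.
// Loads the chat widget snippet only after the visitor has consented to the
// "chat" purpose, so the widget sets no identifiers before that point.

// ASSUMPTION: placeholder URL. Use the snippet URL shown in your Tidio dashboard.
const CHAT_SNIPPET_URL = "https://example.invalid/chat-widget.js";

// ASSUMPTION: the consent banner stores granted purposes in a first-party cookie
// named "site_consent" holding a comma-separated list, e.g. "necessary,chat".
const CONSENT_COOKIE_NAME = "site_consent";

// Parse a document.cookie string ("a=1; site_consent=necessary,chat") into the
// set of purposes the visitor has granted. A missing or empty cookie yields an
// empty set, i.e. no consent.
function grantedPurposes(cookieString) {
  const granted = new Set();
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name !== CONSENT_COOKIE_NAME) continue;
    const value = decodeURIComponent(part.slice(eq + 1).trim());
    for (const p of value.split(",")) {
      const purpose = p.trim();
      if (purpose) granted.add(purpose);
    }
  }
  return granted;
}

// Insert the snippet exactly once; a second call (e.g. the banner re-rendering)
// must not add a second <script>. Returns true only when a script was added.
function injectScript(doc, src) {
  if (doc.querySelector(`script[src="${src}"]`)) return false;
  const script = doc.createElement("script");
  script.src = src;
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Decide and act: returns true if the widget snippet was newly injected.
function loadChatIfConsented(doc, cookieString) {
  if (!grantedPurposes(cookieString).has("chat")) return false;
  return injectScript(doc, CHAT_SNIPPET_URL);
}

// Minimal stand-in for the DOM so the logic can be exercised outside a browser
// (constructed test double, not a real document).
function makeFakeDocument() {
  const scripts = [];
  return {
    head: { appendChild: (el) => scripts.push(el) },
    createElement: (tag) => ({ tagName: tag.toUpperCase() }),
    querySelector: (selector) => {
      const m = /^script\[src="(.*)"\]$/.exec(selector);
      return m ? scripts.find((s) => s.src === m[1]) || null : null;
    },
    scripts,
  };
}

// In a browser: evaluate on page load and again whenever the banner reports a
// change. ASSUMPTION: the banner dispatches a "consentchange" event on document.
if (typeof document !== "undefined") {
  loadChatIfConsented(document, document.cookie);
  document.addEventListener("consentchange", () =>
    loadChatIfConsented(document, document.cookie));
}
```

Note that withdrawing consent later cannot undo a widget that has already executed: removing the script element does not unload it, so a withdrawal handler additionally has to clear the identifiers the widget stored and reload the page.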

The above presentation is based on information provided by the provider and on publicly available sources and does not replace an individual assessment by the website operator.

I. FAQ on Tidio and Data Protection

J. Conclusion and Call to Action regarding Tidio

Tidio bundles live chat, chatbot and helpdesk into one platform and processes both classic communication data and behavioural and device data of website visitors. When using Tidio, website operators should ensure the conclusion of a Data Processing Agreement, critically assess the third-country constellation, carefully configure the chatbot and AI components and apply an appropriate retention period for chat histories.

For website operators, it usually makes little sense to include a separate text module in the privacy policy for every tool – including Tidio. This makes the privacy policy long, unclear, hard to maintain and conflicts with the transparency requirement of Art. 12(1) GDPR. A structured, topic-oriented approach that explains chat and communication tools collectively and lists Tidio as a recipient in an appendix is more appropriate. The matterius generator supports precisely this methodology.

This article serves as general information on Tidio and does not replace legal advice in individual cases. As of: 2026-05-07.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com