Crisp EU GDPR compliance status
Learn how Crisp handles GDPR compliance, data processing, privacy rights, and related security practices.
The European Union General Data Protection Regulation, usually called GDPR, harmonizes data privacy rules across the EU. Crisp is a French company and applies GDPR and French data protection requirements to the way it stores and protects customer data.

Where Crisp data is processed
Crisp is operated by Crisp IM SAS, a French company. Crisp stores product data on servers hosted in the European Union. Messaging data is stored in the Netherlands, and plugin data is stored in Germany.
Crisp also uses relay servers outside the EU to reduce latency for users far from EU servers. These relay servers do not store product data; they only keep connection logs such as IP address, connection date, user agent, and source website.
Crisp also operates related services such as Mirage for AI features and Enrich for data enrichment. Crisp built and operates these services to reduce the number of external processors involved in customer data workflows.
Crisp and GDPR in 12 points
This section summarizes how Crisp handles the main GDPR topics customers usually ask about. It is not a substitute for your own legal review.
1. Awareness
Crisp employees responsible for software development and infrastructure maintenance are aware of GDPR requirements. Code reviews and internal checks help reduce the risk of privacy or security issues being introduced before deployment.
For more details, you can also review Crisp Security Practices.
2. Information Crisp holds
Crisp stores data related to two parties: Crisp customers, meaning operators using Crisp, and customers' end-users, meaning people who interact with those companies through Crisp.
Information held on Crisp customers
Crisp may collect account information such as:
- Profile information → first name, last name, and profile picture
- Payment and invoicing information → company address, country, and billing details; credit card numbers are stored by Stripe
Crisp does not log customer activity except for system logs such as IP address, user agent, and time of connection. These logs are used for debugging and lawful purposes and are retained for a maximum of 1 year.
Information held on customers' end-users
End-user information may include:
- Email address → when provided by the end-user
- Phone number → when provided by the end-user
- Message exchanges → conversations between the end-user and the Crisp customer
- Last activity date and time → used to operate the conversation and profile
- Profile information → when resolved from public information shared by the end-user online
Crisp can resolve end-user identity information such as first name, last name, avatar, or company from public data sources. This enrichment is handled through Enrich, a service owned and operated by Crisp.
3. Communicating privacy information
Crisp communicates its own privacy terms in the Crisp Privacy information. Crisp customers are responsible for communicating their own privacy terms to their end-users on their websites or applications.
4. Individuals' rights
Crisp considers and enforces GDPR rights for its customers.
These rights include:
- Right to be informed → Crisp informs users about how their data is used
- Right of access → users can access their data from Crisp apps
- Right of rectification → users can contact Crisp to request corrections
- Right of erasure → users can contact Crisp to request deletion
- Right to restrict processing → Crisp limits processing based on applicable requirements
- Right to data portability → users can contact Crisp to request a data export
- Right to object → Crisp handles objection requests from users and end-users
- Right not to be subject to automated decision-making including profiling → Crisp does not use this kind of automated decision-making
5. Subject access requests
Crisp replies to access requests, positively or negatively, within 1 week. The GDPR legal limit is 1 month.
These requests are handled free of charge for Crisp customers, whether they are on a free or paid plan.
6. Lawful basis for processing personal data
Crisp stores user data when there is a lawful basis, such as a conversation entered into by both parties or information provided by consent.
Crisp customers are responsible for ensuring they lawfully collect and reuse end-user data. For example, if an email collected through the chatbox is reused for marketing, the customer must collect the required consent.
7. Consent
Consent is provided when users explicitly perform an action or provide information.
Crisp customers can also submit user data through the frontend JavaScript API or backend REST API, such as assigning an email, avatar, or name to a chatbox session. That data must already have been collected by the customer in a lawful and consented way before being passed to Crisp.
Crisp provides privacy settings and developer options to help teams with stricter privacy requirements. For chatbox cookie behavior, read Crisp chatbox Cookie & IP policy.
8. Children
Crisp provides business-to-business services and does not offer online services directly to children.
Children may still use a Crisp Chatbox on a Crisp customer's website or application. In that case, the customer is responsible for checking its own audience, activity, and legal requirements around children.
9. Data breaches
Crisp monitors unauthorized system access and applies preventive measures to reduce the attack surface of its services. Security researchers can submit reports to security@crisp.chat by following the Security Practices documentation.
Crisp security measures include:
- Firewalls and network isolation → infrastructure is segmented and protected
- Restricted server access → trusted administrators use protected access paths
- Dependency monitoring → security fixes are reviewed and applied when needed
- Two-Factor Authentication → sensitive accounts are protected with stronger authentication
- Separated data stores and backends → sensitive services are isolated where needed
- Encrypted backups → platform backups are encrypted and stored privately
10. Data protection by design
Security is considered when Crisp designs and develops new systems. The goal is to protect the integrity of production systems and the user data stored or processed by those systems.
11. Data Protection Officer
Crisp has designated a Data Protection Officer for GDPR-related matters.
DPO information:
- Name → Valerian Saliou
- Role → Co-founder & CTO
- Email → dpo@crisp.chat
- Location → Crisp offices in France
12. International information
Crisp may process data from individuals across EU member states through its customers. Crisp's main establishment is France, so its supervisory authority is based in France.
Crisp company information:
- Company → Crisp IM SAS
- ID / SIREN → 833085806
- Address → 2 Boulevard de Launay, 44100 Nantes, France
- Email → corp@crisp.chat
- Phone → +33240031187
Frequently Asked Questions
Still have questions that were not covered in this article? Here is a collection of the most frequently asked questions on this topic.
Where can I sign Crisp's Data Processing Agreement?
You can sign the DPA from your Crisp workspace. Open Crisp, then go to Settings → Workspace Settings → Data, Limits & Legal and review Contract Agreements.
For the full process, read How to sign my GDPR Data Processing Agreement (DPA).
Where is Crisp data hosted?
Crisp product data is hosted in the European Union. Messaging data is stored in the Netherlands, and plugin data is stored in Germany.
Relay servers outside the EU may be used to reduce latency, but they do not store product data.
Who should I contact for GDPR questions?
Contact Crisp support first. Support will answer GDPR-related questions and route them internally when needed.
For formal DPO contact, the listed email is dpo@crisp.chat.
Updated on: 03/05/2026