How to stay legally compliant toward your customers with Crisp?
Use this checklist to configure Crisp in a privacy-conscious way when you support customers under GDPR and ePrivacy requirements.
When your team uses Crisp, you may process personal data such as names, emails, IP addresses, conversation content, files, custom data, and customer context. Crisp provides legal resources and product controls to support compliance, while your company remains responsible for deciding what data to collect, what legal basis applies, who can access it, and how long it should be kept.
Sign your DPA with Crisp
Under GDPR, Crisp acts as your data processor when it processes your end-users' personal data on your behalf. Your company remains the data controller, so the first legal setup step is to download, sign, and upload the Data Processing Agreement attached to the right Crisp workspace.
Download and upload the agreement
To download and upload the DPA:
- Open Crisp, then go to Settings → Workspace Settings → Data, Limits & Legal → Contract Agreements
- Click See Agreement
- Download the GDPR contract shown in the list
- Sign the PDF electronically, or print, sign, and scan it
- Upload the signed PDF in the same Contract Agreements section
- Wait for the upload confirmation
Only workspace owners can upload the signed DPA. DPA contracts are managed per workspace, so make sure you are signing it from the workspace that actually processes the relevant customer data.
You can follow the dedicated guide here: Where do I find my GDPR Data Processing Agreement (DPA)?. You can also review Crisp EU GDPR compliance status for broader GDPR information about Crisp.
Review chatbox cookies and consent behavior
Crisp chatbox cookies use the crisp-client/* prefix and are used to keep the chat session working across pages and visits. By default, they expire after 6 months and are renewed when a visitor with an existing cookie returns to a page where the chatbox loads. Crisp does not set tracking cookies for the chatbox by default, but you remain responsible for any tracking, segmentation, analytics, or advertising behavior you add through your own implementation.
Use Total Privacy Mode when you need delayed initialization
Open Crisp, then go to Settings → Chatbox Settings → Chatbox Security and enable Total Privacy Mode when your privacy rules require the chatbox session to start only after visitor interaction.
With Total Privacy Mode, Crisp defers session initialization until the visitor manually opens the chatbox to start a conversation. If your website requires consent before loading third-party services, you can also delay loading the Crisp chatbox script through your consent management platform.
Make sure your cookie banner and cookie policy describe your real setup. You can use the Crisp Cookie Policy and the Cookie Policies developer guide as references when documenting the technical behavior.
Send only data you are allowed to share
Crisp lets you send user identity, segments, custom data, events, and other context through the JavaScript SDK, REST API, imports, plugins, and integrations. Only send data that is necessary for your support use case and that your company is allowed to share with Crisp.
Before sending user data to Crisp, check that:
- Legal basis → you have a valid legal basis for collecting and sharing the data, such as consent, contract necessity, or another basis validated by your legal team
- Purpose → the data is useful for support, routing, security, reporting, or another clearly documented purpose
- Scope → you only send what agents, workflows, integrations, or Hugo actually need
- Timing → if your implementation relies on consent, data is pushed only after consent is granted
- Lifecycle → data is updated, reset, or removed when the user's account state changes
For example, only use a command such as $crisp.push(["set", "user:email", ["user@example.com"]]); after your own app is allowed to share that authenticated email with Crisp. The same principle applies to nicknames, phone numbers, company details, custom attributes, order data, and segments.
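The consent-gated loading and "push only after consent" rules above, as an added example that is not Crisp's own code: the Crisp loader is only injected once your consent manager reports consent, a user email is held back until then, and the session is reset when consent is withdrawn or the user logs out. It assumes a placeholder `CRISP_WEBSITE_ID`, a consent manager that calls `onConsentChange({ functional: true|false })`, and the SDK's `do session:reset` command; `win` and `doc` are injected so the same logic runs in a browser or a test.

```javascript
// Added example, not Crisp's code. Replace the placeholder with your own website ID.
const CRISP_WEBSITE_ID = "YOUR_CRISP_WEBSITE_ID"; // placeholder, not a real ID
const CRISP_CLIENT_URL = "https://client.crisp.chat/l.js"; // Crisp's standard loader script

function createCrispGate(win, doc) {
  const state = { loaded: false, consented: false, pendingEmail: null };

  // Inject the chatbox script exactly once; $crisp is the command queue the SDK drains.
  function loadChatbox() {
    if (state.loaded) return false;
    win.$crisp = win.$crisp || [];
    win.CRISP_WEBSITE_ID = CRISP_WEBSITE_ID;
    const script = doc.createElement("script");
    script.src = CRISP_CLIENT_URL;
    script.async = true;
    doc.head.appendChild(script);
    state.loaded = true;
    return true;
  }

  // Same SDK call as in the article, but only sent once consent exists.
  function identify(email) {
    if (!state.consented) { state.pendingEmail = email; return false; } // held back
    win.$crisp.push(["set", "user:email", [email]]);
    state.pendingEmail = null;
    return true;
  }

  // Called by your consent manager; `functional` is the assumed category for the chatbox.
  function onConsentChange(consent) {
    const granted = Boolean(consent && consent.functional);
    if (granted && !state.consented) {
      state.consented = true;
      loadChatbox();
      if (state.pendingEmail) identify(state.pendingEmail); // flush what was held back
    } else if (!granted && state.consented) {
      state.consented = false;
      win.$crisp.push(["do", "session:reset"]); // consent withdrawn: drop the session
    }
    return state.consented;
  }

  // Call on logout so the next visitor on this browser is not linked to the old identity.
  function reset() {
    if (state.loaded) win.$crisp.push(["do", "session:reset"]);
    state.pendingEmail = null;
    return state.loaded;
  }

  return { loadChatbox, identify, onConsentChange, reset, state };
}
```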
Useful companion guides: How to automatically set users email addresses, Getting started with Custom Datas, and How to use the $crisp chatbox JavaScript SDK.
Handle erasure requests carefully
Under GDPR, users may ask you to delete personal data you hold about them. In Crisp, this can involve contact profiles, conversations, files, custom data, segments, and data synced through connected tools.
Remove contact profiles
Open Crisp, then go to Contacts and search for the user by email, name, phone number, or another identifier. Select the relevant profile, open Actions, click Remove selected profiles, and confirm the action.
Remove conversation content
If the request also covers conversation history, open Inbox, find the relevant conversation, then delete it from the conversation list using the delete action. If you handle erasure requests at higher volume, use the Crisp REST API to automate profile and conversation removal.
Remember to check connected tools too. If a CRM, e-commerce plugin, workflow, API job, or data import can sync the same personal data back into Crisp, remove or update it at the source as well.
Useful companion guides: How to select and manage multiple contacts in Crisp, How to delete a conversation, and the REST API Reference.
Define retention rules for Crisp data
Crisp keeps conversation history by default, so deletion and retention should be part of your internal compliance process. Your retention policy should explain what your team keeps, why it is kept, where it is stored, and when it should be removed.
A practical Crisp retention policy should cover:
- Conversations → how long chat, email, social, and form conversations remain available
- Contact profiles → when inactive, duplicate, test, or obsolete profiles should be removed
- Files and attachments → whether uploaded documents, screenshots, or exports need shorter retention
- Custom data and segments → which values can stay attached to profiles over time
- Automations → whether API jobs or internal reviews are needed to clean old data consistently
- Exceptions → how your team handles legal holds, fraud investigations, audits, or regulated retention periods
If you operate in a regulated industry such as healthcare, finance, insurance, or legal services, align your Crisp retention process with your sector-specific requirements before deleting or keeping data long-term.
Restrict team access to customer data
Not everyone in your team needs the same level of access. Keep sensitive workspace permissions limited, enforce strong authentication, and review operator access regularly.
Open Crisp, then go to Settings → Workspace Settings → Operators and Teams to review your workspace operators and roles.
Review these controls regularly:
- Roles → keep the Owner role limited to trusted admins; use Member for regular agents whenever possible
- Two-Factor Authentication → enable it from Settings → Account → Account Information, and enforce it for the workspace from Settings → Workspace Settings → Operators and Teams
- Deletion permissions → enable Prevent non-owner operators to remove data (conversations & contacts) if destructive actions should be restricted to owners
- Routing and sub-inboxes → use them to organize work by brand, team, language, topic, or escalation path when it reduces unnecessary exposure
- Separate workspaces → use separate workspaces when brands, products, or teams need stronger operational separation
- Offboarding → remove former employees, contractors, and unused accounts as soon as access is no longer needed
Useful companion guides: How to change agent roles (Owner vs Member) and How to enable Two Factor Authentication (2FA).
Use Hugo transparently
If Hugo handles conversations automatically, make the experience clear for visitors and keep human escalation easy to reach. This is both a trust best practice and an important part of a privacy-conscious AI setup.
Disclose AI usage in the chatbox
Open Crisp, then go to Settings → Chatbox Settings → Chatbox Appearance → Welcome Message and adapt your greeting so visitors understand when they are first talking with an AI assistant.
Example: "You're initially chatting with our AI assistant. A human agent is always available if needed."
Configure human escalation
Open AI Agent → Agent → Settings → Auto-Escalation and review the available escalation options, such as Offer human when Hugo can't find an answer and Automatically escalate when the user is frustrated or asks for a human.
For sensitive or regulated topics, use AI Agent → Guidance → Routing to create routing rules that move the conversation to a human inbox or start a controlled workflow.
Keep AI training resources clean
Use approved, up-to-date resources in AI Agent → Train, and avoid adding unnecessary personal data to Q&A snippets, files, website imports, instructions, or examples. If you reuse real customer content for training resources, minimize or anonymize it first and confirm that you have a valid basis to do so.
Useful companion guides: How to change the chatbox welcome message, How to configure Escalation with Hugo AI Agent, and Getting started with Hugo AI Agent.
Update your privacy and cookie policies
Your public policies should match how Crisp is actually used on your website and inside your support operations. Review them whenever you change chatbox behavior, add integrations, use Hugo, change retention rules, or start pushing new customer data into Crisp.
Your policies should explain:
- Processor relationship → that Crisp is used as a third-party processor for customer support and messaging
- Data categories → names, emails, IP addresses, conversation content, uploaded files, custom data, segments, and any other data you send
- Purposes → support, account assistance, routing, security, reporting, automation, and other purposes that apply to your setup
- Cookies → the crisp-client/* cookies, why they are used, how long they last, and whether you use Total Privacy Mode or a consent manager
- Retention → how long conversations, contacts, attachments, and custom data are kept
- User rights → how users can request access, correction, deletion, or objection
- AI usage → when Hugo or other AI features may assist with conversations
- Co-browsing and privacy choices → whether features such as Magic Browse or MagicType are enabled, and how visitor privacy choices are handled
If you use Magic Browse or related privacy-sensitive chatbox features, review Settings → Chatbox Settings → Chatbox Security → User privacy choices (MagicType, MagicBrowse) and document the behavior in your public notices. You can also read Magic Browse feature compliance with GDPR.
Summary checklist
| Action | Where to review it |
|---|---|
| Sign the DPA | Settings → Workspace Settings → Data, Limits & Legal → Contract Agreements |
| Delay chatbox initialization when needed | Settings → Chatbox Settings → Chatbox Security → Total Privacy Mode |
| Load Crisp after consent when required | Your consent manager or chatbox installation code |
| Explain AI or support flow upfront | Settings → Chatbox Settings → Chatbox Appearance → Welcome Message |
| Push only necessary and allowed data | JavaScript SDK, REST API, imports, plugins, and integrations |
| Remove contact profiles | Contacts → Actions → Remove selected profiles |
| Remove conversation content | Inbox → Conversation list → Delete conversation or REST API |
| Define retention rules | Internal data retention policy and cleanup process |
| Restrict operator permissions | Settings → Workspace Settings → Operators and Teams |
| Enforce 2FA | Settings → Account → Account Information and workspace operator settings |
| Configure Hugo escalation | AI Agent → Agent → Settings → Auto-Escalation |
| Review Magic Browse privacy choices | Settings → Chatbox Settings → Chatbox Security → User privacy choices |
| Update public policies | Your website privacy policy and cookie policy |
Need help?
For Crisp product setup questions, start a conversation from this page or contact us at support@crisp.chat. For legal decisions specific to your jurisdiction, business model, or customer base, work with your legal counsel or Data Protection Officer. Crisp can provide product and technical guidance, but your company remains responsible for its compliance choices as the data controller.
Updated on: 23/06/2026