Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
7moor is a Chinese cloud communications and contact centre platform offering voice, SMS, IVR, live chat, and AI customer service tools. EU operators using 7moor transfer personal data to mainland China, which has no GDPR adequacy decision.
7moor is a cloud communications and contact centre suite operated from Beijing, comparable in scope to Twilio or Genesys but focused on the Chinese market. It bundles voice telephony, SMS, IVR, AI bots, omnichannel routing, and a JavaScript live chat widget that EU sites can embed. When a European website integrates 7moor for sales support or after sales care, end user data such as phone numbers, IP addresses, chat content, and call recordings is processed by 7moor as a processor on behalf of the publisher.
7moor sets session and visitor cookies to maintain chat continuity, recognise returning callers, and link web events to backend tickets. The platform also collects voice recordings, SMS bodies, IVR inputs, IP addresses, browser fingerprints, and timestamps. Depending on the integration, CRM identifiers, order references, and free text messages may also flow through the API. All of this is regarded as personal data under GDPR, and call recordings can additionally qualify as confidentiality of communications under ePrivacy Art. 5(1).
Embedding a 7moor widget triggers ePrivacy Art. 5(3): the script and its cookies are read or written on the user device, so prior informed consent is required unless the cookie is strictly necessary for a service the user has explicitly requested. Recording calls or chats engages GDPR Arts. 5, 6, 13 and, for any health, biometric, or political content, Art. 9. Because 7moor is a non EU vendor, the controller must also comply with Arts. 28 (processor contract), 30 (records), and 44 to 49 (international transfers).
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Before the chat or call widget loads, the cookie banner must offer a clear refuse option of equivalent prominence to accept, name 7moor as a recipient, and disclose that data leaves the EU for China. Per CNIL, BfDI, and AEPD guidance, refusing must not block access to the rest of the site. Live chat and call recording disclosures should appear in real time, and users must be informed of their rights to access, rectify, and erase their data, including the recordings.
There is no adequacy decision for China, so any 7moor deployment relies on Standard Contractual Clauses combined with a documented Transfer Impact Assessment. Under PIPL, the Data Security Law, and the National Intelligence Law, Chinese authorities can compel access to data hosted on 7moor servers. EU controllers should apply supplementary measures: end to end encryption with EU held keys, pseudonymisation of identifiers, minimisation of recorded content, short retention, and contractual challenge clauses, and they should reassess the transfer risk regularly.
Sign a GDPR Art. 28 data processing agreement with 7moor that incorporates the 2021 SCCs and addresses sub processors. Run a DPIA, log the TIA, and limit fields sent through the chat and voice APIs. Configure the consent platform to gate the 7moor JavaScript and to forward consent state to the API. Update the privacy policy to mention China, retain recordings only as long as needed, train agents on data minimisation, and offer EU users an alternative channel if they refuse the transfer.
Websites using 7moor must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA under GDPR Art. 35 is strongly recommended whenever 7moor processes EU customer voice recordings, chat transcripts, or telephony metadata, since data is routed to mainland China and may include sensitive details. Document the lawful basis, the Transfer Impact Assessment, supplementary measures (encryption in transit, key custody in the EU), retention, and access by Chinese authorities under PIPL and the Data Security Law. Consult CNIL, BfDI, AEPD, and EDPB Recommendations 01/2020 for transfer guidance.
Sample consent text
We use 7moor to power live chat, voice calls, and customer support analytics. With your consent, we set cookies and may transfer your messages, phone metadata, and call recordings to servers in mainland China under Standard Contractual Clauses. You can accept, refuse, or change your choice at any time in our cookie settings.
Third-party domains contacted
7moor.comsaas.7moor.comim.7moor.comstatic.7moor.comcdn.7moor.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| 7MOOR_SESSION | third_party | Session | Maintains the live chat or webcall session between the visitor and the 7moor servers. |
| 7moor_visitor_id | third_party | 1 year | Recognises returning visitors so that prior chat history and ticket context can be linked. |
| 7moor_consent | third_party | 6 months | Stores the user choice on chat tracking and call recording disclosure. |
| _7m_route | third_party | 1 hour | Routes the visitor to the same agent or queue while the conversation is active. |
7moor places tracking cookies for advertising — comply with GDPR using FlowConsent.
Yes. The 7moor live chat and webcall widgets set session and visitor cookies to maintain conversations and recognise returning users. Some integrations also set short lived analytics cookies. Because they are not strictly necessary for a service the user has requested, prior consent is required under ePrivacy Art. 5(3).
In almost every case, yes. The widget loads JavaScript and writes cookies, which triggers ePrivacy consent. The processing of chat content, voice recordings, and IP addresses also requires a GDPR Art. 6 lawful basis, usually consent for marketing chat or contract performance for inbound support.
For proactive marketing chat and call analytics, consent under Art. 6(1)(a) is the safest basis. For purely reactive inbound customer service that the user initiated, Art. 6(1)(b) contract or Art. 6(1)(f) legitimate interest can apply, provided you document the balancing test and respect ePrivacy on the cookie layer.
Yes. 7moor is hosted in mainland China, which has no GDPR adequacy decision. Transfers must rely on Standard Contractual Clauses plus a Transfer Impact Assessment and supplementary measures such as encryption, pseudonymisation, and minimisation of voice and chat content.
A DPIA is strongly recommended given the systematic monitoring of communications, the volume of voice data, and the high risk transfer to China. Document data flows, retention, the TIA, and the technical and organisational measures, and consult CNIL, BfDI, or AEPD if residual risk remains high.
Place the 7moor script behind a consent management platform, block it until the user accepts, and forward consent state to the API. Sign a DPA with SCCs, run a TIA, encrypt recordings, limit retention, and update the privacy policy and the in widget notice with full transparency about China hosting.
Yes. EU hosted contact centre platforms include Diabolocom, Odigo, Aircall, Vonage Contact Center, Talkdesk EU, and self hosted stacks based on Asterisk or FreeSWITCH. They reduce transfer risk but still require an ePrivacy compliant consent layer for any tracking cookies.
List 7moor explicitly with its purpose (cloud contact centre, live chat, voice, SMS), the cookies it sets, their duration, the data categories sent through the API, the destination country (China), the transfer mechanism (SCCs), and the link to 7moor privacy notice. Refresh the policy whenever the integration scope changes.