amoCRM (rebranded as Kommo in international markets) is a messenger-first CRM developed by QSOFT. It combines pipeline management, multi-channel messaging (WhatsApp, Telegram, Instagram, Facebook), and an embeddable chat widget for websites. amoCRM is particularly popular among small and medium-sized businesses in Russia, the CIS region, and Latin America, with a growing European footprint through the Kommo brand.
amoCRM is a messenger-first CRM created by QSOFT in 2009 and rebranded as Kommo for international markets in 2022. It bundles a sales pipeline, lead capture, automated workflows, and a centralised inbox for messengers (WhatsApp, Telegram, Instagram, Facebook Messenger, Viber, LINE). On websites, amoCRM appears as an embeddable chat widget and as web form integrations. It is widely used by SMBs in CIS and LATAM, and has a growing European footprint.
From the visitor: IP address, user agent, browsing path on the host site, full chat transcripts, attachments, contact details (name, email, phone, social handles), referrer information, and (with messenger integrations) the messenger ID. From the agent side: identity, performance metrics, deal status. The chat widget also sets persistent cookies for visitor identification and session continuity.
The chat widget cookies and the page-tracking script qualify as non-essential under TTDSG and ePrivacy and require prior consent. The lead and customer data submitted through the widget is processed under contract performance (for active customer relationships) or legitimate interest with a documented LIA (for cold leads), but the integration of historical Russian or current US data flows must be documented carefully. Messenger integrations import personal data from Meta and other channels, adding their own consent layers.
Kommo (the international entity) processes data in the United States. Legacy amoCRM tenants may still rely on Russian infrastructure. The EU has no adequacy decision for Russia, so any processing on Russian infrastructure must rely on SCCs plus additional safeguards and is subject to heightened scrutiny. US processing relies on SCCs and the EU-US Data Privacy Framework where Kommo Inc. is certified. A Transfer Impact Assessment is essential for any EU deployment.
Confirm the tenant region (request US/Kommo for EU customers if legacy Russian residency exists), sign the Kommo DPA and SCCs, run a Transfer Impact Assessment, gate the chat widget behind a CMP, document a clear LIA for cold lead processing, configure short retention for chat transcripts, train sales agents on data minimisation, and audit messenger integrations for the data they bring back from third-party platforms.
Websites using amoCRM must obtain user consent under GDPR regulations.
DPIA considerations
amoCRM processes lead and customer data submitted through web forms, chat widgets, and messenger integrations. Key DPIA considerations: (1) the chat widget collects visitor metadata (IP, user agent, browsing path, conversation transcripts) and sets persistent cookies; (2) lead data can include sensitive information depending on the business (health appointments, financial services, legal context); (3) the historical Russian processing and current US processing both fall outside the EEA, requiring SCCs and a Transfer Impact Assessment; (4) integration with WhatsApp, Instagram, and other messengers replicates personal data into Meta-controlled ecosystems; (5) automated lead scoring and pipeline routing can amount to profiling under GDPR. A DPIA is recommended for any non-trivial deployment.
Sample consent text
Our website uses the amoCRM (Kommo) chat widget to handle customer messages and leads. When you start a conversation or submit a form, amoCRM stores your messages, contact details, and interaction data on its servers. Depending on your tenant region, data may be processed in the United States. Transfers outside the EEA rely on Standard Contractual Clauses. You can decline non-essential cookies via our cookie banner.
Third-party domains contacted
amocrm.com, amocrm.ru, kommo.com, www.kommo.com, cdn.amocrm.com, chat.amocrm.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| amocrm_visitor_id | Functional / Identification | 1 year | Persistent visitor identifier used by the amoCRM chat widget to associate the visitor with a lead record and reload the conversation history. |
| amocrm_session | Functional / Session | Session | Stores the current chat session identifier so the visitor can navigate or refresh without losing the conversation. |
| amocrm_lead_id | Functional / CRM linkage | 1 year | Links the visitor to a specific lead in the amoCRM pipeline once contact details have been captured. |
| amocrm_chat_widget_* | Functional / Preference | Up to 1 year | Stores widget display preferences (collapsed/expanded, language, last agent) so the widget restores its state across visits. |
| amocrm_analytics_* | Analytics | 13 months | Tracks widget interactions for performance reporting in the amoCRM dashboard. Only active when analytics features are enabled. |
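A pre-consent audit built from the cookie names and domains listed on this page, as an added example that is not part of the original page and is not amoCRM, Kommo or FlowConsent code. It takes a `document.cookie`-style string and the request URLs captured before the visitor answered the banner, and reports any amoCRM cookie or request that should have been gated; the function names, category labels and sample input are constructed for illustration.

```javascript
// Registrable domains from the page's domain list (www., cdn. and chat. are subdomains of these).
const AMOCRM_DOMAINS = ['amocrm.com', 'amocrm.ru', 'kommo.com'];
// Cookie names from the page's table; a trailing "*" there becomes a prefix rule here.
const COOKIE_RULES = [
  { match: 'amocrm_visitor_id', category: 'identification' },
  { match: 'amocrm_session', category: 'session' },
  { match: 'amocrm_lead_id', category: 'crm-linkage' },
  { match: 'amocrm_chat_widget_', prefix: true, category: 'preference' },
  { match: 'amocrm_analytics_', prefix: true, category: 'analytics' },
];

// Parse a document.cookie-style string into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// True only for a listed domain or one of its subdomains; "notamocrm.com" must not match.
function isAmoHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return AMOCRM_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// Return every amoCRM cookie and request seen while consent was still absent.
function auditPreConsent(cookieString, requestUrls) {
  const cookies = [];
  for (const name of cookieNames(cookieString)) {
    const rule = COOKIE_RULES.find((r) => (r.prefix ? name.startsWith(r.match) : name === r.match));
    if (rule) cookies.push({ name, category: rule.category });
  }
  const requests = [];
  for (const raw of requestUrls) {
    let host;
    try { host = new URL(raw).hostname; } catch (e) { continue; } // skip unparsable entries
    if (isAmoHost(host)) requests.push(host);
  }
  return { cookies, requests, compliant: cookies.length === 0 && requests.length === 0 };
}

// Constructed sample: state captured on first page load, before the banner was answered.
const sample = auditPreConsent(
  'theme=dark; amocrm_visitor_id=abc123; amocrm_chat_widget_lang=en',
  ['https://cdn.amocrm.com/constructed-path.js', 'https://notamocrm.com/x', 'https://example.org/app.js'],
);
console.log(JSON.stringify(sample, null, 2));
```

Feed it the cookie string and network log from a fresh browser profile on first load; a non-empty `cookies` or `requests` array means the widget is loading before consent.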
The chat widget sets visitor identification cookies (amocrm_session, amocrm_visitor_id), conversation state cookies, and (when enabled) analytics cookies tying the visitor to a lead in the CRM. Some cookies persist for up to one year.
Yes for the chat widget cookies and visitor tracking, which are non-essential under ePrivacy and TTDSG. Yes for marketing communications sent through amoCRM. The CRM workflows themselves can rely on contract performance once a customer relationship is established.
Consent (Art. 6(1)(a)) for the chat widget cookies and marketing emails. Contract performance (Art. 6(1)(b)) for active customer workflows. Legitimate interest (Art. 6(1)(f)) for cold lead qualification, with documented LIA.
Yes. Kommo Inc. (the international entity) processes data in the United States. Legacy amoCRM tenants may still rely on Russian infrastructure. Both require SCCs; Russian processing has no EU adequacy decision and demands additional safeguards.
A DPIA is recommended for any deployment with messenger integrations (WhatsApp, Instagram), cold outreach scoring, or sensitive-vertical leads. Document the integration map, the data categories, the retention, and the transfer mechanisms.
Confirm the tenant region (prefer Kommo US over legacy Russia for EU customers), sign the Kommo DPA and SCCs, run a TIA, gate the widget behind a CMP, document an LIA for cold leads, configure short retention for transcripts, train your sales team, and audit messenger integrations.
Alternatives include HubSpot CRM (US, EU residency option), Pipedrive (Estonia), Salesforce Essentials (US, EU residency), Zoho CRM (US/India/EU options), Brevo CRM (France), Sellsy (France), and EU open-source options like Vtiger and SuiteCRM.
List the amoCRM chat cookies with name, purpose, duration, and category. Specify the controller (Kommo Inc., US) and (where applicable) the legacy Russian processing. Reference SCCs and DPF for transfers. Provide a CMP toggle to refuse the widget.