Chatwoot is an open source customer engagement suite combining live chat, shared inbox, helpdesk and chatbot capabilities. Its embedded widget loads a JavaScript SDK, opens a WebSocket connection to the Chatwoot server and stores cw_conversation in cookies and local storage to keep a returning visitor connected to their conversation. As a customer support widget, it requires consent for visitors who have not yet engaged.
Chatwoot is an open source, multi-channel customer engagement suite. It bundles a website live chat widget, a shared inbox for email, WhatsApp, Facebook Messenger, Instagram and Twitter, helpdesk articles and AI-assisted bots. Many European SaaS companies and ecommerce stores either self-host Chatwoot in their own infrastructure or use the Chatwoot Cloud SaaS (with EU and US regions).
The widget stores the cw_conversation cookie and the cw_user_xxx local storage entries on the publisher domain to keep the visitor associated with their conversation. The WebSocket carries the messages, page context and visitor identifiers (set by setUser API calls if you authenticate end users) to the Chatwoot backend.
Loading the chat widget without a user interaction is not strictly necessary for the visitor's requested service, so European DPAs (CNIL, Garante) consider that prior consent is required under Article 5(3) ePrivacy. Once the visitor opens the chat and types a message, processing the conversation falls under contract performance or legitimate interest in providing customer support.
Block sdk.js through your CMP until the visitor accepts the necessary or functional cookies category. A frequent compliant pattern is the click-to-chat alternative: a static button on the page replaces the widget, and the actual Chatwoot SDK is loaded only after the user clicks it, which constitutes explicit consent.
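A gate that implements both triggers (CMP consent and click on a static button), as an added example that is not Chatwoot's or this page's own code. It assumes the SDK is served at `/packs/js/sdk.js` under the Chatwoot base URL; the website token, the `#chat-button` element and the `window.cmpChatConsent` flag are placeholders for your own values and CMP signal.

```javascript
// Added example: load the Chatwoot SDK only after consent or an explicit click.
const BASE_URL = "https://app.chatwoot.com";        // or your self-hosted instance
const WEBSITE_TOKEN = "WEBSITE_TOKEN_PLACEHOLDER";  // placeholder, not a real token

function createChatwootGate(doc, win, hasChatConsent) {
  let injected = false;

  // Inject sdk.js at most once. Nothing is requested from Chatwoot before this
  // runs, so no cw_conversation cookie or WebSocket exists until then.
  function inject(openOnReady) {
    if (injected) return false;
    injected = true;
    const script = doc.createElement("script");
    script.src = BASE_URL + "/packs/js/sdk.js";
    script.async = true;
    script.onload = () => {
      win.chatwootSDK.run({ websiteToken: WEBSITE_TOKEN, baseUrl: BASE_URL });
      if (openOnReady) {
        // Open the chat window as soon as the widget reports it is ready.
        win.addEventListener("chatwoot:ready",
          () => win.$chatwoot.toggle("open"), { once: true });
      }
    };
    doc.head.appendChild(script);
    return true;
  }

  return {
    // Call on page load and from the CMP's consent-changed callback.
    onConsentChange() { return hasChatConsent() ? inject(false) : false; },
    // Bind to the static button: the click itself is the consent signal.
    onButtonClick() {
      const loadedNow = inject(true);
      if (!loadedNow && win.$chatwoot) win.$chatwoot.toggle("open");
      return loadedNow;
    },
  };
}

// Browser wiring; window.cmpChatConsent and #chat-button are hypothetical names.
if (typeof document !== "undefined") {
  const gate = createChatwootGate(document, window,
    () => window.cmpChatConsent === true);
  gate.onConsentChange();
  const button = document.getElementById("chat-button");
  if (button) button.addEventListener("click", () => gate.onButtonClick());
}
```

To verify the gate in a browser, check that the network panel shows no request for sdk.js and that no cw_conversation cookie exists before the banner is accepted or the button is clicked.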
Self-hosting Chatwoot in the EU keeps all conversation data inside your infrastructure. Chatwoot Cloud uses AWS, with EU regions available on paid plans; the default US region implies a transfer that must be covered by Standard Contractual Clauses or the EU-U.S. Data Privacy Framework, plus disclosure in your privacy policy.
Gate the widget on a CMP signal or click to chat trigger, set retention periods on conversations and contacts, configure the data export and deletion APIs to honour data subject requests, and document Chatwoot Inc. as a processor (or yourself for the self hosted edition) in your records of processing.
DPIA considerations
A DPIA should be considered when Chatwoot is integrated with CRM, customer health scoring or AI bots that process conversation transcripts at scale. Cloud editions outside the EU also raise transfer risks worth assessing.
Sample consent text
We use Chatwoot to offer live chat support. With your consent, the widget will load on your device, store the cw_conversation cookie and forward your messages to our Chatwoot server. You can refuse or withdraw your consent at any time from the cookie settings.
Third-party domains contacted
- app.chatwoot.com
- cdn.chatwoot.com
- self-hosted Chatwoot instance (controller domain)

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cw_conversation | first_party | 1 year | Stores the Chatwoot conversation token to keep returning visitors connected to their conversation thread. |
| cw_user_* | first_party | 1 year | Stores visitor identifier and basic context (name, email if provided) to attribute messages to the right contact in Chatwoot. |
The Chatwoot widget stores the cw_conversation cookie and the cw_user_xxx local storage entries on the publisher domain to keep the visitor associated with their conversation. The cookie is required for the chat to function once the user has engaged.
Yes, in most cases. European DPAs consider that auto-loading the chat widget is not strictly necessary and requires prior consent under Article 5(3) ePrivacy. A click-to-chat pattern can substitute for the consent banner by capturing explicit user intent.
Once the visitor types a message, processing the conversation can rely on contract performance or legitimate interest in providing customer support. Loading the widget passively still requires consent.
Not when Chatwoot is self-hosted in the EU. Chatwoot Cloud uses AWS with EU and US regions; the US region triggers a transfer that must rely on Standard Contractual Clauses or the EU-U.S. Data Privacy Framework.
A DPIA is recommended when Chatwoot is integrated with CRM, customer scoring or AI bots that process transcripts at scale. Pure live chat with EU hosting and limited retention typically does not trigger a mandatory DPIA.
Block the SDK until consent or use click to chat, set retention periods on conversations, configure data export and deletion APIs to honour data subject rights, and document the legal basis in your records of processing.
EU friendly alternatives include Crisp (France), LiveChat (Poland), Zammad (Germany) or your own self hosted Rocket.Chat instance, all of which offer EU data residency.
Add a section that names Chatwoot, lists the cookie cw_conversation with purpose and duration, mentions the local storage entries and clarifies whether the data stays in your EU instance or is transferred to Chatwoot Cloud.