Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Crisp Live Chat is a customer messaging platform developed by Crisp IM SAS, a French company based in Nantes. All data is processed within the European Union, making it one of the more privacy-friendly live chat options. Despite its EU data residency, Crisp sets session cookies and collects visitor behavioural data, requiring compliance with ePrivacy Directive consent rules. With proper consent management, Crisp can be deployed in full conformity with GDPR and national ePrivacy laws.
Crisp Live Chat is a customer messaging and live chat platform developed by Crisp IM SAS, a company incorporated in France and headquartered in Nantes. It provides website visitors with a real-time chat widget through which they can contact support or sales teams. Crisp also offers chatbots, a shared inbox, CRM integrations, email campaigns, and knowledge base features. All infrastructure and data processing occurs within the European Union, which makes Crisp a privacy-favourable choice compared to US-headquartered live chat alternatives.
Crisp sets session-based cookies to maintain chat continuity across page navigations: crisp-client/session/{website-id} (session identification, 6 months) and related session state cookies. It collects visitor IP addresses, page URLs browsed, browser type, device type, and the content of chat messages exchanged. If visitors identify themselves during a chat, their name, email address, and any information they share becomes part of the Crisp CRM record. Crisp also tracks page view sequences and session duration to provide context to support agents.
Because Crisp is based in France and processes data exclusively within the EU, it avoids the data sovereignty risks associated with US-based services. However, GDPR still applies fully: the session cookies Crisp sets are not strictly necessary for the website itself, they are necessary for the chat service. Under the ePrivacy Directive, cookies that are strictly necessary for a service explicitly requested by the user may be exempt from consent requirements. If the chat widget loads automatically on every page without user request, the session cookie likely requires consent. If it only activates when the user clicks to open the chat, a strictly-necessary exemption may apply.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For most deployment configurations, Crisp requires consent under the ePrivacy Directive because the chat widget loads and sets cookies on every page view regardless of whether the visitor initiates a chat. The safest approach is to obtain consent before loading the Crisp script. Alternatively, configure Crisp to use a minimised launcher mode that only fully initialises and sets session cookies when the user actively clicks the chat bubble. In either case, disclose Crisp in your cookie policy, identify Crisp IM SAS as the data processor, and document the lawful basis in your Records of Processing Activities.
Crisp stores all conversation data, contact records, and analytics on servers located within the European Union. There are no transfers of personal data to third countries outside the EU or EEA. This eliminates the need to rely on Standard Contractual Clauses or other GDPR Chapter V transfer mechanisms for core Crisp functionality. Website operators should nonetheless execute a Data Processing Agreement with Crisp (available in the Crisp dashboard) to formalise the controller-processor relationship and satisfy GDPR Article 28 requirements.
Sign a Data Processing Agreement with Crisp via your account settings. If your consent management platform controls cookie loading, add Crisp to the functional or chat category and gate its loading on consent. Alternatively, evaluate whether your deployment qualifies for the strictly-necessary exemption. Update your cookie policy to list Crisp session cookies, their purpose and duration, and identify Crisp IM SAS as the data processor. Configure Crisp's data retention settings to align with your privacy policy. If you use Crisp AI or analytics add-ons, reassess the legal basis as these features involve additional profiling.
Websites using Crisp Live Chat must obtain user consent under GDPR regulations.
DPIA considerations
Crisp's EU-only data processing significantly lowers DPIA risk. A DPIA may still be warranted if: (1) the chat collects special category data shared by users, (2) AI or behaviour-analysis add-ons are enabled, (3) visitor volumes are very large. Assess: lawfulness of session cookies under ePrivacy Directive, adequacy of consent mechanisms, and data retention configuration.
Sample consent text
I consent to Crisp Live Chat storing a session cookie to enable the chat feature and improve my support experience. All data is processed within the EU by Crisp IM SAS. I can withdraw consent at any time.
Third-party domains contacted
app.crisp.chatapp.crisp.chatclient.crisp.chatclient.crisp.chatstatic.crisp.chatCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| crisp-client/session/{website_id} | functional | 6 months | Maintains chat session continuity for returning visitors, preserving conversation history across pages and visits |
| crisp-client/session | Functional | Session | Identifies and maintains the visitor's live chat session with the Crisp widget |
| crisp-client/expire | Functional | 6 months | Tracks session expiry to restore chat history for returning visitors |
Crisp Live Chat uses cookies for user preferences — inform visitors with a consent banner.
Crisp sets a session cookie named crisp-client/session/{website_id} that stores the visitor session identifier. This functional cookie has a duration of approximately 6 months and is used to maintain chat continuity across pages and visits. Crisp does not set advertising or third-party tracking cookies by default.
It depends on the legal basis you rely on. Crisp can be loaded under legitimate interest for pure live chat functionality, but this requires a documented balancing test. If Crisp is used for behaviour tracking, profiling, or retargeting, explicit consent is required under the ePrivacy Directive and GDPR.
For basic chat functionality, legitimate interest (Article 6(1)(f) GDPR) is the most commonly cited legal basis, supported by a documented balancing test. If you use Crisp for analytics or marketing automation, the legal basis shifts to consent (Article 6(1)(a) GDPR). Always document your chosen basis in your Records of Processing Activities.
Crisp SAS is a French company and its infrastructure is primarily hosted in the EU. Chat data is processed in Europe. However, you should verify the current Data Processing Agreement with Crisp and check for any sub-processors located outside the EU, particularly for email delivery or analytics integrations.
A DPIA is required if your use of Crisp involves systematic monitoring of visitors, profiling, or processing special category data through chat interactions. For standard live chat with no profiling or sensitive data, a DPIA may not be mandatory but is recommended as good practice. Consult your DPO if in doubt.
Obtain a signed Data Processing Agreement from Crisp before deployment. If relying on legitimate interest, document your balancing test. Configure Crisp to minimise data collection by disabling optional analytics features. If consent is your legal basis, use your CMP to block the widget from loading until the visitor consents.
EU-based alternatives include Intercom (SCCs available) and Chatwoot (open-source, self-hostable for full data control). For maximum privacy, a self-hosted Chatwoot or Rocket.Chat instance on EU infrastructure eliminates third-party data transfers entirely and gives you full control over data retention policies.
Yes. Your cookie policy must disclose the crisp-client/session cookie, its purpose, duration, and whether data is processed outside the EU. Specify the legal basis (legitimate interest or consent), reference Crisp SAS as the data processor, and link to Crisp's privacy policy. Update your RoPA to include Crisp with a signed DPA.