Engati is an AI powered customer engagement and chatbot platform that combines website live chat, conversational AI, WhatsApp Business and voicebot capabilities. Operators embed an Engati JavaScript widget that opens a real time channel to Engati cloud, captures visitor messages, contact details and contextual signals (page, referrer, IP), and routes the conversation to bots or human agents. Because Engati stores conversation history, may pre populate forms with contact information and uses cookies and local storage to identify returning visitors, prior consent is required under the GDPR and ePrivacy Directive for any deployment that targets European users.
Engati is a software as a service customer engagement platform headquartered in India, with offerings that include website live chat, conversational AI bots, WhatsApp Business automation, voicebots, and integrations with CRM and helpdesk tools. Operators embed a small JavaScript snippet that loads the Engati widget from cdn.engati.com, opens a WebSocket to engati.com (or the regional EU mirror), and exposes a chat bubble. Once the visitor sends a message, the widget streams the conversation to Engati cloud where bots powered by large language models or rule based dialogue trees produce replies, optionally escalating to human agents.
Engati typically sets a first party cookie under your domain (engati_visitor_id) used to recognise returning chatters and resume conversations across pages and sessions, plus a session cookie (engati_session) and a consent flag (engati_consent). It also reads or writes entries in localStorage to mirror these IDs when third party cookies are blocked. The data processed by Engati includes the visitor's IP address, browser user agent, screen size, language, referring URL, current URL, a fingerprint hash, all messages typed in the chat, file attachments uploaded by the visitor, contact details voluntarily shared (email, phone, name), and the operator metadata (agent ID, ticket reference). When the platform's AI features are enabled, transcripts may be sent to large language model providers for summarisation or intent detection.
Loading the Engati widget always involves storing or accessing information on the visitor's terminal, which triggers Article 5(3) of the ePrivacy Directive. The CNIL, AEPD and Italian Garante consider that proactive chat invitations (auto opening bubbles, behavioural triggers) require prior consent because they involve analytics about the visitor before any service request. A reactive chat icon that the visitor must click first can be classified as strictly necessary and exempt from consent, but only if no analytics or marketing cookies are set in the meantime. Once a conversation starts, the operator becomes data controller for the messages exchanged and Engati becomes a processor under Article 28 GDPR, which makes a written DPA mandatory.
Engati's primary infrastructure runs on AWS Mumbai (India), with a US region for some workloads and an EU region available for enterprise plans on request. India does not benefit from a European Commission adequacy decision, so transfers must rely on the EU Standard Contractual Clauses (Modules 2 and 3) accompanied by a transfer impact assessment in line with Schrems II and the EDPB Recommendations 01/2020. Operators handling European personal data should explicitly request the EU residency option, document encryption at rest using AES 256, encryption in transit using TLS 1.2 or higher, and review the list of subprocessors (AWS, OpenAI, Google Cloud, Meta WhatsApp, Twilio).
To stay compliant, gate loading of the Engati widget behind your CMP and load it only when the visitor accepts the customer support or functionality category. Disable the auto open feature unless consent has been collected. Configure the widget to display a privacy notice on first interaction with information about the data controller, the processor (Engati Technologies Pvt. Ltd.), the transfer to India, the retention duration of transcripts and the right to deletion. Provide an opt out link in your privacy policy that calls the Engati subject access endpoint and removes the visitor's cookies.
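One way to implement the gating described above, as an added example that is not Engati's or any CMP vendor's own code. The widget URL is a placeholder, the `functionality` category name and the `onConsentChange` hook are assumptions about your CMP, and the localStorage key names are assumed to match the cookie names listed on this page.

```javascript
// Added example: consent-gated loader for the chat widget.
// WIDGET_SRC is a placeholder; copy the real URL from your own embed snippet.
const WIDGET_SRC = "https://cdn.engati.com/PLACEHOLDER-widget.js";
const CHAT_CATEGORY = "functionality"; // CMP category name (assumption)
// Cookie names from this page; localStorage keys assumed to use the same names.
const ENGATI_KEYS = ["engati_visitor_id", "engati_session"];

function createChatGate(doc, storage) {
  let scriptEl = null;

  function load() {
    if (scriptEl) return false; // already injected, never load twice
    scriptEl = doc.createElement("script");
    scriptEl.src = WIDGET_SRC;
    scriptEl.async = true;
    doc.head.appendChild(scriptEl);
    return true;
  }

  function purge() {
    // Removing the tag does not stop code that already ran; reload the page
    // after withdrawal if the widget was active.
    if (scriptEl) {
      doc.head.removeChild(scriptEl);
      scriptEl = null;
    }
    for (const name of ENGATI_KEYS) {
      doc.cookie = `${name}=; Max-Age=0; Path=/; SameSite=Lax`;
      storage.removeItem(name);
    }
  }

  // Call on page load and on every CMP change with the accepted categories.
  function onConsentChange(accepted) {
    if (accepted.includes(CHAT_CATEGORY)) return load() ? "loaded" : "unchanged";
    purge();
    return "blocked";
  }

  return { onConsentChange, isLoaded: () => scriptEl !== null };
}
```

In a browser, create the gate with `createChatGate(document, localStorage)` and wire `onConsentChange` to your CMP's callback.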
Sign a DPA, request EU residency where available, configure short retention (90 days for transcripts unless you have a documented reason to keep them longer), enable agent role based access controls, train agents on the prohibition of asking for special category data via chat, restrict file upload types, log every export of transcripts, and conduct a yearly review of the Engati subprocessor list. Document the AI use cases (intent classification, summarisation) in the record of processing activities and prepare a fallback workflow that lets users contact a human only when they refuse the AI features.
Websites using Engati must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended in two scenarios. First, when Engati is configured as a customer support entry point that records and analyses long form conversations using its AI features, the systematic processing of free text messages on a large scale meets the EDPB criterion of innovative use of new technological solutions. Second, when Engati is integrated with a CRM to score leads or trigger marketing actions, the resulting profiling reaches the threshold of Article 35 GDPR. The DPIA should map the data categories collected by the chat (identity, contact, conversation history, attachments, IP, page context), the retention configured in the Engati console, the international transfers to India and the US, the use of large language models to summarise transcripts, and the human review process applied to bot suggestions.
Sample consent text
Our website uses Engati to provide live chat and AI assistance. With your consent, Engati will load on your browser, set first party cookies, and process the messages you exchange with us together with your IP address, page URL and any contact details you share. Conversation transcripts and attachments are stored on Engati infrastructure in India and may be transferred to the United States. You can chat without an account, request deletion of your transcript at any time, or refuse the cookie and use the standard contact form instead.
Third-party domains contacted
- engati.com
- cdn.engati.com
- app.engati.com
- api.engati.com
- ws.engati.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| engati_visitor_id | first_party | 12 months | Persistent visitor identifier used by Engati to recognise returning chatters across pages and sessions and to resume conversations. |
| engati_session | first_party | Session | Short lived session cookie used to maintain the WebSocket connection state between the browser and the Engati cloud. |
| engati_consent | first_party | 6 months | Stores the user consent state for the Engati chat widget and prevents the platform from setting non essential cookies when consent is missing or has been withdrawn. |
| _engati_uid | third_party | 12 months | Cross domain visitor identifier set on engati.com to synchronise chat history across multiple operator properties using the same Engati workspace. |
Engati uses cookies for user preferences — inform visitors with a consent banner.
Engati typically writes a first party cookie under your domain (engati_visitor_id) used to recognise the visitor across pages and sessions, plus a session cookie (engati_session) and a consent flag (engati_consent). It mirrors these IDs in localStorage to survive third party cookie restrictions, and on subdomains it may use a third party cookie scoped to engati.com to synchronise the chat across multiple properties of the same operator.
It depends on the configuration. A reactive chat icon that the visitor must click first can be considered strictly necessary if no analytics or marketing cookies are set in the meantime. A proactive widget that opens automatically, triggers based on visitor behaviour, or stores an identifier before any user interaction requires prior consent under Article 5(3) ePrivacy and Article 6(1)(a) GDPR, in line with CNIL and AEPD guidance on chatbots.
For consent based functions the basis is Article 6(1)(a) GDPR. Once a visitor proactively starts a conversation, the basis becomes Article 6(1)(b) (performance of a pre contractual or contractual support request). Legitimate interest (Article 6(1)(f)) may be used for fraud prevention, but never to override the visitor's wish to refuse the chat or to feed marketing pipelines.
Yes. Engati's primary infrastructure is in India (AWS Mumbai), with secondary processing in the United States and EU residency available on Enterprise plans. Indian transfers rely on Standard Contractual Clauses plus a transfer impact assessment because there is no adequacy decision, and US transfers leverage the EU US Data Privacy Framework when subprocessors such as AWS or OpenAI are certified.
A DPIA is recommended when Engati is used at scale to record long form conversations, when transcripts are analysed by AI features, or when chat data is fed into a CRM for lead scoring. The DPIA should map data categories, retention, transfers to India and the US, the use of large language models, and the human review of bot suggestions, in line with Article 35 GDPR.
Sign the Engati DPA, request EU residency where available, gate the widget through your CMP, disable the auto open feature until consent is collected, configure short retention for transcripts (typically 90 days), enable role based access for agents, train agents to avoid asking for special category data, and verify with browser developer tools that the widget loads only after the marketing or functionality category is accepted.
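The developer tools check mentioned above can be repeated on an exported HAR file. This added example (not from Engati or any CMP vendor) flags requests to engati.com hosts that started before the moment consent was given; the consent timestamp is something you record yourself during the test session, and the sample HAR entries are constructed.

```javascript
// Added example: audit a HAR export for Engati requests made before consent.
// Matches engati.com and its subdomains (the hosts listed on this page).
function isEngatiHost(host) {
  return host === "engati.com" || host.endsWith(".engati.com");
}

// har: parsed HAR 1.2 object; consentIso: ISO time of the "accept" click,
// or null if consent was never given during the recorded session.
function findPreConsentRequests(har, consentIso) {
  const consentAt = consentIso === null ? Infinity : Date.parse(consentIso);
  return har.log.entries
    .filter((e) => isEngatiHost(new URL(e.request.url).hostname))
    .filter((e) => Date.parse(e.startedDateTime) < consentAt)
    .map((e) => e.request.url);
}

// Constructed sample: the widget script loads 2.1 s before consent.
const SAMPLE_HAR = {
  log: {
    entries: [
      { startedDateTime: "2024-01-01T10:00:00.100Z",
        request: { url: "https://example.org/" } },
      { startedDateTime: "2024-01-01T10:00:00.900Z",
        request: { url: "https://cdn.engati.com/PLACEHOLDER-widget.js" } },
      { startedDateTime: "2024-01-01T10:00:01.000Z",
        request: { url: "https://notengati.com/x.js" } }, // look-alike, ignored
      { startedDateTime: "2024-01-01T10:00:05.000Z",
        request: { url: "wss://ws.engati.com/PLACEHOLDER" } },
    ],
  },
};

function auditSample() {
  return findPreConsentRequests(SAMPLE_HAR, "2024-01-01T10:00:03.000Z");
}
```

An empty result means no Engati host was contacted before consent in that session; passing `null` as the timestamp lists every Engati request, which is the expected-empty case for a "refuse all" test run.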
EU based alternatives include Crisp (France, EU hosting), Userlike (Germany, EU hosting), Tidio with EU residency, and self hosted options like Chatwoot or Rocket.Chat. Privacy first AI assistants such as Mistral Le Chat for France or Aleph Alpha for Germany may also be combined with a self hosted live chat to limit transfers outside the EEA.
Add a dedicated entry for each Engati cookie (engati_visitor_id, engati_session, engati_consent) with name, scope, retention and purpose. Disclose the joint role between operator (controller) and Engati (processor), the international transfer to India, the SCCs in place, the retention of transcripts, and the link to request deletion. Refresh the policy whenever the Engati subprocessor list or retention defaults change.