Intercom is a US-based customer messaging platform providing live chat, in-app messaging, chatbots, email campaigns, and customer support tools. The Intercom Messenger widget is widely embedded on SaaS product websites. GDPR compliance requires consent for tracking cookies before the widget loads, a DPA with Intercom, and SCCs for US data transfers. EU data residency is available on Enterprise plans. Intercom provides GDPR-specific features including data deletion APIs and consent management.
Intercom is a customer messaging platform that combines live chat, chatbots, in-app messaging, email campaigns, a help centre, and customer support tools in a single product. It is widely used by SaaS companies for onboarding, customer support, proactive engagement, and marketing outreach. The Intercom Messenger (the chat bubble that appears on websites and apps) is one of the most recognisable customer engagement interfaces on the web.
Intercom collects visitor IP addresses, browser and device information, page visit history, user identifiers (user_id, email passed via the Intercom JS code), conversation content and history, custom attributes sent by the application, and behavioural events. For logged-in users, rich profile data including usage patterns, subscription status, and engagement history is typically synced to Intercom.
Intercom sets cookies for visitor identification and session tracking that require consent before loading on EU-facing websites. For authenticated application users who have an active session, legitimate interest may support the Intercom Messenger for support functions. For anonymous website visitors and marketing tracking, consent is required. Intercom provides a consent mode option to prevent cookie setting until consent is obtained.
Intercom offers EU data residency for Enterprise customers. When enabled, all customer and conversation data is stored within the EU. For standard deployments, US infrastructure is used requiring SCCs. Request EU data residency if processing significant volumes of EU personal data.
Sign the Intercom DPA and SCCs. Block Intercom loading until cookie consent on public pages. Configure EU data residency on Enterprise plans. Only pass necessary user attributes to Intercom — avoid sending sensitive data. Implement Intercom User Deletion API for erasure requests. Disclose Intercom in your privacy policy covering conversation data, cookie tracking, and any email campaigns sent via Intercom.
Websites using Intercom must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Intercom deployments that combine visitor tracking, behavioural profiling, automated messaging, and large-scale customer data processing. The breadth of data collected across the Intercom platform warrants documented risk assessment.
Sample consent text
We use Intercom to provide customer support and send relevant product updates. Intercom uses cookies to identify you and personalise your experience. Data is processed in the US. You can opt out of non-essential Intercom tracking in your cookie preferences.
Third-party domains contacted
widget.intercom.io
api-iam.intercom.io
js.intercomcdn.com
uploads.intercomusercontent.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| intercom-id | persistent | 9 months | Unique visitor identifier used to recognise returning users and link sessions across visits |
| intercom-session | persistent | 7 days | Session token renewed on each visit to maintain chat session continuity |
| intercom-device-id | persistent | 9 months | Device fingerprint used to associate behavioural data with a specific device across sessions |
Intercom uses cookies for user preferences — inform visitors with a consent banner.
Yes for tracking cookies and marketing messages. Intercom cookies require consent before loading on public EU pages. Legitimate interest may cover in-product support for authenticated users. Marketing campaigns require separate consent.
Intercom sets intercom-id (9 months), intercom-session (1 week), and intercom-device-id (9 months), all requiring consent under the ePrivacy Directive.
Yes for Enterprise customers. Standard deployments use US infrastructure requiring SCCs.
Consent for tracking cookies. Legitimate interest may apply for in-product support initiated by identified users. Consent for marketing messages.
Use CMP tag blocking or call window.Intercom("boot", {...}) conditionally only after consent confirmation.
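A consent gate for the conditional boot described above, as an added example rather than Intercom's or any CMP's own code. `createIntercomGate`, `minimise`, `intercomCookies` and the attribute allow-list are hypothetical names; the queue stub follows the shape of Intercom's standard install snippet, which is an assumption to check against the snippet in your own workspace.

```javascript
// Added example, not Intercom's or any CMP's own code.
// Only these attributes may reach Intercom; anything else is dropped.
const ALLOWED_ATTRIBUTES = ["app_id", "user_id", "email"];

function minimise(settings) {
  return Object.fromEntries(
    Object.entries(settings).filter(([k]) => ALLOWED_ATTRIBUTES.includes(k))
  );
}

// win and doc are injected (window and document in a browser) so the gate
// can be tested without a DOM. createIntercomGate is a hypothetical name.
function createIntercomGate(win, doc, settings) {
  const safe = minimise(settings);
  let booted = false;

  function load() {
    if (!win.Intercom) {
      // Queue stub in the shape of Intercom's install snippet (assumption):
      // calls made before the widget script arrives are buffered in Intercom.q.
      const stub = function () { stub.c(arguments); };
      stub.q = [];
      stub.c = (args) => stub.q.push(args);
      win.Intercom = stub;
      const s = doc.createElement("script");
      s.async = true;
      s.src = "https://widget.intercom.io/widget/" + encodeURIComponent(safe.app_id);
      doc.head.appendChild(s); // first request to Intercom happens only here
    }
    win.Intercom("boot", safe);
    booted = true;
  }

  return {
    // Call from the CMP's consent callback with the current decision.
    onConsentChange(granted) {
      if (granted && !booted) load();
      if (!granted && booted) {
        win.Intercom("shutdown"); // end the session when consent is withdrawn
        booted = false;
      }
      return booted;
    },
  };
}

// Audit helper: names of Intercom cookies present in a document.cookie string.
function intercomCookies(cookieString) {
  return cookieString.split(";").map((c) => c.trim().split("=")[0])
    .filter((name) => name.startsWith("intercom-"));
}
```

In a browser, create the gate with `window` and `document` and run `intercomCookies(document.cookie)` before any consent is given; an empty result confirms that nothing from the cookie table has been set early.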
Yes. Sign the Intercom DPA available from Intercom's legal page. It includes SCCs for EU-US transfers.
Use the Intercom Delete User API to remove the user and all associated conversations. Document all requests.
Crisp (France), Userlike (Germany), and HelpCrunch (EU region) offer live chat and support with EU data residency.