Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Krible is a Russian customer engagement platform offering web chat, callback button and co-browsing features for websites. Founded in 2008 and headquartered in Moscow, it helps businesses interact with visitors in real time. The widget sets functional and analytics cookies, and personal data is processed on Russian servers, which raises significant compliance questions under the GDPR and the ePrivacy Directive for European publishers.
Krible is a Russian customer engagement platform that has operated from Moscow since 2008. It provides website publishers with a JavaScript widget that combines live chat, a callback request button and co-browsing tools, allowing support agents to interact with visitors in real time and even share their browser view. The service is positioned as a competitor to other on-site engagement suites such as LiveChat or JivoChat, and is mainly used by Russian language e-commerce sites, banks and online services. When the widget is embedded, the visitor's browser establishes a connection to Krible servers and exchanges identifiers, page context and chat content with them.
Krible sets functional cookies for the chat session, the visitor identifier and the callback dialogue state, plus analytics cookies that track returning visitors, the pages they viewed before opening the chat and the time spent on the site. Server side, Krible records IP addresses, user agent strings, approximate geolocation derived from IP, full chat transcripts, any contact details typed into the widget and timestamps for every interaction. Co-browsing additionally streams DOM snapshots of the page the visitor is on. All of this constitutes personal data under Article 4 GDPR.
Article 5(3) of the ePrivacy Directive, transposed into national law across the European Economic Area, requires prior consent before storing or reading cookies that are not strictly necessary for a service explicitly requested by the user. Krible's analytics and visitor tracking cookies fall outside the strictly necessary exemption, so they cannot be set before the visitor has clicked Accept on a compliant consent banner. The processing of chat content and IP addresses also requires a valid GDPR legal basis and a transparent privacy notice listing Krible as a recipient and Russia as the destination country.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Russia has never benefited from a European Commission adequacy decision, and Russian Federal Law 152-FZ on Personal Data does not provide a level of protection equivalent to the GDPR. Russian authorities have broad access powers to data processed on national territory, including under the so called Yarovaya laws, which require operators to retain communications and provide them to security services on request. Following the Schrems II judgment, exporters relying on Standard Contractual Clauses must perform a transfer impact assessment and add supplementary measures. For Russia, most European supervisory authorities consider that no realistic combination of measures restores GDPR equivalent protection, leaving explicit consent under Article 49(1)(a) as the only practical derogation, with all its limitations.
Deploying Krible on a European audience site without prior consent is non-compliant. The consent banner must reject non-essential cookies by default, list Krible separately, name Russia as the destination, and explain the elevated risk so that consent is genuinely informed. A Data Protection Impact Assessment under Article 35 GDPR is strongly recommended, since the combination of systematic visitor monitoring, third country transfer to a high risk jurisdiction and potential capture of sensitive content typed in chat ticks several DPIA criteria from the EDPB list.
For most European publishers the proportionate option is to replace Krible with a European or self hosted alternative such as Crisp, Chatwoot or LiveChat with EU hosting, which avoids the third country transfer entirely. If Krible must remain, gate the widget behind a granular consent banner, block the script until consent is given, document the legal basis in the record of processing activities, complete a transfer impact assessment, and update the cookie policy to disclose Krible, the categories of data collected and the transfer to Russia in plain language.
Websites using Krible must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment is strongly recommended before deploying Krible on a European website. Personal data, including IP addresses, behavioural data and chat content, is transferred to Russia, a third country without an adequacy decision and with documented surveillance and access powers that are not equivalent to those in the European Economic Area. The DPIA should address the systematic nature of monitoring, the categories of data collected (potentially including special categories shared in chat), the absence of supplementary technical measures such as end to end encryption, the realistic likelihood of public authority access, and whether the processing is strictly necessary or could be carried out with a European provider.
Sample consent text
We use Krible, a Russian live chat and callback service, to enable our visitor support widget. Krible sets cookies on your device and transfers your data, including your IP address, browsing activity on this site and any messages you send through the widget, to servers in Russia. Russia is not covered by a European adequacy decision and offers a lower level of data protection than the EU. By clicking Accept you give your explicit consent to this transfer under Article 49(1)(a) GDPR.
Third-party domains contacted
krible.comcdn.krible.comapi.krible.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| krible_session | functional | Session | Identifies the current chat session and links incoming messages with the visitor and the support agent. |
| krible_visitor | analytics | 1 year | Persistent visitor identifier used to recognise returning users across pages and visits. |
| krible_state | functional | 30 days | Stores the open or minimised state of the chat widget and the callback dialogue. |
| krible_track | analytics | 6 months | Records page visits, referrers and time on site for the visitor analytics dashboard. |
Krible uses cookies for user preferences — inform visitors with a consent banner.
Krible typically sets a session cookie that identifies the chat conversation, a persistent visitor cookie that recognises returning users across visits, a state cookie that remembers whether the widget was open or minimised, and a tracking cookie used for visitor analytics such as pages viewed and time spent. The exact names can vary between releases, but only the chat session cookie is plausibly strictly necessary, and only when the visitor has actively opened the chat.
Yes. Because Krible loads a third party JavaScript widget that sets non-essential cookies and transmits IP addresses and browsing data to Russia, prior, freely given, specific, informed and unambiguous consent is required under Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR. The widget script must be blocked until the visitor has accepted, and a refusal must be just as easy as acceptance.
For cookie storage and access, the only valid legal basis is consent (Article 5(3) ePrivacy). For the underlying personal data processing (chat content, IP, behavioural data), consent under Article 6(1)(a) GDPR is the most defensible basis because legitimate interest is hard to balance against the surveillance risks linked to Russia. The international transfer further requires either explicit consent under Article 49(1)(a) or another Article 49 derogation.
Krible operates from Moscow and uses Russian infrastructure. Visitor IP addresses, chat content, callback requests and analytics data are transmitted to and stored on servers located in Russia. There is no European Commission adequacy decision for Russia, and Russian law grants security services broad access powers over data held on national territory, so any transfer must be assessed and documented as a third country transfer to a high risk jurisdiction.
A DPIA is strongly recommended and in most cases mandatory. The combination of systematic monitoring of website visitors, transfer of personal data to a third country without an adequacy decision and very high surveillance risk, and the potential capture of sensitive content typed in chat triggers several criteria from the EDPB DPIA guidelines. Documenting the assessment also helps demonstrate accountability under Article 5(2) GDPR.
Block the Krible script in your tag manager or CMP until explicit consent has been collected; list Krible as a separate vendor mentioning Russia as destination; configure a granular consent banner where reject is as visible as accept; complete a transfer impact assessment and a DPIA; sign a written data processing agreement covering Article 28 GDPR obligations; and update your privacy and cookie policies with the categories of data, retention periods and information about transfers.
European or EU hosted live chat tools such as Crisp (France), Chatwoot (self hosted, France origin), LiveChat with EU servers, Userlike (Germany) and Tidio (Poland) avoid the third country transfer issue entirely. They typically offer comparable features (chat, callback, visitor analytics, sometimes co-browsing), simpler GDPR documentation and a standard EU data processing agreement.
Add a dedicated entry for Krible listing the cookies set, their purposes, lifetimes, the controller and the destination country. Explicitly state that data is transferred to Russia, that there is no adequacy decision and that consent is the legal basis. Provide a link to Krible's privacy policy, the date of the last review and an easy way to withdraw consent through the CMP. Re-prompt for consent after material changes.