Kustomer is a customer service CRM owned by Meta that powers chat, email and social support through an embeddable widget and unified inbox.
Kustomer is a customer service CRM founded in New York and acquired by Meta in 2022. It unifies chat, email, social and voice support around a customer timeline, and offers AI assistance, intent detection and self service. Kustomer is embedded into websites via a JavaScript chat widget and integrates with Meta channels including Messenger, Instagram and WhatsApp Business.
The Kustomer chat widget writes cookies such as kustomer-session-id, kustomer-client-id and kustomer-visitor-id, plus localStorage entries for the conversation state. Kustomer receives the visitor IP, the page URL, the chat content, attached files, the authenticated identifier if you provide one and any customer attribute pushed through the SDK. Voice and integrated WhatsApp data feeds the same customer timeline.
Loading the chat widget writes to the user device, so Article 5(3) of the ePrivacy Directive requires consent on public pages. Chat content and customer attributes are personal data under the GDPR. The Meta ownership materially raises the Schrems II risk: even if the Kustomer instance is in the EU, the Meta group may access data from the US under US surveillance laws.
Public widget: consent before loading. Authenticated support inside a paid product: contract performance for the helpdesk function. Marketing automation features such as proactive prompts based on browsing behaviour require a separate consent purpose. Inform users that Kustomer is part of Meta and that data flows through US infrastructure.
Kustomer runs on AWS with US default regions. EU residency on AWS Ireland or Frankfurt is contractually possible and recommended for EU operators. Even with EU residency, support and administrative access by Meta personnel in the US triggers transfer rules. Cover transfers with the EU US Data Privacy Framework and Standard Contractual Clauses; sign the Kustomer/Meta data processing addendum.
Pick EU residency, run a thorough transfer impact assessment given the Meta ownership, document the data flows, mask sensitive identifiers (card numbers, IDs) in transcripts, restrict access to administrative dashboards, set short retention on chat conversations, and offer customers a clear way to request deletion of their timeline.
Websites using Kustomer must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended given the Meta ownership: chat transcripts, customer attributes and conversation history can be enriched with cross context data, which heightens risk under GDPR and Schrems II.
Sample consent text
We use Kustomer (owned by Meta) for customer support. Kustomer writes cookies on your device, processes your messages and IP address, and shares them with Kustomer Inc. and Meta Platforms in the United States. We only load the widget if you accept.
Third-party domains contacted
- kustomerapp.com
- cdn.kustomerapp.com
- api.kustomerapp.com
- kustomer.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| kustomer-session-id | third_party | session | Session identifier for the Kustomer chatter |
| kustomer-client-id | third_party | 1 year | Anonymous client identifier across visits |
| kustomer-visitor-id | third_party | 1 year | Visitor identifier used to thread conversations |
Kustomer uses cookies for user preferences — inform visitors with a consent banner.
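A pre-consent audit built from the cookie names and domains listed above, as an added example (not FlowConsent's or Kustomer's code): it flags any Kustomer cookie or request observed before the visitor has accepted. The function names are hypothetical and the widget path in the sample is a placeholder.

```javascript
// Added example: cookie names and domains are taken from the lists on this page.
const KUSTOMER_COOKIES = ["kustomer-session-id", "kustomer-client-id", "kustomer-visitor-id"];
const KUSTOMER_DOMAINS = ["kustomerapp.com", "kustomer.com"];

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// True when host equals a listed domain or is a subdomain of it.
// The dot boundary keeps "notkustomer.com" from matching "kustomer.com".
function isKustomerHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return KUSTOMER_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Return everything Kustomer-related that was seen before consent was given.
function auditPreConsent(cookieHeader, requestedUrls) {
  const cookies = cookieNames(cookieHeader).filter((n) => KUSTOMER_COOKIES.includes(n));
  const requests = [];
  for (const raw of requestedUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      continue; // skip relative or malformed entries
    }
    if (isKustomerHost(url.hostname)) requests.push(url.href);
  }
  return { cookies, requests, compliant: cookies.length === 0 && requests.length === 0 };
}

// Constructed sample: state captured from a page before the banner was answered.
const sampleCookies = "theme=dark; kustomer-visitor-id=abc123; lang=en";
const sampleRequests = [
  "https://example.org/app.js",
  "https://cdn.kustomerapp.com/widget.js", // path is a placeholder
  "https://notkustomer.com/pixel.gif",
];
console.log(auditPreConsent(sampleCookies, sampleRequests));
```

In a browser test, pass `document.cookie` and `performance.getEntriesByType("resource").map((e) => e.name)` as the two arguments before interacting with the banner.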
Kustomer writes kustomer-session-id, kustomer-client-id and kustomer-visitor-id, plus localStorage entries for the chat state. Authenticated portals add a session cookie scoped to the customer subdomain.
On public pages, yes. The widget writes to the user device and processes personal data; Article 5(3) ePrivacy applies. Authenticated customer support inside a paid product runs on contract performance.
Consent for public widgets and proactive marketing prompts. Contract performance for authenticated helpdesk. Sensitive data requires Art. 9 GDPR. Always disclose Meta ownership.
Yes. Even with EU residency on AWS, Meta personnel can access data from the US. Cover transfers with the EU-US Data Privacy Framework, Standard Contractual Clauses and a transfer impact assessment, with heightened scrutiny because of Meta.
Strongly recommended given Meta ownership, broad data integration (Messenger, Instagram, WhatsApp) and AI assistance features.
Pick EU residency, run a robust transfer impact assessment, segment consent purposes (chat versus marketing), mask sensitive content in transcripts, set short retention, restrict admin access and document the joint controller boundary with Meta.
For customer service CRM, EU alternatives include Zendesk EU residency, Freshdesk EU, Intercom EU pod, Help Scout EU, Sellsy (France), Crisp (France), and self-hosted options like Chatwoot.
List the Kustomer cookies (session, client, visitor identifiers) and localStorage entries. State that Kustomer is part of Meta and that the EU-US Data Privacy Framework covers the transfer.