Quiq Messaging is a US conversational AI and customer messaging platform from Quiq Inc. that lets brands engage visitors through web chat, SMS, WhatsApp and Apple Messages. The web widget writes first party cookies and uses local storage to identify the conversation. Quiq is hosted in the United States, so European deployments must address consent under ePrivacy and US transfer obligations under Schrems II.
Quiq Messaging is a customer engagement platform operated by Quiq Inc., a software vendor based in Bozeman, Montana. It lets brands engage visitors through web chat, SMS, Facebook Messenger, WhatsApp, Apple Messages for Business and Google Business Messages, with a unified agent desktop and an asynchronous conversation model. The platform also includes Quiq AI Studio, a generative AI workbench that automates a portion of the conversations and allows agents to assist customers more efficiently. The integration on a website typically takes the form of a JavaScript widget loaded from a Quiq CDN.
The Quiq web widget writes first party local storage entries and cookies that include the conversation identifier (typically quiq-conversation-id), the anonymous visitor identifier (quiq-anon-id) and an agent session token. The platform also collects the IP address, the user agent, the timestamp of each message, the page from which the chat was opened and the entire content of every message exchanged. When generative AI is enabled, transcripts are processed through a large language model which may persist the prompts for quality monitoring.
Cookies that are strictly necessary to maintain an active chat session can be loaded without consent under Article 5(3) of the ePrivacy Directive when the visitor explicitly opens the chat. Cookies used for proactive engagement, behavioural targeting or cross site tracking require consent. Conversation transcripts contain personal data and sometimes special category data, so the controller must inform the visitor under Articles 13 and 14 GDPR, identify the legal basis (typically contract performance for the chat itself and consent for any AI training) and document the retention period.
Quiq Inc. is a US controller subject to FISA 702 and Executive Order 14086. Conversations are stored on AWS infrastructure in the United States. Transfers rely on the EU US Data Privacy Framework where Quiq is self certified, complemented by Standard Contractual Clauses where the framework does not apply. European controllers must perform a Transfer Impact Assessment, document the supplementary measures put in place (encryption keys held in the EU, pseudonymisation of contact details, restricted US support access) and reference both mechanisms in the record of processing activities.
Activate the chat widget only after the visitor has explicitly opened it or after they have accepted the relevant cookie category through your Consent Management Platform. Configure short retention periods for transcripts, mask payment card numbers and other sensitive identifiers, restrict the use of generative AI to non sensitive scenarios, sign a Data Processing Agreement and the Standard Contractual Clauses with Quiq Inc., document the Transfer Impact Assessment and reference Quiq in the cookie banner detailed view and in the privacy notice.
Websites using Quiq Messaging must obtain user consent under GDPR regulations.
DPIA considerations
Quiq processes conversation transcripts that often include personal data, contact information and sometimes special category data such as health or financial requests. Combined with generative AI features that may train models on the transcripts, this raises the risk profile. Consider a DPIA covering the consent flow, the AI logic, the retention period, the access of US support staff and the supplementary measures applied to mitigate Schrems II risks.
Sample consent text
We use Quiq Messaging to provide instant chat support. By starting a conversation you agree that the messages, your contact details and the conversation metadata are sent to Quiq Inc., a processor located in the United States, where they are stored to deliver and improve the service. You can withdraw your consent at any time, and the conversation will be retained only for the legal periods stated in our privacy policy.
Third-party domains contacted
quiq-api.com
goquiq.com
centricient.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| quiq-conversation-id | first_party | 1 year | Stores the identifier of the active chat conversation so that messages persist across navigation and reloads. |
| quiq-anon-id | first_party | 1 year | Stores an anonymous visitor identifier used to link returning visitors to their previous conversations. |
| quiq-session-id | first_party | Session | Stores the active WebSocket session identifier used for real time message delivery between visitor and agent. |
Quiq Messaging uses cookies for user preferences — inform visitors with a consent banner.
The Quiq web widget writes a conversation identifier (typically quiq-conversation-id), an anonymous visitor identifier (quiq-anon-id) and an agent session token. It also stores connection metadata in local storage. Identifiers can persist from a session to several months depending on the configuration of the conversation continuity feature.
Cookies that are strictly necessary to support a chat the user has just opened can rely on the Article 5(3) ePrivacy exemption. Identifiers used for proactive engagement, cross site stitching or analytics require an explicit opt in collected through your Consent Management Platform before the widget is loaded.
The conversation itself is processed under contract performance (Article 6(1)(b) GDPR) when it is part of customer support. Quality monitoring and AI training rely on legitimate interest (Article 6(1)(f)) or explicit consent (Article 6(1)(a)) when special category data may be processed. Document the legal basis for each purpose.
Yes. Quiq Inc. processes conversations on AWS infrastructure in the United States. Transfers rely on the EU US Data Privacy Framework where Quiq is self certified and on Standard Contractual Clauses for residual flows. Run a Transfer Impact Assessment and document supplementary measures.
A DPIA is recommended in most cases. The combination of US transfers, generative AI processing, large scale messaging and possible special category data triggers several criteria of the EDPB Guidelines on DPIA, the CNIL list and the AEPD list. Cover the consent flow, the AI logic, the retention period and the access of US support staff.
Block the widget behind your Consent Management Platform until the chat is opened or the appropriate cookie category is accepted. Limit the use of generative AI on sensitive flows, mask payment data, configure short retention periods, sign Standard Contractual Clauses and a Data Processing Agreement, and reference Quiq in your privacy notice.
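The gating rule above (no widget until the visitor opens the chat or accepts the relevant category) can be checked from the outside. The following is an added example, not Quiq's or this page's own code: it audits a scanner snapshot for the domains and identifiers listed on this page appearing while the gate is still closed. The snapshot shape, the `chat` category name and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: everything except the quiq-* identifiers and the three
// domains listed on this page is an assumption made for illustration.
const QUIQ_DOMAINS = ["quiq-api.com", "goquiq.com", "centricient.com"];
const QUIQ_KEYS = ["quiq-conversation-id", "quiq-anon-id", "quiq-session-id"];

// Gate: load only if the visitor opened the chat or accepted the category.
// "chat" is a hypothetical CMP category name.
function mayLoadWidget(state) {
  return state.chatOpenedByVisitor === true ||
    (state.acceptedCategories || []).includes("chat");
}

function isQuiqHost(hostname) {
  const h = hostname.toLowerCase();
  return QUIQ_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Audit a snapshot captured by a scanner: anything Quiq-related observed
// while the gate is closed is a finding.
function auditSnapshot(snapshot) {
  if (mayLoadWidget(snapshot.state)) return [];
  const findings = [];
  for (const raw of snapshot.requests) {
    let host;
    try { host = new URL(raw).hostname; } catch { continue; } // skip malformed
    if (isQuiqHost(host)) findings.push({ kind: "request", value: host });
  }
  for (const name of [...snapshot.cookies, ...snapshot.localStorageKeys]) {
    if (QUIQ_KEYS.includes(name)) findings.push({ kind: "storage", value: name });
  }
  return findings;
}

// Constructed sample: page load with no interaction and no consent.
const sample = {
  state: { chatOpenedByVisitor: false, acceptedCategories: ["necessary"] },
  requests: [
    "https://shop.example/index.html",
    "https://tenant.goquiq.com/widget.js", // constructed URL
    "https://notgoquiq.com/x.js",          // lookalike host, must not match
    "not a url",
  ],
  cookies: ["session", "quiq-anon-id"],
  localStorageKeys: ["theme", "quiq-conversation-id"],
};
console.log(auditSnapshot(sample));
```

An empty result on a fresh, no-interaction page load is the expected state; any finding means the widget or its storage was active before the gate opened.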
You can consider European alternatives such as Userlike, ChayAll, Crisp (France), Tidio for chat, or open source solutions like Chatwoot self hosted in the EU. Each tool has different feature sets, integrations and AI capabilities, so map your use case before switching.
Add a dedicated entry for Quiq Inc. listing the cookies, the local storage entries, the purpose, the retention period and the United States as the country of storage. Reference the EU US Data Privacy Framework and Standard Contractual Clauses, and link to the Quiq privacy notice for further details.