Rocket.Chat is an open-source team communication and customer messaging platform that can be self-hosted on your own infrastructure or used via Rocket.Chat Cloud. When self-hosted on EU servers, Rocket.Chat offers the strongest data sovereignty of any major chat platform, with no third-country data transfers. Even when self-hosted, the Livechat widget sets cookies and collects visitor data, requiring consent under the ePrivacy Directive before the widget loads.
Rocket.Chat is an open-source communications platform that combines team messaging, video conferencing, file sharing, and a Livechat customer support widget in a single deployable package. It is used by over 12 million users across thousands of organisations worldwide, including many government agencies and regulated enterprises that require full data control. Its key differentiator from cloud-native chat platforms is that the entire stack can be self-hosted on infrastructure controlled by the operator, meaning data never leaves the organisation's own environment. This makes it the most GDPR-friendly large-scale chat platform available, provided it is deployed on EU infrastructure.
The Rocket.Chat Livechat widget sets session and visitor identification cookies to maintain conversation continuity and recognise returning visitors. It also uses localStorage for widget state. The data collected depends on the deployment configuration: at a minimum, IP addresses, browser information, and conversation content are processed. If visitor identity fields are enabled (name, email), this data is stored in the Rocket.Chat database on the host server. When self-hosted, all this data remains on the operator's own servers with no external transmission. When using Rocket.Chat Cloud, the same data is processed on AWS infrastructure in the US.
Even when self-hosted, the Rocket.Chat Livechat widget sets cookies and accesses localStorage before any user interaction, triggering the ePrivacy Directive requirement for prior consent. Under GDPR, the collection of IP addresses and conversation content constitutes personal data processing requiring a lawful basis. When self-hosted in the EU, the data controller and processor are typically the same organisation, which significantly simplifies the compliance picture by eliminating sub-processor disclosure requirements and third-country transfer obligations.
Consent must be obtained before the Livechat widget script loads, regardless of whether Rocket.Chat is self-hosted or cloud-hosted. For self-hosted deployments, the consent notice can be simpler, noting that the chat is powered by software running on the organisation's own servers with data stored in the EU. For Rocket.Chat Cloud, the notice must additionally disclose the US data transfer and the applicable safeguard. The widget must be fully suppressed until consent is recorded and disabled immediately if consent is withdrawn.
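One way to implement the suppression described above, as an added example that is not Rocket.Chat's or this page's own code: the widget script is injected only after consent, and the cookies named in the table further down are expired on withdrawal. The script URL and the `createLivechatGate` name are hypothetical, and `doc` is passed in so the logic can be exercised without a browser.

```javascript
// Added example: consent gate for a Livechat-style widget script.
// WIDGET_SRC is a placeholder; use the script URL from your own deployment.
const WIDGET_SRC = 'https://chat.example.eu/livechat/widget.js'; // hypothetical
// Cookie names from the page's table; they are configurable per deployment.
const WIDGET_COOKIES = ['rc_uid', 'rc_token', 'rc_room_type'];

function createLivechatGate(doc, { src = WIDGET_SRC, cookies = WIDGET_COOKIES } = {}) {
  let scriptEl = null; // no tag exists until consent is granted

  return {
    isLoaded: () => scriptEl !== null,

    // Call only after the CMP has recorded an affirmative choice.
    grant() {
      if (scriptEl) return false; // idempotent: never inject twice
      scriptEl = doc.createElement('script');
      scriptEl.async = true;
      scriptEl.src = src;
      doc.head.appendChild(scriptEl);
      return true;
    },

    // Call when consent is withdrawn: drop the tag and expire identifiers.
    withdraw() {
      if (scriptEl) {
        scriptEl.remove();
        scriptEl = null;
      }
      // Only cookies visible to this page's origin can be expired here;
      // HttpOnly or other-origin cookies must be cleared by the server.
      const expired = [];
      for (const name of cookies) {
        doc.cookie = `${name}=; Max-Age=0; Path=/`;
        expired.push(name);
      }
      return expired;
    },
  };
}
```

In the browser, call `createLivechatGate(document)` from your CMP's consent callbacks and reload the page after `withdraw()`, since removing the tag does not stop widget code that has already run.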
Self-hosting Rocket.Chat on EU infrastructure is the gold standard for GDPR compliance in the chat category. When deployed on your own EU servers, there are no third-country transfers, no sub-processor disclosures required for the core chat function, and the organisation retains full control over data retention, deletion, and access. Rocket.Chat supports deployment on major EU cloud providers including OVHcloud, Hetzner, and EU regions of AWS and Azure. For organisations that cannot self-host, Rocket.Chat Cloud uses AWS in the US with SCCs as the transfer mechanism.
For self-hosted deployments: deploy on EU infrastructure; block the Livechat widget until consent is obtained; update your privacy policy to describe the chat as powered by software on your own servers in the EU; document the processing activity in your Records of Processing Activities with yourself as both controller and processor; configure data retention policies directly in the Rocket.Chat admin panel. For Rocket.Chat Cloud: additionally sign a DPA with Rocket.Chat, document the US transfer and SCC safeguard in your RoPA, and include Rocket.Chat in your sub-processor list.
Websites using Rocket.Chat must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for self-hosted Rocket.Chat deployments with minimal data collection, as the risk profile is low when data stays on EU infrastructure under the operator's full control. A DPIA becomes advisable when using Rocket.Chat Cloud (US data transfer), when integrating with third-party services, or when processing sensitive data in conversations at scale.
Sample consent text
We use Rocket.Chat to provide live chat support on this website. The chat widget sets cookies and collects data such as your IP address and conversation history, stored on our own servers. Please accept to enable the live chat feature.
Third-party domains contacted
rocket.chat
open.rocket.chat
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| rc_uid | persistent | 1 year | Unique visitor identifier used to recognise returning Livechat users and link sessions |
| rc_token | persistent | 1 year | Authentication token used to maintain session continuity for returning Livechat visitors |
| rc_room_type | session | Session | Session-level identifier for the active Livechat conversation room |
Rocket.Chat uses cookies for user preferences — inform visitors with a consent banner.
The Rocket.Chat Livechat widget sets session cookies to maintain the active conversation state and a persistent visitor identifier cookie to recognise returning chat users. It also uses localStorage for widget preferences and conversation context. When self-hosted, these cookies are first-party and all associated data remains on your own server. The specific cookie names and durations are configurable in the Rocket.Chat admin panel.
Yes. Even when self-hosted, the Livechat widget loads on page entry and sets cookies before any user interaction, triggering the ePrivacy Directive requirement for prior consent. Consent must be obtained via a CMP before the widget script initialises. When self-hosted in the EU, the consent notice can be simpler since there is no third-country transfer to disclose.
Consent under Article 6(1)(a) GDPR is the appropriate legal basis for the visitor tracking and identification cookies set by the Livechat widget. Legitimate interest under Article 6(1)(f) may apply for the strictly functional session cookie used to maintain a conversation explicitly started by the user. When self-hosted with minimal data collection, the balancing test for legitimate interest is easier to pass.
This depends entirely on your deployment choice. When self-hosted on EU infrastructure, there are no third-country transfers and full data sovereignty is maintained. When using Rocket.Chat Cloud, data is processed on AWS in the United States and SCCs apply as the transfer mechanism. Self-hosting on EU servers is strongly recommended for organisations subject to strict GDPR requirements.
For self-hosted deployments with minimal data collection on EU infrastructure, a DPIA is generally not required as the risk profile is low. A DPIA becomes advisable when using Rocket.Chat Cloud due to the US transfer, when integrating with third-party services that extend the processing scope, or when the platform is used to process sensitive personal data in conversations at significant scale.
For self-hosted: deploy on EU infrastructure such as OVHcloud, Hetzner, or EU regions of AWS or Azure; block the Livechat widget until consent is obtained; configure data retention and deletion policies in the admin panel; document the processing in your RoPA. For Rocket.Chat Cloud: additionally sign a DPA with Rocket.Chat, document the US AWS transfer with SCCs in your RoPA, and include Rocket.Chat in your sub-processor disclosure.
Rocket.Chat's self-hosting capability is its primary GDPR advantage. No other major chat platform allows you to run the entire stack on your own EU infrastructure with no data leaving your environment. This eliminates third-country transfer risks, sub-processor chain complexity, and dependence on a vendor's data retention policies. The open-source licence also allows full code audit for security and privacy verification.
Add an entry for the Rocket.Chat Livechat session cookie and visitor identifier cookie in your cookie policy, listing their name, category (functional), duration, and purpose. If self-hosted, note that data is stored on your own servers in the EU. If using Rocket.Chat Cloud, disclose the transfer to US AWS servers and the SCC safeguard. For self-hosted deployments, you may not need to reference a third-party processor at all since you control the entire data flow.