Superchat is a German messaging and customer communication platform that aggregates WhatsApp Business, SMS, email, and other channels into a unified inbox. As a German company with EU infrastructure, the core platform data is GDPR-compliant. However, WhatsApp Business API messages are processed by Meta (US), requiring SCCs. Marketing messages sent via any channel require prior consent under both GDPR and the ePrivacy Directive.
Superchat is a Berlin-based business messaging platform that provides a unified inbox for customer communications across WhatsApp Business, SMS, email, Instagram, and other channels. It allows businesses to manage all customer conversations from a single interface, send automated follow-up messages, and run broadcast marketing campaigns. Superchat's core platform operates on EU infrastructure, but WhatsApp Business API messages flow through Meta's global network.
Superchat processes contact names, phone numbers, email addresses, and the full content of customer messages across all channels. For WhatsApp Business API, Meta processes message metadata and routes messages through Meta's global infrastructure. Superchat stores conversation history, contact profiles, and campaign engagement data on EU servers.
Superchat's core platform data is GDPR-compliant due to EU infrastructure. The WhatsApp Business API introduces a US transfer via Meta, requiring SCCs. Marketing messages via WhatsApp, SMS, or email require prior consent under both GDPR and the ePrivacy Directive. Transactional messages related to an existing service relationship may rely on contract performance or legitimate interest.
Marketing messages via any channel require prior explicit consent. WhatsApp specifically requires opt-in through approved channel opt-in flows under Meta's WhatsApp Business Policy. Contacts must explicitly agree to receive messages before any marketing communication is sent. The consent mechanism and opt-in record must be maintained and available to demonstrate upon request.
Superchat's own infrastructure is EU-based. WhatsApp Business API messages are processed by Meta (US), requiring Standard Contractual Clauses for that data flow. Sign both Superchat's DPA and Meta's WhatsApp Business data processing addendum. Document both transfers in your RoPA.
Obtain prior consent before sending any marketing messages. Implement WhatsApp opt-in flows compliant with Meta's policy. Sign DPAs with both Superchat and Meta. Update your privacy policy to describe both Superchat and Meta as processors. Document the WhatsApp data transfer in your RoPA. Maintain consent records for all messaging contacts.
Websites using Superchat must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is advisable when Superchat is used for large-scale marketing messaging campaigns via WhatsApp, as this involves both EU to US data transfer (Meta) and the processing of mobile phone numbers and message content at scale.
Sample consent text
We use Superchat to communicate with you via WhatsApp, SMS, and other messaging channels. Your messages and contact details may be processed by Superchat (Germany) and, for WhatsApp messages, by Meta (United States). Please accept to enable messaging features.
Third-party domains contacted
superchat.de, api.superchat.de, app.superchat.de
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sc_session | session | Session | Superchat session cookie used to maintain the active chat widget state |
Superchat uses cookies for user preferences — inform visitors with a consent banner.
Superchat collects contact information (phone numbers, emails, names), conversation history across all channels, team notes and tags, and engagement metrics. WhatsApp message metadata is also processed by Meta. All Superchat platform data is stored on EU servers in Germany.
For WhatsApp marketing messages, explicit opt-in consent is required under both GDPR and WhatsApp Business Policy. For customer-initiated service conversations, legitimate interest or contract performance may apply. For the website widget, ePrivacy consent is required before the script loads.
Contract performance (Art. 6(1)(b)) for service conversations. Legitimate interest (Art. 6(1)(f)) for customer-initiated support. Consent (Art. 6(1)(a)) for WhatsApp marketing messages. ePrivacy consent for website chat widget cookies.
Superchat stores all platform data on EU servers in Germany. However, WhatsApp Business API messages are routed through Meta's infrastructure, which may involve US transfers for message content and metadata. Both Superchat and Meta should be disclosed in your privacy policy.
Generally not for standard business messaging. A DPIA becomes advisable when processing sensitive customer data through messaging channels in regulated sectors, or when running large-scale automated campaigns that could significantly affect individuals.
Obtain explicit opt-in before sending WhatsApp marketing messages. Provide a privacy notice about Superchat and Meta processing. Obtain ePrivacy consent before loading the website widget. Sign a DPA with Superchat. Update your privacy policy. Configure contact data retention. Document processing in your RoPA noting EU data location.
Superchat stores all platform data on EU servers in Germany, eliminating third-country transfer risks for contact and conversation data. The WhatsApp API routing through Meta is the only indirect US transfer, which is inherent to any WhatsApp Business provider.
Use Superchat's opt-in features to collect explicit WhatsApp consent. The opt-in must clearly state the contact is agreeing to receive WhatsApp messages from your business, describe message types, and be separate from other consents. Store opt-in records with timestamps. Provide a simple opt-out in every message.