Tidio is a customer communication platform combining live chat, AI-powered chatbots, and email marketing automation. Embedded via a JavaScript widget, it tracks visitor behaviour to trigger automated responses and build contact profiles. Under the ePrivacy Directive and GDPR, consent is required before loading Tidio because it sets persistent identification cookies and profiles visitor behaviour for marketing automation; it also transfers personal data to Tidio LLC in the United States, which must be covered by a GDPR Chapter V transfer mechanism.
Tidio is a customer communication platform that combines live chat, AI-powered chatbots, and email marketing automation into a single embeddable widget. Website owners integrate Tidio via a JavaScript snippet that loads from code.tidio.co. Tidio identifies returning visitors, triggers automated chatbot sequences based on visitor behaviour, and stores contact data for follow-up email campaigns. The platform is operated by Tidio LLC, incorporated in the United States, and runs on Amazon Web Services infrastructure. Tidio is especially popular with e-commerce businesses that use its automation to reduce cart abandonment and qualify leads.
Tidio sets persistent identification cookies, tidio_cid (a unique contact identifier) and _tidioid (a visitor tracking identifier for marketing automation), together with tidio_state (widget state and preferences). It collects the visitor IP address, browser type, pages visited, time spent on each page, and device information. When a visitor engages with the chatbot or fills in a contact form, Tidio captures name, email address, and the full conversation transcript. This data is stored in the Tidio contact database and may be used to trigger automated email sequences. The combination of behavioural tracking and marketing automation constitutes profiling under GDPR.
The Tidio widget loads automatically on page visit and sets persistent identification cookies before any visitor interaction. Under Article 5(3) of the ePrivacy Directive, storing or reading these non-essential cookies requires prior consent. Under GDPR, processing personal data for marketing automation and behavioural profiling requires consent as the legal basis under Article 6(1)(a); legitimate interest is not a defensible basis for unsolicited automated marketing. A chatbot flow that makes decisions based solely on automated processing which produce legal or similarly significant effects for the visitor also falls under GDPR Article 22 on automated individual decision-making.
Tidio LLC is incorporated in the United States and processes all data on AWS infrastructure. EU website owners embedding Tidio are therefore making a third-country data transfer subject to GDPR Chapter V. Tidio offers Standard Contractual Clauses (SCCs) and has certified under the EU-US Data Privacy Framework (DPF). Website owners must confirm that a valid Data Processing Agreement is signed with Tidio and must disclose the US transfer and applicable transfer mechanism in their privacy policy.
Consent must be obtained before the Tidio widget loads for EU visitors. The Tidio JavaScript snippet must be blocked by default in a CMP and only injected after the visitor accepts the relevant cookie category. Tidio itself provides a GDPR mode in its settings that delays cookie writing, but this does not substitute for blocking the script before consent. Visitors must be clearly informed about Tidio data collection in the consent notice. Consent withdrawal must result in the widget being removed from the page and all associated processing ceasing.
To use Tidio in compliance with GDPR and ePrivacy:
1. Block the Tidio script by default and use a CMP to inject it only after consent.
2. Enable the GDPR mode in Tidio's settings as an additional layer of protection; it does not replace blocking the script.
3. Sign the Data Processing Agreement with Tidio from your account settings.
4. List all Tidio cookies in your cookie policy with accurate names, durations, and purposes.
5. Disclose Tidio data processing and the US transfer in your privacy policy, referencing SCCs or DPF as applicable.
6. Review any chatbot automation flows: where a flow makes decisions based solely on automated processing that have legal or similarly significant effects for the visitor, it must satisfy Art. 22 GDPR.
7. Consider a self-hosted chat tool if you need to avoid third-country transfers entirely.
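The blocking, consent-gated injection and withdrawal behaviour described in the steps above, as an added example in plain browser JavaScript (not Tidio's or FlowConsent's own code). The Tidio snippet is kept in the page as an inert `<script type="text/plain">` tag and is only turned into a real script once the visitor has consented to the matching category; withdrawal removes the script, the widget container and the Tidio cookies named on this page. The `data-consent-category` and `data-src` attribute names, the CMP event name `consentchange` and its `detail` shape, the widget container id `tidio-chat`, and the `PUBLIC_KEY` placeholder in the snippet URL are assumptions, not taken from the page.

```javascript
// Consent gate for the Tidio widget (added example, not Tidio's or FlowConsent's code).
// The Tidio snippet is placed in the page inert, e.g.
//   <script type="text/plain" data-consent-category="marketing"
//           data-src="https://code.tidio.co/PUBLIC_KEY.js"></script>
// Assumed, not from the page: the data-* attribute names, the "consentchange" event
// shape, the widget container id "tidio-chat" and the PUBLIC_KEY placeholder.

const TIDIO_COOKIES = ['tidio_cid', '_tidioid', 'tidio_state', 'tidio_session'];

// Pure decision step: which inert scripts may run under this consent state.
// blocked: [{category, src, ...}], consent: {marketing: true, functional: false, ...}
function selectActivatable(blocked, consent) {
  if (!consent || typeof consent !== 'object') return [];
  return blocked.filter((s) => typeof s.category === 'string' && consent[s.category] === true);
}

// Cookie-clearing strings for each name: one for the bare host and one for the
// registrable parent domain, because a cookie can only be deleted with the same
// Domain attribute it was set with. (A two-label parent that is a public suffix such
// as .co.uk is rejected by the browser, which is harmless.)
function expireCookieStrings(names, hostname) {
  const expired = 'expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/';
  const labels = hostname.split('.').filter(Boolean);
  const domains = [null];
  if (labels.length >= 2) domains.push('.' + labels.slice(-2).join('.'));
  const out = [];
  for (const name of names) {
    for (const d of domains) out.push(`${name}=; ${expired}${d ? `; domain=${d}` : ''}`);
  }
  return out;
}

// Turn each eligible inert tag into a real script. A script element does not execute
// when its type is changed after parsing, so a fresh element is created; the inert tag
// is marked so repeated consent events do not load the snippet twice.
// Returns the number of scripts injected.
function activate(doc, consent) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const blocked = tags.map((el) => ({ category: el.dataset.consentCategory, src: el.dataset.src, el }));
  let injected = 0;
  for (const item of selectActivatable(blocked, consent)) {
    if (item.el.dataset.activated === '1' || !item.src) continue;
    const real = doc.createElement('script');
    real.src = item.src;
    real.async = true;
    real.dataset.consentCategory = item.category;
    real.dataset.consentLoaded = '1';
    doc.head.appendChild(real);
    item.el.dataset.activated = '1';
    injected += 1;
  }
  return injected;
}

// Withdrawal: drop the injected script tags, the widget container and the Tidio cookies,
// and re-arm the inert tags so a later opt-in can load the widget again. Code that has
// already run keeps in-memory state until navigation; reload the page for a hard stop.
function deactivate(doc, category, hostname) {
  doc.querySelectorAll(`script[data-consent-loaded="1"][data-consent-category="${category}"]`)
    .forEach((el) => el.remove());
  doc.querySelectorAll(`script[type="text/plain"][data-consent-category="${category}"]`)
    .forEach((el) => { delete el.dataset.activated; });
  const widget = doc.getElementById('tidio-chat');
  if (widget) widget.remove();
  for (const c of expireCookieStrings(TIDIO_COOKIES, hostname)) doc.cookie = c;
}

// Wiring to a CMP that dispatches a "consentchange" CustomEvent with detail {marketing: bool}.
if (typeof document !== 'undefined') {
  document.addEventListener('consentchange', (ev) => {
    const consent = (ev && ev.detail) || {};
    if (consent.marketing === true) activate(document, consent);
    else deactivate(document, 'marketing', document.location.hostname);
  });
}
```

Cookies that were set by a server response with the HttpOnly attribute cannot be cleared from page script; check in the browser's storage inspector which Tidio cookies your deployment actually sets and with what Domain attribute, and adjust `expireCookieStrings` accordingly. Withdrawal cannot recall data already sent to Tidio; it only stops further collection, and the visitor's erasure rights are handled through Tidio as processor.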
DPIA considerations
A DPIA should be considered for websites using Tidio's marketing automation features, particularly where behavioural profiling is combined with email marketing and visitor identification. The processing of personal data for automated decision-making in chatbot flows may also require a DPIA under Art. 35 GDPR.
Sample consent text
We use Tidio to provide live chat and automated support on this website. Tidio uses cookies to identify returning visitors and may use your data for marketing automation. Data is processed by Tidio LLC in the United States. Please accept to enable the chat widget.
Third-party domains contacted
tidio.co
code.tidio.co
widget.tidio.co
tracking.tidio.co
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| tidio_cid | persistent | 1 year | Assigns a unique contact identifier to the visitor for live chat and marketing automation |
| _tidioid | persistent | 1 year | Stores the Tidio visitor identity to personalise chat interactions and track engagement |
| tidio_state | session | session | Preserves the chat widget open or closed state during the current browsing session |
| tidio_session | session | session | Maintains the current Tidio chat session data including conversation context |
Does Tidio require consent before it loads?
Yes. Tidio sets persistent identification cookies and begins collecting visitor behavioural data as soon as the widget loads on the page, before any visitor interaction. Under the ePrivacy Directive, prior consent is required for these non-essential cookies. Under GDPR, the marketing automation and behavioural profiling features also require consent. You must block the Tidio script until consent is granted.
Which cookies does Tidio set?
Tidio sets tidio_cid (a unique contact identifier, 1 year), _tidioid (a visitor tracking identifier for marketing automation, 1 year), tidio_state (widget state and preferences, session), and tidio_session (a session-level conversation tracker, session duration). These cookies enable visitor identification across sessions, marketing automation triggering, chatbot personalisation, and chat history management.
What is the legal basis for using Tidio?
Consent under Article 6(1)(a) GDPR is the required legal basis for Tidio marketing automation, behavioural tracking, and visitor profiling. Legitimate interest may apply only to the processing tied to strictly necessary session cookies, subject to a documented balancing test. Given that Tidio's primary value proposition includes marketing automation triggered by visitor behaviour, consent is the appropriate basis for the overall processing. Tidio offers a GDPR mode in its settings, but this does not replace proper consent collection via a CMP.
Does Tidio transfer data outside the EU?
Yes. Tidio LLC is incorporated in the United States and processes all data on AWS infrastructure. EU website owners embedding Tidio are making a third-country data transfer subject to GDPR Chapter V. Tidio relies on Standard Contractual Clauses (SCCs) and has certified under the EU-US Data Privacy Framework (DPF). You must sign the Tidio Data Processing Agreement, disclose the transfer in your privacy policy, and reference the applicable mechanism (SCCs or DPF).
Is a DPIA required for Tidio?
A DPIA should be considered for websites using Tidio's marketing automation features, especially where behavioural profiling is combined with email marketing and visitor identification. If a Tidio chatbot flow makes decisions based solely on automated processing, including profiling, that have legal or similarly significant effects for the visitor (personalised pricing is the typical example; routing a conversation or personalising content normally does not reach that threshold), Article 35(3)(a) GDPR independently requires a DPIA because of the Article 22 automated decision-making component.
How do I configure Tidio to comply with GDPR?
Block the Tidio JavaScript snippet by default using a CMP and inject it only after advertising or marketing consent is granted. Enable Tidio's built-in GDPR mode in your Tidio dashboard as an additional safeguard. Sign the Tidio Data Processing Agreement available in your account settings. Ensure that withdrawing consent removes the Tidio widget and stops all associated data processing in real time.
Are there alternatives that avoid third-country transfers?
Yes. Chatwoot is an open-source live chat platform that can be self-hosted on EU infrastructure, eliminating third-country data transfers. Crisp offers EU-hosted options for live chat without marketing automation. For simpler chatbot functionality without cross-border data flows, a self-hosted solution built on an open-source chatbot framework on EU servers avoids the transfer question entirely.
What must the cookie policy and privacy notice say about Tidio?
In your cookie policy, list each Tidio cookie (tidio_cid, _tidioid, tidio_state, tidio_session) with its name, category (marketing or functional), duration, and purpose; verify names and durations in your own browser's storage inspector, since a vendor's cookie set can change between releases. In your privacy notice, include Tidio as a data processor, describe its marketing automation and visitor profiling activities, state the legal basis (consent), disclose the US data transfer and the applicable mechanism (SCCs or DPF), and reference your signed Data Processing Agreement.