User data is safely stored in Europe. The Crisp core infrastructure is hosted in Amsterdam, The Netherlands. The Crisp plugin infrastructure is hosted in Frankfurt, Germany. User data is stored in our core infrastructure. We do not transfer user data outside of the EU.
1. Collection and processing of personal data
The term “personal data” refers to such information which, directly or indirectly, may refer to individuals. Examples of such data are name, image, personal ID number, contact details, competition entries, selections made, behaviour or IP address. Personal data processing refers to any action that we or a third party that we have engaged take with the personal data, such as collection, registration and storage.
Personal data may only be processed for specified and explicitly stated purposes and may not be subsequently processed for any purpose that goes beyond these purposes. At Crisp, we process personal data for the purpose of providing the Features. Personal data may also be used for marketing and follow up as well as for our sales and product development with the aim of improving our products and services.
Finally, personal data is also processed for statistical purposes to see how users use the Site and our Features as well as to display content.
Crisp safeguards personal data with a high level of security and has to this end taken appropriate technical and security measures to protect personal data from unauthorised access, amendment, dissemination or destruction.
2. Respect of Privacy
Here's what we do to protect data privacy:
- Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.
- We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.
- We collect data about visitors of websites using the Crisp chat client. This data is collected anonymously and is not directly bound to any identifiable user, whether it be its personal identity, or its network information.
- We will only retain personal information as long as necessary for the fulfillment of those purposes.
- We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.
- Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.
- We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
- We will make readily available to customers information about our policies and practices relating to the management of personal information.
3. GDPR Policy
Crisp strictly implements the GDPR regulation, that aims at protecting user data and providing a right to modify and delete such data, as well as to consent to data collection.
Our users can sign a Data Processing Agreement with us, for which documentation is available on our How to sign my GDPR Data Processing Agreement (DPA)? article.
4. Restrictions on the disclosure of personal data
We may appoint external partners to perform tasks on our behalf, such as providing IT services or helping with marketing, administration of press releases, data analysis or statistics. The performance of these services may mean that our partners may be able to gain access to personal data. Companies that process personal data on our behalf must always sign an agreement with us so that we are able to ensure a high level of protection of personal data, even with our partners.
Crisp may also disclose personal data to third parties, for example public authorities, if it concerns criminal investigations or if we are otherwise required to disclose such data by law or public authority decision. Crisp will not disclose personal data to any extent other than described in this section.
5. Chatbox Cookie & IP Policy
- Cookies are necessary for chatbox functionalities; they are needed to restore the chat session and messages of a chatbox user when browsing between website pages and/or coming back on the website a few days after.
- Cookies have a default expiration time of 6 months, which is renewed if and when the user comes back to the website and loads the chatbox.
- Cookies bind an user to a single session. If that session contains messages, it is permanent (unless deleted by a website agent); otherwise the session is temporary and is destroyed 30 minutes after the last website access.
- Cookies are not used for tracking purposes. They are solely used to bind an user to a server-side session storage, which is then used for messaging purposes, in the event either the user or a website agent starts a conversation.
- The user IP address is stored in the server-side session storage that's bound to the cookie. If the user leaves without using the chatbox messaging features, the session (and thus the IP address) will be automatically removed from Crisp servers upon session expiration (ie. 30 minutes after last access; as stated above).
- The user IP address is kept indefinitely in the event the user started a chat session with a website on Crisp. We are legally required by the law of France to log those IPs in the event of a legal request (for a minimum duration of 1 year). Though, we keep those IP address longer as we need to aggregate them to protect our chatbox service against botnets and spam attacks, which occur frequently. The Crisp service could not function at the level our customers expect from us without statistics on those collected IP.
The Site may sometimes contain links to external websites or services that we do not control. Any person following a link to an external website, is encouraged to review the principles for processing of personal data and information about cookies that apply to the website in question.
We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.