In this section, you will find all the documents that are binding when you use our main services as a customer. If you have questions about the rules on which we provide you with the Services, want to know how we handle your data, or have inquiries about intellectual property, check the documents below.
No, the Agreement does not have to be signed to be binding. Your right to access and use the Services is expressly conditioned on your acceptance of the Agreement. Remember, the Agreement is effective as of the earliest of the date you register for the Services by clicking the “Create account” button (or a similar button or checkbox that confirms you “agree/accept/sign up” for the Services), the date you access the Services, or the effective date specified in the Order Form (the “Effective Date”).
From time to time, we may change the provisions of the Agreement. You should remember that the updated version supersedes all prior versions and is effective and binding immediately after posting on the website. We advise you to review it periodically.
The Agreement is effective on the earlier of the day of your sign-up to our services or the date specified in the Order Form.
In case anything goes wrong, please contact us, and we will try to amicably resolve any claims, disputes, disagreements, or other matters. If it doesn’t work, all issues will be governed by the laws of the State of Massachusetts, United States of America.
You must be at least sixteen (16) years of age to be able to register and access our service. We do not knowingly provide services to anyone under sixteen (16). If it comes to our knowledge that a person under the abovementioned age is accessing or using the services, with no liability whatsoever towards such a person, we will prohibit and block such an account without any prior notice.
Here you can find all the documents referring to how we process personal data including the GDPR-related requirements. In this section, you can find details on how we collect, transfer, and further use personal information.
Services are provided, and your personal data are processed, by LiveChat, Inc. (101 Arch Street, 8th Floor, Boston, MA 02110, United States of America). You can contact us via chat or at email@example.com (or via a support email).
Firstly, you need to figure out if you process or provide the personal data of EU citizens. If you process the personal data of European citizens, you must comply with this regulation. You or your company (organization) may act as a data controller. This happens when you are a natural or legal person, public authority, agency, or other body, and you, alone or jointly with others, determine the purposes and means of the processing of personal data. You may also act as a data processor. This happens when – as a natural or legal person, public authority, agency, or other body – you process personal data on behalf of the data controller. Simply put, this is when you do not determine the purposes of the processing but use data according to the controller’s instructions.
We do not sign the DPA as a separate agreement anymore - the DPA is already an integral part of the Agreement, meaning it does not require a separate signature. The reason why we have included the DPA in the Agreement is the need to simplify the work and “keep it simple.”
We store and process the personal data of your customers or users within your connection while using our services. We especially store data provided in the pre-chat survey, chat content, and ticket content. Thus, if you collect your customers’ or users’ personal data and transfer them to us, you may need to gain their consent and notify them that you use our services. You can find the instructions on how to customize your pre-chat survey to comply with this rule in Prepare your chat to the GDPR. If you wish, and if they meet your company’s requirements, you can use one (or more) of the clauses we have prepared for you. The clauses can be found in Chat Forms.
You can find more information about sub-processing rules in our DPA and check which sub-processors have access to the personal data of your customers/users/visitors under the following list.
The Data Protection Officer is Maciej Malesa, LiveChat, Inc., 101 Arch Street, 8th Floor, Boston, MA 02110, United States of America, firstname.lastname@example.org
While the EU-U.S. DPF is a standalone transfer mechanism that can be used instead of the Standard Contractual Clauses (SCCs), we're not letting our guard down. We are still continuing to maintain our ongoing supplementary measures, including safeguards like the Standard Contractual Clauses (SCCs), to make sure your personal data is safe when it travels, as keeping your data secure is a top priority for us.
Yes, we have. Regardless of being a data controller or a data processor, when you transfer EU/EEA or UK or California citizens’ personal data to us (and you do so while using our services), we have prepared a Data Processing Addendum incorporated by reference to the Agreement, so you don’t have to take any further action. Our Data Processing Addendum includes updated SCCs, as approved by the European Commission in June 2021, that comply with the newest recommendations of the European Commission and are relevant for your use of us as a data processor if you’re based in the EU/EEA or California.
To make our services work properly, we use other third-party services. We do so to maintain our services, improve our tools, and enable and simplify their usage. If there is a necessity to give sub-processors access to a part of your data, firstly, they will gain only the necessary data enabling them to provide us with their services. Secondly, we enter into a separate agreement to make sure our sub-processors have at least the same level of protection as we do. Please note some of our sub-processors process their data outside the EU.
We are committed to complying with GDPR and accordingly to transferring personal data lawfully and with an adequate security level. This is why we work only with inspected third-party service providers. We have verified all the sub-processors we currently cooperate with. Besides the ‘location requirement’ (we cooperate mostly with companies from the EU or the US), every time before we start cooperation with a new sub-processor, we make sure it is GDPR compliant (if applicable). We also enter into agreements with our sub-processors that guarantee adequate obligations with regard to data protection. Only if we are sure your data will be transferred and stored securely will we work with the provider and, if needed, apply additional measures (i.e., Standard Contractual Clauses) to transfer data in line with the GDPR.
When personal data is hosted or processed outside of the European Economic Area and the UK, GDPR requires that it remains protected by appropriate safeguards in line with EU law. We meet these requirements by implementing the appropriate safeguards required by the GDPR. Please go to International Data Transfer to get more information.
The adequacy decision for EU-US DPF reaffirms that personal data transmitted to US companies participating in the framework is held to an adequate level of protection. This means that data is able to flow safely between EU and US companies certified by the US Department of Commerce.
LiveChat, as an active Swiss-U.S. Privacy Shield participant, automatically becomes a participant in the Swiss-US Data Privacy Framework (Swiss-US DPF) and has successfully self-certified to the UK Extension to the EU-US DPF. The UK Adequacy Decision for the EU-US Data Privacy Framework was issued on October 12, 2023, so we may receive personal data from the UK and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF. However, since the Swiss-U.S. DPF has not yet received a public adequacy decision and therefore cannot be relied on for data transfers to these regions, we continue to rely on our existing Swiss-US transfer mechanisms as described in our DPA until the Swiss-U.S. DPF receives a public adequacy decision. We will update this FAQ as soon as the Swiss-US DPF receives a public adequacy decision.
Questions about security? You are in the right place. Here you will learn where we store data, where our servers are located, how we provide security as well as to whom and in what circumstances we can share data.
As a company offering its services in a SaaS model, we are aware that the security of our customers and their data is crucial. We treat security as a basic aspect of our business. We know that it is a matter of trust. Currently, we have made sure our safeguards comply with the regulation and adjusted some new ones if necessary. You may find more information about our technical and security measures in Exhibit B of the Data Processing Addendum.
Running an external audit, fixing all found vulnerabilities, testing the implemented fix, and iterating this procedure until the issue is fixed, and periodic systems scanning with tools for automatic issue recognition.
Yes, we have a DR plan; each part of the system can be restored within 24 to 48 hours (considering a complete disaster). Moreover, each instance of the whole infrastructure is multiplied, so losing a single instance will not cause the service to degrade. The time provided refers to a flood-scale disaster.
Yes, we do have DDoS protection provided by Akamai.
Yes, we have a breach detection, investigation, and internal reporting procedure in place. In case of any management incident, we are ready to react immediately to protect your data from unjustified disclosure or any other infringement.
Please contact us promptly via email@example.com or chat with us on our website.
You can ask us for a copy of your data. For example, it is possible to download a copy of the data in JSON; to do that, please refer to “Prepare your chat for GDPR!” in the LiveChat Help Center to check how you can get your data.
The application is multi-tenant, so the data for each license is accessible only to accounts assigned to the license; a person who wants access to license data needs a corresponding login and password. This is the basic logic behind the whole application infrastructure, and it’s not possible to access other users’ data, as an access request without the needed credentials will be considered an unauthorized call and denied. Also, one set of credentials (login + password) can be used for one license only.
Here you can find more information about our company standards, values, and general recommendations about how to use our services.