In GDPR lingo, we take on the role of "data processor" and we abide by all the rules that follow from that. Because we can't tell when someone is sharing their shoe size or their most intimate secrets, we simply treat all message data as potentially "Personally Identifiable Information" and act accordingly.
Note that because we're a "data processor", our customers (i.e. you) are still responsible for getting your users' permission to collect said data (depending on your reading of the law, this is either implicitly given by their choice to use your messaging feature, or you'll have to ask for explicit consent).
We recommend that you send us as little user data as possible. For example, do not send us a user's email address if you don't intend to use our email notification feature, do not send a phone number unless you want SMS notifications, and so on.
In line with GDPR principles, we do not collect or store any data that is not needed for providing a good cross-device messaging service. Notably, we don’t "track" your users for marketing purposes. If a user files a "right to be forgotten" request, you can either use our REST API to irrevocably remove all their data, or ask us to do it for you.
Chapter 9 of our Terms of Service covers security and privacy as per the GDPR and similar legislation elsewhere. We do not have a separate DPA.
By default, we store all your data in the EU. See here for an up-to-date list.