The management and protection of personal data of both our service users and their website visitors are subject to the terms of this agreement and the relevant provisions of the General Data Protection Regulation (GDPR) (EU) 2016/679. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It applies to companies based in the EU and global companies that process personal data about individuals in the EU. The regulation applies from 25 May 2018.
Is GDPR affecting you?
If you process personal data of any person in the EU, GDPR will apply to you regardless of whether you’re based in the European Union or not.
Beyond strengthening user data privacy across EU nations, GDPR will impose new or additional obligations on organizations that handle EU citizens' personal data, regardless of where the organizations are located.
Features to help you comply with GDPR
As a data processor, onWebChat has released features that help you comply with the GDPR regulation.
Admin agents have the ability to delete visitors and all related data, such as chats and offline messages.
Also, you can export all data for a visitor of your website.
Features for us to comply with GDPR
We must comply with GDPR, so we have released features like automated deletion of agent accounts and all related data.
We are also releasing a new export feature, so that we can export all data related to your onWebChat account for you.
According to the General Data Protection Regulation (GDPR), you have the right to access, correct, transfer and delete your data.
Right to Human Intervention:
Our service is designed as a hybrid model. Users and visitors always have the option to bypass the AI chatbot and request a human agent, ensuring that no significant decisions are made solely by automated processing.
Data Processing Agreement (DPA):
We offer a standard DPA for our business customers to ensure compliance with Article 28 of the GDPR. You can request our DPA at support@onwebchat.com.
AI Data Processing & Privacy
Regarding our AI services powered by OpenAI, we act as the Data Processor. We have configured our integration so that any data submitted via the API is NOT used to train the AI models. Data is stored by OpenAI for a maximum of 30 days for safety monitoring purposes only and then permanently deleted. All AI-generated interactions are subject to the same GDPR rights as standard chats (Access, Deletion, Portability).
| Subprocessor/Third party service | Purpose | Country | Transfer Mechanism |
| --- | --- | --- | --- |
| Hetzner | Server/Data hosting | Germany | GDPR-compliant EU hosting |
| Zoho | Email hosting | USA | Standard Contractual Clauses (SCCs) |
| Google Inc | Cloud analytics | USA | SCCs / Data Privacy Framework |
| OpenAI | AI chatbot functionality (GPT-5.1) | USA | Standard Contractual Clauses (SCCs) |
| Braintree Payments (PayPal) | Payment processing | USA | SCCs / Data Privacy Framework |
| Amazon | Automated email sending and data backups | USA / Europe (Ireland) | SCCs / GDPR Compliant Nodes |
The onWebChat website may use the following cookies in your browser when you visit our website:
PHPSESSID: used by PHP to keep track of sessions (session)
_ga, _gat, _gid: used by Google Analytics to distinguish visitors
accept-cookies: set to true if we have the visitor's consent to store cookies (2 years)
onwebchatf: stores the browser's http_referer info (where a visitor came from) (10 days)
aff: if the visitor comes from an affiliate, stores the affiliate ID (90 days)
onwebemail: used if "keep me sign in" is selected - the email of the user (60 days)
onwebhash: used if "keep me sign in" is selected - hash of encrypted password (60 days)
lang: used to remember the visitor's selected language (session)
The following cookies may be used for the functionality of the live chat widget. They may also be used by our users' websites (websites using the onWebChat service), so you may need to inform your visitors about them.
Necessary notice: chat cookies such as onwbchtexpress.sid and io are strictly necessary for the functionality of the service, so they may not always require consent before loading. However, they should still be disclosed in your website cookie banner and cookie policy.
onwbchtexpress.sid : It's the identifier for your current onWebChat session (session)
io : keeps the socket.io session (session)
onwbchtclientid : It is a unique id so that onWebChat can identify visitors (1 year)
onwbchtsessionrandom : A random number used to identify visitors (used only on some browsers) (1 year)
onwbchtblocked : It is used to store if this visitor is blocked by an agent (6 months)
onwbchtSound : It is used to store the sound On/Off preference of the visitor (if the visitor visits this website again or opens a new tab) (3 months)
onwbchtlastvisit : The last date the visitor visited this website (3 months)
onwbchttimesVisited : How many times a visitor has visited this website (3 months)
inChatC : A flag indicating if this visitor is currently chatting. (4 hours)
hasTriggeredC : a flag indicating if a trigger has been shown (only when using triggers) (4 hours)
Also, the following cookies may be stored (for 1 day) if the visitor's browser doesn't support sessionStorage (iOS Safari):
sessionstorage.maxChat : a flag indicating if the visitor has maximized the chat window (so that it will be the same if they open a new tab)
sessionstorage.chattext : the text of the chat, so that the visitor can see the chat if they open a website page in a new tab
sessionstorage.hideImage : a flag indicating if the visitor has hidden the image (on chat window)
sessionstorage.mustSendTriggerText : a flag indicating that the text of the trigger should be sent to the agent (for displaying the chat dialog)
sessionstorage.hasStartedWriting : a flag indicating if the visitor has started writing in the text area
sessionstorage.triggerText : the text of the trigger that has been shown to the visitor
sessionstorage.hasTriggered : a flag indicating if a trigger has been shown
sessionstorage.hasWrSeByTr : a flag indicating if the text "served by ..." has been written to the visitor chat
sessionstorage.secOnSite : how many seconds the visitor has been on the website (only when triggers are used for the whole website)