GDPR Compliant Live Chat Software
Built for UK Law from the Ground Up

Live chat software that takes data protection seriously. UK-hosted, ICO-registered, UK DPA 2018 compliant — with a signed Data Processing Agreement available from day one.

UK GDPR Compliant · UK Data Centres Only · Cyber Essentials Plus · DPA Available · ICO Registered

No credit card required. Cancel anytime.

Our GDPR Compliance — In Plain English

These are facts you can verify, not marketing claims. Every statement below is backed by documentation we will provide on request.

UK Data Storage

All customer data — chat logs, visitor information, and session metadata — is stored exclusively on servers located in the United Kingdom. We do not transfer or replicate data to the US, EU, or any third country.

ICO Registered

IMSupporting is registered with the Information Commissioner's Office (ICO) as a data controller and processor. Our ICO registration confirms we meet the legal requirements for processing personal data in the UK under the Data Protection Act 2018.

DPA Ready to Sign

A UK-law governed Data Processing Agreement is available for all Business and Enterprise customers. We can provide our standard DPA for legal review before you commit to a plan. Custom DPA terms available for Enterprise customers.

Encryption Standard

All data is encrypted in transit using TLS 1.3 and encrypted at rest using AES-256. Backups are encrypted and kept within UK boundaries. Database access is restricted by role-based access controls with full audit logging.

Cyber Essentials Plus

We hold a current Cyber Essentials Plus certification — independently verified by an NCSC-accredited assessor. This is required for UK government contracts involving personal data and demonstrates our security controls have passed external scrutiny.

Right to Erasure

We support all UK GDPR data subject rights: access, rectification, erasure, restriction, portability, and objection. Data erasure requests are processed within 30 days. Account deletion triggers automatic data purge within 30 days per GDPR requirements.

GDPR Features Built into the Chat Platform

Compliance isn't an add-on. These capabilities are included in every IMSupporting plan.

Consent Management

Configure chat consent flows that collect explicit user consent before starting a conversation. Consent records are stored with timestamps. The visual workflow builder lets you design GDPR-compliant pre-chat consent screens without any coding.

Data Minimisation

Only collect the data fields you actually need. The workflow builder lets you choose exactly which fields to collect — name, email, phone, or nothing at all. AI agents are configured to avoid capturing unnecessary personal data.

Retention Controls

Set automatic data retention periods. Chat transcripts, visitor logs, and session data can be automatically purged after your chosen retention window — 30 days, 6 months, 1 year, or custom — ensuring you don't retain data longer than necessary.

Data Export (Portability)

Export all chat transcript data in machine-readable formats (JSON, CSV) to fulfil Subject Access Requests and data portability rights. Exports are complete and structured, making it easy to respond to UK GDPR Article 20 requests within the required timeframe.

Operator Access Controls

Role-based access control ensures operators only see the data relevant to their role. Access logs track who viewed which conversations and when. This supports Article 25 (Data Protection by Design) and reduces insider-risk exposure.

Breach Notification Support

Our audit logs enable rapid investigation and documentation of any security incident. In the unlikely event of a data breach, we commit to notifying affected Business and Enterprise customers within 24 hours — well within the 72-hour ICO reporting window.

Trusted by Regulated UK Sectors

IMSupporting is used by organisations where data protection isn't optional — it's mission-critical.

NHS & Healthcare

NHS Information Governance standards require data to stay within UK jurisdiction. Our Cyber Essentials Plus certification and UK hosting make IMSupporting appropriate for NHS Trusts, GP practices, dentists, and private healthcare providers.

Local Councils & Government

UK local authorities handling citizen data are bound by UK GDPR and the Public Services Network standards. IMSupporting's UK data residency, ICO registration, and Cyber Essentials Plus make it suitable for council procurement.

Legal & Professional Services

Solicitors, barristers, and the wider legal sector handle highly sensitive client data. SRA and BSB regulated firms need robust data protection. Client privilege and confidentiality are maintained with access controls, encrypted storage, and UK jurisdiction.

Financial Services

FCA-regulated firms, insurance brokers, and financial advisors need to demonstrate strong data governance and UK data residency. Our DPA, ICO registration, and Cyber Essentials certification support FCA compliance obligations and due diligence requirements.

Education

Universities and schools handling student and staff data under UK GDPR and the Children's Act need trusted, UK-based data processors. IMSupporting satisfies JISC and data protection officer requirements for UK educational institutions.

Property & Estate Agents

NAEA and RICS members handling buyer, renter, and landlord data need UK-compliant data processors. Client due diligence data, contact details, and enquiry records are kept exclusively in UK data centres, with full audit trails for compliance reviews.

GDPR Compliance Checklist

When evaluating any live chat platform for GDPR compliance, ask these questions. Here's how IMSupporting answers them.

Is data stored in the UK?

Yes — UK data centres only. No offshore transfers.

Is the vendor ICO registered?

Yes — registered UK data controller and processor.

Do you provide a Data Processing Agreement?

Yes — UK-law DPA available for Business and Enterprise plans.

Is data encrypted in transit and at rest?

Yes — TLS 1.3 in transit, AES-256 at rest.

Do you support data subject access requests?

Yes — export tools for access requests; deletion within 30 days.

Do you have Cyber Essentials certification?

Yes — Cyber Essentials Plus (independently verified).

Do you have a breach notification process?

Yes — customers notified within 24 hours of confirmed breach.

Can you enforce data retention limits?

Yes — configurable automatic data retention and purge.

Is access to customer data logged?

Yes — full audit trail with operator access logs.

Do you support consent management?

Yes — built-in consent flows in the chat workflow builder.

GDPR & Data Protection — FAQ

Is IMSupporting GDPR compliant?

Yes. IMSupporting is fully compliant with both UK GDPR and the UK Data Protection Act 2018. All data is hosted in UK data centres, processed under UK law, and covered by our ICO registration. We provide a signed Data Processing Agreement for Business and Enterprise customers.

Who is the data controller — us or IMSupporting?

Your organisation remains the data controller for your customers' personal data collected via the chat widget. IMSupporting acts as a data processor on your behalf, processing data according to your instructions and subject to our DPA. This relationship is formally documented in the Data Processing Agreement.

Can I get a copy of your DPA before signing up?

Yes. Email legal@imsupporting.com or sales@imsupporting.com and we will send you a copy of our standard Data Processing Agreement for your legal team to review. There is no obligation to sign up — DPA review is a standard part of our procurement process for regulated sectors.

Does the live chat widget use cookies? Do we need cookie consent?

The widget uses session cookies to maintain chat continuity. Under the UK's Privacy and Electronic Communications Regulations (PECR) and UK GDPR, these must be disclosed in your cookie policy. We provide documentation helping you categorise and disclose these cookies correctly. Our cookie policy page has sample wording you can adapt. See our Cookie Policy for details.

What happens to our data if we cancel?

You can export all your data at any time. After cancellation, your data is retained for 30 days (to allow reactivation) and then permanently deleted from all systems, including backups. This deletion is irreversible and complies with UK GDPR Article 17 (right to erasure). You will receive a deletion confirmation email.

Do you ever share customer data with third parties?

No. We do not sell, share, or transfer your customers' personal data to third parties for any commercial purpose. Sub-processors (e.g., infrastructure providers) are identified in our DPA, are all UK or EEA-based, and are bound by equivalent data protection obligations. We do not use customer data for AI training.

Start with GDPR Compliance Built In

Free 14-day trial. No credit card required. UK data residency and GDPR compliance from your very first chat.

ICO registered · Cyber Essentials Plus · DPA available · UK law governed