Privacy and compliance

GDPR-compliant live chat starts with owning the data

Live chat collects personal data by nature: names, emails, IP addresses, page history, and everything the visitor types. With a hosted provider that data sits in a processor's cloud. With self-hosted ZChat it stays in your own SQL Server database, which makes most GDPR questions dramatically shorter to answer.

Built-in tooling

The GDPR workflows ZChat handles for you

Access requests (Article 15)

One admin action exports everything matching a visitor's email, including sessions, messages, and offline enquiries, as a ZIP of JSON files with a manifest, ready to hand to the data subject.

Erasure requests (Article 17)

The erase action anonymises every record tied to the email: personal fields are cleared while anonymous statistics stay intact, so reporting is not destroyed by a deletion request.

Visitor consent

The widget includes a cookie-consent step, and visitor-supplied fields are validated and capped before anything is stored.

Audit trail

Privacy exports, erasures, and other privileged admin actions are recorded in an audit log with actor and target: evidence you can show when someone asks who did what.

Data minimisation

Visitor page URLs and referrers are sanitised before storage, IP metadata is scoped to admins, secrets are redacted from admin responses, and public API responses carry no-store headers.

No third-country transfer

Self-hosting in your own region means chat data does not cross borders through a processor's infrastructure; the transfer-mechanism question often disappears entirely.

Why self-hosting simplifies the GDPR conversation

Fewer processors. Every hosted tool in your support stack is a data processor that needs a DPA, a sub-processor list, and a transfer assessment. Chat that runs on your own server under your existing hosting arrangements removes one of the most data-heavy entries from that list.

Retention you actually control. Because transcripts live in your database, your retention policy is enforced with your own tools on your own schedule, not limited to whatever retention options a vendor exposes.

Answers you can verify. "Where is the data? Who can access it? When is it deleted?" become questions about your own infrastructure, which your team can answer and demonstrate directly. If you choose local AI with Ollama, even chatbot conversations never leave your network.

ZChat provides the technical controls described on this page; GDPR compliance as a whole also depends on your organisation's policies and processes. This page is product information, not legal advice.

A data subject request, end to end

What handling a request looks like in ZChat

  1. 1. Verify the requester using your normal identity process.
  2. 2. Export: run the privacy export for their email; hand over the ZIP (sessions, messages, offline enquiries, manifest).
  3. 3. Erase: if they asked for deletion, run the erasure; personal fields are anonymised across all matching records.
  4. 4. Evidence: the audit log now shows the export and erasure with timestamp, actor, and target for your records.
Owned customer support software

Deploy live chat on your own terms, not on someone else's pricing model.

ZChat gives you the installable server, web dashboard, website widget, and desktop agent tools in one self-hosted product you buy once and keep. Run it on infrastructure you trust and connect AI only if and how you want it.

Deployment

Install on Windows or Linux, behind IIS or Nginx, in a VM, or in Docker if that fits your stack.

Commercial model

One-time purchase, perpetual license, and no monthly per-agent bill attached to growth.

AI Flexibility

Use Ollama locally or connect OpenAI and Anthropic with your own provider accounts.