1. Help Center
  2. GDPR Compliance

Web1on1 & GDPR FAQ's

Frequently asked questions about data protection regulations

Go straight to: 

Frequently Asked Questions about Web1on1's GDPR compliance

The EU General Data Protection Regulation (EU GDPR) is the result of many years of work by the European Union to unify and strengthen data protection for all EU citizens. It was also incorporated into UK data protection laws as UK GDPR following the UK's official exit from the European Union in 2021.

GDPR gives people more control over how their data is used and determines how companies like Web1on1 must protect the data they hold and process. GDPR came into effect on the 25th May 2018 and since then Web1on1 has fulfilled all the required regulations and is fully GDPR compliant.

Below you will find a list of frequently asked questions regarding GDPR compliance. 

Is Web1on1 a data controller or a data processor?

Web1on1 stores personal data securely in the course of providing its messaging services to its clients. Web1on1 is a data processor since we do not decide the purposes of processing the data we collect on behalf of our clients from their chat visitors. It is the client who decides to use our software, and personal data is supplied to us to facilitate communication between the client companies and their own customers or potential customers. We process the data only to provide, maintain, and improve our services to clients. In some exceptional cases Web1on1 may also act as a data controller. It is explained fully in our Privacy Policy

What data does Web1on1 process?

While registering for our product/services we request you to provide us with such information like the first name, last name, company business name, address, website address, email address, and credit/payment card information. This is the basic data of yours that we process and store. We also store the data you insert into the service, such as your chat content,  tickets content, knowledge base articles, chatbot scenarios, files or any other content inserted into the service. We also store your customers/visitors data such as email addresses or other data you ask your clients for via the product/service you use (i.e. in a pre-chat survey). You can find a full description of the data processing in our Privacy Policy.

What is the basis for personal data processing? Is customer consent required?

The basis for your personal data processing by Web1on1 is an agreement between you and us which is concluded when you sign up to the product/service by creating an account. The agreement is constituted by “Terms and Conditions” and “Privacy Policy”.

This is why a separate consent for your data processing by Web1on1 is not required. However, you may need to gain consent for data processing and transferring from your customers/ users/ visitors. It depends on whether you need to be GDPR compliant or not if you collect your customers/users/visitors data, and what are your data processing basis. To help you comply with the GDPR requirements, we have created a tool (working with Web1on1 service) which helps you gain such consent. If you think you need it, please refer to point 9. If you use the service other than Web1on1 you may need to at least notify your customers about using Web1on1’s services.

Am I a data controller or a data processor?

Firstly, you need to figure out if you process or provide personal data of EU citizens. For instance, if you are an Australian company and you only process Australian citizens' data, GDPR does not apply to you. However, if you process personal data of European citizens, you need to comply with this regulation. You or your company (organization) may then act as a data controller. It happens when you are a natural or legal person, public authority, agency or other body, and you, alone or jointly with others, determine the purposes and means of the processing of personal data. You may also act as a data processor, which happens when – as a natural or legal person, public authority, agency or other bodies – you process personal data on behalf of the controller. Simply, when you do not determine the purposes of the processing but use data according to the controllers’ instructions.

Do I need to enter into a Data Processing Agreement/Addendum?

Regardless of being a data controller or a data processor, when you transfer the personal data to us (and you do so using our services) you may need to enter into DPA with us if you transfer any EU citizens personal data. You can do this in the messaging platform by navigating to: Settings (left menu) > Configuration > GDPR Section

Do you have a GDPR compliant Data Processing Agreement for us to sign?

Yes, we have prepared this document for our customers. You can review and sign a copy of Web1on1's Data Processing Addendum in Web1on1 under Organisation configuration > GDPR. Instructions for execution are set out in the Addendum. If you have any questions about its contents you can email: privacy@web1on1.chat


Click here to enlarge

How are my personal data used / processed in Web1on1? How can I execute my right to be forgotten?

Web1on1 stores and processes personal data of its customers and people employed while using Web1on1 services – agents. We store such data as a first name, last name, email address, IP number, browser information, operating system, geolocation, payment/credit card details (and other information listed in our Privacy Policy. We process these data only in purposes listed in our Privacy Policy. We do not sell your data.

Web1on1 also stores the data you inserted into the service via the system (i.e. the chat history, forms content, ChatBot scenarios, files depending on the service you use as well as your customers’ personal data if supplied by you). It allows you to have constant access to the history of your conversations and other content. However, if you intend to delete any of your chat, form, chatbot scenario, article, or other content you can check the GDPR section within the App to get information on how to do it. You can also freely decide whether you want to have your data and content permanently deleted from a system.

See also Data Retention Policy

Where does Web1on1 store personal data? Are personal data processed outside the EU?

Web1on1 stores its customers’ data in data centers in the EU (Belgium and The Netherlands). Your data storage location depends on which service you use. When you sign up and create an account in Web1on1 your data are automatically collected and stored in our EU data center (regardless you are signing up from the EU, the US or other parts of the world). Additionally, similarly to many SaaS providers, we use a top-tier, third-party data hosting providers (Google Cloud Platform, and MongoDB) to host our online services.

Does Web1on1 share any personal data with any sub-processors (other entities)?

To make our services work properly we use other companies’ services (generally software). We do so to maintain the services, improve our tools, enable, and simplify its usage. If there is a necessity to give processors access to a part of your data, firstly, we make sure that this company will gain only necessary data (i.e. only an email address for the email service provider). Secondly, we enter into an agreement with such company to make sure they provide at least the same level of protection as we do. You can find more information about rules of sub-processing in our DPA and under the following link you can find a current list of our sub-processors.

How does Web1on1 choose and verify sub-processors?

We are committed to comply with GDPR and accordingly to transfer personal data lawfully. This is why we work only with third party service providers from Europe (EOG) or countries recognized by the European Commission as providing an adequate level of protection of personal data (mostly the United States). We have verified all the sub-processors we cooperate with currently. Besides the above ‘location requirement’ we made sure they are GDPR compliant and, if based in the US, incorporate Standard Contractual Clauses (replacing the US-EU and US-Swiss Privacy Shield), or,  if based in another country recognized as secured, are the subject of a similar agreement and adequate obligations due to the data protection). Also, before appointing a new sub-processor, we make sure the data will be securely and lawfully transferred. We choose providers only based in EOG and the US (or another secure country such as Canada, Switzerland, New Zealand). We verify if the provider is GDPR compliant or maintains Standard Contractual Clauses. Only if we are sure your data will be transferred and stored securely we will work with the provider. 

Has Web1on1 appointed a Data Protection Officer?

A DPO, or Privacy Officer, has been appointed and the information about that can be found in our Privacy Policy.

What security measures does Web1on1 implement to protect the data? Are the data encrypted and if so, to what standards?

As a company offering its services in SaaS model, we are aware that the security of our customers and their data is crucial. We treat security as a basic aspect of our business. We know that it is a matter of trust. This is why we have implemented a number of safeguards even before GDPR was adopted. Currently, we made sure our safeguards comply with the Regulation and adjust some new if necessary. We encourage you to familiarize yourself with our the Technical Measures Section of our Privacy Policy

Does Web1on1 carry out external penetration tests on the application? If so, how frequently?

Web1on1 uses external auditors to verify the adequacy of its security measures, including the security of the physical data centers. This audits are performed at least annually and include penetration tests.

How long do you hold the personal data for?

By default, conversation messages, results, reports and associated metadata older than 18 months are automatically and permanently deleted.  Personal information contained in contact forms is also deleted unless the visitor has re-engaged in a conversation in the meantime, although their older messages will be deleted.

Alternatively, we allow you to set you own data retention period upon request.

Further information is found in our Privacy Policy, Terms and Conditions and our Data Protection Agreement.

Does Web1on1 have an incident management process in place?

Yes, we have it in place. In case of any management incident, we are ready to take action immediately to protect your data from unjustified disclosure or any other infringement.

What are your processes for identifying and remediating vulnerabilities in your application and the underlying software and infrastructure?

a) Running an external audit, fixing all found vulnerabilities, testing the implemented fix and iterating this procedure until the issue is fixed;

b) Periodic systems scanning with tools for automatic issue recognition.

What process should we follow if we suspect that a security breach has occurred?

Contact our Support Team via our Help Center chatbot or other chats on our websites.

Have you had any information security breaches in the last 12 months?

No, we haven’t any. You can follow the website https://status.web1on1.chat where we report about any security issues and incidents.

Who is responsible for Information Security?

Web1on1 has appointed a Data Protection Officer. You can find more information about DPO and data protection in our Privacy Policy.

Do you have a Disaster Recovery plan? How quickly could you restore from a data backup if you suffered a major loss and what is the maximum amount of data that might be lost?

We do have a DR plan, each part of the system can be restored from 24 to 48 hours (considering a complete disaster). Moreover, each instance of the whole infrastructure is multiplied, so losing a single instance will not cause service degrading. Provided time refers to a flood scale of the disaster.

Are we able to take a full copy of our data in a standard format (e.g. CSV)? Is it possible to export all chats and tickets using your API in a JSON format, that can be easily converted to CSV?

Regardless of the service you use, you can get a copy of your data through our API.

Is the application a single tenant or multi-tenant? If multi-tenant, what steps have been taken to secure the data from being accessed by other tenants?

The application is multi-tenanted. Data for each license is accessible only to accounts assigned to the license, so a person who wants access to license data can only do so with a valid login and password. Also, one set of credentials (login + password) can be used for one license only.

Cookies at Web1on1

Web1on1 uses cookies to provide you with the best software service possible. Cookies are used while using services rendered by Web1on1 or browsing any of the websites where our services are installed. These are pieces of information sent by the server, stored on a user’s computer for the purpose of automatic identification of a particular user when using our services or browsing the website. We have decided to set different expiration date depending on the type of your activity on the website but remember you can simply delete cookies from your browser anytime. You can read more about our cookie policy in our Privacy Policy.


Legal note: Please note that the materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.


Need additional help?
Click here to book support the shop and summon Web1on1 Experts (more info about professional services)