Intercom is a customer messaging platform that loads a substantial JavaScript bundle on every page where it is deployed, collecting behavioral data from the moment of initialization. When a visitor opens the messenger and provides an email address, that data is linked to a full contact record. Disclosure obligations cover both the anonymous tracking phase and the identified messaging phase.
Last reviewed by Lokker Privacy Engineering
Not legal advice
The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.
Data collection
This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.
Anonymous visitor data from the moment the Intercom messenger loads: page views, referral source, device metadata
Intercom session identifiers stored in intercom-id, intercom-session, and intercom-device-id cookies
Conversation content: messages sent through the chat widget
User identity when provided: name, email address, and custom attributes passed via identify()
Lead data captured via qualifying questions in the messenger bot
Behavioral events and page history linked to the contact record
Email interaction data when Intercom sends emails on your behalf
Processing purposes
Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with Intercom.
Customer support and live chat
Lead qualification and inbound sales
Customer onboarding via in-app messaging and product tours
Proactive outreach triggered by behavioral signals
Email marketing to contacts in the Intercom inbox
Jurisdiction notes
These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.
United States
Intercom collects personal information from the moment the messenger loads, including contact data when visitors engage with the chat widget. Under the CCPA and CPRA, this constitutes personal information collection. If Intercom data is used for marketing outreach or lead qualification, GPC signals and opt-out rights must be honored. The messaging content exchanged with users is personal data with potentially sensitive content.
EU and UK (GDPR)
Intercom requires a legal basis for each processing activity. Loading the messenger and collecting anonymous behavioral data requires consent under the ePrivacy Directive. Processing contact data for customer support may be justified by contract or legitimate interests. Processing for marketing email requires consent. Your policy must identify Intercom R&D Unlimited Company (Ireland) as the EU data processor, state the legal basis for each use case, and describe the data transfer to Intercom Inc. in the United States under Standard Contractual Clauses.
Example language
The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.
Customer messaging and chat table row
Intercom (Intercom R&D Unlimited Company): Customer messaging platform providing live chat, customer support, and in-app messaging. Loads behavioral tracking on every page. Contact data and conversations are stored in Intercom on our behalf. Category: Functional or marketing.
Full customer messaging and support disclosure paragraph
We use Intercom, a customer communications platform provided by Intercom R&D Unlimited Company (Ireland). Intercom's messenger script loads on our website and collects information about your visit, including pages viewed and device metadata, regardless of whether you interact with the chat widget. If you open the Intercom messenger and submit your name, email address, or other information, that data is stored in Intercom and associated with a contact record. Conversation content exchanged through the messenger is stored by Intercom on our behalf. We may use Intercom to send follow-up email messages and in-app notifications to contacts in our Intercom inbox. Intercom processes data under a data processing agreement as a data processor. Data is transferred to Intercom Inc. in the United States under Standard Contractual Clauses. Where consent is required by applicable law for tracking-based features, the Intercom messenger will only activate after you have provided consent through our consent management platform.
Configuration checklist
An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for Intercom.
Decide whether Intercom is Strictly Necessary (if the site is a support portal where chat is essential) or Functional/Marketing (if the messenger is primarily for lead capture). This determines whether consent is required before loading.
If Intercom is not Strictly Necessary, it must not load before CMP consent is received. Intercom's messenger bundle is large and makes requests to api.intercom.io on initialization.
If Intercom is used for marketing email outreach, the marketing consent category must be satisfied before contact data is processed for that purpose.
Test whether Intercom's initialization requests to api.intercom.io and widget.intercom.io occur in the reject and no-interaction states using Consent Validator.
If user identity is passed to Intercom via boot() with identityVerification enabled, ensure that identity data is only passed after the user is authenticated and after consent for the relevant processing purpose.
Policy vs practice
These are common gaps between Intercom privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.
What the policy says
Policies describe Intercom only as a customer support chat tool, without disclosing that the messenger script tracks anonymous visitor behavior from the moment it loads.
Policies classify the Intercom messenger as Strictly Necessary infrastructure because "customer support requires it."
Policies state that visitor data is only collected when a visitor submits the contact form in the Intercom messenger.
What Lokker validates
Intercom's JavaScript bundle initializes and contacts Intercom servers on every page load, before any conversation starts. Lokker tests whether Intercom fires in the no-interaction state and whether behavioral data is collected before consent is given.
Strictly Necessary requires that the tool is essential for delivering the service the visitor explicitly requested. A chat widget used primarily for lead generation or marketing outreach does not qualify. Lokker helps identify what Intercom actually does in each consent state to inform the correct category assignment.
Intercom collects anonymous behavioral data from the moment the script loads, regardless of whether the visitor opens the widget. Lokker captures the Intercom initialization request and any subsequent data collection before any user interaction occurs.
Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether Intercom loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
Questions
References
Regulatory guidance, enforcement decisions, and legal cases referenced on this page.
Regulatory guidance
European Data Protection Board
Explore further
Same category
Validate technical compliance
Confirm that the Intercom messenger widget does not load before consent and does not collect visitor data before any conversation begins.