Marketing and Analytics

The Intercom bubble loads on every page. Does your consent setup know what it collects?

Intercom is one of the most widely deployed customer messaging platforms. Its JavaScript widget initializes on page load, sets cookies for visitor identification, and sends page-view and user-attribute data to Intercom servers continuously as visitors browse. Teams that install it for support chat often do not realize how much behavioral and identity data it collects from all visitors, not just those who open the chat.

Intercom

Intercom is a customer messaging and support platform that provides in-app chat, automated messaging, product tours, and help center functionality, with a JavaScript SDK that loads on every page of the host site.

Trademark

Intercom is a trademark of Intercom, Inc. Lokker is not affiliated with or endorsed by Intercom, Inc.

Risk and failure modes

What Intercom collects that goes beyond a chat conversation

The Intercom widget is active from page load, not only when the visitor opens the chat. That distinction matters because page view events, referrer data, and visitor identifiers are collected during passive browsing, often without the user initiating any interaction.

Persistent visitor identification

Intercom sets long-lived cookies that identify returning visitors across sessions. These identifiers are shared with Intercom servers on each page load, creating a cross-session profile regardless of whether the user has ever interacted with the chat.

Page-view and navigation tracking

Every page the visitor navigates to sends a page event to Intercom. For sites with many pages and no consent gate on this behavior, the full browsing trail of unauthenticated visitors may be transmitted to a third party.

User attribute transmission

Developers often pass user email, name, and account attributes into the Intercom initialization call. If this runs before consent, identifiable personal data moves to Intercom servers immediately on login.

Device and browser fingerprinting

The Intercom SDK collects device type, browser, operating system, and screen resolution as part of its visitor profiling. This data moves to Intercom regardless of whether the visitor opens the chat.

Consent and configuration

Most legal teams focus on what the chat says. The compliance issue is what the widget collects in the background from every page load. Consent validation must test whether the entire Intercom SDK is gated, not only the visible chat interface.

  • The Intercom SDK must not load at all in reject and no-interaction states; suppressing the chat bubble while the script runs does not satisfy the requirement.

  • User attribute calls that pass email or account data must be gated independently of the core SDK load.

  • Page-view events that send navigation data to Intercom must be blocked under GPC and opt-out consent states in applicable US jurisdictions.

  • In GDPR markets, the Intercom SDK should not initialize until explicit consent is obtained for the relevant processing categories.
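
One way to check these requirements against recorded browser sessions, as an added example that is not Lokker's or Intercom's code: it flags Intercom requests, cookies, and identity attributes seen in no-interaction, reject, and GPC captures. The host suffixes, cookie prefix, identity key names, and capture format are assumptions.

```javascript
// Added example, not vendor code. Host suffixes, cookie prefix and capture
// shape are assumptions; confirm them against your own recorded sessions.
const HOST_SUFFIXES = ["intercom.io", "intercomcdn.com"];
const GATED_STATES = new Set(["no-interaction", "reject", "gpc"]);
const IDENTITY_KEYS = new Set(["email", "name", "user_id"]);

function isIntercomHost(url) {
  try {
    const host = new URL(url).hostname.toLowerCase();
    return HOST_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
  } catch { return false; } // unparseable URL: cannot be attributed to Intercom
}
// Identity-like keys in a JSON or form-encoded body (JSON inside a form field too).
function identityKeys(body, found = new Set()) {
  let entries = [];
  if (typeof body === "string") {
    try { return identityKeys(JSON.parse(body), found); }
    catch { entries = [...new URLSearchParams(body)]; }
  } else if (body && typeof body === "object") entries = Object.entries(body);
  for (const [k, v] of entries) {
    if (IDENTITY_KEYS.has(k)) found.add(k);
    if (typeof v === "object" || String(v).startsWith("{")) identityKeys(v, found);
  }
  return [...found].sort();
}
// One finding per Intercom request or cookie seen in a state that must stay silent.
function auditCaptures(captures) {
  const findings = [];
  for (const { state, requests = [], cookies = [] } of captures) {
    if (!GATED_STATES.has(state)) continue;
    for (const { url, body } of requests.filter((r) => isIntercomHost(r.url))) {
      const keys = identityKeys(body);
      findings.push({ state, type: keys.length ? "identity-sent" : "sdk-request", url, keys });
    }
    for (const { name } of cookies.filter((c) => c.name.startsWith("intercom-")))
      findings.push({ state, type: "cookie-set", name });
  }
  return findings;
}
// Constructed captures (not real traffic); APP_ID and paths are placeholders.
const SAMPLE = [
  { state: "accept", requests: [{ url: "https://widget.intercom.io/widget/APP_ID" }] },
  { state: "reject", requests: [{ url: "https://notintercom.io.example.test/x" }] },
  { state: "no-interaction", requests: [{ url: "https://widget.intercom.io/widget/APP_ID" }],
    cookies: [{ name: "intercom-id-APP_ID" }] },
  { state: "gpc", requests: [{ url: "https://api-iam.intercom.io/constructed",
    body: "app_id=APP_ID&user_data=%7B%22email%22%3A%22a%40example.test%22%7D" }] },
];
```

An empty result from `auditCaptures` for the gated states is the passing condition; any `identity-sent` finding means user attributes left the browser without a consent signal.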

Regional compliance

Visitor tracking is a recognized area of regulatory focus

European data protection authorities have investigated and fined companies for chat and messaging tools that collected data before consent. US state laws in California, Colorado, Virginia, and others extend opt-out rights to cross-context behavioral advertising data that Intercom's visitor profiling may feed. Healthcare and financial services organizations carry additional obligations when Intercom-captured page URLs can reveal health or account context.

How Lokker helps

How Lokker validates Intercom consent behavior

Lokker tests whether Intercom initializes and sends data in pre-consent, reject, and GPC states, and whether user attribute data moves to Intercom servers before a valid consent signal is present.

Widget initialization testing across consent states

Consent Validator runs automated browser sessions in no-interaction, accept, reject, and GPC states and captures whether Intercom loads, what cookies it sets, and what network requests it makes in each state.

Deployment detection across your web estate

Privacy Edge identifies where Intercom is deployed and surfaces pages where user attributes are passed at initialization, so teams can prioritize the highest-risk pages for consent remediation.

Script and request blocking at the network layer

Guardian intercepts the Intercom SDK and its API endpoints so the widget cannot load and no visitor data can move to Intercom servers in an unauthorized consent state.

Explore Lokker

Products that address Intercom privacy risk

Each product links to its full details so you can explore features, view a demo, and understand how it applies to your Intercom deployment.

Intelligence

Privacy Edge

Detects Intercom across the portfolio and flags pages with user attribute calls at initialization.

Enforcement

Guardian

Blocks the Intercom SDK and its API connections before any visitor data leaves the browser.

Before you deploy

Privacy questions to answer before adding Intercom

Marketing teams often evaluate tools on performance and features. These privacy questions are worth settling before the script goes live, because fixing them after a complaint is significantly more expensive.

  • Is your CMP configured to block the entire Intercom SDK in pre-consent and reject states, or does it only hide the chat bubble?

  • Does your developer integration pass user email or account attributes before checking for a consent signal?

  • Have you reviewed what page-view events Intercom sends and whether those qualify as behavioral tracking under your applicable laws?

  • Does your privacy notice disclose that a chat widget collects visitor identifiers and page navigation data from all visitors, not only those who use chat?

Next step

Validate Intercom consent behavior across your portfolio

Lokker runs automated browser-level consent flows and scans the network layer to confirm whether Intercom fires in states where it should not.