Is Intercom GDPR Compliant? What You Must Do

Intercom is GDPR-compliant as a processor, but it doesn't make your site compliant automatically. Learn the DPA, EU hosting limits, and cookie consent steps you must take.


by Billal Hossain • 1 July 2026


Intercom is GDPR-compliant as a data processor. It provides a Data Processing Agreement with the 2021 Standard Contractual Clauses and offers EU data hosting in Dublin. It also holds SOC 2 Type II and ISO 27001:2022 certifications. Compliance on your own site is not automatic, though.

As the data controller, you carry obligations Intercom cannot meet for you. You accept the DPA, set a lawful basis, and name Intercom in your privacy and cookie policy. Most importantly, you gate the Intercom Messenger behind a consent banner before its cookies load.

Is Intercom GDPR Compliant? The Short Answer

Intercom is GDPR-compliant as a data processor. It processes personal data on your behalf under a DPA that meets GDPR Article 28 requirements. You are the data controller and carry a separate set of obligations that Intercom cannot fulfill for you.

The compliance question splits into two layers:

  1. The conversation-data layer. Intercom's processor obligations: the DPA, data hosting region, certifications, and data-subject tools. Intercom handles these.
  2. The website cookie layer. The Intercom Messenger sets first-party tracking cookies on your domain from the moment it loads. Gating those cookies behind a consent banner is your obligation as the controller.

Both layers must be addressed before your use of Intercom is GDPR-compliant. Intercom is one of many tools that set cookies on a typical website. Audit whether your whole tech stack is GDPR compliant at the same time.

Intercom as a Data Processor: What It Gives You

Intercom is a data processor for the customer data you send to it. As GDPR Article 28 requires, Intercom provides a written contract, implemented security measures, and mechanisms for data-subject rights.

The Intercom DPA and Standard Contractual Clauses

Intercom's DPA incorporates the Standard Contractual Clauses issued by the European Commission on June 4, 2021. The DPA is built into Intercom's Terms of Service, so no separate signature is needed; accepting the Terms constitutes acceptance of the DPA.

The contracting entity on Intercom's side is Intercom R&D Unlimited Company, registered in Dublin, Ireland. Intercom does not accept alterations to its standard DPA, so the relationship is take-it-or-leave-it on terms.

For EU-US data transfers, Intercom participates in the EU-US Data Privacy Framework (DPF), the UK Extension to the EU-US DPF, and the Swiss-US DPF. These participation certifications supplement the SCCs.

EU Data Hosting and Where Your Data Lives

Intercom hosts data in three AWS regions: us-east-1 (North Virginia, USA), eu-west-1 (Dublin, Ireland), and ap-southeast-2 (Sydney, Australia). You can tell which region your workspace uses by checking your URL: app.intercom.com means US hosting, app.eu.intercom.com means EU hosting.

EU Regional Data Hosting is not the default. It is available only on Intercom's Advanced and Expert annual plans. It also requires provisioning a new workspace through Intercom's sales team. There is no migration path from an existing US workspace to the EU. You must create a new workspace and transfer your data and settings manually.

EU Regional Data Hosting is also partial, not total. Even with it enabled, several data categories still flow to the US.

  • Your billing data (name, email address, credit card details)
  • Workspace admin data used for customer support
  • Usage metadata (features used, message types sent)
  • Infrastructure telemetry

For most SMBs on Intercom's standard plans, conversation and contact data are processed in the US. The SCCs and DPF certifications cover that transfer.

Security Certifications and Data-Subject Tools

Intercom holds the certifications below. All are self-serve accessible at its Trust Center.

  • SOC 2 Type II
  • ISO 27001:2022
  • ISO 27018 (cloud privacy)
  • ISO 27701 (privacy information management)
  • ISO/IEC 42001:2023 (AI management system)
  • HIPAA attestation
  • CCPA
  • HDS (French healthcare data hosting standard)

On data-subject rights, Intercom lets you export all data linked to an individual. It also lets you permanently delete all data linked to a user via the API. Visitor data auto-expires after 9 months of inactivity, supporting GDPR retention requirements without manual work.

What You Must Do as the Data Controller

As the data controller, these obligations sit with you. Intercom's processor tools do not satisfy them on your behalf.

The steps required to use Intercom in a GDPR-compliant way are:

  1. Accept Intercom's DPA by accepting its Terms of Service.
  2. Set a lawful basis for each category of processing: a legitimate interest or consent for live chat; explicit consent for marketing messages.
  3. Update your privacy policy and cookie policy to name Intercom as a data processor and describe the data collected via the Messenger.
  4. Obtain cookie consent before the Intercom Messenger loads on your site (covered in the next section).
  5. Set a lawful basis for Intercom email or push messaging campaigns if you run them.
  6. Honor data-subject requests: provide data exports and deletions within GDPR timeframes.
  7. Document your processing of personal data via Intercom in your Article 30 records of processing activities.

The controller obligation that catches most teams off guard is item 4: cookie consent. Chat widgets like Intercom load and set cookies before any consent is collected. That makes them a common compliance gap on otherwise careful sites. The same controller duty applies to other embedded tools, such as whether Google Analytics is GDPR compliant on your site.

Store owners face the same question with Shopify GDPR compliance. WordPress site owners ask whether WordPress is GDPR compliant out of the box when they install plugins like Intercom's chat widget.

The Intercom Messenger Cookies on Your Website

The Intercom Messenger sets first-party tracking cookies on your domain the moment it loads. These are your cookies: they are assigned to your website's domain and are your responsibility under GDPR and the ePrivacy Directive.

Which Cookies the Intercom Messenger Sets

Intercom documents three cookies set by the Messenger on your domain:

Cookie namePurposeStorage typeDefault duration
intercom-id-[app_id]Anonymous visitor identifierlocalStorage entryNo expiry (does not expire via browser cookie TTL)
intercom-session-[app_id]Session trackerBrowser cookie1 week (controllable)
intercom-device-id-[app_id]Device identifierBrowser cookie270 days (refreshed on each ping)

A critical precision point: intercom-id-[app_id] is a localStorage entry, not a browser cookie. Clearing browser cookies does not remove it. It persists until the user clears localStorage manually or the browser is reset.

All three identifiers are first-party: they are set on your domain, not on intercom.com, and cannot be read by Intercom on other sites.

Why Those Cookies Need Consent Before the Widget Loads

GDPR and the ePrivacy Directive require prior consent for non-essential cookies. The Intercom Messenger is not necessary to operate your website: it is a customer communications tool. That makes the intercom-id-, intercom-session-, and intercom-device-id- cookies non-essential, and they require opt-in consent before they load.

The practical implication: the Intercom Messenger script must not initialize until the visitor has given consent. If the widget boots on page load before consent is granted, cookies are being set without the required legal basis.

Intercom's own documentation pushes this decision back to you. Its guidance on how to categorize the Messenger cookies is blunt. "Categorizing Intercom Messenger cookies in your consent tool is a legal and compliance decision that's yours to make." The obligation is the operator's.

Intercom does provide a consent-gating mechanism for this. Before consent is granted, you set disabled: true in the Intercom configuration.

``javascript window.intercomSettings = { app_id: 'your_app_id', disabled: true } ``

When disabled: true is set, Intercom loads but does not boot. No cookies are used, and the visitor cannot see or interact with the Messenger. Once the visitor grants consent, you boot Intercom normally with disabled: false. This mechanism requires your cookie banner to trigger the boot call at the right moment.

A GDPR Checklist for Using Intercom

This checklist consolidates both layers. It pairs the processor-side steps Intercom provides with the controller-side steps you must complete.

  1. Accept Intercom's Terms of Service to bind the ToS-embedded DPA (SCCs included; no separate signature needed).
  2. If you have EU users and require EU data residency, provision an EU workspace on an Advanced or Expert annual plan via Intercom's sales team.
  3. Update your privacy policy to name Intercom as a data processor, describe the categories of personal data it processes, and state the lawful basis.
  4. Update your cookie policy to list the three Intercom Messenger cookies (intercom-id-, intercom-session-, intercom-device-id-) and categorize them as non-essential.
  5. Gate the Intercom Messenger behind a cookie consent banner: boot with disabled: true until the visitor consents, then trigger disabled: false on consent.
  6. Set a lawful basis for each Intercom messaging channel you use: chat (legitimate interest or consent), email campaigns (consent or a specific legal basis), and push notifications (consent).
  7. Handle data-subject requests within GDPR timeframes: use Intercom's export and delete tools for individual users.
  8. Record your use of Intercom in your Article 30 records of processing activities.

How Consently Handles Consent for the Intercom Messenger

Consently handles the website cookie-consent layer for the Intercom Messenger. It supplies the consent banner and the script blocking that prevent intercom-id-, intercom-session-, and intercom-device-id- from loading until the visitor opts in.

To be clear about scope: Consently is a Consent Management Platform for your website's cookies. It does not manage Intercom's conversation-data processing, alter Intercom's DPA, or satisfy your Article 30 documentation obligation. Those controller duties remain with you and with Intercom directly.

Consently does two things for the Intercom use case.

Cookie consent banner. Consently's GDPR opt-in banner presents visitors with a consent choice before any non-essential script loads. The banner runs on every page where the Intercom widget would otherwise boot. Visitors can accept, reject, or configure their preferences. Each consent is logged with a timestamp, an identifier, and the accepted scope, creating an audit trail.

Automatic script and iframe blocking (cookie auto-blocking). Consently's auto-blocking holds non-essential scripts until a valid opt-in is recorded. This includes the Intercom Messenger script. It satisfies the disabled: true requirement at the infrastructure level: the Messenger never boots without consent, however the page loads. Consently's scanner also detects the Intercom cookies in its cookie audit, so you can confirm they are categorized correctly.

See how a cookie consent banner gates the Intercom Messenger on your site, or start a free trial to set up cookie consent in minutes.

FAQs

Is Intercom GDPR Compliant?

Intercom is GDPR-compliant as a data processor. It provides a DPA incorporating 2021 SCCs, EU data hosting on qualifying plans, and SOC 2 Type II and ISO 27001:2022 certifications. Compliance is not automatic for your site. You must accept the DPA, gate Messenger cookies behind a consent banner, and meet the controller obligations described above.

Is Intercom a Data Controller or a Data Processor?

Intercom is a data processor for the customer data you send to it. You are the data controller for that data. Intercom is also a data controller for its own account data. That is the billing and admin information about your relationship with Intercom as a customer.

Do I Need a DPA With Intercom?

Yes. GDPR Article 28 requires a written contract between a controller and a processor. Intercom's DPA is embedded in its Terms of Service and incorporates the Standard Contractual Clauses of June 4, 2021. Accepting the Terms satisfies the DPA requirement; no separate signature is needed. The contracting entity is Intercom R&D Unlimited Company, Dublin, Ireland.

Does the Intercom Messenger Use Cookies?

Yes. The Intercom Messenger sets three first-party identifiers on your domain. The first is intercom-id-[app_id], a localStorage entry with no expiry. The second is intercom-session-[app_id], a browser cookie with a 1-week default. The third is intercom-device-id-[app_id], a browser cookie that persists 270 days. All are set on your domain, not on intercom.com.

Can I Host My Intercom Data in the EU?

Yes, but with conditions. Intercom's EU Regional Data Hosting places conversation, visitor, and contact data in AWS eu-west-1 (Dublin, Ireland). This option is available only on Advanced and Expert annual plans. There is no migration path from a US workspace, so you must create a new EU workspace. Billing data, admin data, and usage metadata still flow to the US even on EU-hosted workspaces. Your workspace URL shows your region: app.eu.intercom.com means EU hosting.

Do I Need Consent Before Loading the Intercom Chat Widget?

Yes. The Intercom Messenger is non-essential to your website's operation, so its cookies require prior opt-in consent under GDPR and ePrivacy rules. Gate the Messenger by setting disabled: true in your Intercom configuration before the visitor consents, then call Intercom('boot', { disabled: false }) when the visitor accepts. A cookie consent banner connected to Intercom's disabled flag handles this automatically.

AUTHOR

Billal Hossain is a software engineer with hands-on experience building Consently from start to finish. His work gives him a practical understanding of consent management platforms, cookie consent, and how businesses can create more compliant, user-friendly websites.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.