If you sell to anyone in the EU or UK, your support tool processes personal data — names, email addresses, and whatever customers type into a ticket. That puts it squarely under the GDPR. The good news: for a small business, “compliant support” is mostly a handful of sensible defaults, not a legal project. Here’s the practical checklist.
This is a plain-English guide, not legal advice. When in doubt, talk to a professional.
1. Have a lawful basis
You need a legal reason to process the data. For support, this is almost always legitimate interest (answering a request the customer initiated) or contract (supporting a product they bought). You don’t usually need separate consent to reply to someone who emailed you — but you do need to say what you do with the data in your privacy policy.
2. Minimise what you collect
GDPR’s data-minimisation principle says: collect only what you need. A support ticket needs a name, an email, and the message. It does not need to silently track the customer across your site, fingerprint their device, or log data “just in case”. If your support tool sets marketing cookies or builds a behavioural profile to do its job, that’s a red flag.
3. Skip the cookie banner you don’t need
Cookie consent banners are required for non-essential cookies (analytics, ads, cross-site tracking). Strictly speaking that rule comes from the ePrivacy rules (PECR in the UK) rather than the GDPR itself, but the GDPR sets the standard for what counts as valid consent. Cookies that are strictly necessary for a service the visitor asked for, such as a session cookie that keeps a chat conversation together, are exempt. A support widget that works without anything beyond that doesn’t trigger the banner requirement. Fewer cookies means a simpler site, a better experience, and one less compliance surface. Favour tools that are cookieless by default, and verify the claim: load a page with the widget, open your browser’s developer tools and check the storage panel for cookies or local storage it sets, especially any under a third-party domain.
4. Know where the data lives
For EU customers, data stored on EU infrastructure keeps things simple: you don’t have to rely on a transfer mechanism (such as standard contractual clauses) for the storage itself. Two caveats. Remote access counts as a transfer too, so a vendor whose support staff or sub-processors read ticket data from outside the EU/EEA still needs a transfer basis for that access; ask for the sub-processor list as well as the storage location. And “where it lives” includes backups and logs, not just the primary database. Ask your vendor where ticket data is stored, processed and backed up.
5. Set a retention policy
Don’t keep tickets forever by default. Decide how long you need resolved conversations and delete or anonymise after that. Anonymisation means the record can no longer be linked back to the person, so stripping the name field while leaving an email address or order number in the message body doesn’t count. Also make sure you can honour a deletion request (the “right to be forgotten”): a customer can ask you to erase their data, and you need a way to find everything tied to them and remove it. The right isn’t absolute (you can keep what a legal obligation, such as tax record-keeping, requires), but the support history itself rarely falls under such an exception.
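A retention sweep and an erasure handler, written out as an added example to show the two operations the paragraph above describes. This is not SimpleSupport’s code; the in-memory `Ticket` list, the field names, the 365-day window and the sample tickets are all constructed for the demo. The sweep anonymises resolved tickets past the window but never touches open ones, and scrubs email addresses pasted into the message body as well as the name and email fields. The erasure handler deletes every ticket from the requesting address outright, matching the address case-insensitively.

```python
"""Retention sweep and erasure-request handling for support tickets.

Added example, not SimpleSupport's own code. Ticket storage is an in-memory
list of dicts standing in for whatever database a support tool actually uses
(an assumption made to keep the example self-contained).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Customers paste contact details into ticket bodies, so free text is scrubbed too.
# This catches email addresses only; a name typed into the body is not caught,
# which is one reason outright deletion is the safer answer to an erasure request.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDACTED = "[redacted]"


@dataclass
class Ticket:
    id: int
    name: str
    email: str
    body: str
    created_at: datetime
    resolved_at: datetime | None = None  # None means the ticket is still open
    anonymised: bool = False


def _scrub(ticket: Ticket) -> None:
    """Remove the direct identifiers but keep the ticket for volume statistics."""
    ticket.name = REDACTED
    ticket.email = REDACTED
    ticket.body = EMAIL_RE.sub(REDACTED, ticket.body)
    ticket.anonymised = True


def retention_sweep(tickets: list[Ticket], keep_for: timedelta,
                    now: datetime | None = None) -> int:
    """Anonymise resolved tickets whose resolution is older than keep_for.

    Open tickets are never touched regardless of age: the conversation is
    still needed to answer the customer. Returns the number anonymised.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - keep_for
    count = 0
    for t in tickets:
        if t.anonymised or t.resolved_at is None:
            continue
        if t.resolved_at < cutoff:
            _scrub(t)
            count += 1
    return count


def erase_subject(tickets: list[Ticket], email: str) -> int:
    """Honour an erasure request by deleting every ticket from this address.

    Open tickets are deleted too: the customer has asked for their data to go.
    Matching is case-insensitive because the request rarely arrives with the
    exact capitalisation typed into the form. Returns the number deleted.
    """
    wanted = email.strip().lower()
    before = len(tickets)
    tickets[:] = [t for t in tickets if t.email.lower() != wanted]
    return before - len(tickets)


def sample_tickets() -> list[Ticket]:
    """Constructed sample data for the demo, not real customers."""
    utc = timezone.utc
    return [
        Ticket(1, "Ada", "ada@example.com",
               "Login broken, reach me at ada@example.com",
               datetime(2023, 1, 10, tzinfo=utc), datetime(2023, 1, 12, tzinfo=utc)),
        Ticket(2, "Bob", "Bob@example.org", "Invoice question",
               datetime(2024, 3, 1, tzinfo=utc), datetime(2024, 3, 2, tzinfo=utc)),
        Ticket(3, "Cy", "cy@example.net", "Still waiting on a fix",
               datetime(2023, 1, 1, tzinfo=utc)),  # old but still open
    ]


if __name__ == "__main__":
    tickets = sample_tickets()
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("anonymised:", retention_sweep(tickets, timedelta(days=365), now=now))
    print("erased:", erase_subject(tickets, "bob@EXAMPLE.org"))
    for t in tickets:
        print(t.id, t.name, t.email, t.body)
```

Run against the sample data with a one-year window, the sweep anonymises only Ada’s ticket (Bob’s is recent, Cy’s is old but open), and the erasure request for Bob removes his ticket entirely even though it was inside the retention window. Scheduling the sweep daily and logging the counts gives you evidence that the policy is actually enforced, which is what a regulator or a customer will ask for.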
6. Sign a DPA for anything serious
When a tool processes personal data on your behalf, it’s a processor and you’re the controller. A Data Processing Agreement (DPA) is the contract that sets out how they handle it: that they act only on your instructions, keep the data confidential, tell you which sub-processors they use, help you with customer requests, and delete or return the data when you leave. The GDPR (Article 28) requires such a contract whenever a processor is used, so it isn’t optional for business use; many vendors fold it into their standard terms, others offer it on request or only on certain plans. Before you move real customer tickets into a tool, make sure your support vendor offers one and that you’ve accepted it.
The shortcut: pick a tool that’s compliant by default
You can make almost any tool GDPR-compliant with enough configuration. The faster path is to choose one that ships compliant out of the box: no tracking cookies, no consent banner required, EU data storage, minimal data collection, and a DPA available when you need it. Then most of this checklist is handled for you, and you spend your time on support instead of compliance.
That’s the bar we built SimpleSupport to: GDPR by default, cookieless, with a DPA on the Business plan. Start free — or read what counts as a support ticket.