Cookie management policy
What is a cookie?
The "cookie" is a small computer file, categorized as a tracker, that is placed and read when visiting a website or a web or mobile platform, regardless of the type of device used (computer, smartphone, tablet, etc.).
Although "cookies" are frequently mentioned, it is more accurate to refer to the family of "trackers" which includes cookies and encompasses various types of small files installed on users' devices.
Trackers include, among others:
HTTP cookies and variables
Flash cookies
Invisible pixels or "web beacons"
The result of fingerprinting (the calculation of a unique machine identifier based on its configuration elements for tracking purposes)
Access to device information via APIs (LocalStorage, IndexedDB, advertising identifiers such as IDFA or Android ID, GPS access, etc.)
Any other identifier generated by software or an operating system (serial number, MAC address, unique device identifier – IDFV)
The use of these tools is subject to the consent of any user of an online communication service, as long as the trackers placed on their device are not strictly necessary for the operation of the communication service in question.
This key principle of the rights of online communication service users was established by Article 5(3) of Directive 2002/58/EC (amended in 2009) and transposed into French law by Article 82 of the Data Protection Act.
The notion of "consent" as outlined in these provisions must be understood according to the definition and conditions set out in Articles 4(11) and 7 of the GDPR. It must therefore be freely given, specific, informed, and unambiguous, and the user must be able to withdraw it at any time, with the same ease with which it was given.
In order to clarify and explain the applicable law regarding the placement and reading of trackers on users' devices, the CNIL adopted guidelines on September 17, 2020.
What trackers are used by Dydu?
a- In the local storage:
All localStorage entries have a maximum lifetime of 6 months (configurable by your CP/CSM via the application.localStorageKeepTimeInMs key), counted from the last interaction with the chatbox, unless the user empties their localStorage manually.
Almost all keys start with dydu.chatbox, and any key can carry a suffix that ties the key/value pair to a specific chatbox (useful when several chatboxes are on the same page).
For example, dydu.chatbox.gdpr.preview is a key used by the chatbox whose identifier is ‘preview’.
Last updated: 19 May 2025
| Key | Content | Purpose | Lifetime |
| --- | --- | --- | --- |
| dydu.chatbox.client | User ID | Randomly generated, or fixed data depending on external connector/authentication. Enables conversations to be linked to a person | Depending on configuration |
| dydu.chatbox.context | Identifier of the current conversation | Allows you to link user interactions or other variables to a conversation | Depending on configuration |
| dydu.chatbox.cookies | Consent to the storage of cookies | Retains information about whether consent has been given for the storage of cookies. If so, the disclaimer will not be requested again | Depending on configuration |
| dydu.chatbox.dragon | Position of the chatbox | Retains the position of the chatbox after it has been moved on the web page where it is embedded | Depending on configuration |
| dydu.chatbox.fontSize | Font size | Selects the font size used in the conversation area | Depending on configuration |
| dydu.chatbox.gdpr | Consent to Dydu's GDPR policy | Allows information to be retained about whether consent has been given for Dydu's GDPR policy. If so, the disclaimer will not be requested again | Depending on configuration |
| dydu.chatbox.interaction.last | Date of last interaction (timestamp) | Used to remember when the last interaction took place. Used to purge the localStorage, or to check whether a conversation is still in progress | Depending on configuration |
| dydu.chatbox.livechatType | Type of livechat currently used *** | Allows you to remember the type of livechat currently in use (websocket/polling). Necessary to switch from the bot to a human person | As long as livechat is active |
| dydu.chatbox.locale | Bot language | Retains the current language of the bot and the conversation | Depending on configuration |
| dydu.chatbox.onboarding | Onboarding display | Retains information about whether or not onboarding has been viewed, so that it is not displayed again | Depending on configuration |
| dydu.chatbox.open | Opening mode | Stores the chatbox opening mode (0: invisible, 1: minimized, 2: open, 3: full screen). Default: 1 (minimized) | Depending on configuration |
| dydu.chatbox.operator | Identifier of the operator in discussion *** | Enables the livechat operator to be linked to the response to user questionnaires | As long as livechat is active |
| dydu.chatbox.pushRules | Rules for pushrules, by bot and consultation space | Allows you to retain the rules of the various pushrules configured | Depending on configuration |
| dydu.chatbox.pushRulesTriggered | Pushrules executed | Allows you to remember which pushrules have been executed, so that you don't have to re-execute them | Depending on configuration |
| dydu.chatbox.sidebar | Sidebar display | Used to remember whether the sidebar is open or not, useful when browsing the site to leave it open | Depending on configuration |
| dydu.chatbox.space | Consultation space | Holds the current consultation space for the conversation | Depending on configuration |
| dydu.chatbox.visit | Date of user visit | Allows you to remember the date of the user's first visit, so that it is only recorded once for the purposes of counting the number of visitors to the bot | Depending on configuration |
| dydu.chatbox.waitingQueue | User currently in the livechat queue *** | Retains information about whether the user is currently in the queue, allowing them to leave the queue manually | As long as livechat is active |
| dydu.chatbox.welcomeKnowledge | Welcome content | Holds the content of the welcome for the duration of the conversation | Depending on configuration |
| dydu.chatbox.oidc.urls | Authentication (OIDC) ** | Used to remember the different URLs to call to obtain an accessToken | Depending on configuration |
| dydu.chatbox.oidc.idToken | Authentication (OIDC) ** | Allows the idToken to be retained once the OIDC connection has been successfully made. Sent to Dydu APIs to verify OIDC connection | Depending on configuration |
| dydu.chatbox.oidc.accessToken | Authentication (OIDC) ** | Allows the accessToken to be retained once the OIDC connection has been successfully made. Sent to Dydu APIs to verify OIDC connection | Depending on configuration |
| dydu.chatbox.oidc.refreshToken | Authentication (OIDC) ** | Used to retain the refreshToken once the OIDC connection has succeeded. Used to refresh the accessToken | Depending on configuration |
| dydu.chatbox.oidc.authData | Authentication (OIDC) ** | Used to retain the redirection URL and the state used for authentication on the OIDC Provider | Depending on configuration |
| dydu.chatbox.oidc.pkce.codeChallenge | Authentication (OIDC) ** | Used to retain the challenge code calculated for the authentication request on the OIDC Provider | Persists as long as the connection with the OIDC Provider remains established |
| dydu.chatbox.oidc.pkce.codeVerifier | Authentication (OIDC) ** | Enables the code_verifier sent for code exchange and token refresh to be retained, calculated at the same time as the code_challenge | Persists as long as the connection with the OIDC Provider remains established |
| dydu.chatbox.auth.userInfo | Authentication (OIDC/SAML) ** | Used to retain information about the logged-in user, in particular to use the email address as a clientId | Persists as long as the connection with the OIDC Provider remains established |
| dydu.chatbox.saml.auth | Authentication (SAML) ** | Guarantees that the user is authenticated with the SAML identity provider | Depending on configuration |
** Necessary if the chatbox is subject to SAML or OIDC authentication.
*** Necessary for the functioning of the live chat.
b- In session storage:
| Key | Content | Purpose | Lifetime |
| --- | --- | --- | --- |
| dydu.chatbox.banner | Displaying the banner | Choose whether or not to display the chatbox banner | Session duration |
| dydu.chatbox.retry.lazy.refreshed | Try loading the chatbox again | Holds information about whether the chatbox needs to be reloaded following an error | Session, and deleted if chatbox successfully loaded |
| dydu.chatbox.server | Current Dydu server index | Allows you to remember which Dydu server the API calls are made to (nothing/0: main server, >0: backups) | Session duration |
How to Manage Dydu Cookies?
Step 1: Identify the data controller
In accordance with Articles 24 and 28 of the GDPR, Dydu acts as a "subcontractor on behalf" of its client, the data controller. Therefore, the Dydu client is the data controller regarding the placement and reading of Dydu Bot cookies. The client must always be proactive in managing the cookies on their site, whether they are Dydu cookies or those from other integrated online communication services.
Nevertheless, in its capacity as a subcontractor, Dydu is committed to effectively collaborating with its clients by providing them with cookie management recommendations and ensuring that the tools it markets are easily configurable by its clients for compliant use with applicable cookie legislation.
Step 2: Identify the Trackers generated by the relevant Dydu solution
See the tables in the section "What trackers are used by Dydu?": part "a" describes the trackers stored in local storage, and part "b" the trackers stored in session storage.
Step 3: Distinguish Cookies with or Without Consent
Under Article 82 of the "Informatique et Libertés" Law and according to the interpretation provided by the CNIL in its guidelines on cookies and trackers dated September 17, 2020, there are three types of trackers:
Trackers that are exempt from consent:
These are trackers that are strictly necessary for providing an online communication service explicitly requested by the user, or trackers that aim to enable or facilitate the transmission of communication by electronic means. These trackers do not require consent, but informing users about their use is recommended.
For the Dydu Chatbot Solution, the following trackers apply:
| Tracker | Category |
| --- | --- |
| dydu.chatbox.client | Functional |
| dydu.chatbox.context | Functional |
| dydu.chatbox.interaction.last | Functional |
| dydu.chatbox.locale | Functional |
| dydu.chatbox.open | Functional |
| dydu.chatbox.pushRules | Functional |
| dydu.chatbox.pushRulesTriggered | Functional |
| dydu.chatbox.space | Functional |
| dydu.chatbox.visit | Functional |
In the case of an OIDC or SAML connection, the following trackers are necessary for user authentication:
| Tracker | Category |
| --- | --- |
| dydu.chatbox.oidc.authData | Functional (OIDC) |
| dydu.chatbox.oidc.idToken | Functional (OIDC) |
| dydu.chatbox.oidc.accessToken | Functional (OIDC) |
| dydu.chatbox.oidc.refreshToken | Functional (OIDC) |
| dydu.chatbox.oidc.urls | Functional (OIDC) |
| dydu.chatbox.oidc.pkce.codeChallenge | Functional (OIDC) |
| dydu.chatbox.oidc.pkce.codeVerifier | Functional (OIDC) |
| dydu.chatbox.auth.userInfo | Functional (OIDC/SAML) |
| dydu.chatbox.saml.auth | Functional (SAML) |
In the case of using the DYDU live chat service, the following trackers are necessary for maintaining the live chat during web browsing:
| Tracker | Category |
| --- | --- |
| dydu.chatbox.operator | Functional (Livechat) |
| dydu.chatbox.waitingQueue | Functional (Livechat) |
| dydu.chatbox.livechatType | Functional (Livechat) |
The client may also determine that the online communication service provided by Dydu as a whole (Chatbot, Live chat, Voicebot, etc.) is not essential to their website or platform. In this case, they must configure their TMS (Tag Management System) to ensure that the placement of Dydu cookies is subject to user consent, as outlined in “STEP 4” below.
Trackers requiring prior consent:
These are, in contrast, all trackers that do not fall within the aforementioned exemption. They may be related, for example, to the display of personalized advertising or social media sharing features. In the absence of consent, these trackers cannot be placed and/or read on the user's device.
For the Dydu chatbot solution, no tracker falls into this scenario.
The specific case of audience measurement or statistical trackers exempt from consent:
The CNIL acknowledges that traffic and/or performance statistics are "essential in many cases for the proper functioning of the site or application and therefore for the provision of the service." It exempts certain audience measurement cookies (statistics) from user consent provided that these trackers:
Have a purpose strictly limited to measuring the audience of the site or application (performance measurement, detection of navigation issues, optimization of technical performance or usability, estimation of server power required, analysis of viewed content), exclusively for the benefit of the publisher.
Serve to produce only anonymous statistical data.
For the Dydu chatbot solution, the following trackers apply:
| Tracker | Category |
| --- | --- |
| dydu.chatbox.client | Statistics |
| dydu.chatbox.locale | Statistics |
| dydu.chatbox.space | Statistics |
| dydu.chatbox.pushRules | Statistics |
In accordance with the CNIL guidelines, the aforementioned trackers are indeed used to produce purely anonymous statistics, which in no way allow for the identification or rendering identifiable of a user within the scope of this statistical processing*. They are also limited solely to measuring the audience of the Chatbot and establishing performance and traffic statistics for the Chatbot.
Regarding the exclusivity criterion of this functionality, Dydu expressly commits to never consulting or reusing the statistics generated from the placement and reading of these trackers for its own benefit. To formally establish this guarantee, Dydu provides the client with a specific written commitment in section "4. The Dydu Commitment" of this policy. This agreement may be attached directly to the contract between the client and Dydu.
However, the client may choose to go beyond Dydu’s and the CNIL’s recommendations and decide to require user consent for the statistical trackers of the Dydu tool. In this case, they must distinguish between functional trackers and statistical trackers in the configuration of their TMS, as outlined in “STEP 4” below.
*Important Note: In the context of certain client projects, the Dydu Solution may exceptionally operate following user authentication. In this case, if the authenticated user uses the Solution, their trackers will no longer necessarily be "anonymous" as they will be linked to a user ID (depending on the options chosen by the Client in the configuration of their project). To maintain the statistical tool of the solution in its anonymous version, Dydu provides the Client with a feature for the automatic anonymization of conversations. This anonymization can be immediate (recommended by Dydu) or at a specified deadline (not exceeding 30 days), with this dual choice remaining solely at the discretion of the Client, who is the data controller.
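The inventory from Steps 2 and 3 can be checked against what a browser actually holds. This added example (not Dydu's code) parses dydu.chatbox keys from a Storage-like object, separates the optional chatbox suffix, maps each key to the category this page gives it, and flags keys the page does not list. It covers the local-storage table only and assumes that dydu.chatbox.interaction.last holds a millisecond epoch timestamp and that "6 months" is about 182 days; parseKey, auditStorage and makeStorage are hypothetical names.

```javascript
// Added example: key names and categories are copied from this page's tables.
const PREFIX = 'dydu.chatbox.';
const CATEGORIES = {
  functional: ['client', 'context', 'interaction.last', 'locale', 'open',
    'pushRules', 'pushRulesTriggered', 'space', 'visit'],
  authentication: ['oidc.authData', 'oidc.idToken', 'oidc.accessToken',
    'oidc.refreshToken', 'oidc.urls', 'oidc.pkce.codeChallenge',
    'oidc.pkce.codeVerifier', 'auth.userInfo', 'saml.auth'],
  livechat: ['operator', 'waitingQueue', 'livechatType'],
  // Present in local-storage table "a" but not given a category in Step 3.
  listed: ['cookies', 'dragon', 'fontSize', 'gdpr', 'onboarding', 'sidebar',
    'welcomeKnowledge'],
};
const STATISTICS = new Set(['client', 'locale', 'space', 'pushRules']);
// Assumption: the 6-month lifetime is approximated as 182 days, in ms.
const DEFAULT_KEEP_MS = 182 * 24 * 60 * 60 * 1000;
const KNOWN = Object.entries(CATEGORIES)
  .flatMap(([category, names]) => names.map((name) => ({ name, category })));

// Split a key into its documented name and the optional chatbox suffix.
function parseKey(key) {
  if (!key.startsWith(PREFIX)) return null;
  const rest = key.slice(PREFIX.length);
  // Match on a dot boundary so "pushRulesTriggered" is never read as
  // "pushRules", and "interaction.last.preview" yields suffix "preview".
  const hit = KNOWN.find(({ name }) => rest === name || rest.startsWith(`${name}.`));
  if (!hit) return { name: rest, category: 'undocumented', chatboxId: null };
  const chatboxId = rest === hit.name ? null : rest.slice(hit.name.length + 1);
  return { name: hit.name, category: hit.category, chatboxId };
}

// storage: any object shaped like Web Storage (length, key(i), getItem).
function auditStorage(storage, now = Date.now(), keepMs = DEFAULT_KEEP_MS) {
  const report = [];
  for (let i = 0; i < storage.length; i += 1) {
    const key = storage.key(i);
    const parsed = parseKey(key);
    if (!parsed) continue; // not a dydu.chatbox key
    const suffix = parsed.chatboxId ? `.${parsed.chatboxId}` : '';
    // Assumption: interaction.last holds a millisecond epoch timestamp.
    const last = Number(storage.getItem(`${PREFIX}interaction.last${suffix}`));
    const expired = Number.isFinite(last) && last > 0 ? now - last > keepMs : null;
    report.push({ key, ...parsed, statistics: STATISTICS.has(parsed.name), expired });
  }
  return report;
}

// Constructed sample data standing in for window.localStorage.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => entries[k] ?? null };
}
const NOW = Date.UTC(2025, 4, 19);
const sample = makeStorage({
  'dydu.chatbox.gdpr.preview': 'true',
  'dydu.chatbox.interaction.last.preview': String(NOW - 200 * 86400000),
  'dydu.chatbox.pushRulesTriggered': '[]',
  'dydu.chatbox.oidc.accessToken': 'constructed-placeholder',
  'dydu.chatbox.debugFlag': '1',
  'unrelated.key': 'x',
});
const sampleReport = auditStorage(sample, NOW);
```

In a browser, pass window.localStorage as the first argument; an expired value of null means no interaction.last entry was found for that chatbox.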
Step 4: Configure consent collection and tracker placement
The Dydu solution requires the placement of functional trackers. It cannot operate without the prior placement of the following trackers:
| Tracker | Content |
| --- | --- |
| dydu.chatbox.visit | Date on which the user's visit was recorded |
Other cookies will be stored when the chatbox is opened:
| Tracker | Content |
| --- | --- |
| dydu.chatbox.client | Customer ID generation |
| dydu.chatbox.context | Conversation identifier |
| dydu.chatbox.gdpr | GDPR disclaimer validated or not |
| dydu.chatbox.interaction.last | Date of last interaction |
| dydu.chatbox.locale | Language of the bot and conversation |
| dydu.chatbox.onboarding | Onboarding passed or not |
| dydu.chatbox.open | Chatbox open status |
| dydu.chatbox.welcomeKnowledge | Welcome cache storage |
In the case of an OIDC or SAML connection, the following trackers are necessary for user authentication:
| Tracker | Category |
| --- | --- |
| dydu.chatbox.oidc.authData | Functional (OIDC) |
| dydu.chatbox.oidc.urls | Functional (OIDC) |
| dydu.chatbox.oidc.idToken | Functional (OIDC) |
| dydu.chatbox.oidc.accessToken | Functional (OIDC) |
| dydu.chatbox.oidc.refreshToken | Functional (OIDC) |
| dydu.chatbox.oidc.pkce.codeVerifier | Functional (OIDC) |
| dydu.chatbox.oidc.pkce.codeChallenge | Functional (OIDC) |
| dydu.chatbox.auth.userInfo | Functional (OIDC/SAML) |
| dydu.chatbox.saml.auth | Functional (SAML) |
These trackers are essential for the visibility of the chatbox and the initiation of the chatbot.
At this point, two options are presented to the Client:
They can determine that the Dydu solution is essential to their online communication service (website, application, intranet, etc.) and allow the trackers to be placed automatically during the user’s first visit (without prior consent, but with the provision of information, see “STEP 5”);
Alternatively, they can determine that the Dydu solution is not essential and decide to require prior informed consent from the user for the placement of trackers. In this case, the client must identify and integrate the cookies into their TMS:
All other trackers being functional or exempt from prior consent, the user’s intention to use the chatbot will justify the placement of these cookies.
The Client can also distinguish in their TMS between functional cookies and statistical cookies to offer specific consent for each of these categories.
All of these tasks are the responsibility of the client, with Dydu only able to provide simple advisory support on these specific points. The client is solely responsible for their cookie management policy and the configuration of their TMS. Managing Dydu trackers in isolation would make no sense; the client must always centralize the management of their trackers within a common TMS tool for all the services they offer on their site or platform.
Nevertheless, Dydu ensures the proper visibility/detection of its trackers by the main TMS tools on the market (TARTEAUCITRON, DIDOMI, QUANTCAST, ONETRUST, COOKIEBOT). In the case of a TMS tool developed by the Client themselves, Dydu can assist the client in integrating or detecting their trackers through this tool.
PRACTICAL INFORMATION
The Client must ensure that their TMS tool complies with the following CNIL guidelines:
No placement of non-essential trackers without prior user consent (the simple continuation of browsing is not considered valid consent)
Refusal must be as easy as acceptance (if there is an "accept all" button, then a "reject all" button should be next to it)
Consent withdrawal must be possible easily and at any time
Respect for the user's right to information (purposes, duration, recipients, etc.)
Retention of a record of each consent (valid proof in case of an audit)
Step 5: Inform the user about the placement of trackers on their device
Regardless of the solution chosen by the client, they must always inform their users about the placement of cookies. If cookies are placed without prior user consent (essential for the functioning of the relevant services), this information can be provided based on their TMS or the privacy or cookie management policy.
The client must ensure that all Dydu trackers are included in their cookie management policy (or, if not, in their privacy policy). This user information is essential for the compliance of the Dydu service.
If the client designates Dydu cookies as non-essential, they must ensure that users are informed prior to any placement. This information must at a minimum cover the purposes of the trackers, their lifespan, and the "recipients."
Dydu supports the client in this information process and includes a default information notice/disclaimer on the homepage of its chatbots. This feature is offered in the new base version of the Dydu chatbox (CV5) and can be customized by the Client.
Attention!
Some clients using earlier versions have not yet chosen to include this information notice/disclaimer. Dydu reminds them that this feature is strongly recommended for transparency regarding the information processing implemented by the chatbot. A new communication will be sent to encourage them again to adopt this feature.
Here is an example of an information/consent notice on a Bot's homepage:

Dydu can also assist the client in drafting a customized information notice.
Dydu's Commitment
Dydu places the utmost importance on protecting individuals' privacy. For over 10 years, it has prioritized security and data protection, both within its teams and in choosing its technical partners. Therefore, it is committed to reassuring its clients through its cookie management policy. Dydu pledges to always collaborate with its clients to ensure that their tools comply with applicable standards, particularly the new CNIL guidelines dated September 17, 2020. It is also committed to continuously evolving its solutions to adapt to any legislative changes in this area (e.g., the adoption of the E-Privacy Regulation). Dydu, through its teams and particularly its DPO service, maintains constant monitoring on these topics to best support its clients in their compliance efforts. Today, as a service provider, Dydu declares and guarantees its commitment to collaboration (in the sense of Article 28 of the GDPR) in order to provide its clients with a tool that meets the requirements of the CNIL guidelines from September 17, 2020.
Learn More About Dydu Cookies
This document aims to provide the Client with an initial understanding of Dydu's commitments regarding the management of cookies for its solutions (Chatbot, Livechat, Voicebot, Callbot, etc.).
If you have any issues or need further information, please contact Dydu's Data Protection Officer at the following email address: [email protected].