# Cookie management policy

## What is a cookie?

The "cookie" is a small computer file, categorized as a tracker, that is placed and read when visiting a website or a web or mobile platform, regardless of the type of device used (computer, smartphone, tablet, etc.).

Although "cookies" are frequently mentioned, it is more accurate to refer to the family of "trackers" which includes cookies and encompasses various types of small files installed on users' devices.

Trackers include, among others:

* HTTP cookies and variables
* Flash cookies
* Invisible pixels or "web beacons"
* The result of fingerprinting (the calculation of a unique machine identifier based on its configuration elements for tracking purposes)
* Access to device information via APIs (LocalStorage, IndexedDB, advertising identifiers such as IDFA or Android ID, GPS access, etc.)
* Any other identifier generated by software or an operating system (serial number, MAC address, unique device identifier – IDFV)

The use of these tools is subject to the consent of any user of an online communication service, as long as the trackers placed on their device are not strictly necessary for the operation of the communication service in question.

This key principle of the rights of online communication service users was established by Article 5(3) of Directive 2002/58/EC (amended in 2009) and transposed into French law by Article 82 of the Data Protection Act.

The notion of "consent" as outlined in these provisions, must be understood according to the definition and conditions set out in Articles 4(11) and 7 of the GDPR. It must therefore be freely given, specific, informed, and unambiguous, and the user must be able to withdraw it at any time, with the same ease with which it was given.

In order to clarify and explain the applicable law regarding the placement and reading of trackers on users' devices, the CNIL adopted [guidelines](https://www.cnil.fr/sites/cnil/files/atoms/files/lignes_directrices_de_la_cnil_sur_les_cookies_et_autres_traceurs.pdf) on September 17, 2020.

## What trackers are used by Dydu?

#### **a- In the local storage:** 

All the elements of the localstorage have a maximum lifetime of 6 months (configurable by your CP/CSM, via the `application.localStorageKeepTimeInMs` key) from the last interaction with the chatbox, unless the user empties his localstorage manually.\
Almost all keys start with dydu.chatbox, and all can have a suffix linking a key/value to a chatbox (useful if several chatboxes are on the same page).\
For example, `dydu.chatbox.gdpr.preview` is a key used by the chatbox whose identifier is ‘preview’.

Last updated: 15 December 2025

<table><thead><tr><th width="174">ID</th><th>Function</th><th width="201">Purpose</th><th>Duration </th><th>Essentiel</th></tr></thead><tbody><tr><td>dydu.chatbox.client</td><td>User ID </td><td>Randomly generated, or fixed data depending on external connector/authentication<br>Enables conversations to be linked to a person</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.context</td><td>Identifier of the current conversation</td><td>Allows you to link user interactions or other variables to a conversation</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.cookies</td><td>Consent to the storage of cookies</td><td>Retains information about whether consent has been given for the storage of cookies. If so, the disclaimer will not be requested again</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox"></li></ul></td></tr><tr><td>dydu.chatbox.dragon</td><td>Position of the chatbox</td><td>Retains the position of the chatbox after it has been moved on the web page where it is embedded</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox"></li></ul></td></tr><tr><td>dydu.chatbox.fontSize</td><td>Font size</td><td>Selects the font size used in the conversation area</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox"></li></ul></td></tr><tr><td>dydu.chatbox.gdpr</td><td>Consent to Dydu's RGPD policy</td><td>Allows information to be retained about whether consent has been given for Dydu's RGPD policy. If so, the disclaimer will not be requested again</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox"></li></ul></td></tr><tr><td>dydu.chatbox.interaction.last</td><td>Date of last interaction (timestamp)</td><td>Used to remember when the last interaction took place. Used to purge the localStorage, or to check whether a conversation is still in progress</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.livechatType</td><td>Type of livechat currently used ***</td><td>Allows you to remember the type of livechat currently in use (websocket/polling). Necessary to switch from the bot to a human person</td><td>As long as livechat is active </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.locale</td><td>Bot language</td><td>Retains the current language of the bot and the conversation</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.onboarding</td><td>Onboarding display</td><td>Retains information about whether or not onboarding has been viewed, so that it is not displayed again</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox"></li></ul></td></tr><tr><td>dydu.chatbox.open</td><td>Opening mode</td><td>Stores the chatbox opening mode (0: invisible, 1: minimized, 2: open, 3: full screen).<br>Default: 1 (minimized)</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.operator</td><td>Identifier of the operator in discussion ***</td><td>Enables the livechat operator to be linked to the response to user questionnaires</td><td>As long as livechat is active </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.pushRules</td><td>Rules for pushrules, by bot and consultation space</td><td>Allows you to retain the rules of the various pushrules configured</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.pushRulesTriggered</td><td>Pushrules executed</td><td>Allows you to remember which pushrules have been executed, so that you don't have to re-execute them</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.sidebar</td><td>Sidebar display</td><td>Used to remember whether the sidebar is open or not, useful when browsing the site to leave it open</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox"></li></ul></td></tr><tr><td>dydu.chatbox.space</td><td>Consultation space</td><td>Holds the current consultation space for the conversation</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.visit</td><td>Date of user visit</td><td>Allows you to remember the date of the user's first visit, so that it is only recorded once for the purposes of counting the number of visitors to the bot</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.waitingQueue</td><td>User currently in the livechat queue ***</td><td>Retains information about whether the user is currently in the queue, allowing them to leave the queue manually</td><td>As long as livechat is active </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.welcomeKnowledge</td><td>Welcome content</td><td>Holds the content of the welcome for the duration of the conversation</td><td>Depending on configuration</td><td><ul class="contains-task-list"><li><input type="checkbox"></li></ul></td></tr><tr><td>dydu.chatbox.oidc.urls</td><td>Authentication (OIDC) **</td><td>Used to remember the different urls to call to obtain an accessToken</td><td><p>Depending on configuration</p><p></p></td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.oidc.idToken</td><td>Authentication (OIDC) **</td><td>Allows the idToken to be retained once the OIDC connection has been successfully made. Sent to Dydu APIs to verify OIDC connection</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.oidc.accessToken</td><td>Authentication (OIDC) **</td><td>Allows the accessToken to be retained once the OIDC connection has been successfully made. Sent to Dydu APIs to verify OIDC connection</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.oidc.refreshToken</td><td>Authentication (OIDC) **</td><td>Used to retain the refreshToken once the OIDC connection has succeeded. Used to refresh the accessToken</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.oidc.authData</td><td>Authentication (OIDC) **</td><td>Used to retain the redirection URL and the state used for authentication on the OIDC Provider</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.oidc.pkce.codeChallenge</td><td>Authentication (OIDC) ** </td><td>Used to retain the challenge code calculated for the authentication request on the OIDC Provider</td><td>Persists as long as the connection with the OIDC Provider remains established </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.oidc.pkce.codeVerifier</td><td>Authentication (OIDC) ** </td><td>Enables the code_verifier sent for code exchange and token refresh to be retained, calculated at the same time as the code_challenge</td><td>Persists as long as the connection with the OIDC Provider remains established </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.oidc.retry</td><td>Authentication (OIDC) **</td><td>Allows you to set the number of OIDC authentication attempts before stopping</td><td>Depending on configuration</td><td></td></tr><tr><td>dydu.chatbox.auth.userInfo</td><td>Authentication (OIDC/SAML) ** </td><td>Used to retain information about the logged-in user, in particular to use the email address as a clientId</td><td>Persists as long as the connection with the OIDC Provider remains established </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr><tr><td>dydu.chatbox.saml.auth</td><td>Authentication (SAML) **</td><td>Guarantees that the user is authenticated with the SAML identity provider</td><td>Depending on configuration </td><td><ul class="contains-task-list"><li><input type="checkbox" checked></li></ul></td></tr></tbody></table>

\*\* Necessary if the chatbox is subject to SAML or OIDC authentication.

\*\*\* Necessary for the functioning of the live chat.

#### **b- In session storage :**&#x20;

<table><thead><tr><th>ID</th><th>Function </th><th>Purpose </th><th>Duration</th><th data-type="checkbox">Essential</th></tr></thead><tbody><tr><td>dydu.chatbox.banner</td><td>Displaying the banner</td><td>Choose whether or not to display the chatbox banner</td><td>Session duration</td><td>false</td></tr><tr><td>dydu.chatbox.retry.lazy.refreshed</td><td>Try loading the chatbox again</td><td>Holds information about whether the chatbox needs to be reloaded following an error</td><td>Session, and deleted if chatbox successfully loaded</td><td>false</td></tr><tr><td>dydu.chatbox.server</td><td>Current Dydu server index</td><td>Allows you to remember which Dydu server the API calls are made to (nothing/0: main server, >0: backups)</td><td>Session duration</td><td>true</td></tr><tr><td>dydu.chatbox.oidc.nonce</td><td>Authentication (OIDC) **</td><td>Allows the last generated nonce to be retained if the option is enabled</td><td>Session duration</td><td>true</td></tr></tbody></table>

### How to Manage Dydu Cookies?

#### Step 1: Identify the data controller

In accordance with Articles 24 and 28 of the GDPR, Dydu acts as a "subcontractor on behalf" of its client, the data controller. Therefore, the Dydu client is the data controller regarding the placement and reading of Dydu Bot cookies. **The client must always be proactive in managing the cookies on their site**, whether they are Dydu cookies or those from other integrated online communication services.

Nevertheless, in its capacity as a subcontractor, **Dydu is committed** to effectively collaborating with its clients by providing them with cookie management recommendations and ensuring that the tools it markets are easily configurable by its clients for compliant use with applicable cookie legislation.

#### Step 2: Identify the Trackers generated by the relevant Dydu solution

Cf : table in Part “What Trackers Are Placed by the Dydu Solution?” In section “a,” the trackers stored in local storage are described, and in section “b,” the trackers stored in session storage.

#### Step 3: Distinguish Cookies with or Without Consent

Under Article 82 of the "Informatique et Libertés" Law and according to the interpretation provided by the CNIL in its guidelines on cookies and trackers dated September 17, 2020, there are three types of trackers:

1. **Trackers that are exempt from consent:**

These are trackers that are strictly necessary for providing an online communication service explicitly requested by the user, or trackers that aim to enable or facilitate the transmission of communication by electronic means. These trackers do not require consent, but informing users about their use is recommended.

For the Dydu Chatbot Solution, the following trackers apply:

|       Name of the tracker       |  Function  |
| :-----------------------------: | :--------: |
|       dydu.chatbox.client       | Functional |
|       dydu.chatbox.context      | Functional |
|  dydu.chatbox.interaction.last  | Functional |
|       dydu.chatbox.locale       | Functional |
|        dydu.chatbox.open        | Functional |
|      dydu.chatbox.pushRules     | Functional |
| dydu.chatbox.pushRulesTriggered | Functional |
|        dydu.chatbox.space       | Functional |
|        dydu.chatbox.visit       | Functional |

In the case of an OIDC or SAML connection, the following trackers are necessary for user authentication:

|          Name of the tracker         |        Function        |
| :----------------------------------: | :--------------------: |
|      dydu.chatbox.oidc.authData      |    Functional (OIDC)   |
|       dydu.chatbox.oidc.idToken      |    Functional (OIDC)   |
|     dydu.chatbox.oidc.accessToken    |    Functional (OIDC)   |
|    dydu.chatbox.oidc.refreshToken    |    Functional (OIDC)   |
|        dydu.chatbox.oidc.urls        |    Functional (OIDC)   |
|        dydu.chatbox.oidc.nonce       |    Functional (OIDC)   |
|        dydu.chatbox.oidc.retry       |    Functional (OIDC)   |
| dydu.chatbox.oidc.pkce.codeChallenge |    Functional (OIDC)   |
|  dydu.chatbox.oidc.pkce.codeVerifier |    Functional (OIDC)   |
|      dydu.chatbox.auth.userInfo      | Functional (OIDC/SAML) |
|        dydu.chatbox.saml.auth        |    Functional (SAML)   |

In the case of using the DYDU live chat service, the following trackers are necessary for maintaining the live chat during web browsing:

|    Name of the tracker    |        Function       |
| :-----------------------: | :-------------------: |
|   dydu.chatbox.operator   | Functional (Livechat) |
| dydu.chatbox.waitingQueue | Functional (Livechat) |
| dydu.chatbox.livechatType | Functional (Livechat) |

The client may also determine that the online communication service provided by Dydu as a whole (Chatbot, Live chat, Voicebot, etc.) is not essential to their website or platform. In this case, they must configure their TMS (Tag Management System) to ensure that the placement of Dydu cookies is subject to user consent, as outlined in “STEP 4” below.

2. **Trackers requiring prior consent:**

These are, in contrast, all trackers that do not fall within the aforementioned exemption. They may be related, for example, to the display of personalized advertising or social media sharing features. In the absence of consent, these trackers cannot be placed and/or read on the user's device.

> For the Dydu chatbot solution, no tracker falls into this scenario.

3. **The specific case of audience measurement or statistical trackers exempt from consent:**

The CNIL acknowledges that traffic and/or performance statistics are "essential in many cases for the proper functioning of the site or application and therefore for the provision of the service." It exempts certain audience measurement cookies (statistics) from user consent provided that these trackers:

* Have a purpose strictly limited to measuring the audience of the site or application (performance measurement, detection of navigation issues, optimization of technical performance or usability, estimation of server power required, analysis of viewed content), exclusively for the benefit of the publisher.
* Serve to produce only anonymous statistical data.

For the Dydu chatbot solution, the following trackers apply:

|   Name of the tracker  |  Function  |
| :--------------------: | :--------: |
|   dydu.chatbox.client  | Statistics |
|   dydu.chatbox.locale  | Statistics |
|   dydu.chatbox.space   | Statistics |
| dydu.chatbox.pushRules | Statistics |

In accordance with the CNIL guidelines, the aforementioned trackers are indeed used to produce purely anonymous statistics, which in no way allow for the identification or rendering identifiable of a user within the scope of this statistical processing\*. They are also limited solely to measuring the audience of the Chatbot and establishing performance and traffic statistics for the Chatbot.

Regarding the exclusivity criterion of this functionality, Dydu expressly commits to never consulting or reusing the statistics generated from the placement and reading of these trackers for its own benefit. To formally establish this guarantee, Dydu provides the client with a specific written commitment in section "4. The Dydu Commitment" of this policy. This agreement may be attached directly to the contract between the client and Dydu.

However, the client may choose to go beyond Dydu’s and the CNIL’s recommendations and decide to require user consent for the statistical trackers of the Dydu tool. In this case, they must distinguish between functional trackers and statistical trackers in the configuration of their TMS, as outlined in “STEP 4” below.

\**Important Note: In the context of certain client projects, the Dydu Solution may exceptionally operate following user authentication. In this case, if the authenticated user uses the Solution, their trackers will no longer necessarily be "anonymous" as they will be linked to a user ID (depending on the options chosen by the Client in the configuration of their project). To maintain the statistical tool of the solution in its anonymous version, Dydu provides the Client with a feature for the automatic anonymization of conversations. This anonymization can be immediate (recommended by Dydu) or at a specified deadline (not exceeding 30 days), with this dual choice remaining solely at the discretion of the Client, who is the data controller.*

#### **Step 4: Configure consent collection and tracker placement**

The Dydu solution requires the placement of functional trackers. It cannot operate without the prior placement of the following trackers:

|    Tracker name    |                   Function                  |
| :----------------: | :-----------------------------------------: |
| dydu.chatbox.visit | Date on which the user's visit was recorded |

Other cookies will be stored when the chatbox is opened:

|          Tracker name         |               Function               |
| :---------------------------: | :----------------------------------: |
|      dydu.chatbox.client      |        Customer ID generation        |
|      dydu.chatbox.context     |        Conversation identifier       |
|       dydu.chatbox.gdpr       |   RGPD Disclaimer validated or not   |
| dydu.chatbox.interaction.last |       Date of last interaction       |
|      dydu.chatbox.locale      | Language of the bot and conversation |
|    dydu.chatbox.onboarding    |        Onboarding past or not        |
|       dydu.chatbox.open       |          Chatbox open status         |
| dydu.chatbox.welcomeKnowledge |         Welcome cache storage        |

In the case of an OIDC or SAML connection, the following trackers are necessary for user authentication:

|                                      |                        |
| :----------------------------------: | :--------------------: |
|      dydu.chatbox.oidc.authData      |    Functional (OIDC)   |
|        dydu.chatbox.oidc.urls        |    Functional (OIDC)   |
|       dydu.chatbox.oidc.idToken      |    Functional (OIDC)   |
|     dydu.chatbox.oidc.accessToken    |    Functional (OIDC)   |
|    dydu.chatbox.oidc.refreshToken    |    Functional (OIDC)   |
|  dydu.chatbox.oidc.pkce.codeVerifier |    Functional (OIDC)   |
| dydu.chatbox.oidc.pkce.codeChallenge |    Functional (OIDC)   |
|      dydu.chatbox.auth.userInfo      | Functional (OIDC/SAML) |
|        dydu.chatbox.saml.auth        |    Functional (SAML)   |

These trackers are essential for the visibility of the chatbox and the initiation of the chatbot.

At this point, two options are presented to the Client:

1. They can determine that the Dydu solution is essential to their online communication service (website, application, intranet, etc.) and allow the trackers to be placed automatically during the user’s first visit (without prior consent, but with the provision of information, see “STEP 5”);
2. Alternatively, they can determine that the Dydu solution is not essential and decide to require prior informed consent from the user for the placement of trackers. In this case, the client must identify and integrate the cookies into their TMS:
   * All other trackers being functional or exempt from prior consent, the user’s intention to use the chatbot will justify the placement of these cookies.
   * The Client can also distinguish in their TMS between functional cookies and statistical cookies to offer specific consent for each of these categories.

All of these tasks are the responsibility of the client, with Dydu only able to provide simple advisory support on these specific points. The client is solely responsible for their cookie management policy and the configuration of their TMS. Managing Dydu trackers in isolation would make no sense; the client must always centralize the management of their trackers within a common TMS tool for all the services they offer on their site or platform.

Nevertheless, Dydu ensures the proper visibility/detection of its trackers by the main TMS tools on the market (TARTEAUCITRON, DIDOMI, QUANTCAST, ONETRUST, COOKIEBOT). In the case of a TMS tool developed by the Client themselves, Dydu can assist the client in integrating or detecting their trackers through this tool.

**PRACTICAL INFORMATION**

The Client must ensure that their TMS tool complies with the following CNIL guidelines:

* No placement of non-essential trackers without prior user consent (the simple continuation of browsing is not considered valid consent)
* Refusal must be as easy as acceptance (if there is a "accept all" button, then a "reject all" button should be next to it)
* Consent withdrawal must be possible, easily, and at any time
* Respect for the user's right to information (purposes, duration, recipients, etc.)
* Retention of a record of each consent (valid proof in case of an audit)

**Step 5: Inform the user about the placement of trackers on their device**

Regardless of the solution chosen by the client, they must always inform their users about the placement of cookies. If cookies are placed without prior user consent (essential for the functioning of the relevant services), this information can be provided based on their TMS or the privacy or cookie management policy.

The client must ensure that all Dydu trackers are included in their cookie management policy (or, if not, in their privacy policy). This user information is essential for the compliance of the Dydu service.

If the client designates Dydu cookies as non-essential, they must ensure that users are informed prior to any placement. This information must at a minimum cover the purposes of the trackers, their lifespan, and the "recipients."

Dydu supports the client in this information process and includes a default information notice/disclaimer on the homepage of its chatbots. This feature is offered in the new base version of the Dydu chatbox (CV5) and can be customized by the Client.

**--- Attention!**

Some clients using earlier versions have not yet chosen to include this information notice/disclaimer. Dydu reminds them that this feature is strongly recommended for transparency regarding the information processing implemented by the chatbot. A new communication will be sent to encourage them again to adopt this feature.

Here is an example of an information/consent notice on a Bot's homepage:

<figure><img src="https://264031769-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPMvi3Izk7dvjl9HitZpp%2Fuploads%2F88h1XCOJDUw51GpM8WEZ%2Fimage.png?alt=media&#x26;token=e9f600be-80c2-40da-80b8-78ae6ebf786e" alt="" width="188"><figcaption></figcaption></figure>

Dydu can also assist the client in drafting a customized information notice.

### **Dydu's Commitment**

Dydu places the utmost importance on protecting individuals' privacy. For over 10 years, it has prioritized security and data protection, both within its teams and in choosing its technical partners. Therefore, it is committed to reassuring its clients through its cookie management policy. Dydu pledges to always collaborate with its clients to ensure that their tools comply with applicable standards, particularly the new CNIL guidelines dated September 17, 2020. It is also committed to continuously evolving its solutions to adapt to any legislative changes in this area (e.g., the adoption of the E-Privacy Regulation). Dydu, through its teams and particularly its DPO service, maintains constant monitoring on these topics to best support its clients in their compliance efforts. Today, as a service provider, Dydu declares and guarantees its commitment to collaboration (in the sense of Article 28 of the GDPR) in order to provide its clients with a tool that meets the requirements of the CNIL guidelines from September 17, 2020.

**Learn More About Dydu Cookies**

This document aims to provide the Client with an initial understanding of Dydu's commitments regarding the management of cookies for its solutions (Chatbot, Livechat, Voicebot, Callbot, etc.).

If you have any issues or need further information, please contact Dydu's Data Protection Officer at the following email address: <dpo@dydu.ai>.