Cookie management policy
What is a cookie?
The "cookie" is a small computer file, categorized as a tracker, that is placed and read when visiting a website or a web or mobile platform, regardless of the type of device used (computer, smartphone, tablet, etc.).
Although "cookies" are frequently mentioned, it is more accurate to refer to the family of "trackers" which includes cookies and encompasses various types of small files installed on users' devices.
Trackers include, among others:
HTTP cookies and variables
Flash cookies
Invisible pixels or "web beacons"
The result of fingerprinting (the calculation of a unique machine identifier based on its configuration elements for tracking purposes)
Access to device information via APIs (LocalStorage, IndexedDB, advertising identifiers such as IDFA or Android ID, GPS access, etc.)
Any other identifier generated by software or an operating system (serial number, MAC address, unique device identifier – IDFV)
The use of these tools is subject to the consent of any user of an online communication service, as long as the trackers placed on their device are not strictly necessary for the operation of the communication service in question.
This key principle of the rights of online communication service users was established by Article 5(3) of Directive 2002/58/EC (amended in 2009) and transposed into French law by Article 82 of the Data Protection Act.
The notion of "consent" as outlined in these provisions, must be understood according to the definition and conditions set out in Articles 4(11) and 7 of the GDPR. It must therefore be freely given, specific, informed, and unambiguous, and the user must be able to withdraw it at any time, with the same ease with which it was given.
In order to clarify and explain the applicable law regarding the placement and reading of trackers on users' devices, the CNIL adopted guidelines on September 17, 2020.
What trackers are used by Dydu?
a- In the local storage:
All items are permanent unless the user clears their local storage.
dydu.botID
Bot identifier
Allows for retaining the bot's external identifier.
Permanent
dydu.botsByID
Identifiers of the different bots with which the user has conversed, attached to their conversation ID
Allows the chatbot to resume history / continue a conversation.
Permanent
dydu.servers
List of available servers for the API Servlet
Allows Channels to provide a list of servers for the CV5 preview. Stored by Channels and is only useful for Channels.
Permanent
dydu.isChannels
Information about where the chatbox is located
Allows Channels to inform the Chatbox (for example, in preview) whether it is located on Channels or not. If yes, the Chatbox will read the bot ID and the server list from dydu.botId and dydu.servers. Otherwise, it will read the bot ID and the server list from its packaged bot.json file.
Permanent
dydu.context
Dialogue context
Without context, the chatbot will treat each user message as a new conversation.
Permanent
dydu.dragon
Chatbox position
Retains the position of the chatbox after it has been moved on the web page where it is embedded.
Permanent
dydu.fontSize
To increase or decrease font size
Restores the font size used in the conversation area upon reloading.
Permanent
dydu.gdpr
GDPR
Stores the user's GDPR consent choice.
Permanent
dydu.locale
Bot language
Required for changing the bot's language.
Permanent
dydu.onboarding
Onboarding display
This value indicates whether the onboarding has already been viewed or skipped, so it is no longer displayed. It could have been a true or false value.
Permanent
dydu.open
Opening mode
Stores the chatbox opening mode (0: invisible, 1: minimized, 2: open, 3: full screen).
Permanent
dydu.secondary
Sidebar
Necessary during page refresh. Saves its display state to restore it when the page is loaded.
Permanent
dydu.space
Consultation space
Necessary for changing the consultation space during a conversation.
Permanent
dydu_PUSH_global
Related to page visit statistics
This stored value allows for calculating certain statistics related to the user's visit to the page and the display of the bot.
Permanent
dydu_PUSH_session
Number of pages viewed and the time elapsed since the last page viewed.
Necessary for statistics.
Permanent
dydu-oauth-token-access
Authentication (OIDC)**
Ensures that the user is authenticated with the identity provider.
Permanent
dydu-oauth-token-refresh
Authentication (OIDC)**
Grants the ability to regenerate a new authentication key.
Permanent
pkce
Authentication (OIDC)**
Allows for storing the redirect URL and the state used for authentication with the OIDC Provider.
Permanent
dydu-code-challenge
Authentication (OIDC)**
Allows for storing the calculated code_challenge for the authentication request with the OIDC Provider.
Persists as long as the connection with the OIDC Provider remains established.
dydu-code-verifier
Authentication (OIDC)**
Allows for storing the code_verifier sent for the code exchange and token refresh, calculated at the same time as the code_challenge.
Persists as long as the connection with the OIDC Provider remains established.
dydu.saml.auth
Authentication (SAML)**
Ensures that the user is authenticated with the SAML identity provider.
Permanent
dydu_clientId
User identifier (randomly generated)
Necessary for Client statistics and for identifying a returning user.
Permanent
dydu_lastvisitfor_XXXXX
Value of the user's last visit
The XXX corresponds to the bot ID, allowing multiple chatboxes to coexist on the same domain. This data is used to determine the number of unique visitors and to calculate a ratio of users interacting with the chatbox.
Permanent
dydu.islivechaton
Livechat***
Ensures the proper functioning of the live chat during tab changes, redirects, or page refreshes.
Permanent
dydu.operator
Livechat
It ensures the sending of surveys from the live chat.
Permanent
dydu.livechatType
Livechat
It allows for identifying the type of live chat connection.
Permanent
dydu.waintingQueue
Livechat
It indicates whether the user is in a queue or not.
Permanent
pushruleTrigger_xxx
pushpull
Ensures that the push rule is triggered only once per conversation.
Permanent
dydu.css
CSS Override
Allows Channels to add the CSS override from the editor in the preview for real-time display.
Permanent
dydu.main
Main Theme Color
Enables Channels to modify the main color of the chatbox in real time for immediate display in the preview.
Permanent
** Necessary if the chatbox is subject to SAML or OIDC authentication.
*** Necessary for the functioning of the live chat.
b- In session storage :
dydu.welcomeKnowledge
Welcome sentence
Triggering the welcome sentence upon opening the chatbox
Session duration
How to Manage Dydu Cookies?
Step 1: Identify the data controller
In accordance with Articles 24 and 28 of the GDPR, Dydu acts as a "subcontractor on behalf" of its client, the data controller. Therefore, the Dydu client is the data controller regarding the placement and reading of Dydu Bot cookies. The client must always be proactive in managing the cookies on their site, whether they are Dydu cookies or those from other integrated online communication services.
Nevertheless, in its capacity as a subcontractor, Dydu is committed to effectively collaborating with its clients by providing them with cookie management recommendations and ensuring that the tools it markets are easily configurable by its clients for compliant use with applicable cookie legislation.
Step 2: Identify the Trackers generated by the relevant Dydu solution
Cf : table in Part “What Trackers Are Placed by the Dydu Solution?” In section “a,” the trackers stored in local storage are described, and in section “b,” the trackers stored in session storage.
Step 3: Distinguish Cookies with or Without Consent
Under Article 82 of the "Informatique et Libertés" Law and according to the interpretation provided by the CNIL in its guidelines on cookies and trackers dated September 17, 2020, there are three types of trackers:
Trackers that are exempt from consent:
These are trackers that are strictly necessary for providing an online communication service explicitly requested by the user, or trackers that aim to enable or facilitate the transmission of communication by electronic means. These trackers do not require consent, but informing users about their use is recommended.
For the Dydu Chatbot Solution, the following trackers apply:
dydu.open
Functional
dydu.space
Functional
dydu.context
Functional
dydu.botID
Functional
dydu.locale
Functional
dydu.botsByID
Functional
pushruleTrigger_xxx
Functional
In the case of an OIDC or SAML connection, the following trackers are necessary for user authentication:
dydu-oauth-token-access
Functional (OIDC)
dydu-oauth-token-id
Functional (OIDC)
dydu-oauth-token-refresh
Functional (OIDC)
dydu.saml.auth
Functional (SAML)
In the case of using the DYDU live chat service, the following trackers are necessary for maintaining the live chat during web browsing:
dydu.islivechaton
Functional (Livechat)
dydu.operator
Functional (Livechat)
The client may also determine that the online communication service provided by Dydu as a whole (Chatbot, Live chat, Voicebot, etc.) is not essential to their website or platform. In this case, they must configure their TMS (Tag Management System) to ensure that the placement of Dydu cookies is subject to user consent, as outlined in “STEP 4” below.
Trackers requiring prior consent:
These are, in contrast, all trackers that do not fall within the aforementioned exemption. They may be related, for example, to the display of personalized advertising or social media sharing features. In the absence of consent, these trackers cannot be placed and/or read on the user's device.
For the Dydu chatbot solution, no tracker falls into this scenario.
The specific case of audience measurement or statistical trackers exempt from consent:
The CNIL acknowledges that traffic and/or performance statistics are "essential in many cases for the proper functioning of the site or application and therefore for the provision of the service." It exempts certain audience measurement cookies (statistics) from user consent provided that these trackers:
Have a purpose strictly limited to measuring the audience of the site or application (performance measurement, detection of navigation issues, optimization of technical performance or usability, estimation of server power required, analysis of viewed content), exclusively for the benefit of the publisher.
Serve to produce only anonymous statistical data.
For the Dydu chatbot solution, the following trackers apply:
DYDU_clientId
Statistics
DYDU_lastvisitfor_XXXXX
Statistics
DYDU_PUSH_global
Statistics
DYDU_PUSH_session
Statistics
In accordance with the CNIL guidelines, the aforementioned trackers are indeed used to produce purely anonymous statistics, which in no way allow for the identification or rendering identifiable of a user within the scope of this statistical processing*. They are also limited solely to measuring the audience of the Chatbot and establishing performance and traffic statistics for the Chatbot.
Regarding the exclusivity criterion of this functionality, Dydu expressly commits to never consulting or reusing the statistics generated from the placement and reading of these trackers for its own benefit. To formally establish this guarantee, Dydu provides the client with a specific written commitment in section "4. The Dydu Commitment" of this policy. This agreement may be attached directly to the contract between the client and Dydu.
However, the client may choose to go beyond Dydu’s and the CNIL’s recommendations and decide to require user consent for the statistical trackers of the Dydu tool. In this case, they must distinguish between functional trackers and statistical trackers in the configuration of their TMS, as outlined in “STEP 4” below.
*Important Note: In the context of certain client projects, the Dydu Solution may exceptionally operate following user authentication. In this case, if the authenticated user uses the Solution, their trackers will no longer necessarily be "anonymous" as they will be linked to a user ID (depending on the options chosen by the Client in the configuration of their project). To maintain the statistical tool of the solution in its anonymous version, Dydu provides the Client with a feature for the automatic anonymization of conversations. This anonymization can be immediate (recommended by Dydu) or at a specified deadline (not exceeding 30 days), with this dual choice remaining solely at the discretion of the Client, who is the data controller.
Step 4: Configure consent collection and tracker placement
The Dydu solution requires the placement of functional trackers. It cannot operate or be visible to the user without the prior placement of the following trackers:
dydu.isLivechatOn
Livechat off/on
dydu.context
Context of the dialogue
dydu.locale
Bot language
dydu.open
Opening mode
dydu.botsById
Conversation monitoring
In the case of an OIDC or SAML connection, the following trackers are necessary for user authentication:
dydu-oauth-token-access
Functional (OIDC)
dydu-oauth-token-id
Functional (OIDC)
dydu-oauth-token-refresh
Functional (OIDC)
dydu.saml.auth
Functional (OIDC)
These trackers are essential for the visibility of the chatbox and the initiation of the chatbot.
At this point, two options are presented to the Client:
They can determine that the Dydu solution is essential to their online communication service (website, application, intranet, etc.) and allow the trackers to be placed automatically during the user’s first visit (without prior consent, but with the provision of information, see “STEP 5”);
Alternatively, they can determine that the Dydu solution is not essential and decide to require prior informed consent from the user for the placement of trackers. In this case, the client must identify and integrate the cookies into their TMS:
All other trackers being functional or exempt from prior consent, the user’s intention to use the chatbot will justify the placement of these cookies.
The Client can also distinguish in their TMS between functional cookies and statistical cookies to offer specific consent for each of these categories.
All of these tasks are the responsibility of the client, with Dydu only able to provide simple advisory support on these specific points. The client is solely responsible for their cookie management policy and the configuration of their TMS. Managing Dydu trackers in isolation would make no sense; the client must always centralize the management of their trackers within a common TMS tool for all the services they offer on their site or platform.
Nevertheless, Dydu ensures the proper visibility/detection of its trackers by the main TMS tools on the market (TARTEAUCITRON, DIDOMI, QUANTCAST, ONETRUST, COOKIEBOT). In the case of a TMS tool developed by the Client themselves, Dydu can assist the client in integrating or detecting their trackers through this tool.
PRACTICAL INFORMATION
The Client must ensure that their TMS tool complies with the following CNIL guidelines:
No placement of non-essential trackers without prior user consent (the simple continuation of browsing is not considered valid consent)
Refusal must be as easy as acceptance (if there is a "accept all" button, then a "reject all" button should be next to it)
Consent withdrawal must be possible, easily, and at any time
Respect for the user's right to information (purposes, duration, recipients, etc.)
Retention of a record of each consent (valid proof in case of an audit)
Step 5: Inform the user about the placement of trackers on their device
Regardless of the solution chosen by the client, they must always inform their users about the placement of cookies. If cookies are placed without prior user consent (essential for the functioning of the relevant services), this information can be provided based on their TMS or the privacy or cookie management policy.
The client must ensure that all Dydu trackers are included in their cookie management policy (or, if not, in their privacy policy). This user information is essential for the compliance of the Dydu service.
If the client designates Dydu cookies as non-essential, they must ensure that users are informed prior to any placement. This information must at a minimum cover the purposes of the trackers, their lifespan, and the "recipients."
Dydu supports the client in this information process and includes a default information notice/disclaimer on the homepage of its chatbots. This feature is offered in the new base version of the Dydu chatbox (CV5) and can be customized by the Client.
--- Attention!
Some clients using earlier versions have not yet chosen to include this information notice/disclaimer. Dydu reminds them that this feature is strongly recommended for transparency regarding the information processing implemented by the chatbot. A new communication will be sent to encourage them again to adopt this feature.
Here is an example of an information/consent notice on a Bot's homepage:
Dydu can also assist the client in drafting a customized information notice.
Dydu's Commitment
Dydu places the utmost importance on protecting individuals' privacy. For over 10 years, it has prioritized security and data protection, both within its teams and in choosing its technical partners. Therefore, it is committed to reassuring its clients through its cookie management policy. Dydu pledges to always collaborate with its clients to ensure that their tools comply with applicable standards, particularly the new CNIL guidelines dated September 17, 2020. It is also committed to continuously evolving its solutions to adapt to any legislative changes in this area (e.g., the adoption of the E-Privacy Regulation). Dydu, through its teams and particularly its DPO service, maintains constant monitoring on these topics to best support its clients in their compliance efforts. Today, as a service provider, Dydu declares and guarantees its commitment to collaboration (in the sense of Article 28 of the GDPR) in order to provide its clients with a tool that meets the requirements of the CNIL guidelines from September 17, 2020.
Learn More About Dydu Cookies
This document aims to provide the Client with an initial understanding of Dydu's commitments regarding the management of cookies for its solutions (Chatbot, Livechat, Voicebot, Callbot, etc.).
If you have any issues or need further information, please contact Dydu's Data Protection Officer at the following email address: dpo@dydu.ai.
Last updated
