How Chameleon helps customers be GDPR compliant

How Chameleon fulfills its Data Processor responsibilities to customers to help you provide rights to your users.

Written by Chameleon Team
Updated this week

Chameleon is committed to privacy and security and is GDPR compliant as of May 25th, 2018. Learn more about our GDPR compliance here.

If you collect data about EU residents, you are likely to be considered a Data Controller under the new regulations. If you send that data to Chameleon, we become a Data Processor. 

We are committed to making it easier for you to comply by fulfilling our obligations to you and your users. 


Chameleon can help you inform users inside your product about changes to your terms or policies, and collect opt-ins for data usage. To learn more, see below.

To be compliant, companies have to provide the following rights to their users. If you receive a request from one of your users as per these rights, then Chameleon will help you fulfill it within our system. 

Note about identifying users

To identify users within Chameleon's system, the customer needs to provide Chameleon with the unique user identifier (uid). Chameleon does not automatically collect any PII and no PII needs to be shared with Chameleon. If no PII is being shared with Chameleon, Chameleon does not have any way of identifying an individual within its data. Using Identity Verification to encode user IDs sent to Chameleon also adds another level of dissociation between the user ID in the customer system and the user ID Chameleon has.

Individuals need to be informed about the collection and use of their personal data in a clear and transparent way. 

You can include the following information in your Terms & Conditions, your help articles, or wherever else you include information about how you use your user data when dealing with Chameleon: 

"We use Chameleon to help our users better learn our web application, using interactive product tours built with Chameleon. Chameleon provides an editor to build these tours, and also delivers them inside our application during their interaction. Chameleon does not automatically collect any personally identifiable information, and uses data we proactively send to Chameleon for the purposes of helping us deliver the right guidance to the right user at the right time. To learn more about Chameleon's security practices, cookie policies and regulatory compliance, please visit https://www.chameleon.io/security."

Individuals can request a copy of their personal data so they can be aware of / validate its lawful processing.

To download any user data, either email us at security@chameleon.io (from the email address associated with your Chameleon account) or download user data via this API.

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. 

To update or edit any user data, either email us at security@chameleon.io (from the email address associated with your Chameleon account) or send updated data via this API.

Individuals can request the deletion of their personal data if it is no longer necessary (for the original purpose) or they no longer consent. 

To delete any user data, either:

  • Email us at help@chameleon.io (from the email address associated with your Chameleon account).

  • Use our API to automatically delete users. Read more here.

🎯 If you want to delete multiple users with a CSV file via our API, you can use this gist.

We will automatically delete all user data for all accounts that have not been active for 1 year. This is part of our data retention policy as outlined here.

Individuals can request a restriction on the usage of their personal data (not erasure) if they believe it to be inaccurate or unlawfully processed.

If a user requests that their data not be sent to Chameleon, please do not call chmln.identify for their profile. Learn more about installing Chameleon here.

Individuals are entitled to obtain their personal data (in a commonly used format) to reuse for their own purposes across different services.

If you receive a data request for user data sent to Chameleon, please download it via this API and send it to your user. 

Individuals can object to their data being processed for direct marketing or research. 

Chameleon does not ever use the user data you send for direct marketing or research and will never sell that data to any other parties.

Companies can only leverage automated decision-making (without the involvement of individuals) that creates legal or similarly significant effects upon individuals in very limited and specific circumstances.

Chameleon does not make any automated decisions based on personal data that cause significant effects on individuals.

If you are an EU-based customer then you may need to sign a Data Processing Agreement with us. To do so, please email us at security@chameleon.io so we can send you a copy of this to sign. 

