
A live-chat product sits in a sensitive place. It can see the page a visitor is reading, the question they typed, the operator who replied, the file they attached, and the internal notes the team added later. If that data is handled casually, chat stops being a support tool and starts looking like a tracking layer. We do not want Convor to drift in that direction.
Collect less by default
The lazy product answer is to collect everything and sort it out later. That is convenient for dashboards and bad for trust. Operators need enough information to help: the current page, recent messages, declared contact details, useful tags, and sometimes a short browsing trail. They do not need every browser signal saved forever. The system should make the helpful path easy and the excessive path harder.
Convor keeps visitor continuity with a technical visitor record and browser fingerprint instead of treating an IP address as a customer identity. When a visitor provides an email or fills in a pre-chat form, that becomes explicit context. Before that, the product should be careful about what it claims to know.
Tenant boundaries cannot live only in the UI
Every conversation, message, visitor, webhook, upload, and setting belongs to an organization. The dashboard should show only the current organization, but the server has to enforce the same rule. Real-time channels need the same scoping. Webhook delivery needs it too. Multi-tenant privacy depends on boring checks repeated in the right places.
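An added sketch of those repeated checks, not Convor's own code: the session shape, the channel naming scheme, the sample data and every function name here are assumptions. It applies the same organization test on the HTTP lookup, the real-time subscription and webhook delivery.

```python
from dataclasses import dataclass

class NotFound(Exception):
    """Raised for missing AND cross-tenant records, so existence is not leaked."""

@dataclass(frozen=True)
class Session:
    user_id: str
    org_id: str  # set by the server at login, never read from the request

# Constructed sample data: two tenants, one conversation and one webhook each.
CONVERSATIONS = {
    "c1": {"org_id": "org_a", "subject": "Billing question"},
    "c2": {"org_id": "org_b", "subject": "Login problem"},
}
WEBHOOKS = [
    {"org_id": "org_a", "url": "https://hooks.example.test/a"},
    {"org_id": "org_b", "url": "https://hooks.example.test/b"},
]

def get_conversation(session: Session, conv_id: str) -> dict:
    """HTTP path: look up by id, then require the row to belong to the caller's org."""
    row = CONVERSATIONS.get(conv_id)
    if row is None or row["org_id"] != session.org_id:
        raise NotFound(conv_id)
    return row

def can_subscribe(session: Session, channel: str) -> bool:
    """Real-time path: channel names look like 'org:<org_id>:conversation:<id>'."""
    parts = channel.split(":")
    if len(parts) != 4 or parts[0] != "org" or parts[2] != "conversation":
        return False  # unknown channel shape: deny by default
    if parts[1] != session.org_id:
        return False
    # The id inside the channel must also resolve within the same org.
    row = CONVERSATIONS.get(parts[3])
    return row is not None and row["org_id"] == session.org_id

def webhook_targets(event: dict) -> list[str]:
    """Delivery path: an event only reaches webhooks owned by the event's org."""
    return [w["url"] for w in WEBHOOKS if w["org_id"] == event["org_id"]]
```

The third subscription case in practice is the one that UI-only scoping misses: a channel name carrying the caller's own organization prefix but another tenant's conversation id is still refused.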
GDPR flows have to be usable
An export that requires someone to write SQL by hand is not a proper export feature. A deletion path that leaves files or visitor context behind is not a proper deletion path. Convor has dedicated routes and services for access, export, erasure, and visitor data because these requests arrive under time pressure. The team should not be inventing the process when a customer is already waiting.
Audit logs are part of the same story. Administrators need to know who changed a security setting, exported data, deleted a record, or modified a webhook. Without that trail, privacy controls are hard to trust and even harder to investigate after the fact.
Retention is not one setting
A transcript, an upload, a typing signal, an audit log, and an analytics aggregate do not deserve the same lifetime. Some records are part of customer history. Some are temporary. Some need a cleanup job. Some may also exist in backups. Treating all data the same is simpler in code and worse in operations.
For customers, privacy-first should not feel like missing features. Operators still get useful context. Administrators get controls and auditability. Visitors can ask a question without creating an account. That is the balance we are aiming for: enough data to support the person, not enough to quietly profile them.
