How and why we implement Intercom to only load when required (maintaining the privacy of our users)

At Spaces we’ve been looking into various ways of offering support. Intercom seemed to be a great solution, but we were surprised by the lack of privacy: by default, it records personal information for anyone who simply signs in.

The Intercom Rails gem collected user id, email, name, and sign-up date by default. We contacted them to ask how we could increase privacy, and the response was, in short, that we would have to use their API with a far worse UX, if we could even get that to work in the first place.

Why this is a problem

We felt this was unnecessary, not to say outright wrong, handling of our users’ personal information. This kind of data should only ever be sent to a third party when the user actively seeks out help through that third party (thus actively accepting to share information, so we can provide this service).

The 101 of privacy on the internet is to trust no one. It’s not a question of whether a company intentionally or unintentionally shares personal data. Any company can, and eventually will, fall into the grey zone of poor data handling. In particular, we’ve seen startups with little care for their customers’ personal information, which is why discovering such data collection left such a bad taste in our mouths.

We encourage people to be suspicious of us at Spaces, because even with the best intentions we may, and probably will, make mistakes in handling our users’ information. It happens when trying to balance user experience with privacy. A good way of protecting your privacy is to use an email alias when registering at services, instead of your personal email. Obviously, Facebook and Twitter auth offers us more details, but as long as you take proper care of your information there as well you should still be good.

A solution

This is how we did it in Rails 4.

This is the view for the intercom code:

<% if current_user and current_user.permitted_sharing_intercom? %>
<script>
  window.intercomSettings = {
    name: "<%= escape_javascript current_user.name %>",
    email: "<%= escape_javascript current_user.email %>",
    created_at: "<%= escape_javascript current_user.created_at.to_i.to_s %>",
    app_id: "<%= escape_javascript Rails.application.secrets.intercom_app_id %>"
  };
</script>
<script>(function(){var w=window;var ic=w.Intercom;if(typeof ic==="function"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='https://widget.intercom.io/widget/<%= Rails.application.secrets.intercom_app_id %>';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);return s;}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}
    <% if local_assigns[:async_load] %>
        if(document.readyState==="complete"){
            var s = l(); // keep the script handle local instead of creating an implicit global
            s.onload=function(){
                Intercom('show');
            }
            $("#intercom-share-launcher").remove();
        }
    <% end %>
    }})()</script>
<% else %>
<%= link_to permit_sharing_intercom_path, remote: true, id: "intercom-share-launcher", method: :post do %>
    <span></span>
<% end %>
<% end %>

As you can see, our user has a method called permitted_sharing_intercom? that checks whether they have accepted beforehand or not. Additionally, we’ve modified the Intercom JS a bit, so that the Intercom side panel shows up once loaded and the previous link is removed. In the controller we’re handling the AJAX call like this:

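def permit_sharing_intercom
  # Record the user's explicit consent before any data goes to Intercom
  current_user.permit_sharing_intercom!

  respond_to do |format|
    # AJAX request: return the Intercom partial, rendered now that consent is stored
    format.json { render json: {
      success: true,
      html: render_to_string('layouts/_intercom', formats: ["html"], layout: false, locals: { async_load: true })
    } }
    # Non-AJAX fallback
    format.all {
      redirect_to edit_user_registration_path
    }
  end
end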

This is the CoffeeScript we use to handle the link to permit sharing. We call eval on each script element in the returned HTML. Please note that this might be a security issue, since eval executes whatever script the response contains, so be very aware of how you’re using it in your own situation.

$(document).ready =>
    $("#intercom-share-launcher").on("ajax:send", (e, data, status, xhr) ->
        $(this).addClass('ajax-loading')
    )
    $("#intercom-share-launcher").on("ajax:complete", (e, data, status, xhr) ->
        $(this).removeClass('ajax-loading')
    )
    $("#intercom-share-launcher").on("ajax:success", (e, data, status, xhr) ->
        div = document.createElement('div')
        div.innerHTML = data.html
        document.body.appendChild(div)
        for el in div.querySelectorAll("script")
            eval(el.innerHTML)
    )
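One way to avoid the eval noted above, as an added example that is not code from the original post: the client builds the widget script element itself from plain data. It assumes the JSON response carries a hypothetical `settings` object (name, email, created_at, app_id) instead of `html`; `sanitizeSettings` and `loadIntercom` are illustrative names, and `win`/`doc` are passed in so the logic can be exercised outside a browser.

```javascript
// Added example: consent-gated Intercom loader that never evals server output.
// Assumption: the server returns { settings: {...} } rather than rendered HTML.
const WIDGET_BASE = 'https://widget.intercom.io/widget/'; // URL used by the snippet in the view
const ALLOWED_KEYS = ['name', 'email', 'created_at', 'app_id'];

// Copy only the expected keys, and only primitive values, from the response.
function sanitizeSettings(raw) {
  const out = {};
  for (const key of ALLOWED_KEYS) {
    const value = raw ? raw[key] : undefined;
    if (typeof value === 'string' || typeof value === 'number') out[key] = value;
  }
  // The app id becomes part of a script URL, so restrict it to a safe alphabet.
  if (!/^[A-Za-z0-9_-]+$/.test(String(out.app_id || ''))) {
    throw new Error('unexpected app_id');
  }
  return out;
}

// Build the <script> element from data; nothing from the response is executed.
function loadIntercom(win, doc, rawSettings) {
  const settings = sanitizeSettings(rawSettings);
  win.intercomSettings = settings;
  // Queueing stub modelled on the one in the view's snippet, so calls made
  // before the widget has loaded are kept in stub.q.
  const stub = function () { stub.c(arguments); };
  stub.q = [];
  stub.c = function (args) { stub.q.push(args); };
  win.Intercom = stub;

  const script = doc.createElement('script');
  script.async = true;
  script.src = WIDGET_BASE + encodeURIComponent(settings.app_id);
  // Open the panel once the widget is ready, as the modified snippet does.
  script.onload = function () { win.Intercom('show'); };
  doc.head.appendChild(script);
  return script;
}
```

In the ajax:success handler this would be called as `loadIntercom(window, document, data.settings)` before removing the launcher link.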

Update (12th of Jan, 2015): We’ve removed Intercom from Spaces.

The Author

Dan Schultzer is an active experienced entrepreneur, starting the Being Proactive groups, Dream Conception organization, among other things. You can find him at twitter

Comments? We would love to hear from you, write us at @dreamconception.