How and why we implement Intercom to only load when required (maintaining the privacy of our users)

At Spaces we’ve been looking into various ways of offering support. Intercom seemed to be a great solution, but we were surprised to see the lack of privacy, in that they record personal information for anyone who simply signs in by default.

The Intercom Rails gem collected user id, email, name, and signup date by default. We contacted them about how we could increase the privacy, and the response was, in short, that we had to use their API, with a far worse UX, if we could even get that to work in the first place.

Why this is a problem

We felt this was an unnecessary way of handling our users’ personal information, if not outright wrong. This kind of data should only ever be sent to a third party when the user actively seeks out help through that third party (thus actively accepting to share information, so that we can provide this service).

The 101 of privacy on the internet is to trust no one. It’s not a question of whether a company intentionally or unintentionally shares personal data. Any company can, and eventually will, fall into the grey zone of poor data handling. In particular, we’ve seen startups with little care for their customers’ personal information, and this is why we felt very uncomfortable when we discovered such data collection.

We encourage people to be suspicious of us at Spaces, because even with our best intentions we may, and probably will, make mistakes in handling our users’ information. It happens when trying to balance user experience with privacy. A good way of managing your privacy is to have an email alias to use when registering for services, instead of using your primary email. Obviously, Facebook and Twitter auth offer us more details, but as long as you take proper care of your information there as well, you should still be good.

A solution

This is how we did it in Rails 4.

This is the view for the Intercom code:

<% if current_user and current_user.permitted_sharing_intercom? %>
<script>
  window.intercomSettings = {
    name: "<%= escape_javascript current_user.name %>",
    email: "<%= escape_javascript current_user.email %>",
    created_at: "<%= escape_javascript current_user.created_at.to_i.to_s %>",
    app_id: "<%= escape_javascript Rails.application.secrets.intercom_app_id %>"
  };
</script>
<script>(function(){var w=window;var ic=w.Intercom;if(typeof ic==="function"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='https://widget.intercom.io/widget/<%= Rails.application.secrets.intercom_app_id %>';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);return s;}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}
    <% if local_assigns[:async_load] %>
        if(document.readyState==="complete"){
            var s = l();
            s.onload=function(){
                Intercom('show');
            }
            $("#intercom-share-launcher").remove();
        }
    <% end %>
    }})()</script>
<% else %>
<%= link_to permit_sharing_intercom_path, remote: true, id: "intercom-share-launcher", method: :post do %>
    <span></span>
<% end %>
<% end %>

As you can see, our user model has a method called permitted_sharing_intercom? that checks whether the user has already accepted sharing. Additionally, we’ve modified the Intercom JS a bit, so that the Intercom side panel shows up once loaded and the previous link is removed. In the controller we’re handling the AJAX call like this:

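def permit_sharing_intercom
  # Record the user's consent before any data is handed to Intercom.
  current_user.permit_sharing_intercom!

  respond_to do |format|
    # AJAX request: return the rendered Intercom view so the page can load it in place.
    format.json { render json: {
      success: true,
      html: render_to_string('layouts/_intercom', formats: ["html"], layout: false, locals: { async_load: true })
    } }
    # Non-AJAX fallback.
    format.all {
      redirect_to edit_user_registration_path
    }
  end
end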

This is the CoffeeScript we use to handle the link that permits sharing. It calls eval on the contents of each script element in the returned HTML. Please note that this might be a security issue, because eval runs whatever script the response contains, so be very aware of how you’re using it in your own situation.

$(document).ready =>
    $("#intercom-share-launcher").on("ajax:send", (e, data, status, xhr) ->
        $(this).addClass('ajax-loading')
    )
    $("#intercom-share-launcher").on("ajax:complete", (e, data, status, xhr) ->
        $(this).removeClass('ajax-loading')
    )
    $("#intercom-share-launcher").on("ajax:success", (e, data, status, xhr) ->
        div = document.createElement('div')
        div.innerHTML = data.html
        document.body.appendChild(div)
        for el in div.querySelectorAll("script")
            eval(el.innerHTML)
    )
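
One way to avoid the eval step, as an added example that is not Spaces' own code: the consent endpoint is assumed to return the Intercom settings as JSON under a hypothetical `settings` key instead of rendered HTML, and the client validates them and injects the widget script itself. The function names `buildIntercomSettings` and `loadIntercom` and the app id pattern are assumptions.

```javascript
// Added example, not Spaces' code. Assumes the consent endpoint returns
// {"success": true, "settings": {...}} as JSON instead of HTML with <script> tags.
const STRING_KEYS = ["app_id", "name", "email"];
const APP_ID_RE = /^[A-Za-z0-9]{1,32}$/; // assumed shape of an app id

// Copy only the expected fields out of the response and type-check each one,
// so nothing in the response is ever executed or passed on unchecked.
function buildIntercomSettings(payload) {
  if (!payload || payload.success !== true ||
      typeof payload.settings !== "object" || payload.settings === null) {
    throw new Error("consent response rejected");
  }
  const out = {};
  for (const key of STRING_KEYS) {
    const value = payload.settings[key];
    if (typeof value !== "string" || value.length === 0 || value.length > 254) {
      throw new Error("bad field: " + key);
    }
    out[key] = value;
  }
  if (!APP_ID_RE.test(out.app_id)) throw new Error("bad field: app_id");
  const createdAt = Number(payload.settings.created_at);
  if (!Number.isInteger(createdAt) || createdAt <= 0) {
    throw new Error("bad field: created_at");
  }
  out.created_at = createdAt;
  return out;
}

// Set window.intercomSettings as data, then load the widget from the fixed
// Intercom origin with a DOM-created script element; no eval() involved.
function loadIntercom(win, doc, payload) {
  const settings = buildIntercomSettings(payload);
  win.intercomSettings = settings;
  const script = doc.createElement("script");
  script.async = true;
  script.src = "https://widget.intercom.io/widget/" + encodeURIComponent(settings.app_id);
  script.onload = function () {
    if (typeof win.Intercom === "function") win.Intercom("show");
    const launcher = doc.getElementById("intercom-share-launcher");
    if (launcher) launcher.remove();
  };
  doc.head.appendChild(script);
  return script;
}
```

In the ajax:success handler, a call to `loadIntercom(window, document, data)` would take the place of the innerHTML and eval loop.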

Update (12th of Jan, 2015): We’ve removed Intercom from Spaces.

The Author

Dan Schultzer is an active, experienced entrepreneur who started the Being Proactive groups and the Dream Conception organization, among other things. You can find him on Twitter.

Comments? We would love to hear from you, write us at @dreamconception.