Do I need to disclose Branch in my privacy policy?

Yes. Branch collects personal data including device identifiers, IP addresses, and install attribution information. Because it processes user data for attribution tracking, you must disclose Branch in your privacy policy and explain what data it collects and why. This is required under GDPR, CCPA, and other privacy regulations.

What specific data does Branch collect?

Branch collects device fingerprints and identifiers, IDFA (iOS) and GAID (Android) when available, IP addresses, user agents, deep link parameters, click data, and install attribution information. On iOS, Branch requires App Tracking Transparency (ATT) consent before accessing the IDFA. All of this data enables Branch to attribute app installs to specific marketing campaigns.

Does Branch require a cookie consent banner?

Branch does not use cookies. However, you still need consent for the data collection it performs, particularly IDFA/GAID collection on mobile and device fingerprinting. On iOS, ATT consent is legally required before Branch can access the IDFA. GDPR consent is also required in EU jurisdictions before any data processing begins.

Who processes Branch data and where is it stored?

Branch Metrics Inc., a United States-based company, acts as the data processor. Data is transferred to and processed in the United States. You can review Branch's full privacy practices at https://branch.io/policies/privacy-policy/. If you operate under GDPR, ensure you have an appropriate legal mechanism (such as Standard Contractual Clauses) in place for this US data transfer.

Deep Linking & Attribution

Privacy policy clauses for Branch

Branch is a mobile deep linking and attribution platform that tracks how users discover and install mobile apps. Websites and apps use Branch to understand which marketing campaigns drive installations, measure campaign performance, and route users to relevant in-app content based on their referral source.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Branch collects

Your privacy policy must disclose each of the following data types when you use Branch.

Device fingerprint and identifiers

Install attribution and referral source

Deep link parameters and click data

IDFA/GAID (when available)

IP address and user agent

When does Branch trigger privacy obligations?

Installation and Data Flow Start

Branch begins collecting data the moment its SDK is initialized in your app or integrated via web script. Specifically, Branch immediately captures:

–Device fingerprint (a compound identifier built from device properties, OS version, and user agent)
–

Common compliance pitfalls

1. Missing or Incomplete Data Processing Agreement (DPA)

The mistake: Deploying Branch without a signed DPA, or assuming Branch's generic privacy policy satisfies GDPR Article 28 obligations.

Why it happens: Many founders treat Branch as a simple analytics tool and don't realize that device fingerprinting and identifier collection make them a processor relationship, not a service provider. The standard Branch privacy policy is not a DPA.

Consequence: Direct GDPR non-compliance. Regulators treat missing DPAs as one of the first red flags in audits. Fines under GDPR Article 83 can reach 4% of global revenue. Additionally, you may face liability if Branch suffers a breach and you cannot demonstrate a contractual processor relationship.

2. Collecting IDFA or GAID Without Explicit Consent

The mistake: Initializing Branch on iOS without implementing Apple's ATT prompt, or not requesting Android's advertising ID consent under applicable frameworks (e.g., Google Play policies).

Why it happens: Developers often assume Branch "handles" this or that user-level OS permissions are sufficient. ATT is not an OS permission; it is a separate consent requirement for identifier use.

Consequence: App rejection or removal from the App Store, and violation of Google Play developer policies. GDPR also applies: IDFA/GAID is personal data; without consent (ATT on iOS), collection breaches GDPR Article 6(1)(a).

3. Ambiguous or Missing Privacy Policy Disclosure

The mistake: Listing Branch as "third-party analytics" without naming it specifically or explaining that it collects device fingerprints and install attribution data (not just session analytics).

Why it happens: Founders rely on boilerplate "analytics" language and don't review what Branch actually collects. Device fingerprinting is not commonly discussed in generic privacy policies.

Consequence: GDPR Article 13/14 violation (lack of transparency). Regulators and users cannot identify what Branch does. If a user exercises GDPR Article 17 (right to erasure) or CCPA Section 1798.105 (deletion), you cannot efficiently instruct Branch what to delete because your disclosure was vague.

Privacy policy clauses for Branch

What data Branch collects

When does Branch trigger privacy obligations?

Installation and Data Flow Start

First Concrete Step

Where data goes

Common compliance pitfalls

1. Missing or Incomplete Data Processing Agreement (DPA)

2. Collecting IDFA or GAID Without Explicit Consent

3. Ambiguous or Missing Privacy Policy Disclosure

Legal note

Sample privacy policy clause

What regulators look for

Primary Audit Focuses

Enforcement Precedent

Frequently asked questions

Do I need to disclose Branch in my privacy policy?

What specific data does Branch collect?

Does Branch require a cookie consent banner?

Who processes Branch data and where is it stored?

Don't ship without Bandit.