Does Firebase Crashlytics require disclosure in a privacy policy?

Yes. Firebase Crashlytics collects and processes user device data during crash events, which constitutes personal data under GDPR and CCPA. You must disclose its use in your privacy policy, explain what data is collected, identify Google LLC as the processor, and describe the user's rights regarding that data.

What specific data does Firebase Crashlytics collect?

Firebase Crashlytics collects crash logs containing stack traces, device information (model, OS version, RAM), app version, device identifiers, and the application state at the time of the crash. This data is tied to user sessions and can indirectly identify individuals when combined with other analytics data.

Does Firebase Crashlytics require a cookie consent banner?

No. Firebase Crashlytics does not use cookies. However, you must still obtain appropriate consent under GDPR if you're processing personal data from EU users. This may require consent before crash data collection begins, depending on your legal basis and data protection framework.

Who processes Firebase Crashlytics data and where is it stored?

Google LLC (United States) processes Firebase Crashlytics data as your data processor. Data is transferred to and stored on Google's servers in the US. Under GDPR, you must have Standard Contractual Clauses (SCCs) or equivalent safeguards in place for this US transfer, and users should be informed of potential US law enforcement access.

Error Tracking

Privacy policy clauses for Firebase Crashlytics

Firebase Crashlytics is Google's crash reporting service that automatically captures diagnostic data when mobile apps experience errors or crashes. App developers use it to identify, prioritize, and resolve stability issues affecting user experience.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Firebase Crashlytics collects

Your privacy policy must disclose each of the following data types when you use Firebase Crashlytics.

Crash logs

Device info

App state at crash time

When does Firebase Crashlytics trigger privacy obligations?

Firebase Crashlytics begins collecting data the moment its SDK is initialized in your app or website. It immediately captures crash logs, stack traces, device identifiers (including IDFA on iOS, Android Advertising ID), OS version, app version, and RAM/storage state—without requiring user action or crash to occur.

GDPR (EU/UK/similar): If your app has even one user in the EU, GDPR Article 6 requires a lawful basis for processing this personal data. Device identifiers and crash metadata constitute personal data under GDPR Article 4(1). You must establish consent (Article 7) or another lawful basis *before* the SDK runs. GDPR Article 13/14 requires you disclose Firebase Crashlytics, Google LLC as processor, and data types in your privacy notice. If you process children's data (under 16, or under 13 in some countries), GDPR Article 8 mandates parental consent.

CCPA (California): If your app collects data from California residents, CCPA Section 1798.100 grants users the right to know what personal information is collected. Device identifiers and diagnostic data qualify. You must disclose Firebase Crashlytics in your privacy policy and honor opt-out rights under Section 1798.120.

Privacy policy clauses for Firebase Crashlytics

What data Firebase Crashlytics collects

When does Firebase Crashlytics trigger privacy obligations?

Where data goes

Common compliance pitfalls

Forgetting to disclose Firebase Crashlytics in privacy policy

Collecting crash data without consent or lawful basis

Missing Data Processing Agreement (DPA) with Google

Sample privacy policy clause

What regulators look for

Frequently asked questions

Does Firebase Crashlytics require disclosure in a privacy policy?

What specific data does Firebase Crashlytics collect?

Does Firebase Crashlytics require a cookie consent banner?

Who processes Firebase Crashlytics data and where is it stored?

Don't ship without Bandit.