Do I need to disclose Knock in my privacy policy?

Yes. Knock processes user identity data and notification preferences on your behalf, making it a data processor under GDPR and CCPA. You must disclose Knock's use, explain what data it accesses, and link to Knock Labs Inc.'s privacy policy. This transparency is required to comply with data processing regulations and user rights.

What specific data does Knock collect about my users?

Knock collects user identity and properties needed for routing notifications, notification content and templates you send, delivery status across channels (email, push, SMS, in-app), and user notification preferences and opt-outs. You control what user properties are shared; Knock recommends avoiding unnecessary PII in notification content to minimize sensitive data exposure.

Does Knock require a cookie consent banner?

Knock does not use cookies itself. However, if your website uses cookies for analytics or tracking alongside Knock notifications, you may need a consent banner under GDPR. Review your entire tech stack rather than Knock alone to determine cookie consent requirements.

Who is the data processor and where is my data stored?

Knock Labs Inc., based in the United States, is your data processor. User data is transferred to and stored in the U.S. Knock maintains SOC 2 Type II certification. Ensure your privacy policy discloses U.S.-based processing and include a Data Processing Agreement with Knock if required by GDPR or CCPA.

Push Notifications

Privacy policy clauses for Knock

Knock is a notification infrastructure platform that enables product teams to send targeted push notifications, in-app messages, and multi-channel communications to users. Websites use Knock to deliver timely notifications while managing user preferences and tracking delivery across channels.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Knock collects

Your privacy policy must disclose each of the following data types when you use Knock.

User identity and properties

Notification content and templates

Delivery status across channels

User notification preferences

When does Knock trigger privacy obligations?

Installation and data flow

The moment you integrate Knock's SDK into your product, you begin collecting and transmitting user identity data and notification preferences to Knock Labs Inc. (a U.S.-based processor). This triggers three immediate obligations:

GDPR (if your users include EU residents): You become a data controller; Knock becomes a processor. GDPR Article 28 requires a signed Data Processing Agreement (DPA) *before* data flows. Knock's standard DPA is available at https://knock.app/privacy. You must also provide GDPR Article 13/14 transparency notices disclosing that notification content, delivery metadata, and user preferences are stored by Knock.

CCPA (if users include California residents):

Privacy policy clauses for Knock

What data Knock collects

When does Knock trigger privacy obligations?

Installation and data flow

Where data goes

Common compliance pitfalls

Pitfall 1: Storing PII in notification templates without disclosure

Pitfall 2: Missing or outdated Data Processing Agreement

Pitfall 3: Conflating notification preferences with consent categories

Legal note

Sample privacy policy clause

What regulators look for

Audit priorities

Frequently asked questions

Do I need to disclose Knock in my privacy policy?

What specific data does Knock collect about my users?

Does Knock require a cookie consent banner?

Who is the data processor and where is my data stored?

Don't ship without Bandit.