Does Kochava require disclosure in our privacy policy?

Yes. Kochava collects personal data including device identifiers, fingerprints, and location information, which requires explicit disclosure in your privacy policy. Additionally, Kochava was subject to an FTC settlement in 2023 regarding location data practices, making transparent disclosure particularly important for user trust and regulatory compliance.

What specific data does Kochava collect?

Kochava collects install and event attribution data, device identifiers and fingerprints, audience segments and cohorts, and location data when permitted by users. This data is used to attribute app installs to specific marketing campaigns and build behavioral audience profiles for advertising purposes.

Does Kochava require a cookie consent banner?

Kochava itself does not use cookies. However, if your integration with Kochava involves third-party ad networks or pixel-based tracking, those partners may require consent. Under GDPR and iOS App Tracking Transparency (ATT), you must obtain explicit user consent before Kochava processes identifiers and location data for tracking purposes.

Who processes data through Kochava and where is it stored?

Kochava Inc., a United States-based company, acts as a data processor. Data is transferred to and processed in the United States. You should ensure your Data Processing Agreement with Kochava includes standard contractual clauses (SCCs) for GDPR compliance and clearly document this transfer in your privacy policy.

Deep Linking & Attribution

Privacy policy clauses for Kochava

Kochava is a mobile attribution and audience management platform that tracks app installations, user events, and device behavior to measure marketing campaign performance and build targeted audience segments. We use it to understand which marketing channels drive downloads and user engagement.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Kochava collects

Your privacy policy must disclose each of the following data types when you use Kochava.

Install and event attribution

Device identifiers and fingerprints

Audience segments and cohorts

Location data (when permitted)

When does Kochava trigger privacy obligations?

Data flows and trigger points

Installing the Kochava SDK immediately begins collecting device identifiers (IDFA, Android Advertising ID, IP address) and fingerprinting data tied to app installs and in-app events. If your app has any location permission, Kochava will collect and process location data. This is not passive—attribution and audience segmentation require active transmission to Kochava's servers in the United States.

Regulatory scope

GDPR (EU/EEA users): Device identifiers and location data constitute personal data under GDPR Article 4(1). Processing requires a lawful basis (Article 6) and explicit opt-in consent for location under the ePrivacy Directive Article 5(3). Apple's App Tracking Transparency (ATT) requirement means iOS users must grant permission *before* Kochava collects IDFA; without it, you cannot use that identifier for attribution.

Privacy policy clauses for Kochava

What data Kochava collects

When does Kochava trigger privacy obligations?

Data flows and trigger points

Regulatory scope

First concrete step

Where data goes

Common compliance pitfalls

Pitfall 1: Omitting location data disclosure or consent

Pitfall 2: Missing or incomplete Data Processing Agreement

Pitfall 3: Inadequate consent management or using pre-ticked consent boxes

Legal note

Sample privacy policy clause

What regulators look for

DPA and FTC enforcement priorities

Frequently asked questions

Does Kochava require disclosure in our privacy policy?

What specific data does Kochava collect?

Does Kochava require a cookie consent banner?

Who processes data through Kochava and where is it stored?

Don't ship without Bandit.