Do I need to disclose Novu in my privacy policy?

Yes. Novu processes subscriber data to deliver notifications on your behalf, making it a data processor under GDPR and CCPA. You must disclose this service and explain how user notification preferences and delivery data are handled. This transparency is required to maintain compliance and user trust.

What specific data does Novu collect?

Novu collects subscriber identity information, notification preferences (channel choices like email or SMS), notification content, and delivery status records. If your notifications contain personally identifiable information (PII), Novu will process that content as well. The specific data depends on what you choose to send through the platform.

Does Novu require a cookie consent banner?

No. Novu does not use cookies for tracking or identification. However, if you're using Novu's cloud-hosted version, you should still disclose data storage practices in your privacy policy. Self-hosted deployments give you full control over data residency and processing.

Who is the data processor and where is data stored?

If you self-host Novu, you control data storage entirely. If you use Novu's cloud version, Novu acts as your data processor and stores subscriber data on their servers. You should verify Novu's data residency options and ensure a Data Processing Agreement (DPA) is in place before collecting user data.

Push Notifications

Privacy policy clauses for Novu

Novu is an open-source notification infrastructure platform that enables websites to send multi-channel notifications (email, SMS, push, in-app) to users. We use Novu to manage subscriber preferences and deliver targeted notifications while tracking delivery status.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Novu collects

Your privacy policy must disclose each of the following data types when you use Novu.

Subscriber identity and preferences

Notification content and delivery status

Channel preferences (email, SMS, push, in-app)

When does Novu trigger privacy obligations?

Installation and First Data Flow

Adding Novu to your application triggers immediate privacy obligations the moment you begin collecting subscriber identity data and notification preferences. Novu's core function—storing subscriber profiles, channel preferences (email, SMS, push, in-app), and notification content—means you are processing personal data as defined under GDPR Article 4(1) and CCPA Section 1798.100.

Applicable Regulations by Deployment

GDPR (EU/EEA users). If your app reaches EU residents, GDPR applies regardless of where Novu is hosted. You must establish a lawful basis (GDPR Article 6) for collecting subscriber identity and preferences—typically consent under Article 7 or legitimate interest under Article 6(1)(f). If you self-host Novu, you remain the controller; if you use Novu's cloud offering, you and Novu are joint controllers under Article 26, requiring a Data Processing Agreement (DPA).

CCPA (California users).

Privacy policy clauses for Novu

What data Novu collects

When does Novu trigger privacy obligations?

Installation and First Data Flow

Applicable Regulations by Deployment

Common compliance pitfalls

Pitfall 1: Forgetting to Name Novu in Privacy Policies and Consent Banners

Pitfall 2: Assuming Self-Hosting Eliminates Compliance Obligations

Pitfall 3: Storing Notification Content (Including PII) Without Specifying Retention Periods

Legal note

Sample privacy policy clause

What regulators look for

Primary Audit Flags

Sector-Specific Risk

Frequently asked questions

Do I need to disclose Novu in my privacy policy?

What specific data does Novu collect?

Does Novu require a cookie consent banner?

Who is the data processor and where is data stored?

Don't ship without Bandit.