Do we need to disclose OneSignal in our privacy policy?

Yes. OneSignal processes personal data on our behalf, making it a data processor under GDPR and CCPA. You must disclose its use and explain what data is collected. This transparency is legally required and builds user trust regarding how we communicate with them.

What specific data does OneSignal collect?

OneSignal collects device tokens (unique identifiers for push delivery), user tags and segment assignments (for targeting), email addresses if voluntarily provided, and IP addresses. This data enables OneSignal to deliver notifications to the correct devices and segment users for targeted messaging campaigns.

Does OneSignal require a cookie consent banner?

No. OneSignal does not use cookies. However, under GDPR and CCPA, you must still obtain valid consent before collecting device tokens and other identifiers for push notification purposes, as these constitute tracking technologies. A consent mechanism is required even without cookies.

Who processes OneSignal data and where is it stored?

OneSignal Inc., a United States-based company, acts as our data processor. Data is transferred to and processed in the US. If you have users in the EU, ensure a lawful transfer mechanism (such as Standard Contractual Clauses) is in place between your organization and OneSignal.

Push Notifications

Privacy policy clauses for OneSignal

OneSignal is a push notification platform that enables websites and apps to send targeted messages to users across devices. We use it to deliver timely notifications based on user segments and behavior, improving engagement and communication with our audience.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data OneSignal collects

Your privacy policy must disclose each of the following data types when you use OneSignal.

Device token

Tags and user segments

Email (if provided)

IP address

When does OneSignal trigger privacy obligations?

Installation Triggers Immediate Obligations

The moment you integrate OneSignal's SDK into your app or website, you begin collecting and transmitting device tokens, IP addresses, and (optionally) email addresses and user tags to OneSignal Inc.'s US-based servers. This is a data processing relationship that triggers GDPR Article 6 (lawful basis), Article 14 (transparency), and CCPA Section 1798.100 (disclosure) obligations immediately—even before users interact with notifications.

Jurisdiction-Specific Thresholds

GDPR applies if: You have any EU users. The collection of device tokens + IP addresses for OneSignal constitutes processing of personal data under GDPR Article 4(1). No minimum user count threshold.

Privacy policy clauses for OneSignal

What data OneSignal collects

When does OneSignal trigger privacy obligations?

Installation Triggers Immediate Obligations

Jurisdiction-Specific Thresholds

First Concrete Steps

Where data goes

Common compliance pitfalls

Pitfall 1: Not Treating Device Tokens as Personal Data

Pitfall 2: Missing Email Disclosure in Privacy Policies

Pitfall 3: No DPA or Vague Processor Relationship

Sample privacy policy clause

What regulators look for

Audit Priorities

Frequently asked questions

Do we need to disclose OneSignal in our privacy policy?

What specific data does OneSignal collect?

Does OneSignal require a cookie consent banner?

Who processes OneSignal data and where is it stored?

Don't ship without Bandit.