Does Realm require disclosure in our privacy policy?

Yes. Realm processes user data stored on devices and potentially synced to cloud servers, making it a material part of your data handling practices. You must disclose Realm's use, the data it handles, and whether cloud sync is enabled. This is required under GDPR, CCPA, and similar privacy regulations.

What specific data does Realm collect or process?

Realm stores and processes application data on the user's device. If Atlas Device Sync is enabled, this data is synchronized to MongoDB's cloud infrastructure. Realm itself does not collect personal identifiers, but the application data stored within it may contain personally identifiable information depending on your app's functionality.

Do we need a cookie consent banner for Realm?

No. Realm does not use cookies. However, if you enable cloud synchronization via Atlas Device Sync, you should still disclose this data transfer practice in your privacy policy and obtain necessary user consent under applicable privacy laws.

Who is the data processor for Realm, and where is data transferred?

MongoDB Inc., a United States-based company, operates Atlas and processes synced Realm data. If you use Atlas Device Sync, user data is transferred to and stored in MongoDB's U.S. infrastructure. You must include MongoDB Inc. in your list of data processors and ensure appropriate data transfer agreements are in place.

Database & ORM

Privacy policy clauses for Realm

Realm is a mobile-first embedded database that stores application data locally on users' devices with optional cloud synchronization through MongoDB Atlas. We use Realm to enable offline functionality and real-time data sync while maintaining data security and performance.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Realm collects

Your privacy policy must disclose each of the following data types when you use Realm.

Application data stored on device and/or synced to Atlas

When does Realm trigger privacy obligations?

Installation & Data Flow

Adding Realm to your app triggers privacy obligations immediately because Realm stores application data on-device and—critically—can sync that data to MongoDB Atlas in the cloud. Even if you initially use only local storage, the capability to sync means you must assume data will eventually leave the device.

Regulatory Thresholds

GDPR (if users are in EU/UK): Any personal data processed through Realm is subject to GDPR. This includes data at rest on device and in transit to Atlas. You must establish a lawful basis (Article 6) before sync occurs. If Realm processes children's data, GDPR Article 8 applies (parental consent required for under-16s in most EU states).

CCPA (California residents): If you collect personal information via Realm and share it with MongoDB (Atlas), MongoDB becomes a service provider under CCPA Section 1798.140(ag). You must execute a Data Processing Agreement with MongoDB and disclose that data is shared with them.

HIPAA (health data): Realm is HIPAA-eligible, but this is a *capability*, not automatic compliance. You must sign a BAA with MongoDB before any PHI touches Atlas.

First Steps

1. Document what data Realm stores

Privacy policy clauses for Realm

What data Realm collects

When does Realm trigger privacy obligations?

Installation & Data Flow

Regulatory Thresholds

First Steps

Where data goes

Common compliance pitfalls

Pitfall 1: Omitting MongoDB from Privacy Disclosures

Pitfall 2: Misconfiguring or Omitting Data Processing Agreements

Pitfall 3: HIPAA Without a Business Associate Agreement

Legal note

Sample privacy policy clause

What regulators look for

Key Audit Priorities

Frequently asked questions

Does Realm require disclosure in our privacy policy?

What specific data does Realm collect or process?

Do we need a cookie consent banner for Realm?

Who is the data processor for Realm, and where is data transferred?

Don't ship without Bandit.