Do I need to disclose RevenueCat in my privacy policy?

Yes. RevenueCat processes personal data on your behalf, making it a third-party data processor that must be disclosed in your privacy policy. GDPR and CCPA regulations require transparency about services collecting purchase history and device information from your users. Failure to disclose RevenueCat exposes you to regulatory penalties and violates user trust obligations.

What specific data does RevenueCat collect?

RevenueCat collects purchase history, subscription status, device information (including device identifiers and OS details), and customer IDs. This data is used to validate transactions, sync subscriptions across platforms, prevent fraud, and manage user entitlements. The data may include personally identifiable information when linked to user accounts.

Does RevenueCat require a cookie consent banner?

RevenueCat itself does not use cookies for tracking. However, if your app or website uses cookies for other purposes alongside RevenueCat, you must implement a compliant consent banner. RevenueCat's data processing still requires user consent or a lawful basis under GDPR and CCPA, even without cookies.

Who processes my data with RevenueCat and where is it stored?

RevenueCat Inc., based in the United States, acts as your data processor. Purchase and subscription data is transferred to and processed by RevenueCat's servers in the US. You should review RevenueCat's privacy policy at https://www.revenuecat.com/privacy for details on data retention, security practices, and international transfers.

Payments

Privacy policy clauses for RevenueCat

RevenueCat is a subscription management platform that handles in-app purchases and subscription billing across iOS, Android, and web platforms. Websites and apps use it to process, validate, and synchronize subscription data while managing customer access to paid features.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data RevenueCat collects

Your privacy policy must disclose each of the following data types when you use RevenueCat.

Purchase history

Subscription status

Device info

Customer ID

When does RevenueCat trigger privacy obligations?

RevenueCat is triggered the moment you integrate its SDK into your app or initialize it on your backend—no user action required. Installation immediately activates data collection: RevenueCat begins capturing device identifiers, subscription status, purchase history, and customer IDs and transmits them to RevenueCat Inc servers in the United States.

Regulatory triggers:

GDPR (EU/EEA users). If your app has any EU users, RevenueCat's collection and transmission of device info and customer IDs constitutes processing of personal data. This triggers GDPR Article 5 (lawfulness, fairness, transparency), Article 6 (legal basis for processing), and Article 13/14 (transparency obligations). You must document a lawful basis—typically legitimate interest or consent—and disclose RevenueCat specifically in your privacy policy before collection begins.

Privacy policy clauses for RevenueCat

What data RevenueCat collects

When does RevenueCat trigger privacy obligations?

Where data goes

Common compliance pitfalls

Omitting RevenueCat from privacy disclosures

Failing to establish a lawful basis or treating consent as automatic

Missing or incomplete Data Processing Agreements (DPA)

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Do I need to disclose RevenueCat in my privacy policy?

What specific data does RevenueCat collect?

Does RevenueCat require a cookie consent banner?

Who processes my data with RevenueCat and where is it stored?

Don't ship without Bandit.