Does Split require disclosure in a privacy policy?

Yes. Split processes personal data including user keys and attributes to evaluate feature flags and track user interactions. Under GDPR and CCPA, you must disclose this data collection and explain that Split acts as a data processor on your behalf. Include Split's name, the types of data collected, and a link to their privacy policy.

What specific data does Split collect?

Split collects user keys (identifiers), user attributes, feature flag evaluation results, and impression events that track which feature variants were shown to users. This data is used to determine feature eligibility and measure experiment performance. The user key is essential for Split to function and is sent during every split evaluation.

Does Split require a cookie consent banner?

No cookie consent banner is required for Split, as the service does not rely on cookies for its core functionality. However, you must still disclose Split's data collection in your privacy policy as it processes personal data through other mechanisms.

Who is the data processor for Split and where is data transferred?

Split Software Inc., based in the United States, is the data processor. Data is transferred to the U.S. for processing. Split maintains SOC 2 Type II compliance and supports data residency options, allowing you to request alternative data storage locations if needed for regulatory compliance.

Feature Flags & Experimentation

Privacy policy clauses for Split

Split is a feature flags and experimentation platform that enables websites to deliver features progressively, test variations with users, and measure performance. It collects user identifiers and behavioral data to determine which feature variants users experience and track experiment results.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Split collects

Your privacy policy must disclose each of the following data types when you use Split.

User key and attributes

Split evaluation results

Track events and impressions

When does Split trigger privacy obligations?

Split's SDK begins transmitting data the moment it initializes on your site or app. Specifically, Split sends a user key (which you provide—often a user ID, email, or anonymous identifier) plus any user attributes you've defined, along with impression events (which split the user was evaluated for) and optional track events to Split's US-hosted servers.

### Obligation thresholds

GDPR (EU/EEA users): If your app or website serves EU residents, Split's user key and attributes constitute personal data under GDPR Article 4(1). You must establish lawful basis (Article 6) before the SDK fires. If the user key is pseudonymous but can be linked back to a person (even with effort), it is still personal data. You need a Data Processing Agreement (DPA) with Split Software Inc. under GDPR Article 28.

Privacy policy clauses for Split

What data Split collects

When does Split trigger privacy obligations?

Where data goes

Common compliance pitfalls

Forgetting to disclose the user key and attributes in your privacy policy

Misconfiguring consent categories or forgetting to gate Split behind consent

Missing or unsigned DPA

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Does Split require disclosure in a privacy policy?

What specific data does Split collect?

Does Split require a cookie consent banner?

Who is the data processor for Split and where is data transferred?

Don't ship without Bandit.