Handling Personal Data
Common questions about GDPR and handling data with OneSignal
OneSignal was built to be compliant with GDPR, CCPA and all your data privacy needs, even on our Free Plan! This guide will walk through all the options for handling user data.
If you need a DPA and Model Clauses for compliance purposes, please see our Paid Plans for details.
Data handling guide
The OneSignal SDK collects data once it is initialized on your app or website. See Data Collected by the OneSignal SDK for more information.
The data collected is generally not PII (Personally Identifiable Information), with the exception of any sensitive user information you pass to us as Data Tags. Keep in mind that data that is linkable (such as first name or birthday) is still considered PII, even though it is non-sensitive. Clients dealing with PII need to have a Privacy Policy in place that states what they store.
This guide will go over how to use OneSignal without sending Personal User Data.
IP address collection
IP Addresses is typically not considered to be private, but in the EU and UK, it is considered personal data in some cases. For this reason, OneSignal will automatically not collect IP Addresses from all EU and UK Users.
If you wish to additionally prevent the storage of IP addresses from non-EU or UK users, you will need to contact support@onesignal.com with each of your app’s OneSignal App ID and last 5 digits of your REST API key for verification.
Mask personal identifiable information
Screenshot: User data obscured on the Subscriptions page of the OneSignal dashboard
Protect user privacy and reduce compliance risks by masking personally identifiable information (PII) such as emails and phone numbers. With PII masking, your team can work securely while still analyzing campaign performance and sharing insights across teams.
OneSignal automatically masks phone numbers and emails in the dashboard and any data exported directly from the platform. However, PII masking does not currently apply to data accessed via API requests, external IDs, or data tags.
PII masking is available exclusively for Enterprise customers and for Professional or Growth plan customers who have opted into the Security and Legal package. To enable PII masking, contact OneSignal Support or your dedicated Account Manager.
Personal information sent as data tags
OneSignal requires that you have appropriate consent for any data you send to us, including any personal data you may send to us as data tags or other fields.
For example, if you send us the user’s email address or phone number, you must make sure you have all necessary consent to do so.
Some data is automatically collected by the OneSignal SDK. A complete list of automatically-collected information is available here: Data Collected by the OneSignal SDK.
Each of these fields can be customized by modifying our SDK code to exclude the field, or using provided helper methods. Instructions and examples on each of these methods is available below.
Getting user consent
To assist with any compliance requirements, OneSignal has optional methods to delay initialization and prevent any data from being sent to OneSignal until the user has provided consent.
Your application can call these methods before the initialization of the OneSignal SDK to prevent data from being collected and anytime after the user provides consent to allow data collection. Until consent is provided, you can continue to call the SDK methods, but nothing will happen.
The consent setting is persisted between sessions. This means that your application only ever needs to collect consent by calling the provided method a single time, and the setting will be persisted (remembered) by the SDK.
Mobile SDKs
Click here for the mobile SDK method setConsentRequired
Web SDKs
Click here for the web SDK method setConsentRequired
Location sharing
OneSignal provides a method to disable Location sharing within each mobile SDK.
Mobile SDKs
Click here for the mobile SDK method setIsLocationShared()
Web SDKs
The web SDK does not send location
Push tokens
Push Tokens are generally not considered PII data because you can’t share a push token with someone else and have it be used to reach that person or to determine anything about that person. We do however recommend disclosing to users in a privacy policy that data is shared with a 3rd party for the purposes of sending personalized or targeted notifications. But this would be true no matter what service you use.
Deleting data
See the Delete Users guide for more details on deleting user data.
See the Delete Users guide for more details on deleting user data.
Records of messages sent through OneSignal’s dashboard can be deleted via the dashboard, but will otherwise be stored indefinitely unless you delete your OneSignal app.
Records of messages sent through OneSignal’s API will be deleted around 30 days after being sent.
All other data is typically stored until your app is deleted. See Managing your OneSignal Account for more information.
Handling Personal Data
Common questions about GDPR and handling data with OneSignal
OneSignal was built to be compliant with GDPR, CCPA and all your data privacy needs, even on our Free Plan! This guide will walk through all the options for handling user data.
If you need a DPA and Model Clauses for compliance purposes, please see our Paid Plans for details.
Data handling guide
The OneSignal SDK collects data once it is initialized on your app or website. See Data Collected by the OneSignal SDK for more information.
The data collected is generally not PII (Personally Identifiable Information), with the exception of any sensitive user information you pass to us as Data Tags. Keep in mind that data that is linkable (such as first name or birthday) is still considered PII, even though it is non-sensitive. Clients dealing with PII need to have a Privacy Policy in place that states what they store.
This guide will go over how to use OneSignal without sending Personal User Data.
IP address collection
IP Addresses is typically not considered to be private, but in the EU and UK, it is considered personal data in some cases. For this reason, OneSignal will automatically not collect IP Addresses from all EU and UK Users.
If you wish to additionally prevent the storage of IP addresses from non-EU or UK users, you will need to contact support@onesignal.com with each of your app’s OneSignal App ID and last 5 digits of your REST API key for verification.
Mask personal identifiable information
Screenshot: User data obscured on the Subscriptions page of the OneSignal dashboard
Protect user privacy and reduce compliance risks by masking personally identifiable information (PII) such as emails and phone numbers. With PII masking, your team can work securely while still analyzing campaign performance and sharing insights across teams.
OneSignal automatically masks phone numbers and emails in the dashboard and any data exported directly from the platform. However, PII masking does not currently apply to data accessed via API requests, external IDs, or data tags.
PII masking is available exclusively for Enterprise customers and for Professional or Growth plan customers who have opted into the Security and Legal package. To enable PII masking, contact OneSignal Support or your dedicated Account Manager.
Personal information sent as data tags
OneSignal requires that you have appropriate consent for any data you send to us, including any personal data you may send to us as data tags or other fields.
For example, if you send us the user’s email address or phone number, you must make sure you have all necessary consent to do so.
Some data is automatically collected by the OneSignal SDK. A complete list of automatically-collected information is available here: Data Collected by the OneSignal SDK.
Each of these fields can be customized by modifying our SDK code to exclude the field, or using provided helper methods. Instructions and examples on each of these methods is available below.
Getting user consent
To assist with any compliance requirements, OneSignal has optional methods to delay initialization and prevent any data from being sent to OneSignal until the user has provided consent.
Your application can call these methods before the initialization of the OneSignal SDK to prevent data from being collected and anytime after the user provides consent to allow data collection. Until consent is provided, you can continue to call the SDK methods, but nothing will happen.
The consent setting is persisted between sessions. This means that your application only ever needs to collect consent by calling the provided method a single time, and the setting will be persisted (remembered) by the SDK.
Mobile SDKs
Click here for the mobile SDK method setConsentRequired
Web SDKs
Click here for the web SDK method setConsentRequired
Location sharing
OneSignal provides a method to disable Location sharing within each mobile SDK.
Mobile SDKs
Click here for the mobile SDK method setIsLocationShared()
Web SDKs
The web SDK does not send location
Push tokens
Push Tokens are generally not considered PII data because you can’t share a push token with someone else and have it be used to reach that person or to determine anything about that person. We do however recommend disclosing to users in a privacy policy that data is shared with a 3rd party for the purposes of sending personalized or targeted notifications. But this would be true no matter what service you use.
Deleting data
See the Delete Users guide for more details on deleting user data.
See the Delete Users guide for more details on deleting user data.
Records of messages sent through OneSignal’s dashboard can be deleted via the dashboard, but will otherwise be stored indefinitely unless you delete your OneSignal app.
Records of messages sent through OneSignal’s API will be deleted around 30 days after being sent.
All other data is typically stored until your app is deleted. See Managing your OneSignal Account for more information.