You can use OneSignal and be GDPR compliant, even on our free plan! See Getting User Consent below and read this guide for best practices. If you would like a DPA and Model Clauses, please see our Paid Plan Benefits for details on signing up for a paid plan.
The OneSignal SDK collects data once it is initialized on your app or website. See Data Collected by the OneSignal SDK for more information.
The data collected is generally not PII (Personally Identifiable Information) with the exception of any sensitive user information you pass to us as Data Tags.
This guide will go over how to use OneSignal without sending Personal User Data.
IP Address is typically not considered to be private, but in the EU it is considered personal data in some cases. For this reason, OneSignal will automatically not collect IP Addresses from all EU Users.
If you wish to additionally prevent the storage of IP addresses from non-EU users, you will need to contact email@example.com with each of your app's OneSignal App ID and first 5 digits of your REST API key for verification.
OneSignal requires that you have appropriate consent for any data you send to us, including any personal data you may send to us as data tags or other fields. For example, if you send us the user's email using the
sendEmail method, or if you send us the user's phone number using
sendTags, you must make sure you have all necessary consent to do so.
Some data is automatically collected by the OneSignal SDK. For example, on mobile devices this typically include's the device's advertising id, purchases they have made in your app, the timezone setting of the device, and location data (if your app has location permission). A complete list is available here: Data Collected by the OneSignal SDK.
Each of these fields can be customized by modifying our SDK code to exclude the field, or using helper methods such as
setLocationShared(false). Instructions and examples on each of these methods is available below.
In order to comply with GDPR or other regulations, you should make sure you appropriately disclose and get consent to send data to OneSignal. For EU GDPR compliance in particular, recommend displaying a dialog to users and having them provide unambiguous consent for data to be shared with OneSignal (And any other services you send personal data to).
To simplify this process, we've introduced an optional method to each of our SDKs to delay initialization and prevent any data from being sent to OneSignal until the user has provided consent.
Your application should call this method before initialization of the SDK. If you pass in true, your application will need to call
provideConsent(true) before the OneSignal SDK gets fully initialized. Until this happens, you can continue to call methods (such as
sendTags()), but nothing will happen.
The consent setting is persisted between sessions. This means that your application only ever needs to call
provideConsent a single time and the setting will be persisted (remembered) by the SDK.
By default, the OneSignal WordPress plugin does not handle Personally Identifiable Information (PII) or EU personal data, and does not have any built-in mechanisms for getting user consent. Clients that use OneSignal's Wordpress Plugin should work with their legal counsel for compliance recommendations specific to their company if there are any concerns.
Deleting Notifications or Configuration Data
Records of notifications that have been sent through OneSignal's dashboard can be deleted via the dashboard, but will otherwise be stored indefinitely unless you delete your OneSignal app.
Records of notifications sent through OneSignal's API will be deleted within 30 days of delivery.
All other data is typically stored until your app is deleted.
Deleting User Data
If you need to delete all the data collected from a device and presently stored by OneSignal, you can use the API DELETE call for the player ID of the device. For more information on the OneSignal player ID and how to find it see our Player ID docs.
User data deleted in this way will be immediately prevented from being used by OneSignal or shared with OneSignal's partners. It will also be removed from OneSignal's servers and backups within 30 days. However, any non-EU data has been shared with OneSignals analytics or research partners (for clients that use OneSignal's free plan) may be kept by them for a longer duration.
Caution - This should be used sparingly and only when strictly necessary
If you delete a user, there is no way to recover them and it may cause issues with analytics and tracking. Please read our documentation on deleting users
curl --include \ --request DELETE \ --header "Authorization: Basic YOUR_ONESIGNAL_API_KEY" \ https://onesignal.com/api/v1/players/ONESIGNAL_PLAYER_ID?app_id=YOUR_APP_ID
Once you delete this user's device data, our SDK may re-collect this data when the device re-opens the app or website. To prevent this, you should not initialize the SDK on devices or pages for that user.