OneSignal Help & Documentation

Welcome to the OneSignal New IA developer hub. You'll find comprehensive guides and documentation to help you start working with OneSignal New IA as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    Discussions

Handling Personal Data

Common questions about GDPR and handling data with OneSignal

OneSignal was built to be compliant with GDPR, CCPA and all your data privacy needs, even on our Free Plan! This guide will walk through all the options for handling user data.

If you need a DPA and Model Clauses for compliance purposes, please see our Paid Plans for details.


Data Handling Guide

The OneSignal SDK collects data once it is initialized on your app or website. See Data Collected by the OneSignal SDK for more information.

The data collected is generally not PII (Personally Identifiable Information), with the exception of any sensitive user information you pass to us as Data Tags.

This guide will go over how to use OneSignal without sending Personal User Data.

IP Address Collection

IP Addresses is typically not considered to be private, but in the EU and UK, it is considered personal data in some cases. For this reason, OneSignal will automatically not collect IP Addresses from all EU and UK Users.

If you wish to additionally prevent the storage of IP addresses from non-EU or UK users, you will need to contact [email protected] with each of your app's OneSignal App ID and first 5 digits of your REST API key for verification.

Personal Information Sent As Data Tags

OneSignal requires that you have appropriate consent for any data you send to us, including any personal data you may send to us as data tags or other fields.

For example, if you send us the user's email using the sendEmail method, or if you send us the user's phone number using sendTags, you must make sure you have all necessary consent to do so.

Some data is automatically collected by the OneSignal SDK. For example, on mobile devices, this typically includes the device's advertising id, purchases they have made in your app, the timezone setting of the device, and location data (if your app has location permission). A complete list of automatically-collected information is available here: Data Collected by the OneSignal SDK.

Each of these fields can be customized by modifying our SDK code to exclude the field, or using helper methods such as setLocationShared(false). Instructions and examples on each of these methods is available below.

Getting User Consent

In order to comply with GDPR or other regulations, you should make sure you appropriately disclose and get consent to send data to OneSignal.

For EU and UK GDPR compliance in particular, we recommend displaying a dialog to users and having them provide unambiguous consent for data to be shared with OneSignal (and any other services you send personal data to).

To simplify this process, we've introduced an optional method to each of our SDKs to delay initialization and prevent any data from being sent to OneSignal until the user has provided consent.

Your application should call this method before initialization of the SDK. If you pass in true, your application will need to call provideConsent(true) before the OneSignal SDK gets fully initialized.

Until this happens, you can continue to call methods (such as sendTags()), but nothing will happen.

The consent setting is persisted between sessions. This means that your application only ever needs to call provideConsent a single time, and the setting will be persisted (remembered) by the SDK.

πŸ“˜

A note for Wordpress clients

By default, the OneSignal WordPress plugin does not handle Personally Identifiable Information (PII) or EU and UKpersonal data, and does not have any built-in mechanisms for getting user consent. Clients that use OneSignal's Wordpress Plugin should work with their legal counsel for compliance recommendations specific to their company if there are any concerns.

Location Sharing

OneSignal provides a method to disable Location sharing within each mobile SDK.

SDK

Method

iOS Native

setLocationShared

Android Native

setLocationShared

Unity

setLocationShared

Xamarin

setLocationShared

Cordova

setLocationShared

Ionic

setLocationShared

Phonegap

setLocationShared

Intel XDK

setLocationShared

React Native

setLocationShared

Web Push

Never sends Location

Push Tokens

Push Tokens are generally not considered PII data because you can't share a push token with someone else and have it be used to reach that person or to determine anything about that person. We do however recommend disclosing to users in a privacy policy that data is shared with a 3rd party for the purposes of sending personalized or targeted notifications. But this would be true no matter what service you use.

Deleting User Data

See the Delete Users guide for more details on deleting user data.

Deleting Notification Data

Records of notifications that have been sent through OneSignal's dashboard can be deleted via the dashboard, but will otherwise be stored indefinitely unless you delete your OneSignal app.

Records of notifications sent through OneSignal's API will be deleted around 30 days of delivery.

Deleting Other Data

All other data is typically stored until your app is deleted. See Managing your Account for more information.

Updated a day ago



Handling Personal Data


Common questions about GDPR and handling data with OneSignal

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.