Your privacy is important to us and maintaining your trust is one of our highest priorities. This Privacy Policy includes a description of our information practices, how we use tracking technologies, as well as the decisions you may make regarding how your information is collected and used.
California, the United Kingdom, and Singapore Employees, Job Applicants, Owners, Directors, Officers, and Contractors: If you are a resident of California, the United Kingdom, or Singapore and you are an employee, controlling owner, director, officer, or independent contractor of ours, see the Privacy Notice for California, the United Kingdom, and Singapore Company Workforce below. If you are a resident of California, the United Kingdom, or Singapore and a job applicant, see https://onesignal.com/job-privacy.
OneSignal, Inc. is a U.S. company located at 201 S. B Street, San Mateo, CA 94401 (“OneSignal,” “we,” “us,” and “our”).
OneSignal is a customer engagement platform for companies around the world to enable their relationships with (and communicate with) their customers. This is primarily done by leveraging first party data (the company’s data on their customers) to personalize and automate messaging by the company through various channels, such as email, SMS, mobile push notifications, web push notifications, and in-app messaging.
OneSignal collects this first party data through software development kits (“SDKs”) that companies use in their mobile applications and websites. These web and mobile SDKs permit app developers and website operators to send, manage, optimize and customize messages to their customers and users. All of our services are referred to collectively as our “Services,” and the app developers, website operators, business customers, partners and advertisers are referred to collectively as our “Clients.”
This privacy policy (the “Privacy Policy”) explains our personal information practices regarding:
- Our Clients’ end users and customers (“Client End Users”),
- Our Clients’, partners’, and vendors’ business representatives (e.g., their employees), and
- Users of our website(s), including any website on which this Privacy Policy is posted, which we separately describe in Section 4, below.
This Privacy Policy does not apply to any third-party sites or hosted services you may find or access through our website. This Privacy Policy also does not apply to our Clients’ data practices. If you submit personal information to any of those sites or services or to our Clients, your information will be governed by their privacy policies. We encourage you to carefully read the privacy policy of any site you visit or hosted service you use.
References to “personal information” in this Privacy Policy mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual or household.
Data Controller or Data Processor
OneSignal is primarily a data processor (or service provider) in relation to the Services we provide to our Clients, such as when a Client deploys our technology in order to collect, process or transfer their first party data. In some cases we operate as a data controller (or business) when we process personal information of our business contacts, employees, and representatives.
1. Changes to This Privacy Policy
We reserve the right, at our sole discretion, to modify this Privacy Policy or any portion thereof. Any changes will be effective from the time of publication of the new privacy policy. Your continued use of the Services after the changes have been implemented shall indicate your agreement with the terms of such revised privacy policy. Otherwise, and if the new privacy policy does not suit you, you must no longer use the Services. Where required by law we will notify you and/or obtain your consent.
If you have any questions regarding this Privacy Policy, please contact our Data Protection Officer at Privacy@OneSignal.com or at 201 S. B Street, Suite 200 San Mateo, CA 94401.
3. Our Data Practices on our SDKs
Categories of Information Collected About Client End Users by Our Web SDKs
- Identifiers such as:
- IP address
- Email address, if provided to us
- A unique cookie identifier, which may uniquely identify a Client End User
- Commercial information that we receive from our Clients or from our Clients’ use of our Services, such as:
- Information about Client End User’s transactions and interactions with apps and websites
- What push notifications have been sent to a Client End User
- Internet or other electronic network activity information, such as:
- Information about a Client End User’s browser, such as browser language type and version of operating system (e.g., Android, iOS); network provider; language setting; time zone
- Web pages visited that have implemented the SDK, and information about those visits (e.g., session duration, time-stamp, referring URLs)
- Geolocation data inferred from IP address
- Sensitive information provided or made available by our Clients
Categories of Information Collected About Client End Users by Our Mobile SDKs
- Identifiers such as:
- IP address
- Email address, if provided to us
- Mobile device or account identifiers which may be associated with other information, including inference data that Clients create on Client End Users
- Commercial information that we receive from our Clients or from our Clients’ use of our Services, such as:
- Purchases made within an app
- Information about Client End User’s transactions and interactions with the app
- Internet or other electronic network activity information, such as:
- Information associated with or related to devices, such as device type (e.g., mobile, tablet); type and version of operating system (e.g., Android, iOS); network provider; mobile browser (e.g. Safari, Chrome, etc.); language setting; time zone; and network status type (such as WiFi)
- How a user has used the App (e.g., session duration, time-stamp)
- Geolocation data inferred from IP address
- Precise Location information, generally a Client End User’s lat/long data (i.e., GPS-level data) or WiFi information, which we may associate with Mobile IDs, and which may be collected whether or not an app is in use. (Location information is only collected if the user has granted permission to the App to collect this, and the app chooses to send this data to OneSignal.)
- Sensitive information provided or made available by our Clients
Sensitive Information
We generally ask our Clients not to provide us with any sensitive information of the Client End Users. However, if they do provide us with sensitive information, then as a service provider to our Clients, we rely on our Clients to obtain consent (if required by applicable law) or provide opt out rights (if required by law) and to provide all rights to individuals as are required by applicable law, contract, or otherwise. Where applicable and required by law, we may enter into U.S. business associate agreements with our Clients for the processing of protected health information.
We refer to all of the above collectively as the “SDK Information.”
Sources of SDK Information
The categories of sources of the SDK Information include the following:
- Information provided by our Clients
- Information automatically collected from our Clients’ use of the Services
How We Use the SDK Information
We use the SDK Information on behalf of our Clients for the purpose of providing the Services to our Clients. This includes:
- To offer and support app and website features provided through the SDKs, including those related to push notifications. This includes, for instance, providing customer, technical and operational support for these features, detecting and protecting against errors, fraud, or other criminal activity; resolving disputes and enforcing our legal terms and other rights we may have. It also includes analyzing, customizing, and improving the features we offer Clients.
- To provide information and analytics to our Clients about the use of these app and website features provided through the SDKs, or to help Clients create or enhance user profiles of Client End Users.
- To enable Clients to create inferences about Client End Users. For instance, if SDK Information indicates that a particular device is frequently seen at restaurants, we might categorize a user for targeting of local restaurant offers. Or, if a user is frequently seen at sports stadiums, we might categorize the user as a “Sports Fan.”
- To develop and use “predictive models” which are data models that try to predict Client End Users’ potential future behavior and interests on a per-device basis or across devices.
- To analyze ad performance, for instance, by attributing Client End Users’ app installations, web visits, or store visits to ad campaigns.
- Sometimes, the SDK Information may be used to resolve identities across multiple devices, such as to match IP addresses or hashed emails to link a Client End User across (for instance) browsers, mobile devices, tablets, set top boxes, or other devices.
- Sometimes the SDK Information may be used to perform any of the above functions, or other marketing or analytics services. Or, we may aggregate and create data “models” to do this – creating algorithms in order to predict certain trends and things that different Client End Users might have in common.
We may deploy online cookies to track users across websites, or to associate users (and these cookies) with Mobile IDs. We may do this to resolve user identities across platforms, and to better or more accurately target messages. You can learn more about cookies and similar technologies, such as web beacons and SDKs, in the Section titled “Cookies, Pixel Tags and SDKs.”
We may also use the SDK Information for the following purposes:
- To explore a potential acquisition or sale of our business
- To prevent or stop activity that we may think is illegal; to protect our rights, privacy, safety or property, and that of you and others; to protect the security of our services or website; to comply with applicable law; to comply with legal process and our legal obligations; to respond to requests or requirements from public, law and government authorities and private parties; to enforce our terms; to allow us to pursue available remedies or limit potential damages; and to exercise or defend legal claims
- In other ways with your consent or at your direction
How We Disclose the SDK Information
We may disclose SDK Information to the following categories of third parties:
- Service Providers. We disclose the SDK Information on our Clients’ behalf to service providers, contractors and other companies to fulfill your orders, operate our business, communicate with you and make available our Services and this Website. These service providers may help us perform any of the activities set forth in Section 2. For instance, we may disclose certain of the information we collect or receive to companies that help us with billing and payment, marketing, advertising and email marketing, data enhancement (e.g., to provide more relevant offers), website hosting, technology and customer support, web and marketing analytics, anti-fraud or security operations, and other operational, marketing or business support.
- We likewise may disclose the SDK Information or data segments regarding a Client (for instance, related to push notifications they send) for that Client’s own advertising, analytics, or other purposes.
- Affiliates. We may disclose your information to our affiliates (e.g., our subsidiaries).
- Buyers and investors. We may disclose or transfer your personal information in connection with, or during negotiations of, any acquisition of our business, financing or similar transaction.
- Other third parties for legal purposes. We may also disclose your information if we believe it is required: (a) to prevent or stop activity that we may think is, or is at risk of being, illegal, unethical or legally actionable activity; (b) to protect our rights, privacy, safety or property, and that of you and others; (c) to protect our operations and the security of our services and website; (d) under applicable law; (e) to comply with legal process and our legal obligations; (f) to respond to requests or requirements from public, law and government authorities (including national security and law enforcement requirements) and private parties; (g) to enforce our terms and conditions; (h) to allow us to pursue available remedies or limit potential damages; and (i) to exercise or defend legal claims.
- Other ways with consent. We may disclose your personal information in other ways with your consent or at your direction.
California, Virginia, Colorado, Connecticut, and Utah Residents.
- We do not sell your personal information or share your personal information for cross context behavioral advertising or for targeted advertising purposes.
- We may create deidentified information as part of providing our Services. We commit to maintain and use deidentified information in deidentified form only and we will not attempt to reidentify the information, except we may attempt to reidentify the information solely for the purpose of determining whether our deidentification process satisfies our commitment above.
- We do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
4. Our Data Practices on the OneSignal Website(s)
OneSignal Website Information We Collect
We collect the following personal information from visitors of our website(s) (the “OneSignal Website Information”), including the website on which this Privacy Policy appears (“OneSignal Website(s)”):
- Identifiers that you disclose to us on the OneSignal Websites, such as name, email address, phone number, and other contact information. For example, you provide your personal information when you request information from us, fill out a form on our website, or interact with us in other ways.
- Internet or other electronic network activity information that is collected by automated mechanisms (e.g., with cookies, unique IDs, pixels and other locally stored objects), such as visitor interactions with the OneSignal Websites. (You can learn more about these technologies below in the Section titled “Cookies, Pixel Tags and SDKs”). We may use third-party services such as Google Analytics, in which case those third parties gather information such as your IP address, browser type, the webpage from which you came to our website, and the times of your access to the OneSignal Website. In addition, as you browse our website, advertising cookies may be placed on your computer so that we can understand what you are interested in. Our display advertising partners may then help us retarget ads to you on other sites based on your interactions with the OneSignal Website. To “opt out” of having your information used to tailor ads to you in this way by third party ad platforms that we may work with or provide data to, please review the Section below titled “Consumer Control and Opt Out Options” to learn how to opt-out of these services and instead receive generic, non-tailored ads. When we do use these types of third party advertising partners, we endeavor to limit and restrict their processing to acting solely as our service provider and data processor.
- Audio and electronic information of our Clients’, partners’, and vendors’ employees and other representatives in connection with business calls and business email communications.
- Professional or employment related information about our Clients’, partners’, and vendors’ employees and other representatives.
- Sensitive information, as defined under applicable law, which may include location data and account login data
Sensitive Information
If you are a California resident and you have created an online login account with us, your account login information may be treated as sensitive information under the California Consumer Privacy Act of 2018 (CCPA). The account is set up in your capacity as a representative of one of our Clients. We use that information at your specific request and to perform our services to the Client. We do not use sensitive information for the purpose of inferring characteristics about you. Also, we do not sell sensitive information and we do not process or otherwise disclose sensitive information for the purpose of behavioral advertising. You may ask us to delete this account information, but you will not be able to log in anymore on behalf of the Client.
Sources of OneSignal Website Information
The categories of sources of the SDK Information include the following:
- Information provided by you
- Information automatically collected from your use of the OneSignal Website
- Information collected in connection with our business relationship (e.g. interactions with you as a representative of one of our Clients, partners, or vendors)
How We Use the OneSignal Website Information
In addition to the uses described above, we use the OneSignal Website Information (alone or in combination) to provide, market, and operate the OneSignal Websites and Services. Among other things, by collecting the OneSignal Website Information, we are able to:
- Perform our contract obligations, including maintaining and offering access to the OneSignal Websites and Services and optimizing how they’re offered to our Clients.
- Send information about our products and services, including administrative and marketing communications.
- Respond to your questions, concerns, or customer service inquiries.
- Customize the content and advertising you see on the OneSignal Websites, across the Internet, and elsewhere.
- Explore a potential acquisition or sale of our business
- Prevent or stop activity that we may think is illegal; protect our rights, privacy, safety or property, and that of you and others; protect the security of our services or website; comply with applicable law; comply with legal process and our legal obligations; respond to requests or requirements from public, law and government authorities and private parties; enforce our terms; allow us to pursue available remedies or limit potential damages; and exercise or defend legal claims.
- Use your information in other ways with your consent or at your direction.
How We Disclose the OneSignal Website Information
We may disclose the OneSignal Website Information to the following categories of third parties:
- Service providers, such as third parties that help us to provide the OneSignal Websites or Services and make them available and functional (such as hosting services); entities that help us make available or transmit any information we hold (such as helping us send emails, process payments, and manage customer information); and entities that help us (including our contractors, agents, and affiliates) provide technical, customer, billing, administrative, event planning, marketing or operational services to us or our Clients.
- Corporate affiliates such as subsidiaries.
- A third party as part of a business sale, merger, consolidation, investment, change in control, transfer of substantial assets, reorganization or liquidation, or in connection with steps taken in anticipation of such an event (e.g., due diligence).
- A third party if we believe it is required: (a) to prevent or stop activity that we may think is, or is at risk of being, illegal, unethical or legally actionable activity; (b) to protect our rights, privacy, safety or property, and that of you and others; (c) to protect our operations and the security of our services and website; (d) under applicable law; (e) to comply with legal process and our legal obligations; (f) to respond to requests or requirements from public, law and government authorities (including national security and law enforcement requirements) and private parties; (g) to enforce our terms and conditions; (h) to allow us to pursue available remedies or limit potential damages; and (i) to exercise or defend legal claims.
- Other third parties with your consent or at your direction.
California, Virginia, Colorado, Connecticut, and Utah Residents.
- We do not sell your personal information or share your personal information for targeted advertising purposes.
- We may create deidentified information as part of providing our Services. We commit to maintain and use deidentified information in deidentified form only and we will not attempt to reidentify the information, except we may attempt to reidentify the information solely for the purpose of determining whether our deidentification process satisfies our commitment above.
- We do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
5. Cookies, Pixel Tags and SDKs
Cookies and Pixel Tags. Cookies are small data files containing a string of characters, such as an anonymous unique browser identifier. Cookies are stored on your computer or other device and act as unique tags that identify your device or browser. Our servers may send your device a cookie when you visit the OneSignal Websites, and our Clients and partners may do likewise on our OneSignal Websites, our Clients’ websites, and elsewhere. A pixel tag (also commonly known as a web beacon or clear GIF) is an invisible 1 x 1 pixel that is placed on certain web pages. When you access web pages on which a pixel tag is deployed, the pixel tag may generate a generic notice of the visit and permit OneSignal, our Clients or partners to set or read cookies. Pixel tags are used in combination with cookies to anonymously track the activity on a website by a particular browser on a particular device. If you disable cookies, pixel tags simply detect an anonymous website visit. OneSignal, alone or with our Clients and partners, may use cookies to, among other things, “remember” you (e.g., when you visit the OneSignal Websites or the websites of our Clients or partners), track trends, and collect information about how you use our Clients’ or partners’ websites or interact with advertising. We and partners we work with use cookies to provide relevant content to you and replace non-relevant ads with ads that better match your interests. We may sometimes use other locally stored objects in ways similar to how we use cookies. Often, these objects are deleted when you clear your browser cookie cache, but because this may not always occur (depending on the browser you use), we recommend that if you wish to opt out of notification features or third party interest-based advertising you instead follow the steps we have set forth in Section 7 titled “Consumer Control & Opt-Out Options.”
Mobile Device Identifiers and SDKs. We may use or work with partners who use mobile SDKs (including our own SDKs, which are described in more detail in this Policy) to collect information, such as mobile identifiers (e.g., IDFAs and Android Advertising IDs), and information related to how mobile devices and their users interact with our Services and those using our Services. The SDK is computer code that app developers can include in their apps to enable ads to be shown, data to be collected, and related services to be implemented. We may use this technology, for instance, to identify users through mobile applications and browsers based on information associated with your mobile device. We do not collect advertising identifiers such as IDFAs or Android Advertising IDs.
Social Media Widgets. The OneSignal Website may include social media features, such as the Twitter button, and widgets, such as the Share this button or interactive mini-programs. These features may collect your IP address, which page you are visiting on the website, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on the website. Your interactions with these features are governed by the privacy policy of the company providing it.
Do Not Track Signals. OneSignal currently does not respond to browser do not track (DNT) signals, so we may not be aware of, or may be unable to respond to, such signals.
Generally speaking, we retain the SDK Information and Website Information for as long as reasonably necessary to achieve our objectives as detailed in this Privacy Policy, and to comply with our legal obligations, resolve disputes and enforce our agreements. We may delete user information from certain apps that we deem as “inactive,” in line with applicable privacy laws and privacy best practices, and in response to requests from Clients and individuals. In general, “inactive” apps include apps with no recent messages sent or impressions made, no recent logins by accounts associated with the app, and/or no meaningful changes in user counts.
When considering the retention period for personal information, we consider the nature, sensitivity, and amount of the personal information, the potential risk of harm from unauthorized disclosure or use, and our legal, regulatory, tax, accounting and other similar obligations.
For customers on our free plan, we delete push subscribers that have not been active for the past 18 months. Push subscribers are considered dormant if the subscriber: (1) has not used the customer’s mobile app or visited the customer’s website in more than 18 months, or (2) OneSignal has not processed any data points for the subscriber in more than 18 months. For customers on active paid plans, their subscribers will be retained until the customer chooses to delete them.
We have reasonable administrative, technical, and physical safeguards in place in our physical facilities and in our computer systems, databases, and communications networks. These safeguards are designed to protect information from unauthorized or illegal access, destruction, use, modification, or disclosure and to protect the confidentiality, integrity, and accessibility of personal information. In addition, we are SOC 2 Type 2 certified and have a SOC 2 Type 2 report certifying that our security policies and controls meet industry standards. This report captures how we safeguard customer data and how well those controls are operating.
Note that no method of electronic transmission or storage is 100% secure and we cannot guarantee absolute security of personal information.
We do not knowingly collect personal information from anyone under the age of 18. Our services and our website are directed to and intended for people who are at least 18 years old or older. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from anyone under the age of 18 without verification of parental consent, we take steps to remove that information from our servers and databases.
If our Clients provide us with information about individuals under the age of 18, as a service provider we rely on our Clients to obtain consent (if required by applicable law) or provide opt out rights (if required by law) and otherwise to provide such rights to individuals and their parents or legal guardians as are required by applicable law, contract, or otherwise.
9. Third-Party Websites and Apps
We are not responsible for the privacy practices or disclosures of websites and applications that use our Services. Likewise, when you access the OneSignal Website, you may be directed to other websites that are also beyond our control. We encourage you to read the applicable privacy policies and terms and conditions of such third parties and websites, and the industry tools that we have referenced in this Privacy Policy. This Privacy Policy, however, only applies to the OneSignal Site and the Services.
10. European Data - Legal Grounds