Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Airship is a customer engagement and CRM platform that orchestrates push notifications, SMS, email, in app messaging and web personalisation across the customer lifecycle. Operators integrate a JavaScript SDK on the website and a mobile SDK in the app to capture events, register push tokens, segment audiences and trigger automated journeys. Because Airship sets cookies, reads device identifiers and processes personal data on US infrastructure by default, it qualifies as a tracking technology under the ePrivacy Directive and as a high risk processing under the GDPR.
Airship is a customer engagement and CRM platform headquartered in Portland, Oregon. It allows brands to orchestrate push notifications, SMS, email, in app messages and web personalisation across the customer lifecycle. Operators integrate a JavaScript SDK on the website and a mobile SDK in the app to capture user events, register push notification tokens, build audience segments and trigger automated journeys based on behaviour.
Once consent is granted, the Airship web SDK sets a first party cookie that holds a pseudonymous channel identifier and reads the IP address, the user agent, the URL of the page, custom event names and parameters. On mobile, the SDK collects the device advertising identifier (IDFA, AAID), the application version, the OS version and the push notification token. Email campaigns include open and click trackers that fire pixels.
The Airship SDK writes and reads identifiers on the user device, which falls within Article 5(3) of the ePrivacy Directive. Prior, free, specific, informed and unambiguous consent is required before the SDK loads. The legal basis for marketing messages is consent under Article 6(1)(a) GDPR. Push notifications carrying advertising content also require consent under Article 13 of the ePrivacy Directive. The operator and Airship must sign a Data Processing Agreement.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
By default, Airship processes data on US infrastructure. EU customers can request EU data residency, which keeps customer profiles and event data within EU data centres but does not necessarily eliminate all transfers (operations, support, machine learning). Where data leaves the EEA, the transfer relies on the EU US Data Privacy Framework when Airship is certified, otherwise on Standard Contractual Clauses combined with a Transfer Impact Assessment.
Block the Airship SDK until consent is granted, integrate it with your CMP, request EU data residency in the contract, sign a Data Processing Agreement and SCCs with Airship, document the integration in your record of processing activities and your privacy notice, define a retention period for events and audience profiles, and set up a process to honour data subject access, deletion and objection requests within Airship.
EU based customer engagement platforms such as Batch, Selligent, Splio or open source push servers like Capacitor Push and ntfy keep data within the EEA. Server side journey orchestration with first party data and minimal device telemetry is also a privacy friendly approach.
Websites using Airship CRM must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is required because Airship enables systematic profiling of customer behaviour, processes large volumes of personal data including push tokens and email addresses, builds audience segments, and may transfer data to the United States. The DPIA must document the legal basis, the data flows, the role of Airship as processor, the EU data residency option, the SCC and DPF mechanisms and the safeguards against US government access.
Sample consent text
We use Airship to send personalised messages, push notifications and email campaigns. Airship stores cookies on your device, reads identifiers and may transfer personal data to the United States unless EU data residency is enabled. You can accept, refuse or withdraw your consent at any time in our privacy preferences.
Third-party domains contacted
airship.comurbanairship.comaaff.airship.comgo.urbanairship.comwallet.urbanairship.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ua_channel_id | first_party | 13 months | Pseudonymous Airship channel identifier used to recognise the visitor across sessions for behavioural messaging. |
| ua_consent | first_party | 12 months | Stores the user consent state for Airship messaging purposes. |
| ua_session | first_party | Session | Short lived session cookie used to scope the current visit for in app and web messaging. |
Airship CRM places tracking cookies for advertising — comply with GDPR using FlowConsent.
On the web, the Airship SDK sets a first party channel identifier cookie scoped to the publisher domain plus a consent state cookie. On mobile, Airship reads the IDFA on iOS, the AAID on Android and the FCM or APNs push notification token. Email campaigns embed open and click tracking pixels.
Yes. The Airship SDK writes and reads identifiers on the user device, which falls within Article 5(3) of the ePrivacy Directive. Marketing notifications and behavioural tracking also require consent under the GDPR. The SDK must remain blocked until consent is granted through your CMP.
For marketing channels (push, email, SMS) and behavioural tracking, the legal basis is consent under Article 6(1)(a) GDPR. For transactional messages tied to a contract, Article 6(1)(b) may apply. The operator must keep a granular consent record and offer easy withdrawal in the user preference centre.
By default yes. EU customers can opt for EU data residency, which keeps customer profiles and events in EU data centres. Even with EU residency, some support, analytics or machine learning operations may still involve US transfers. SCCs or the EU US Data Privacy Framework apply to the residual transfers.
Yes. Systematic profiling of customer behaviour, large scale processing of contact data, automated journeys and potential US transfers all trigger the DPIA obligation under Article 35 GDPR.
Block the SDK until consent is granted, request EU data residency, sign a DPA and SCCs with Airship, document the integration in your record of processing activities and your privacy notice, define retention periods, configure preference centres for granular opt out and forward data subject requests to Airship.
EU based customer engagement platforms such as Batch, Selligent, Splio or open source push servers like ntfy keep data within the EEA. Server side journey orchestration on first party data with minimal device telemetry is also a privacy friendly approach.
List the Airship channel cookie and the consent cookie with provider, purpose and retention. Mention the device identifiers used in app, the push token registration and the transfer to the United States or EU residency setup. Increment the policy version and prompt for fresh consent.