Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Batch is a French customer engagement platform specialised in mobile push notifications, web push, in app messaging, email, and SMS orchestration. Founded in 2014 in Paris and serving major French and European brands (Auchan, Veepee, Total, Decathlon), it offers strict EU data residency with all data stored on OVHcloud servers in France. Push notification opt in requires explicit user consent under the GDPR and the ePrivacy Directive, with additional CNIL guidance on transactional vs. marketing notifications.
Batch is a French customer engagement platform founded in 2014 in Paris. It orchestrates mobile push notifications (iOS, Android), web push, in app messages, email, and SMS for major brands across France and Europe (Auchan, Veepee, Total, Decathlon, JC Decaux, M6). Batch is widely used as the French alternative to US push platforms such as Airship and OneSignal.
On the web, Batch is integrated via a JavaScript SDK (batch-sdk.js). On mobile, native SDKs handle the registration with the platform push services. All customer data is stored on OVHcloud infrastructure in Paris.
Batch processes the device push token (APNs, FCM, or web push endpoint), an internal installation identifier, app or browser metadata, language, timezone, and any custom attributes or tags the publisher passes (segments, language, plan, etc.). For mobile apps it can also collect approximate location if the publisher enables it.
Batch can also store custom event data (clicks on notifications, conversions, custom events) to power segmentation and analytics. Sensitive data (health, finance, political) should not be pushed into Batch custom attributes.
Push notifications fall under both Art. 6 GDPR (lawful basis for processing the push token and the related profile) and Art. 13 ePrivacy (unsolicited commercial communications). The CNIL has published specific guidance on push notifications: marketing pushes require prior, free, informed and specific consent, separate from any other consent given on the website or app.
Transactional pushes related to a service the user actively requested (delivery confirmation, password reset, security alerts) can rest on contract or legitimate interest. Marketing pushes always require opt in.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Batch stores all customer data on OVHcloud servers in Paris, France. No transfer outside the EU takes place for the core Batch platform, which is a clear advantage versus US competitors. A signed Data Processing Agreement with Batch SAS is mandatory.
However, the actual delivery of push notifications relies on Apple Push Notification service (APNs), Google Firebase Cloud Messaging (FCM), Microsoft Windows Notification Service (WNS) and browser vendors. These are US controlled platforms (Apple, Google, Microsoft) with their own transfer regime. This must be acknowledged in the DPIA and the privacy notice.
Sign the Batch DPA. Add Batch to your Records of Processing Activities as processor. Implement a clear two step consent for push: first an in app or in page invitation (with context), then the OS or browser prompt. Distinguish marketing from transactional notifications and document the basis for each. Avoid pushing sensitive data into Batch custom attributes.
Provide a preferences page that lets users disable individual notification categories. Document APNs, FCM, WNS, and browser push providers in your privacy notice as recipients of the push payload, with their US transfer regime.
Websites using Batch must obtain user consent under GDPR regulations.
DPIA considerations
Batch is a customer engagement platform processing identifiers, push tokens, and behavioural events. Key DPIA considerations: (1) push tokens (APNs, FCM, web push) link the user to Apple, Google or the browser vendor; this is independent processing by those operators with their own legal regime; (2) Batch builds customer profiles via custom data (custom audiences, segments) which can include personal data and even special category data if pushed by the publisher; (3) EU data residency at OVHcloud Paris significantly reduces transfer risk for the core platform; (4) the orchestration of push, in app, email, and SMS triggers multiple regulatory regimes (ePrivacy for electronic communications, GDPR for profiling, CNIL guidance on marketing); (5) recent CNIL enforcement against companies sending push without consent (Carrefour, others) demonstrates active scrutiny; (6) transactional push (delivery status, security alerts) can rely on legitimate interest or contract, but marketing push must rely on opt in consent.
Sample consent text
We use Batch to send you push notifications about new content, promotions, or service updates. With your consent, Batch processes your device push token (provided by Apple, Google or your browser) and your interactions with our notifications. Your data is stored in France on Batch infrastructure. You can disable push notifications at any time from your device settings or our preferences page.
Third-party domains contacted
batch.comws.batch.comsdk.batch.comvia.batch.comweb.batch.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ba_install_id | Functional | 1 year | Stores the internal Batch installation identifier on the web, used to associate the visitor with their push subscription and custom attributes. |
| ba_session | Functional | Session | Tracks the current Batch session for orchestration purposes between page loads. |
| ba_optin | Functional | 1 year | Stores the current push opt-in status to avoid prompting the user on every page view. |
Batch places tracking cookies for advertising — comply with GDPR using FlowConsent.
On the web, Batch sets functional cookies and localStorage entries to store an internal installation identifier and the push subscription state. On mobile, it relies on the platform push token (APNs token on iOS, FCM token on Android). Mobile push tokens are not cookies but they are personal data and require the same lawful basis analysis.
Yes for marketing pushes. Under Art. 5(3) ePrivacy, Art. 13 ePrivacy (unsolicited communications), and CNIL guidance, marketing pushes require prior, free, informed and specific consent, in addition to the OS or browser prompt. Transactional pushes related to a service the user actively requested can rely on contract or legitimate interest.
For marketing pushes: consent (Art. 6(1)(a) GDPR). For transactional pushes tied to a contract the user has entered (order confirmation, security alerts): contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)) with a balancing test. The basis must be documented for each notification category.
The core Batch platform stores all customer data in France on OVHcloud, with no transfer outside the EU. However, the delivery of push notifications relies on APNs (Apple, United States), FCM (Google, United States), WNS (Microsoft, United States) and the browser push services, which are US controlled. These onward transfers are inherent to the push ecosystem and must be disclosed in the privacy notice.
A DPIA is generally recommended for any large scale push deployment, especially when combined with segmentation based on personal data or special category data. The DPIA should cover the segmentation logic, the push token processing, the dependency on APNs / FCM / WNS, and the retention of push attribution data.
Sign the Batch DPA. Add Batch to your RoPA. Use a clear two step opt in (in app or in page invitation explaining the context, then the OS or browser prompt). Categorise notifications (marketing, transactional, transactional security) and ground each on the right legal basis. Avoid sending special category data into Batch attributes. Maintain a preferences page.
EU based alternatives: OneSignal (US but with EU storage options), Notify (France), Pushwoosh (originally Russia, now Estonia / UAE based, controversial). US based: Airship, Braze (also covers email and SMS), Iterable, Salesforce Marketing Cloud. Open source: NotificationHub (Azure), self hosted FCM / APNs. Batch differentiator is the native French residency.
On the web, list the Batch functional cookies (or localStorage entries) used for the push subscription, with provider (Batch SAS, France), purpose (push notification orchestration), lifetime and category (Functional). In the privacy notice, mention push token processing, the dependency on APNs / FCM / WNS, the French residency, and the user opt out mechanism.