Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Pushub is a European web push notification platform that lets publishers and ecommerce sites re engage visitors through browser push messages.
Pushub is a web push notification platform aimed at media publishers, ecommerce sites and editorial brands. It runs on top of the Web Push standard, registers a service worker on the visitor browser and creates a subscription endpoint hosted by the browser vendor (Mozilla, Google, Apple). The publisher can then trigger desktop or mobile alerts that reach the user even after they leave the site.
Pushub stores the push subscription endpoint, the public encryption keys produced by the browser, the user agent, the IP address at delivery time, segmentation tags, browser and OS metadata and the click and dismiss events on each notification. The endpoint, although issued by the browser, behaves as a persistent device level identifier and qualifies as personal data under the GDPR.
Two layers of consent apply. The browser native permission prompt is the technical gate that allows the subscription. On top of that, the storage of the endpoint and the subsequent processing trigger Article 5(3) of the ePrivacy Directive and require informed consent under GDPR Article 6(1)(a). Soft prompts that pre qualify users before the native dialog must not pre check any opt in.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Trigger the Pushub script and the soft prompt only after the visitor has accepted marketing on the cookie banner. Make withdrawal as easy as opt in by exposing an in app preference page or a one click unsubscribe link. Honour the unsubscribe within a short period and document the timestamp.
Pushub itself runs in the European Union, but each push message is delivered through the browser vendor push service: Apple Push Notification service, Firebase Cloud Messaging or Mozilla autopush. These backends may transit through the United States, so the publisher must list these sub processors and rely on Standard Contractual Clauses or the EU US Data Privacy Framework for the transfer.
Sign a Data Processing Agreement with Pushub. List Pushub and the browser vendor push services in your privacy policy. Run a DPIA covering retention of subscriptions, segmentation profiles and cross border delivery. Cap inactivity windows and prune endpoints that have been silent for more than six to twelve months.
Websites using Pushub must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because web push tracks subscribers across sessions, captures IP at delivery time and creates a persistent device level identifier through the subscription endpoint.
Sample consent text
I agree to receive web push notifications from this site. The browser will create a subscription identifier that allows the site to send push messages until I revoke permission.
Third-party domains contacted
pushub.iocdn.pushub.iosw.pushub.ioapi.pushub.ioCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| pushub_subscription | indexeddb | persistent | Holds the Web Push subscription endpoint, public key and auth secret needed to deliver push notifications |
| pushub_segments | localstorage | 1 year | Stores the segmentation tags assigned to the subscriber for personalisation purposes |
| pushub_uid | http_cookie | 1 year | Anonymous identifier used by Pushub to count unique subscribers and measure click rates |
Pushub places tracking cookies for advertising — comply with GDPR using FlowConsent.
Pushub does not rely on classic third party cookies but does store a service worker registration, a push subscription endpoint and small operational entries in IndexedDB and localStorage. The endpoint is a persistent device level identifier and is treated as personal data under the GDPR.
Yes. Two layers apply: the native browser permission prompt for push and the GDPR plus ePrivacy consent that covers storage and processing. The publisher must collect informed opt in before triggering the Pushub script and the soft prompt.
Article 6(1)(a) GDPR (consent) is the only valid legal basis. The processing is direct marketing in nature and depends on a persistent device identifier, so legitimate interest is not appropriate.
Pushub itself runs in the European Union, but push delivery passes through APNs, FCM or Mozilla autopush, which may operate in the United States. The publisher must list these sub processors and rely on Standard Contractual Clauses or the EU US Data Privacy Framework for the transfer.
A DPIA is recommended. The platform tracks subscribers across sessions, captures IP at delivery time and creates a persistent identifier. Marketing scale and segmentation push the risk above the threshold defined by the EDPB criteria.
Load the script after consent is granted. Show a soft prompt before the native dialog, but never pre check it. Provide an in app preference page and a one click unsubscribe. Sign a Data Processing Agreement and document the IPN, FCM and Mozilla autopush sub processors.
OneSignal and Pushwoosh are global alternatives but raise the same compliance constraints. For lower risk, prefer email or SMS opt in flows or a self hosted Web Push stack relying directly on browser endpoints, where you control retention and segmentation.
List Pushub as a processor with the categories of data (subscription endpoint, IP, segmentation tags, click events), the purposes (re engagement, personalisation), retention, and the browser push sub processors. Provide an unsubscribe link and the right to withdraw at any time.