Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Xtremepush is an Irish customer engagement platform that combines web and mobile push notifications, in app messages, email, SMS and on site personalisation into a single audience and orchestration layer. It is widely used in iGaming, retail, banking and travel, with primary EU hosting and optional US region. For EU customers it raises GDPR and ePrivacy obligations on tracking cookies, push subscription consent and email or SMS marketing legal bases.
Xtremepush is an Irish customer engagement platform serving iGaming, retail, financial services and travel. It bundles web and mobile push notifications, in app messages, email, SMS, on site banners and an audience and journey builder. The web SDK is loaded as a JavaScript tag, the mobile SDK ships native iOS and Android libraries. The platform is hosted in the EU by default.
IP address, user agent, country, device platform, app version, language, customer identifier provided by the customer (often email hash or internal ID), push subscription token (APNs, FCM, Web Push), event stream (page views, custom events, transactions), audience memberships and message delivery and engagement logs.
Web SDK cookies and event streams fall under article 5(3) ePrivacy and need prior consent. Push notification subscriptions are a separate, explicit opt in granted by the browser or operating system. Email and SMS marketing must rest on consent or the soft opt in. Profiling for marketing automation needs to remain proportionate, especially in iGaming where vulnerable user protection is critical.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Block the Xtremepush web SDK behind a Consent Management Platform. Never auto trigger the browser push prompt: ask first with a soft prompt that explains the value, then trigger the native prompt only if the user agrees. Manage email and SMS consent through clearly labelled opt in checkboxes and offer a preference centre.
Customer data stays in EU regions for EU clients. Push delivery to iOS and Android devices involves Apple Push Notification service (US, with SCCs) and Firebase Cloud Messaging (US, with SCCs and EU US DPF). Document these transfers in your privacy notice and records of processing.
Sign the Xtremepush DPA, list APNs and FCM as sub processors, gate the web SDK behind consent, design a soft push prompt, document email and SMS lawful basis per segment, set conservative retention, run a DPIA where profiling is significant and audit segmentation logic to avoid discrimination.
Websites using Xtremepush must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Xtremepush profiles EU users at scale (especially in iGaming, lending or insurance), drives automated decisions, or processes special category data. Document segmentation logic, retention, push subscription flows, sub processors (APNs, FCM) and any US fallback region.
Sample consent text
We use Xtremepush to send web and mobile push notifications, in app messages, emails and SMS. Xtremepush stores its data on EU servers and only fires its tracking cookies once you accept marketing.
Third-party domains contacted
xtremepush.comwebpushr.xtremepush.comtracking.xtremepush.comcdn.xtremepush.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| xtremepush_id | persistent | 1 year | First party device identifier used by Xtremepush web SDK to recognise the visitor across sessions for behavioural events and audience membership. Requires consent. |
| xtremepush_sid | session | session | Session identifier used by Xtremepush web SDK to group events into a session. Requires consent. |
Xtremepush places tracking cookies for advertising — comply with GDPR using FlowConsent.
Xtremepush web SDK sets a first party device identifier cookie, a session cookie and writes localStorage entries to keep the push subscription and audience memberships across sessions. Mobile SDKs do not set browser cookies but persist a device identifier locally and a push token issued by APNs or FCM.
Yes for web tracking cookies and behavioural event streams. The browser or operating system native push prompt counts as the explicit subscription consent for push notifications. Email and SMS rely on consent or the soft opt in for existing customers.
Web tracking: consent under article 6(1)(a) GDPR and article 5(3) ePrivacy. Push subscriptions: the native browser or OS subscription. Email and SMS: consent or soft opt in. Profiling for personalisation should rely on consent for sensitive industries (iGaming, credit).
EU customer data sits in EU regions by default. Push delivery uses Apple APNs and Firebase Cloud Messaging in the US, covered by SCCs and the EU US Data Privacy Framework. A US region of Xtremepush is available for North American clients on request.
A DPIA is recommended in iGaming, lending, insurance, and any context with significant profiling or automated decisions. Document segmentation, retention, push flows, sub processors and the role of marketing automation in customer outcomes.
Sign the DPA, list APNs and FCM as sub processors, gate the web SDK behind a Consent Management Platform, use a soft push prompt, capture email and SMS opt in separately, set conservative retention and audit segments for fairness.
EU friendly alternatives include Braze (with EU data residency), Iterable (EU available), Insider (EU available), MoEngage (EU region), CleverTap (EU), Optimove (EU and UK), Selligent (now Marigold) and EU specific players like Notify and Batch (France).
List the Xtremepush web SDK cookies with vendor, purposes, retention and legal basis. Mention push subscription as a separate, OS managed opt in. Add APNs and FCM as transfer recipients for push delivery. Update on each platform release.