Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
AppsFlyer is an Israeli mobile measurement partner (MMP) providing attribution, deep linking, deduplication and analytics for mobile apps.
AppsFlyer is an Israeli mobile measurement partner founded in 2011 and used by a majority of leading app publishers worldwide. The SDK is embedded in iOS and Android apps to attribute installs and in app events to specific ad campaigns, deduplicate across networks, support deep linking and detect fraud. It acts as a neutral third party between advertisers and ad networks, offering server to server postbacks rather than requiring shared cookies.
AppsFlyer processes advertising identifiers (IDFA on iOS, GAID on Android), the AppsFlyer ID generated at first launch, IP address, device model, OS version, locale, install referrer and a configurable set of in app event payloads. Where the advertising ID is unavailable, it can fall back on probabilistic matching using IP and timestamp, although this is subject to platform restrictions and SDK configuration.
Accessing the advertising identifier is processing of personal data under GDPR and access to information stored on the device under Article 5(3) ePrivacy, both requiring consent. On iOS, App Tracking Transparency further requires an explicit prompt before AppsFlyer can access the IDFA. On Android, the Play Console Data Safety section and the Digital Markets Act compliant Play Install Referrer add layered obligations. The publisher is the data controller; AppsFlyer is generally a data processor under its DPA.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The SDK must be initialised in non personalised mode until consent is obtained, using AppsFlyer Consent Manager or manual stop/start methods. For users who refuse, attribution must rely solely on the SKAdNetwork or Privacy Sandbox aggregate APIs, without device level data. The consent flow must be specific (attribution and advertising), informed (purposes and partners), and revocable from app settings.
AppsFlyer offers an EU data centre in Frankfurt, with additional infrastructure in the United States and India. Israel benefits from an EU adequacy decision, US transfers can rely on the Data Privacy Framework where the recipient is certified, otherwise on Standard Contractual Clauses with supplementary measures. Document the regions used for your account and ensure the SDK posts to the EU endpoint where data residency is required.
Activate the AppsFlyer Consent Manager, configure the SDK with start() guarded by consent, choose the EU data centre, sign the DPA, minimise the events sent and document them, run a DPIA, integrate the consent state into your iOS ATT prompt and Android consent flow, and align your app store privacy declarations with what the SDK actually collects.
Websites using AppsFlyer must obtain user consent under GDPR regulations.
DPIA considerations
AppsFlyer involves large scale collection of device identifiers, fingerprinting signals and event level data, with transfers to Israel, the United States and India. A DPIA is appropriate. Consider the impact of probabilistic attribution, fraud signals and the necessity of each event passed to the SDK, and map data flows to ad networks.
Sample consent text
We use AppsFlyer to measure how you found our app and to optimise our campaigns. This requires access to your advertising identifier. You can accept, refuse or change your choice at any time in our settings.
Third-party domains contacted
appsflyer.comapp.appsflyer.comevents.appsflyer.comonelink.melaunches.appsflyer.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| IDFA | third_party | persistent | Apple advertising identifier read by the AppsFlyer iOS SDK after the ATT prompt, used for install attribution and in app event tracking. |
| GAID | third_party | persistent | Google advertising identifier read by the AppsFlyer Android SDK, used for install attribution and in app event tracking. |
| AppsFlyer ID | third_party | persistent | Internal AppsFlyer device identifier generated on first launch and stored on device, used for deduplication and cross campaign analytics. |
| OneLink | third_party | session | Used in deep links and OneLink redirections to attribute web to app journeys to the correct campaign. |
AppsFlyer collects user analytics data — you legally need a consent banner. Try FlowConsent free.
AppsFlyer is a mobile SDK and does not rely on web cookies. It processes the advertising identifier (IDFA on iOS, GAID on Android), an AppsFlyer ID stored on device, IP address, install referrer and a configurable set of in app events.
Yes. Access to advertising identifiers is regulated by GDPR and ePrivacy, and on iOS by App Tracking Transparency. Initialise the SDK in non personalised mode and only call start() once the user has granted consent through your CMP or in app prompt.
Consent under Article 6(1)(a) GDPR is the appropriate legal basis for attribution and advertising measurement. AppsFlyer operates as a processor on behalf of the app publisher, with a data processing agreement defining the scope and instructions.
Yes. AppsFlyer infrastructure spans the EU (Frankfurt), the United States, Israel and India. Israel has an EU adequacy decision; US transfers can rely on the Data Privacy Framework or SCCs. Choose the EU data centre if you want primary data to remain in Europe.
In most cases yes. The scale of identifier processing, in app event payloads and international transfers meet the EDPB criteria for a DPIA. Document the lifecycle of data, the partners receiving postbacks and the impact of probabilistic attribution.
Use AppsFlyer Consent Manager, configure the SDK to wait for consent before calling start(), align with iOS ATT and Android Play Data Safety, choose the EU data centre, sign the DPA, list AppsFlyer in your privacy policy and store privacy labels, and minimise the events transmitted.
Alternatives include Adjust (Germany), Branch (United States), Kochava (United States), Singular (United States) and Tenjin (United States). For European data residency, Adjust based in Berlin is a frequent choice.
List AppsFlyer with its purposes (attribution, measurement, fraud detection), the categories of data (advertising ID, IP, install referrer, in app events), the regions where data are processed, the retention duration and how users can opt out from app settings.