PushWoosh is a web technology service that provides essential functionality for websites and digital platforms. It delivers core capabilities that support site operations, content delivery, and user experience optimization. PushWoosh integrates seamlessly with modern web architectures, ensuring reliable performance and compatibility across browsers and devices. Trusted by businesses worldwide, PushWoosh helps organizations maintain robust websites that meet user expectations and technical requirements.
Pushwoosh, founded in 2011 and now operated from the United States with EU infrastructure in Germany, is one of the longest standing customer engagement platforms specialised in push notifications. It targets mobile apps and websites, with unified subscriber profiles, segments and journeys, and is used by media companies, retailers and gaming studios worldwide.
Pushwoosh sends mobile push (iOS APNS, Android FCM), web push (W3C Push API), in app messages and emails. It includes a Customer Journey builder, audience segmentation, A/B tests, transactional API, BigQuery export and integrations with Segment, Amplitude and mParticle. The web SDK can be embedded with a few lines of JavaScript and registers each visitor as a subscriber after browser permission.
The web SDK requests the W3C Push permission and registers a unique device identifier (Pushwoosh hwid). It stores first party cookies (pw_session, pwid) on the embedding website for cross visit tracking. The platform records IP, user agent, language, time zone, opt in time, message opens, link clicks and custom events. Behavioural segmentation can be very granular and combined with location based triggers.
Push notifications are considered direct marketing under Art. 13 ePrivacy Directive and require prior consent. The W3C Push permission alone is not sufficient: a GDPR layer of consent must be collected before the browser prompt is displayed, with granular description of the purposes. The SDK cookies require ePrivacy consent under Art. 5(3) regardless of the push permission decision.
Pushwoosh offers two regions: United States (default, AWS) and European Union (Hetzner, Germany). The region is selected at account creation and cannot be changed later without data migration. EU region keeps data inside Hetzner Germany; US region triggers transfers under the EU US DPF or SCCs. Audit your account settings to confirm the region.
Select the EU region at account creation if you serve EU residents. Add a custom consent layer before the W3C Push prompt with granular purposes. Block the Pushwoosh SDK behind a CMP marketing category. Reduce segmentation depth to what is strictly necessary. Sign the Pushwoosh DPA. Document Pushwoosh in your records of processing and your privacy notice including the region.
Websites using PushWoosh must obtain user consent under GDPR regulations.
Third-party domains contacted
- pushwoosh.com
- cp.pushwoosh.com
- api.pushwoosh.com
- eu-push.pushwoosh.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| pwid | first_party | 2 years | Pushwoosh device identifier used to link the browser to a subscriber profile. |
| pw_session | first_party | Session | Session identifier used by the Pushwoosh web SDK for state during the current visit. |
| pw_segment | first_party | 1 year | Stores the visitor segmentation tags used for behavioural targeting of push messages. |
The Pushwoosh web SDK sets first party cookies on the embedding website: pwid (device identifier, up to two years), pw_session (session), and may forward Google Analytics identifiers. All require prior consent under Art. 5(3) ePrivacy.
Yes. Push notifications are direct marketing, requiring prior explicit consent under Art. 13 ePrivacy and Art. 6(1)(a) GDPR. The W3C Push permission alone is not enough: you must collect a GDPR consent layer before triggering it. The SDK cookies also require ePrivacy consent.
Consent (Art. 6(1)(a) GDPR) for marketing push and for the SDK cookies. Legitimate interest (Art. 6(1)(f)) may apply narrowly to security or service status notifications when the user expects them and has not objected.
It depends on the region selected at account creation. The EU region (Hetzner Germany) keeps data in the EEA. The US region triggers transfers under the EU US Data Privacy Framework or Standard Contractual Clauses with supplementary measures.
A DPIA is recommended for any large scale push setup, especially when combined with profiling, behavioural segmentation, geolocation or sensitive content. Document the region, the lawful basis, the W3C permission flow, the SDK cookies, retention and rights.
Select the EU region at account creation for EU residents. Add a custom consent layer before the W3C Push prompt. Block the SDK behind the CMP marketing category. Sign the Pushwoosh DPA. Limit behavioural segmentation. Document Pushwoosh, the region and the transfer mechanism in your records of processing.
EU based push platforms: Notificare (Netherlands), Batch (France), Airship (US with EU residency), MagicBell (Spain), CleverPush (Germany). Self hosted: Gotify, Apprise. For mobile only: Firebase Cloud Messaging (free but Google).
Track Pushwoosh sub processor and DPA updates. When sub processors, certifications or region offerings change, update your cookie table, privacy notice and records of processing and bump the consent banner version.
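The consent-layer and CMP-blocking steps above, together with the banner version bump, can be enforced in one gate that sits between the CMP and the push SDK. The following is an added example, not Pushwoosh or FlowConsent code; the `push_marketing` purpose id, the `env` callbacks, the banner version string and the SDK URL are placeholders assumed for illustration.

```javascript
// Cookie names are taken from the cookie table on this page.
const PW_COOKIES = ['pwid', 'pw_session', 'pw_segment'];
const PUSH_PURPOSE = 'push_marketing'; // hypothetical CMP purpose id

// Strings that expire each cookie when assigned to document.cookie.
// Assumes the cookies were set with Path=/ on the current host.
function expireCookieStrings(names) {
  return names.map((name) => `${name}=; Max-Age=0; Path=/`);
}

// env is injected so the same logic runs in a browser and in a test:
// loadSdk() injects the SDK script, promptPush() triggers the browser
// permission prompt, setCookie(s) performs document.cookie = s.
function createPushConsentGate(env, bannerVersion) {
  let sdkLoaded = false;
  let prompted = false;
  // consent: { marketing: boolean, purposes: string[], version: string }
  return function applyConsent(consent) {
    const granted = consent.marketing === true &&
      consent.purposes.includes(PUSH_PURPOSE) &&
      consent.version === bannerVersion; // stale consent counts as none
    if (!granted) {
      // Refusal or withdrawal: no SDK, no prompt, identifiers cleared.
      expireCookieStrings(PW_COOKIES).forEach((c) => env.setCookie(c));
      prompted = false;
      return 'blocked';
    }
    if (!sdkLoaded) { env.loadSdk(); sdkLoaded = true; }
    if (prompted) return 'already-prompted';
    env.promptPush();
    prompted = true;
    return 'prompted';
  };
}

// Browser wiring, skipped outside a DOM. SDK_URL is a placeholder.
if (typeof document !== 'undefined') {
  const SDK_URL = 'https://sdk.example.invalid/push-sdk.js';
  window.applyPushConsent = createPushConsentGate({
    loadSdk: () => {
      const s = document.createElement('script');
      s.src = SDK_URL;
      s.async = true;
      document.head.appendChild(s);
    },
    promptPush: () => Notification.requestPermission(),
    setCookie: (c) => { document.cookie = c; },
  }, 'banner-v1');
}
```

Call `applyPushConsent` from the CMP's consent-changed callback so that a withdrawal reaches the gate as well as the initial choice.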