Firebase is a Google Cloud platform of mobile and web backend services widely used in Europe for authentication, real-time databases, push notifications, hosting and analytics. Most Firebase products run on Google infrastructure with default multi-region storage; Cloud Firestore, Cloud Storage and Cloud Functions can be pinned to EU regions while Firebase Analytics and Cloud Messaging currently process data globally with US storage.
Firebase is a Google Cloud platform that bundles mobile and web backend services into a single SDK. Common products include Firebase Authentication, Cloud Firestore, Realtime Database, Firebase Cloud Messaging, Firebase Analytics, Crashlytics, Firebase Hosting and Cloud Functions. It is widely used in Europe for both mobile apps and web applications because it removes the need to operate authentication, database and analytics infrastructure independently.
Firebase Authentication stores user credentials, refresh tokens and session identifiers. Cloud Firestore and Realtime Database store the application data the developer chooses to write. Firebase Cloud Messaging stores device tokens for push notifications. Firebase Analytics collects events, screen views, device information, IP addresses and a persistent app instance identifier (the Firebase Installation ID). Crashlytics collects stack traces, device state and user identifiers if attached.
Authentication, Cloud Firestore and Realtime Database used to deliver the app rely on contract performance (Art. 6(1)(b) GDPR). Firebase Analytics and Crashlytics rely on consent (Art. 6(1)(a) GDPR) and on Art. 5(3) ePrivacy because they read and write identifiers on the device. Firebase Cloud Messaging marketing campaigns require consent. Use Firebase Consent Mode (Google Consent Mode v2) to enforce consent signals on Analytics.
Cloud Firestore, Cloud Storage and Cloud Functions can be configured to store data in EU regions (europe-west1, europe-west3, eur3, etc.). Firebase Authentication, Firebase Analytics and Cloud Messaging currently process data globally with US storage. Transfers rely on Google's certification under the EU US Data Privacy Framework and on Standard Contractual Clauses included in the Google Cloud Data Processing Addendum.
Sign the Google Cloud Data Processing Addendum from your Firebase console. Pin Cloud Firestore and Cloud Storage to an EU region. Enable Firebase Consent Mode and gate Firebase Analytics and Crashlytics behind your consent management platform. For mobile apps, request iOS App Tracking Transparency before enabling Analytics and follow the Android Privacy Sandbox guidance. Document the Firebase services in use, the regions, and the EU US Data Privacy Framework basis in your privacy notice.
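One way to wire the consent gate described above for a web app, as an added example that is not Firebase or FlowConsent code. The CMP category names (`analytics`, `marketing`) and the `sdk` adapter object are assumptions; in a real app the adapter would wrap `setConsent` and `setAnalyticsCollectionEnabled` from the Firebase JS SDK's `firebase/analytics` module.

```javascript
// Added example: default-deny mapping from CMP choices to Consent Mode v2 signals.
const DENIED = "denied";
const GRANTED = "granted";

// Every Consent Mode v2 signal starts denied until the CMP reports a choice.
const DEFAULT_CONSENT = Object.freeze({
  analytics_storage: DENIED,
  ad_storage: DENIED,
  ad_user_data: DENIED,
  ad_personalization: DENIED,
});

// Hypothetical CMP categories and the signals each one unlocks.
const CATEGORY_SIGNALS = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// Translate the CMP's per-category decisions into a consent settings object.
function toConsentSettings(cmpChoices) {
  const settings = { ...DEFAULT_CONSENT };
  for (const [category, signals] of Object.entries(CATEGORY_SIGNALS)) {
    // Only an explicit boolean true grants; a missing value, "true" or 1 stays denied.
    if (cmpChoices != null && cmpChoices[category] === true) {
      for (const signal of signals) settings[signal] = GRANTED;
    }
  }
  return settings;
}

// Push the settings to the SDK and switch Analytics collection on or off.
// `sdk` is a hypothetical adapter exposing setConsent(settings) and
// setAnalyticsCollectionEnabled(enabled).
function applyConsent(cmpChoices, sdk) {
  const settings = toConsentSettings(cmpChoices);
  sdk.setConsent(settings);
  sdk.setAnalyticsCollectionEnabled(settings.analytics_storage === GRANTED);
  return settings;
}
```

Call `applyConsent` once at startup with whatever the CMP has stored (possibly nothing) and again on every consent change, so that a withdrawal turns collection back off.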
Websites using Firebase must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Firebase deployments that combine Authentication, Analytics and Crashlytics with significant user volumes, given the global Google Cloud processing and the persistent identifiers used for analytics and marketing.
Sample consent text
This application uses Firebase (Google LLC) for authentication, data storage and analytics. Firebase Analytics and Crashlytics are activated only after your consent. Personal data may be transferred to Google infrastructure outside the EEA under the EU US Data Privacy Framework or Standard Contractual Clauses.
Third-party domains contacted
- firebase.googleapis.com
- firebaseio.com
- firebaseinstallations.googleapis.com
- fcmregistrations.googleapis.com
- firebaselogging-pa.googleapis.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| firebase_id_token | first_party | 1 hour | Short-lived ID token issued by Firebase Authentication after a successful login. |
| firebase_refresh_token | first_party | Variable (long-lived) | Refresh token stored locally so the app can request new ID tokens without forcing re-authentication. |
| FIREBASE_INSTALLATION_ID | first_party | Persistent | Persistent app instance identifier used by Firebase Analytics, Crashlytics and Cloud Messaging to attribute events. |
| FCM_TOKEN | first_party | Persistent | Device token used by Firebase Cloud Messaging to deliver push notifications. |
Firebase Authentication issues an ID token (1 hour) and a long-lived refresh token. Firebase Installations creates a persistent app instance identifier used by Analytics, Crashlytics and Cloud Messaging. Firebase Cloud Messaging stores a device token. Firebase Analytics and Crashlytics also write event payloads with device and IP information when active.
Firebase Authentication and the database services that simply deliver the requested feature do not require a separate cookie banner. Firebase Analytics, Crashlytics and Cloud Messaging marketing campaigns require freely given consent under Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy. Use Firebase Consent Mode to gate data collection.
Authentication, Cloud Firestore and Realtime Database used to deliver the app rely on contract performance (Art. 6(1)(b)). Firebase Analytics, Crashlytics and Cloud Messaging marketing rely on consent (Art. 6(1)(a)). Tax retention may rely on legal obligation (Art. 6(1)(c)). Strictly necessary identifiers rely on Art. 5(3) ePrivacy.
Yes for several Firebase products. Cloud Firestore, Cloud Storage and Cloud Functions can be pinned to EU regions. Firebase Authentication, Firebase Analytics and Cloud Messaging currently process data globally with US storage. Transfers rely on the Google EU US Data Privacy Framework certification and on Standard Contractual Clauses included in the Google Cloud Data Processing Addendum.
A DPIA is recommended for Firebase deployments that combine Authentication, Analytics and Crashlytics with significant user volumes, given the global Google Cloud processing and the persistent identifiers used. A DPIA is normally not required for a small Authentication only or hosting only project.
Sign the Google Cloud Data Processing Addendum from the Firebase console. Pin Cloud Firestore and Cloud Storage to an EU region. Enable Firebase Consent Mode and gate Firebase Analytics and Crashlytics behind your CMP. For mobile apps, request iOS App Tracking Transparency before enabling Analytics. Document Firebase services, regions and the DPF basis in your privacy notice.
EU-based alternatives include Supabase (managed in EU regions on AWS), Appwrite (open source, self hosted or EU cloud), Hasura with EU hosting, and Nhost (EU hosting). For analytics specifically, prefer Plausible, Matomo, Pirsch or Posthog with EU hosting. Selection depends on whether you need full backend services or only specific Firebase products.
List the Firebase services in use (Authentication, Cloud Firestore, Storage, Functions, Cloud Messaging, Analytics, Crashlytics) with their purpose, the regions configured and the persistent identifiers issued. State that data may be transferred to Google infrastructure outside the EEA under the EU US Data Privacy Framework or Standard Contractual Clauses, and reference the Google Cloud Data Processing Addendum.