Leanplum is a mobile and multi-channel customer engagement platform founded in San Francisco in 2012 and acquired by CleverTap in 2022. It offers mobile and web push notifications, in-app messages, email, A/B testing and behavioural analytics for consumer apps. As a US-based vendor processing app event data, identifiers and contact information, it is treated as a high-risk processor under the GDPR and requires consent for marketing channels in the European Union.
Leanplum is a mobile marketing and customer engagement platform created in San Francisco in 2012 and acquired by CleverTap in 2022. It is now part of the CleverTap customer engagement suite and supports push notifications, in-app messages, email, web push, A/B testing, behavioural analytics and audience targeting. The platform is widely used by mobile apps in retail, fintech, media and gaming to power onboarding flows, retention campaigns and personalised content.
The Leanplum SDK collects mobile advertising identifiers (IDFA, GAID) when granted, app instance identifiers, push notification tokens, user properties (email, name, custom attributes), app events (sessions, screens, custom events with parameters), device model, OS, OS version, app version, language, time zone, network type, IP address and coarse geolocation. When the web SDK is used, it collects browser identifiers and event data similar to a web analytics tool. All these signals are stored in the user profile maintained on Leanplum and CleverTap infrastructure.
Mobile push notifications are direct electronic marketing under Article 13 ePrivacy and require prior opt-in consent. Reading device storage from the SDK falls under Article 5(3) ePrivacy. App event tracking for analytics or profiling requires a GDPR lawful basis, which is generally consent given the scope of data collected. Combining behavioural data with profiles for targeted offers raises additional obligations under Art. 22 GDPR when decisions have significant effects on users.
Leanplum and CleverTap process data on AWS infrastructure primarily in the United States. CleverTap offers EU and India data residency on request, which European customers should activate via contract. International transfers are governed by Standard Contractual Clauses under Art. 46(2)(c) GDPR and require a Transfer Impact Assessment that takes FISA 702 into account. CleverTap publishes a Data Processing Addendum and sub-processor list to help controllers complete their analysis.
Compliance checklist:
- implement a mobile consent flow (App Tracking Transparency on iOS plus an in-app consent prompt for marketing);
- only initialise the Leanplum SDK after the user has accepted analytics and marketing;
- activate EU data residency where available;
- sign the Leanplum / CleverTap DPA and the SCCs;
- document the processing in your RoPA;
- run a DPIA for retention, profiling and large-scale processing;
- update your privacy policy with the SDK, the processors, the categories of data and the user rights, including erasure on request.
Websites using Leanplum (CleverTap) must obtain user consent under GDPR regulations.
DPIA considerations
Leanplum collects device identifiers (IDFA, GAID, app instance id), push notification tokens, user attributes, app events, session metadata, app version, OS, language, geolocation (when granted) and behavioural funnels. Key DPIA points:
1. the mobile SDK reads from and writes to terminal storage, triggering Art. 5(3) ePrivacy;
2. push notification tokens and user attributes constitute personal data under the GDPR, with marketing pushes requiring consent under Art. 7 ePrivacy as transposed in EU member states;
3. data is transferred to Leanplum and CleverTap servers in the United States by default, requiring SCCs and a Transfer Impact Assessment;
4. profiling and segmentation for targeted campaigns may trigger Art. 22 GDPR obligations;
5. audience export to advertising platforms must be assessed separately.

A DPIA under Art. 35 GDPR is recommended for any large-scale or sensitive-context deployment.
Sample consent text
We use Leanplum (CleverTap) to send you in-app messages, push notifications and tailored content, and to measure how you interact with our application. Leanplum collects technical identifiers, app events and contact data and processes them on Leanplum and CleverTap servers in the United States. You can accept, refuse or fine-tune this use at any time through our consent settings.
Third-party domains contacted
- api.leanplum.com
- www.leanplum.com
- leanplum-cdn.s3.amazonaws.com
- eu.api.clevertap.com
- wzrkt.com
- d2r1yp2w7bby2u.cloudfront.net

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| lp_user_id | HTTP first-party cookie / Local Storage | 12 months | Stores the Leanplum user identifier used to stitch web events to a known profile. |
| lp_session | HTTP first-party cookie | Session | Maintains the current Leanplum session metadata for web event collection. |
| _clevertap_* | HTTP first-party cookie | 12 months | Cookies set by the CleverTap parent product for cross-channel user identification, in-app messaging targeting and analytics. |
| IDFA / GAID | Mobile advertising identifier | Until reset by the user | Mobile advertising identifiers consumed by the Leanplum SDK when the user grants App Tracking Transparency (iOS) or the equivalent Android permission. |
On the web SDK, Leanplum sets first-party cookies and uses localStorage to store a visitor identifier. On mobile, the SDK relies on IDFA (iOS, with App Tracking Transparency), GAID (Android Advertising ID), an app instance id, and persistent storage for user properties and event queueing. All of these constitute personal data under the GDPR.
Yes. Marketing push notifications require opt-in under Art. 13 ePrivacy. SDK initialisation and event tracking require Art. 5(3) ePrivacy consent before reading the device storage or advertising identifiers. On iOS, ATT consent is also required to access IDFA.
Consent (Art. 6(1)(a) GDPR) for marketing, analytics and behavioural segmentation. Legitimate interest (Art. 6(1)(f) GDPR) may apply to purely transactional in-app messages tightly linked to the service requested by the user.
Yes, by default. Leanplum and CleverTap run on AWS primarily in the United States. EU and India data residency are available on request. Transfers require SCCs under Art. 46(2)(c) GDPR and a Transfer Impact Assessment.
Yes, in most cases. Large-scale processing of behavioural data, profiling for targeted campaigns, and the combination of identifiers across devices typically trigger Art. 35 GDPR DPIA obligations.
Gate SDK initialisation and push permission requests behind your CMP, activate EU data residency, sign the CleverTap DPA and SCCs, document processing in your RoPA, run a DPIA, configure retention and deletion settings, and update your privacy policy with a section on mobile marketing.
Mobile engagement alternatives include Braze, Iterable, Airship, OneSignal, Batch (France), Bloomreach Engagement (Czech Republic) and Customer.io. Several offer EU hosting, which simplifies the transfer analysis.
Add an entry for Leanplum / CleverTap covering the SDK, processed identifiers, retention period, US data transfer, and a clear opt-out path through the CMP and the mobile system settings.