OneSignal is one of the most widely used web and mobile push notification platforms, operated from the United States. It registers a service worker on your website to send push notifications and tracks subscription tokens, device metadata and IP addresses on AWS US infrastructure. Both the push subscription and the related cookies require explicit user consent in addition to the browser native push prompt.
OneSignal is a customer engagement platform founded in 2014 in San Mateo, California. It is one of the most widely used solutions for web push, mobile push, in-app messaging, email and SMS, with over a million sites and apps using it. The web SDK registers a service worker on the publisher domain to handle push notifications.
OneSignal stores a push subscription identifier, the OneSignal player ID and a device record (browser, OS, country, language, IP address). On the publisher site it registers a service worker (OneSignalSDKWorker.js) and uses localStorage for the player ID. Mobile SDKs collect installation and app usage events. Subscriber tags and segments may include any custom attribute the publisher attaches.
Web push is a non-essential tracker according to most EU regulators, so the OneSignal SDK and its service worker should be loaded only after the user gives consent under Art. 5(3) ePrivacy. The browser's native push prompt is an additional consent step, but it is not sufficient on its own because it does not cover the prior storage and processing required to register the subscription. Marketing notifications themselves rely on consent (Art. 6(1)(a) GDPR).
OneSignal hosts its primary infrastructure on AWS US. Subscription tokens, device records, IP addresses and engagement events are processed in the United States. Transfers rely on the EU-US Data Privacy Framework certification (where applicable) and on Standard Contractual Clauses included in the OneSignal DPA. Enterprise plans may offer regional residency options.
Sign the OneSignal DPA from the dashboard. Block the OneSignal SDK behind your CMP and load it only after explicit opt-in. Use a custom soft prompt before requesting the browser's native push permission, with a clear description of the purpose. Add OneSignal to your privacy notice with the US transfer, the SCC and DPF basis and the categories of data collected. Provide an obvious unsubscribe path inside notifications and the OneSignal subscriber settings.
Websites using OneSignal must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for OneSignal deployments that combine large subscriber bases, behavioural segmentation and cross-device user identification, given the persistent identifiers involved and the US transfer.
Sample consent text
We use OneSignal (OneSignal Inc., United States) to send push notifications. By accepting, you consent to the registration of a push subscription, the related identifiers and the transfer of your data to OneSignal in the US under appropriate safeguards.
Third-party domains contacted
cdn.onesignal.com, api.onesignal.com, onesignal.com, images.onesignal.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| onesignal-pageview-count | first_party | Persistent (localStorage) | Tracks the number of pageviews so OneSignal can trigger a soft prompt after a configured threshold. |
| onesignal-notification-prompt | first_party | Persistent (localStorage) | Records whether the user has dismissed the soft prompt to avoid repeated prompting. |
OneSignal stores a push subscription identifier and the OneSignal player ID in localStorage on the publisher domain, registers a service worker (OneSignalSDKWorker.js) and sends a device record (browser, OS, country, language, IP) to its backend. Optional pageview and prompt counters are also stored in localStorage.
Yes. Most EU regulators consider web push a tracker that is not strictly necessary, so the OneSignal SDK and its service worker must be loaded only after consent under Art. 5(3) ePrivacy. The browser's native push prompt is an additional consent step, but it is not sufficient on its own because it does not cover the prior storage and registration steps.
Consent (Art. 6(1)(a) GDPR) for the push subscription, the related identifiers and the marketing notifications. The opt-in must be granular and as easy to withdraw as it was to give. Notification scheduling and analytics performed in the OneSignal backend are sub-processing under Art. 28.
Yes. OneSignal Inc. is a US company and its primary infrastructure runs on AWS US. Subscription tokens, device records, IP addresses and engagement events are processed in the United States. Transfers rely on the EU-US Data Privacy Framework certification (where applicable) and on the Standard Contractual Clauses included in the OneSignal DPA.
Sign the OneSignal DPA. Block the SDK behind your CMP and load it only after explicit opt-in. Use a custom soft prompt explaining the purpose before requesting the browser's native push permission. Add OneSignal to your privacy notice with the US transfer, the SCC and DPF basis, and the categories of data collected. Provide an obvious unsubscribe path inside notifications.
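The "load only after opt-in" rule and the "as easy to withdraw as to give" rule described above can be enforced with one small gate. This is an added example, not code from OneSignal or from any CMP; `createPushGate`, `env` and `sdkUrl` are hypothetical names, and the SDK URL is whatever your own OneSignal setup specifies.

```javascript
// Added example, not OneSignal or CMP code. Keys and worker file name are from this page.
const PUSH_STORAGE_KEYS = ['onesignal-pageview-count', 'onesignal-notification-prompt'];
const WORKER_FILE = 'OneSignalSDKWorker.js';

// True if any state of this registration runs the push SDK worker script.
function isPushWorker(reg) {
  return [reg.active, reg.waiting, reg.installing]
    .some((w) => w && new URL(w.scriptURL).pathname.endsWith('/' + WORKER_FILE));
}

// env is injected so the gate can be tested without a browser. In a page, pass
// { doc: document, storage: localStorage, serviceWorker: navigator.serviceWorker }.
// sdkUrl is an assumption: the SDK script URL from your own OneSignal setup.
function createPushGate(sdkUrl, env) {
  let scriptEl = null;

  function load() {
    if (scriptEl) return; // idempotent: consent events can fire more than once
    scriptEl = env.doc.createElement('script');
    scriptEl.src = sdkUrl;
    scriptEl.defer = true;
    env.doc.head.appendChild(scriptEl);
  }

  // Withdrawal: remove the tag, the counters, the push subscription and the worker.
  async function withdraw() {
    if (scriptEl) { scriptEl.remove(); scriptEl = null; }
    for (const key of PUSH_STORAGE_KEYS) env.storage.removeItem(key);
    const regs = (await env.serviceWorker.getRegistrations()).filter(isPushWorker);
    for (const reg of regs) {
      const sub = await reg.pushManager.getSubscription();
      if (sub) await sub.unsubscribe(); // revoke the browser-side push subscription
      await reg.unregister();
    }
    return regs.length; // number of push workers removed
  }

  return {
    // decision: true = opted in, false = refused or withdrawn, undefined = no choice yet
    async apply(decision) {
      if (decision === true) { load(); return 'loaded'; }
      if (decision === false) { await withdraw(); return 'removed'; }
      return 'blocked'; // default: nothing is loaded or stored before a choice
    },
    isLoaded: () => scriptEl !== null,
  };
}
```

The localStorage key that holds the player ID is not named on this page, so it is not in `PUSH_STORAGE_KEYS`; add the keys you observe in your own audit.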
EU-based alternatives include WonderPush (France), Pushwoosh (data residency in EU available), Sendmunk (Germany) and self-hosted Mautic with the web push extension. For mobile-only use, Firebase Cloud Messaging from EU regions can be used for transactional messages but raises similar transfer questions for marketing.
State that OneSignal (OneSignal Inc., United States) is a processor for push notifications and engagement. Describe the service worker, the player ID, the device record, the IP address processing and the campaign analytics. Note the US transfer with the SCC and DPF basis, and provide a one-click unsubscribe link or page.