Pushly is a web push notification platform operated by The Arena Group from New York City. It uses the VAPID web push protocol, a service worker registered on the publisher origin and a JavaScript SDK to capture push subscriptions, then routes notifications through Apple, Google and Mozilla push services. It stores subscriber endpoints and behavioural segments in the United States.
Pushly is a web push notification platform run by The Arena Group, a US media company headquartered in New York City. It targets publishers and e-commerce sites that want to push articles, alerts and promotions to browsers even when the user is not on the site. The integration relies on a JavaScript SDK loaded on every page, a service worker registered on the publisher origin and the VAPID web push protocol described in RFC 8292.
When a visitor accepts the browser prompt, the user agent registers a unique push subscription with Apple APNs (Safari), Google FCM (Chrome and Edge) or Mozilla autopush (Firefox). The endpoint URL and encryption keys are sent to Pushly servers and stored alongside any segments the publisher has configured.
Pushly stores the push subscription endpoint, the public key, the auth secret, the browser fingerprint (user agent, language, time zone), the IP address at subscription time and behavioural events such as impressions, clicks and dismissals. Many integrations also push first-party identifiers (article tags, user segments, logged-in user ID) to enable targeting, plus local storage entries used by the SDK.
Although web push does not technically rely on traditional cookies, the persistent subscription endpoint plus local storage values constitute storage in the user terminal under Article 5(3) of the ePrivacy Directive and §25 TDDDG, and the endpoint plus IP qualify as personal data under Article 4(1) GDPR.
Web push subscriptions require explicit consent because they involve both the storage of identifiers in the terminal (Art. 5(3) ePrivacy) and direct marketing communications (Art. 13 ePrivacy, transposed by national soft opt-in rules). The EDPB Guidelines 5/2020 specify that consent under the GDPR must be specific, informed, unambiguous and given by a clear affirmative action. The native browser prompt alone is not enough: a CNIL-compliant deployment uses a pre-prompt that explains the purpose and a clear category in the cookie banner.
Do not load the Pushly SDK on the first page view. Block it behind a Marketing or Communications category in your CMP, and only register the service worker after the visitor has accepted that category. Show a soft pre-prompt that explains what kind of notifications will be sent, at which frequency and who the recipient is, then trigger the native browser prompt. Log the consent (timestamp, IP, banner version, choice) and offer a one-click unsubscribe in every push.
Pushly stores subscriber endpoints in AWS US regions. Push delivery flows through Apple APNs (Cupertino, California), Google FCM (United States) and Mozilla autopush (United States). All four parties are US-based and are in scope of US surveillance law, which makes the transfer subject to the EDPB Schrems II recommendations.
Rely on the EU-US Data Privacy Framework where the recipient is certified, sign the Standard Contractual Clauses 2021 where it is not, and document supplementary measures: end-to-end payload encryption, pseudonymisation of segments, short endpoint retention and a transfer impact assessment.
List Pushly in your record of processing activities and in your cookie and local storage register. Document the lawful basis, the recipients (The Arena Group plus the relevant push service), the data categories and the retention period. Trigger a DPIA if you segment users by behaviour or push to minors. Provide an in-app preferences page where users can change topics or revoke their subscription, mirror that revocation to Pushly via its API, and review unsubscribed endpoints monthly.
Websites using Pushly must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever Pushly is used to send behavioural or personalised push notifications, to retarget anonymous visitors, to segment audiences by content interaction, or to push to children under 16. The assessment must document the lawful basis for the push subscription and for the segmentation that follows, the categories of data sent to Apple, Google and Mozilla push services, the retention period for endpoints and engagement events, the role of automated segmentation under Art. 22 GDPR, and the supplementary measures applied to US transfers.
Sample consent text
We would like to send you web push notifications via Pushly. With your consent, your browser will register a unique push subscription with our service worker and Pushly (operated from the United States) will store this endpoint to deliver notifications. You can withdraw your consent at any time in your browser settings or via the unsubscribe link in any notification.
Third-party domains contacted
- pushly.com
- cdn.p-n.io
- api.p-n.io
- fcm.googleapis.com
- updates.push.services.mozilla.com
- web.push.apple.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| pushly_sid | Persistent | 1 year | Pushly subscriber identifier used to associate the browser with a stored push subscription and to attribute engagement events back to the subscriber profile. |
| pushly_segments | Local Storage | Until cleared by user | Local storage entry holding the segment memberships and topic preferences assigned to the subscriber for push targeting. |
| pushly_sw_registration | Local Storage | Until service worker unregistered | Stores the push subscription endpoint, public key and auth secret returned by the browser PushManager, so Pushly can deliver notifications even when the tab is closed. |
| pushly_prompt_state | Persistent | 6 months | Records whether the visitor has already been shown the soft pre-prompt and whether they accepted, dismissed or refused, to avoid prompt fatigue. |
When a visitor accepts the push prompt, the browser generates a unique push subscription endpoint (a URL hosted by Apple, Google or Mozilla) and a pair of encryption keys. Pushly receives and stores that endpoint, the public key, the auth secret, the user agent, the language, the time zone, the IP address at subscription time and a Pushly subscriber ID. Pushly also logs every push delivery, impression, click and dismissal, and can attach first-party segments such as article tags or logged-in user IDs supplied by the publisher.
Yes. Activating Pushly involves both writing identifiers in the terminal (push subscription plus local storage entries) and sending direct marketing communications, so it falls under both Article 5(3) of the ePrivacy Directive and Article 13. The CNIL, the AEPD and the German DSK all require prior, freely given, specific and informed consent expressed by a clear affirmative action. The native browser prompt alone is not enough: deploy a pre-prompt that explains the purpose, frequency and recipient, and only register the service worker once the visitor has accepted a Marketing category in the CMP.
The push subscription itself is based on Article 6(1)(a) GDPR (consent), together with Article 5(3) ePrivacy for the storage of identifiers and Article 4(11) GDPR for the affirmative action. Behavioural segmentation that profiles subscribers (article categories read, products viewed) sits on the same consent and may also trigger Article 22 GDPR if it leads to fully automated decisions producing significant effects. Legitimate interest is generally not available because the EDPB has confirmed that direct electronic marketing to natural persons must rely on consent under ePrivacy.
Yes. Pushly is headquartered in New York and hosts its infrastructure on AWS US regions. Push delivery flows through Apple APNs, Google FCM and Mozilla autopush, all US-based. The endpoint URL itself reveals which push provider is in use, and any payload metadata reaches that provider. Such transfers require either the EU-US Data Privacy Framework where the recipient is certified or Standard Contractual Clauses 2021, plus a Schrems II transfer impact assessment that documents encryption of the payload, short retention, role-based access and audit logging.
A DPIA is recommended when Pushly is used to profile users (behavioural segments, lookalike audiences), to retarget anonymous visitors at scale, to push to children under 16, or to combine push subscriptions with logged-in identity data. The EDPB criteria (large scale processing, evaluation or scoring, innovative technology) and the CNIL and AEPD high-risk lists generally trigger a DPIA in these scenarios. The assessment must describe the data flow to the publisher, to Pushly and to the operating system push services, and the supplementary measures used to mitigate the Schrems II risk.
Place the Pushly SDK behind a Marketing or Communications category in your consent management platform and keep it blocked until the visitor opts in. Display a pre-prompt that names the controller, the purpose, the frequency and the third parties involved. Only after acceptance, register the service worker on your origin and fire the native browser prompt. Log the consent with a timestamp and banner version. Provide a preferences centre to change topics, expose a one-click unsubscribe in every push, and propagate revocations to Pushly via its API.
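The gating sequence described here and in the earlier integration advice (SDK blocked until the CMP category is accepted, pre-prompt, then service worker and native prompt, with a consent log and mirrored revocation), as an added example that is not Pushly or FlowConsent code. Every dependency name (`loadSdk`, `revokeSubscription`, `logConsent` and the others) is hypothetical, and the browser calls are injected so the ordering can be exercised outside a browser.

```javascript
// Added example. All names are hypothetical; this is not Pushly's SDK API.
// Browser side effects are injected so the ordering can be tested offline.
function createPushGate(deps, bannerVersion) {
  let active = false;

  // The IP address is not collected client-side; the (assumed) server
  // endpoint behind deps.logConsent records it with this entry.
  const log = (choice) =>
    deps.logConsent({ timestamp: deps.now(), bannerVersion, choice });

  // Call this on every CMP state change, including the initial one.
  return async function onConsentChange(categories) {
    if (!categories.marketing) {
      if (!active) return "blocked";          // nothing was ever loaded
      active = false;
      await deps.revokeSubscription();        // mirror withdrawal to the vendor
      await log("withdrawn");
      return "revoked";
    }
    if (active) return "subscribed";          // idempotent on repeated events
    // A browser-level block cannot be re-prompted, so load nothing at all.
    if (deps.permissionState() === "denied") return "browser-denied";

    if (!(await deps.showPrePrompt())) {      // purpose, frequency, recipient
      await log("preprompt-declined");
      return "declined";
    }
    await deps.registerServiceWorker();       // first write to the terminal
    await deps.loadSdk();                     // first third-party request
    const permission = await deps.requestPermission(); // native prompt
    await log(permission);
    active = permission === "granted";
    return active ? "subscribed" : "declined";
  };
}

// Browser wiring for orientation (placeholder path, not a vendor value):
//   registerServiceWorker: () => navigator.serviceWorker.register("/sw.js"),
//   requestPermission:     () => Notification.requestPermission(),
//   permissionState:       () => Notification.permission,
```

Because the gate returns before any injected call when the category is off, a test with recording fakes can confirm that no service worker registration or SDK request happens ahead of consent.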
EU-hosted or EU-friendly alternatives include OneSignal with EU data residency, Batch (France, also covers mobile push), Brevo (formerly Sendinblue) Push, Notifix (France) and self-hosted solutions such as web push libraries on top of your own backend with the Mozilla autopush and FCM endpoints. None of these can avoid Apple APNs, Google FCM or Mozilla autopush for actual delivery, but EU-hosted dashboards and storage reduce the surface for US transfers and make sub-processor lists easier to manage. Choose a vendor that signs an EU SCC-based DPA and offers an EU data region.
Add a dedicated section that names The Arena Group (Pushly) as the third party, explains that web push relies on a service worker, an endpoint stored at Pushly and delivery via Apple, Google and Mozilla push services. Disclose the categories of data (endpoint, IP, user agent, segments, engagement events), the retention period, the lawful basis (Art. 6(1)(a) plus Art. 5(3) ePrivacy), the international transfer mechanism (DPF or SCCs with supplementary measures) and the rights of access, erasure and withdrawal, together with a direct unsubscribe path.