You’re in Control: How Location Actually Works in OneSignal’s SDK

OneSignal -

A technical explainer on permissions, privacy, and who decides what your app can do.

There’s a conversation happening right now about a government app and its use of location data.

OneSignal’s SDK has been named in that conversation, so we want to do what we always do: be transparent, be technical, and be clear.

Here’s how location works in our SDK.

Location is off by default

OneSignal’s SDK does not collect location data out of the box. Full stop.

For location to be active in any app using our platform, two separate things must happen, both of which are outside of OneSignal’s control:

1. The developer must explicitly enable it. Location collection is a feature that app developers choose to turn on. It requires adding specific permissions to their app’s manifest (Android) or Info.plist (iOS), and then calling our SDK’s location methods in code. If a developer never enables this, the SDK never asks for or touches location data.

2. The user must grant permission at the operating system level. Even after a developer enables location, the user’s device will present a native system prompt — controlled by Apple or Google, not by OneSignal — asking whether the app can access their location. The user can say no. They can say “only while using the app.” They can revoke permission at any time in their device settings.

This is how every modern mobile SDK that supports location works. It is a double opt-in system: developer opt-in, then user opt-in.

What happens when location is enabled

The location data is associated with the user’s device record within the developer’s OneSignal account. It is not sold. It is not shared with third parties. It is not used for purposes outside of the developer’s own messaging campaigns.

The developer decides. The user confirms.

The key distinction in this conversation, and in any conversation about SDK-level data collection, is who makes the decisions.

OneSignal provides tools. We don’t make the choices about how those tools are used in any individual app. The developer decides which features to enable. The operating system enforces user consent. And the user has the final say.

This is true of virtually every major SDK in the mobile ecosystem — analytics, crash reporting, attribution, push notifications. The SDK provides capability. The developer activates it. The user approves it.

What we believe about privacy

We’ve built OneSignal around a principle: give developers powerful engagement tools, and give users control over their experience.

That means:

  • Location is off by default and requires deliberate developer action to enable.
  • We respect the permission frameworks that Apple and Google have built to protect users.
  • We do not sell user data. Period.
  • We publish clear documentation on every data point our SDK can collect, and how to configure it.
  • Developers can disable location collection entirely with a single line of code.

We believe that transparency is the best response to any question about data practices. Not vague reassurances, but documentation, code samples, and clear architecture.

A note on the broader conversation

When any app, government or otherwise, makes choices about what data to collect, those choices deserve scrutiny. That scrutiny is healthy. It’s how the ecosystem gets better.

But it’s important to distinguish between the tool and the implementation. A push notification SDK that supports location-based messaging is not, in itself, a surveillance mechanism — any more than a database is a surveillance mechanism because it can store personal data.

The questions worth asking are: Does the app need this data for its stated purpose? Is the user clearly informed? Can they opt out? Those are questions about app design and policy, not about the underlying infrastructure.

Read the docs

We publish everything. If you want to understand exactly how our SDK handles location, down to the API calls and configuration flags. Here’s where to start:

Location Opt-In Prompt Documentation

Mobile SDK Location Reference

Privacy & Personal Data Overview

We’d rather you read our docs than take our word for it. That’s kind of the point.

OneSignal is the customer engagement platform trusted by one in four app publishers to deliver push notifications, email, SMS, and in-app messages. We believe great messaging starts with user trust.