Privacy Policy

Last Updated and Reviewed: November 9, 2023

Our Commitment to Privacy

Your privacy is important to us and maintaining your trust is one of our highest priorities. This Privacy Policy includes a description of our information practices, how we use tracking technologies, as well as the decisions you may make regarding how your information is collected and used.

California, the United Kingdom, and Singapore Employees, Job Applicants, Owners, Directors, Officers, and Contractors: If you are a resident of California, the United Kingdom, or Singapore and you are an employee, controlling owner, director, officer, or independent contractor of ours, see the Privacy Notice for California, the United Kingdom, and Singapore Company Workforce below. If you are a resident of California, the United Kingdom, or Singapore and a job applicant, see https://onesignal.com/job-privacy

Introduction and Background

OneSignal, Inc. is a U.S. company located at 201 S. B Street, San Mateo, CA 94401 (“OneSignal” “we,” “us,” and “our”).

OneSignal is a customer engagement platform for companies around the world to enable their relationships with (and communicate with) their customers. This is primarily done by leveraging first party data (the company’s data on their customers) to personalize and automate messaging by the company through various channels, such as email, SMS, mobile push notifications, web push notifications, and in-app messaging.

OneSignal collects this first party data through a software development kit (“SDKs ”) that companies use in their mobile applications and websites. These web and mobile SDKs permit app developers and website operators to send, manage, optimize and customize messages to their customers and users. All of our services are referred to collectively as our “Services  ,” and the app developers, website operators, business customers, partners and advertisers are referred to collectively as our “Clients .”

This privacy policy (the “Privacy Policy  ”) explains our personal information practices regarding: 

  • Our Client’s end users and customers (“Client End Users ”),
  • Our Clients’, partners’, and vendors’ business representatives (e.g., their employees), and
  • Users of our website(s), including any website on which this Privacy Policy is posted, which we separately describe in Section 4,  below .

This Privacy Policy does not apply to any third-party sites or hosted services you may find or access through our website. This Privacy Policy also does not apply to our Client’s data practices.  If you submit personal information to any of those sites or services or to our Clients, your information will be governed by their privacy policies. We encourage you to carefully read the privacy policy of any site you visit or hosted service you use.

Personal Information

References to “personal information” in this Privacy Policy mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual or household. 

Data Controller or Data Processor 

OneSignal is primarily a data processor (or service provider) in relation to the Services we provide to our Clients, such as when a Client deploys our technology in order to collect, process or transfer their first party data. In some cases we operate as a data controller (or business) when we process personal information of our business contacts, employees, and representatives. 

1. Changes to This Privacy Policy

We reserve the right, at our sole discretion, to modify this Privacy Policy or any portion thereof. Any changes will be effective from the time of publication of the new privacy policy. Your continued use of the Services after the changes have been implemented shall indicate your agreement with the terms of such revised privacy policy. Otherwise, and if the new privacy policy does not suit you, you must no longer use the Services. Where required by law we will notify you and/or obtain your consent. 

2. Contacting Us

If you have any questions regarding this Privacy Policy, please contact our Data Protection Officer at Privacy@OneSignal.com or at 201 S. B Street, Suite 200 San Mateo, CA 94401.

3. Our Data Practices on our SDKs

Categories of Information Collected About Client End Users by Our Web SDKs

  • Identifiers such as:
    • IP address 
    • Email address, if provided to us
    • A unique cookie identifier, which may uniquely identify a Client End User 
  • Commercial information that we receive from our Clients or from our Clients’ use of our Services, such as: 
    • Information about Client End User’s transactions and interactions with apps and websites
    • What push notifications have been sent to a Client End User
  • Internet or other electronic network information activity information, such as: 
    • Information about a Client End User’s browser, such as browser language type and version of operating system (e.g., Android, iOS); network provider; language setting; time zone
    • Web pages visited that have implemented the SDK, and information about those visits (e.g., session duration, time-stamp, referring URLs)
  • Geolocation data inferred from IP address
  • Sensitive information provided or made available by our Clients

Categories of Information Collected About Client End Users by Our Mobile SDKs

  • Identifiers such as:
    • IP address
    • Email address, if provided to us
    • Mobile device or account identifiers which may be associated with other information, including inference data that Clients create on Client End Users
  • Commercial information that we receive from our Clients or from our Clients’ use of our Services, such as:
    • Purchases made within an app
    • Information about Client End User’s transactions and interactions with the app
  • Internet or other electronic network information activity information, such as:
    • Information associated with or related to devices, such as device type (e.g., mobile, tablet); type and version of operating system (e.g., Android, iOS); network provider; mobile browser (e.g. Safari, Chrome, etc.); language setting; time zone; and network status type (such as WiFi)
    • How a user has used the App (e.g., session duration, time-stamp)
  • Geolocation data inferred from IP address
    • Precise Location information, generally a Client End User’s lat/long data (i.e., GPS-level data) or WiFi information, which we may associate with Mobile IDs, and which may be collected whether or not an app is in use. (Location information is only collected the user has granted permission to the App to collect this, and the app chooses to send this data to OneSignal)
  • Sensitive information provided or made available by our Clients

Sensitive Information

We generally ask our Clients not to provide us with any sensitive information of the Client End Users. However, if they do provide us with sensitive information, then as a service provider to our Clients, we rely on our Clients to obtain consent (if required by applicable law) or provide opt out rights (if required by law) and to provide all rights to individuals as are required by applicable law, contract, or otherwise. Where applicable and required by law, we may enter into U.S. business associate agreements with our Clients for the processing of protected health information. 

We refer to all of the above collectively as the “SDK Information .”Sources of SDK Information

The categories of sources of the SDK Information include the following: 

  • Information provided by our Clients
  • Information automatically collected from our Clients’ use of the Services

How We Use the SDK Information

We use the SDK Information on behalf of our Clients for the purpose of providing the Services to our Clients. This includes:

  • To offer and support app and website features provided through the SDKs, including those related to push notifications. This includes, for instance, providing customer, technical and operational support for these features, detecting and protecting against errors, fraud, or other criminal activity; resolving disputes and enforcing our legal terms and other rights we may have. It also includes analyzing, customizing, and improving the features we offer Clients.
  • To provide information and analytics to our Clients about the use of these app and website features provided through the SDKs, or to help Clients create or enhance user profiles of Client End Users.
  • To enable Clients to create inferences about Client End Users. For instance, if SDK Information indicates that a particular device is frequently seen at restaurants, we might categorize a user for targeting of local restaurant offers. Or, if a user is frequently seen at sports stadiums, we might categorize the user as a “Sports Fan.”
  • To develop and use “predictive models” which are data models that try to predict Client End Users’ potential future behavior and interests on a per-device basis or across devices.
  • To analyze ad performance, for instance, by attributing Client End Users’ app installations, web visits, or store visits to ad campaigns.
  • Sometimes, the SDK Information may be used to resolve identities across multiple devices, such as to match IP addresses or hashed emails to link a Client End User across (for instance) browsers, mobile devices, tablets, set top boxes, or other devices.
  • Sometimes the SDK Information may be used to perform any of the above functions, or other marketing or analytics services. Or, we may aggregate and create data “models” to do this – creating algorithms in order to predict certain trends and things that different Client End Users might have in common.

We may deploy online cookies to track users across websites, or to associate users (and these cookies) with Mobile IDs. We may do this to resolve user identifies across platforms, and to better or more accurately target messages. You can learn more about cookies and similar technologies, such as web beacons and SDKs, in the Section titled “Cookies, Pixel Tags and  SDKs .”

We may also use the SDK Information for the following purposes:

  • To explore a potential acquisition or sale of our business
  • To prevent or stop activity that we may think is illegal; to protect our rights, privacy, safety or property, and that of you and others; to protect the security of our services or website; to comply with applicable law; to comply with legal process and our legal obligations; to respond to requests or requirements from public, law and government authorities and private parties; to enforce our terms; to allow us to pursue available remedies or limit potential damages; and to exercise or defend legal claims
  • In other ways with your consent or at your direction

How We Disclose the SDK Information

We may disclose SDK Information to the following categories of third parties:

  • Service Providers. We disclose the SDK Information on our Clients’ behalf to service providers, contractors and other companies to fulfill your orders, operate our business, communicate with you and make available our Services and this Website. These service providers may help us perform any of the activities set forth in Section 2. For instance, we may disclose certain of the information we collect or receive to companies that help us with billing and payment, marketing, advertising and email marketing, data enhancement (e.g., to provide more relevant offers), website hosting, technology and customer support, web and marketing analytics, anti-fraud or security operations, and other operational, marketing or business support.
  • We likewise may disclose the SDK Information or data segments regarding a Client (for instance, related to push notifications they send) for that Client’s own advertising, analytics, or other purposes.
  • Affiliates . We may disclose your information to our affiliates (e.g., our subsidiaries).
  • Buyers and investors . We may disclose or transfer your personal information in connection with, or during negotiations of, any acquisition of our business, financing or similar transaction.
  • Other third parties for legal purposes . We may also disclose your information if we believe it is required: (a) to prevent or stop activity that we may think is, or is at risk of being, illegal, unethical or legally actionable activity; (b) to protect our rights, privacy, safety or property, and that of you and others; (c) to protect our operations and the security of our services and website; (d) under applicable law; (e) to comply with legal process and our legal obligations; (f) to respond to requests or requirements from public, law and government authorities (including national security and law enforcement requirements) and private parties; (g) to enforce our terms and conditions; (h) to allow us to pursue available remedies or limit potential damages; and (i) to exercise or defend legal claims.
  • Other ways with consent . We may disclose your personal information in other ways with your consent or at your direction.

California, Virginia, Colorado, Connecticut, and Utah Residents. 

  • We do not sell your personal information or share your personal information for cross context behavioral advertising or for targeted advertising purposes.
  • We may create deidentified information as part of providing our Services. We commit to maintain and use deidentified information in deidentified form only and we will not attempt to reidentify the information, except we may attempt to reidentify the information solely for the purpose of determining whether our deidentification process satisfies our commitment above.
  • We do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.     

4. Our Data Practices on the OneSignal Website(s)

OneSignal Website Information We Collect

We collect the following personal information from visitors of our website(s) (the “OneSignal Website Information ,” including the website on which this Privacy Policy appears (“OneSignal Website(s)”):

  • Identifiers that you disclose to us on the OneSignal Websites, such as name, email address, phone number, and other contact information. For example, you provide your personal information when you request information from us, fill out a form on our website, or interact with us in other ways. 
  • Internet or other electronic network activity information that is collected by automated mechanisms (e.g., with cookies, unique IDs, pixels and other locally stored objects), such as visitor interactions with the OneSignal Websites. (You can learn more about these technologies below in the Section titled “Cookies, Pixel Tags and  SDKs ”). We may use third party-services such as Google Analytics, in which case those third parties gather information such as your IP address, browser type, the webpage from which you came to our website, and the times of your access to the OneSignal Website. In addition, as you browse our website, advertising cookies may be placed on your computer so that we can understand what you are interested in. Our display advertising partners may then help us retarget ads to you on other sites based on your interactions with the OneSignal Website. To “opt out” of having your information used to tailor ads to you in this way by third party ad platforms that we may work with or provide data to, please review the Section below titled “Consumer Control and Opt Out  Options  ”  to learn how to opt-out of these services and instead receive generic, non-tailored ads. When we do use these types of third party advertising partners, we endeavor to limit and restrict their processing to acting solely as our service provider and data processor.
  • Audio and electronic information of our Clients’, partners’, and vendor’s employees and other representatives in connection with business calls and business email communications.
  • Professional or employment related information about our Clients’, partners’, and vendors’ employees and other representatives.
  • Sensitive information, as defined under applicable law, which may include location data and account login data

Sensitive Information

If you are a California resident and you have created an online login account with us, your account login information may be treated as sensitive information under the California Consumer Privacy Act of 2018 (CCPA). The account is set up in your capacity as a representative of one of our Clients. We use that information at your specific request and to perform our services to the Client. We do not use sensitive information for the purpose of inferring characteristics about you. Also, we do not sell sensitive information and we do not process or otherwise disclose sensitive information for the purpose of behavioral advertising. You may ask us to delete this account information, but you will not be able to log in anymore on behalf of the Client.

Sources of OneSignal Website Information

The categories of sources of the SDK Information include the following: 

  • Information provided by you 
  • Information automatically collected from your use of the OneSignal Website
  • Information collected in connection with our business relationship (e.g. interactions with you as a representative of one of our Clients, partners, or vendors)

How We Use the OneSignal Website Information

In addition to the uses described above, we use the OneSignal Website Information (alone or in combination) to provide, market, and operate the OneSignal Websites and Services. Among other things, by collecting the OneSignal Website Information, we are able to:

  • Perform our contract obligations, including maintaining and offering access to the OneSignal Websites and Services and optimizing how they’re offered to our Clients.
  • Send information about our products and services, including administrative and marketing communications.
  • Respond to your questions, concerns, or customer service inquiries.
  • Customize the content and advertising you see on the OneSignal Websites, across the Internet, and elsewhere.
  • Explore a potential acquisition or sale of our business
  • Prevent or stop activity that we may think is illegal; protect our rights, privacy, safety or property, and that of you and others; protect the security of our services or website; comply with applicable law; comply with legal process and our legal obligations; respond to requests or requirements from public, law and government authorities and private parties; to enforce our terms; allow us to pursue available remedies or limit potential damages; and exercise or defend legal claims.
  • Use your information in other ways with your consent or at your direction.

How We Disclose the OneSignal Website Information

We may disclose the OneSignal Website Information to the following categories of third parties:

  • Service providers, such as third parties that help us to provide the OneSignal Websites or Services and make them available and functional (such as hosting services); entities that help us make available or transmit any information we hold (such as helping us send emails, process payments, and manage customer information); and entities that help us (including our contractors, agents, and affiliates) provide technical, customer, billing, administrative, event planning, marketing or operational services to us or our Clients.
  • Corporate affiliates such as subsidiaries.
  • A third party as part of a business sale, merger, consolidation, investment, change in control, transfer of substantial assets, reorganization or liquidation, or in connection with steps taken in anticipation of such an event (e.g., due diligence).
  • A third party if we believe it is required: (a) to prevent or stop activity that we may think is, or is at risk of being, illegal, unethical or legally actionable activity; (b) to protect our rights, privacy, safety or property, and that of you and others; (c) to protect our operations and the security of our services and website; (d) under applicable law; (e) to comply with legal process and our legal obligations; (f) to respond to requests or requirements from public, law and government authorities (including national security and law enforcement requirements) and private parties; (g) to enforce our terms and conditions; (h) to allow us to pursue available remedies or limit potential damages; and (i) to exercise or defend legal claims.
  • Other third partieswith your consent or at your direction.

California, Virginia, Colorado, Connecticut, and Utah Residents. 

  • We do not sell your personal information or share your personal information for targeted advertising purposes.
  • We may create deidentified information as part of providing our Services. We commit to maintain and use deidentified information in deidentified form only and we will not attempt to reidentify the information, except we may attempt to reidentify the information solely for the purpose of determining whether our deidentification process satisfies our commitment above.
  • We do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

5. Cookies, Pixel Tags and SDKs

Cookies and Pixel Tags.  Cookies are small data files containing a string of characters, such as an anonymous unique browser identifier. Cookies are stored on your computer or other device and act as unique tags that identify your device or browser. Our servers may send your device a cookie when you visit the OneSignal Websites, and our Clients and partners may do likewise on our OneSignal Websites, our Clients’ websites, and elsewhere. A pixel tag (also commonly known as a web beacon or clear GIF) is an invisible 1 x 1 pixel that is placed on certain web pages. When you access web pages on which a pixel tag is deployed, the pixel tag may generate a generic notice of the visit and permit OneSignal, our Clients or partners to set or read cookies. Pixel tags are used in combination with cookies to anonymously track the activity on a website by a particular browser on a particular device. If you disable cookies, pixel tags simply detect an anonymous website visit. OneSignal, alone or with our Clients and partners, may use cookies to, among other things, “remember” you (e.g., when you visit the OneSignal Websites or the websites of our Clients or partners), track trends, and collect information about how you use our Clients’ or partners’ websites or interact with advertising. We and partners we work with use cookies to provide relevant content to you and replace non-relevant ads with ads that better match your interests. We may sometimes use other locally stored objects in ways similar to how we use cookies. Often, these objects are deleted when you clear your browser cookie cache, but because this may not always occur (depending on the browser you use), we recommend that if you wish to opt out of notification features or third party interest-based advertising you instead follow the steps we have set forth in Section 7 titled “Consumer Control & Opt-Out Options. 

Mobile Device Identifiers and SDKs.  We may use or work with partners who use mobile SDKs (including our own SDKs, which are described in more detail in this Policy) to collect information, such as mobile identifiers (e.g., IDFAs and Android Advertising IDs), and information related to how mobile devices and their users interact with our Services and those using our Services. The SDK is computer code that app developers can include in their apps to enable ads to be shown, data to be collected, and related services to be implemented. We may use this technology, for instance, to identify users through mobile applications and browsers based on information associated with your mobile device. We do not collect advertising identifiers such as IDFAs or Android Advertising IDs.

Social Media Widgets.  The OneSignal Website may include social media features, such as the Twitter button, and widgets, such as the Share this button or interactive mini-programs. These features may collect your IP address, which page you are visiting on the website, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on the website. Your interactions with these features are governed by the privacy policy of the company providing it.

Do Not Track Signals.  OneSignal currently does not respond to browser do not track (DNT) signals, so we may not be aware of, or may be unable to respond to, such signals.

6. Data Retention

Generally speaking, we retain the SDK Information and Website Information for as long as reasonably necessary to achieve our objectives as detailed in this Privacy Policy, and to comply with our legal obligations, resolve disputes and enforce our agreements. We may delete user information from certain apps that we deem as “inactive,” in-line with applicable privacy laws and privacy best practices, and in response to requests from Clients and individuals. In general, “inactive” apps include apps with no recent messages sent or impressions made, no recent logins by accounts associated with the app, and/or no meaningful changes in user counts.

When considering the retention period for personal information, we consider the nature, sensitivity, and amount of the personal information, the potential risk of harm from unauthorized disclosure or use, and our legal, regulatory, tax, accounting and other similar obligations.

For customers on our free plan, we delete push subscribers that have not been active for the past 18 months. Push subscribers are considered dormant if the subscriber: (1) has not used the customer’s  mobile app or visited the customer’s  website in more than 18 months, or (2) OneSignal has not processed any data points for the subscriber in more than 18 months. For customers on active paid plans, their subscribers will be retained until the customer chooses to delete them.

7. Data Security

We have reasonable administrative, technical, and physical safeguards in place in our physical facilities and in our computer systems, databases, and communications networks. These safeguards are designed to protect information from unauthorized or illegal access, destruction, use, modification, or disclosure and to protect the confidentiality, integrity, and accessibility of personal information. In addition, we are SOC 2 Type 2 certified and have a SOC 2 Type 2 report certifying that our security policies and controls meet industry standards. This report captures how we safeguard customer data and how well those controls are operating. 

Note that no method of electronic transmission or storage is 100% secure and  we cannot guarantee absolute security of personal information.

8. Children

We do not knowingly collect personal information from anyone under the age of 18. Our services and our website are directed to and intended for people who are at least 18 years old or older. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from anyone under the age of 18 without verification of parental consent, we take steps to remove that information from our servers and databases.

If our Clients provide us with information about individuals under the age of 18, as a service provider we rely on our Clients to obtain consent (if required by applicable law) or provide opt out rights (if required by law) and otherwise to provide such rights to individuals and their parents or legal guardians as are required by applicable law, contract, or otherwise.

9. Third-Party Websites and Apps

We are not responsible for the privacy practices or disclosures of websites and applications that use our Services. Likewise, when you access the OneSignal Website, you may be directed to other websites that are also beyond our control. We encourage you to read the applicable privacy policies and terms and conditions of such third parties and websites, and the industry tools that we have referenced in this Privacy Policy. This Privacy Policy, however, only applies to the OneSignal Site and the Services.

10. European Data - Legal Grounds

If you are a visitor to our OneSignal Website from the European Economic Area, Switzerland or the United Kingdom, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

Our legal grounds for processing your personal information may be one or more of the following: 

  • Consent: in some cases, we rely on your consent, which you can withdraw at any time 
  • Performance of a contract with you: we might need to process your personal information to perform our obligations or to take steps prior to entering into a contract with you
  • Compliance with law: in some cases, we may have a legal obligation to use or retain your personal data
  • Legitimate interests: we may also process your personal information where it is necessary for our legitimate interests in a way that might be expected as part of running our business and not overridden by your data protection interests or fundamental rights and freedoms.

If we process your personal information on behalf of a Client, we rely on our Client’s legal ground for processing your personal information on their behalf.

11. Individuals From Outside the United States

Data is hosted and stored in Europe and accessed in the United States, as well as other countries where our offices or facilities are located or where our service providers operate. The data protection and other laws of the United States might not be as comprehensive as those in your country. By using the OneSignal Website or Services you consent to your information being transferred to our offices and facilities and to those of our service providers to whom we disclose it. 

Standard Contractual Clauses

If you are located in the European Economic Area, the United Kingdom or Switzerland, we will protect your personal information when it is transferred outside of your jurisdiction by (a) processing it in a territory that provides an adequate level of protection based on its data protection laws; or (b) implementing appropriate safeguards to protect your personal information, such as relying on the European standard contractual clauses (and the United Kingdom addendum, if applicable). OneSignal currently relies on these European standard contractual clauses for data transfers.

EU-U.S. Data Privacy Framework

Swiss-U.S. Data Privacy Framework

We have certified our participation in the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework ("DPF ") with the U.S. Department of Commerce. This certification relates to our processing of personal information received from the European Economic Area and Switzerland under the DPF in connection with our certification on the DPF list located at https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000008wTNAAY&status=Active .  If there is any conflict between the terms in this disclosure and the DPF principles, the DPF principles will control. To learn more about the DPF, visit the DPF website ( https://www.dataprivacyframework.gov/ ).

The Swiss-U.S. Data Privacy Framework will not be relied upon by us in relation to transfers of any relevant personal information to the U.S. from Switzerland until the date of entry into force of Switzerland’s recognition of adequacy.

We follow the DPF for all personal information received from the European Economic Area or Switzerland under the DPF. Please see further detail about our data practices in this privacy policy, including details about the types of personal information processed, the purposes for the processing, the types of third parties to which personal information is disclosed, an individual’s right to access their personal information, an individual’s choices and means for limiting the use and disclosure of their personal information, and how personal information is disclosed in response to legal requests. 

Our compliance with the DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. In accordance with the DPF, we are also liable for onward transfers to third parties that process personal information in a way that does not follow the DPF.

Please email us at privacy@onesignal.com with any questions, concerns, or complaints about our DPF certification. You can resolve any applicable disputes with us related to our certification free of charge through JAMS ( https://www.jamsadr.com/DPF-Dispute-Resolution ), an alternative dispute resolution provider based in the United States. You can contact JAMS as described at https://www.jamsadr.com/DPF-Dispute-Resolution

In some situations, the DPF Framework gives you the right to invoke binding arbitration. You can do this to resolve complaints not resolved by other means, as described in Annex I to the DPF Framework ( https://www.dataprivacyframework.gov/s/framework-text )

12. Consumer Control and Opt Out Options

You may have the following privacy rights:

  • If you wish to access, correct, or request deletion of your personal information, you can do so at any time by contacting us at  Privacy@OneSignal.com .
  • If you wish to opt-out of marketing communications (including emails), click on the “opt-out” link in our marketing communications or contact us at  Privacy@OneSignal.com .

See Certain US Rights and Rights of Europeans below for additional rights that may apply to you.

Opting Out of OneSignal Push Notifications

You may in most cases opt out of receiving push notifications by going to your device “Settings” and clicking on “Notifications,” and then changing those settings for some or all of the apps on your device. Different device configurations, or updates to devices, may affect or change how these settings work.

Your choice to opt out of “Notifications” from the OneSignal platform will not affect notifications placed by any other organization.

Opting Out of Online Interest-Based Advertising by Third Parties

You can opt out of many of the platforms and service providers that facilitate online interest-based advertising by visiting the Digital Advertising Alliance’s consumer education and opt-out page, at http://www.aboutads.info/. This type of opt out is cookie based and specific to each browser, which means that if you replace or upgrade your browser, or delete your cookies, you will need to opt out again. Opting out in this way will not prevent you from receiving ads – it will just make the ads you see less customized to you.

Opting Out of “Cross-App” Advertising on Mobile Devices by Third Parties

You can opt out of having your mobile advertising identifiers used for certain types of interest-based (also called “cross-app”) mobile behavioral advertising, by accessing the “settings” on your Apple or Android mobile device.

Additional Choices – Our Clients

Our Clients may also provide ways for you to opt out from or limit their collection of information from and about you. Please refer to the privacy policies of our Clients to learn more about their privacy practices.

Where you wish to enforce any of these rights in respect of our Services, you should contact the Client who provides you with the website or mobile application. We will then help them to fulfill that request in accordance with their instructions and applicable legal requirements.

13. Certain US Rights

As a California, Virginia, Colorado, Connecticut or Utah resident, you may have the additional rights below. 

  • Right to know
  • Right to access
  • Right to data portability
  • Right to correction
  • Right to deletion
  • Right of no discrimination and no retaliation
  • Right to appeal (certain states)

Additional rights that are not applicable are not listed above because OneSignal is not engaged in such activities (e.g., selling, sharing for cross context behavioral advertising, targeted advertising, and profiling).

Personal Information from Client

If you make a request relating to personal information that we process on behalf of a Client, you will need to make the request directly with our Client unless our Client has authorized us to respond directly to you. 

Know, Access, and Data Portability 

You have the right to request that we disclose certain information to you about our collection and use of your personal information. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our purposes for collecting that personal information.
  • The categories of third parties to whom we disclosed that personal information.
  • The specific pieces of personal information we collected about you – you can then copy and port that information.

Correction 

You have the right to request that OneSignal correct any of your personal information that OneSignal collected from you and retained. Once we receive and confirm your verifiable consumer request, we will correct your personal information.    

Deletion 

You have the right to request that OneSignal delete any of your personal information that OneSignal collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete your personal information from our records, unless an exception applies under applicable law. 

Right of No Discrimination and No Retaliation

We will not retaliate or discriminate against you for exercising any of your rights under applicable law. You have the right not to receive discriminatory treatment for the exercise of any of these rights.

Appeal Right – Virginia, Colorado, Connecticut Residents

If we decline to take action regarding your request, we will inform you of that decision and the justification for declining to take action. 

If we decline to take action at the direction of our Client, you must contact the Client directly to appeal the decision. 

For Virginia residents, you have the right appeal our decision by no later than 30 days after we inform you of our decision. Send your appeal to us via email at Privacy@OneSignal.com with “Appeal Right” in the subject line of your email.  Within 60 days after we receive your appeal, we will inform you of any action taken or not taken in response to the appeal. If the appeal is denied, you may contact Virginia’s Attorney General to submit a complaint at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

     

For Colorado residents, you have the right appeal our decision by no later than 30 days after we inform you of our decision. Send your appeal to us via email at Privacy@OneSignal.com with “Appeal Right” in the subject line of your email.  Within 45 days after we receive your appeal, we will inform you of any action taken or not taken in response to the appeal. We may extend this period by 60 additional days where reasonably necessary. If the appeal is denied, you may contact Colorado’s Attorney General to submit a complaint at https://coag.gov/file-complaint/.

For Connecticut residents, you have the right appeal our decision by no later than 30 days after we inform you of our decision. Send your appeal to us via email at Privacy@OneSignal.com with “Appeal Right” in the subject line of your email.  Within 60 days after we receive your appeal, we will inform you of any action taken or not taken in response to the appeal. If the appeal is denied, you may contact Connecticut’s Attorney General to submit a complaint at https://portal.ct.gov/AG/Common/Complaint-Form-Landing-page.

Exercising Your Rights

To exercise the rights described above, please submit a verifiable consumer request emailing us at Privacy@OneSignal.com and including your full name and email address and the type of request you are making (e.g., right to know, access, portability, correction, or deletion).     

     

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. 

14. Rights of Europeans

If your personal information is protected under applicable European law, you may have the following rights:

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing 
  • Right to data portability
  • Right to object 
  • Right in relation to automated decision-making and profiling*
  • Right to withdraw consent
  • Right to lodge a complaint 

*OneSignal currently does not engage in automated decision-making or profiling.

Personal Information from Client

If you make a request relating to personal information that we process on behalf of a Client, you will need to make the request directly with our Client unless our Client has authorized us to respond directly to you. 

If you wish to exercise the rights above, contact us at Privacy@OneSignal.com

If you wish to withdraw your consent to the processing of your personal information, the withdrawal will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on other legal grounds other than consent.

You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local supervisory authority.

Privacy Notice for California, the United Kingdom, and Singapore Company Workforce 

This Privacy Notice for California, the United Kingdom, and Singapore Company Workforce (“     Workforce Notice ”) applies solely to employees, controlling owners, directors, officers, independent contractors, and medical staff (if any) of OneSignal who are California, United Kingdom or Singapore residents (“you” or the “Company Workforce”). California, the United Kingdom, and Singapore job applicants can review our careers privacy policy here: https://onesignal.com/job-privacy

Information We Collect from Company Workforce

We collect the following categories of personal information from our Company Workforce:

Sensitive Information

We collect the above examples of sensitive personal information from our Company Workforce. We use this sensitive information for the purposes set forth in “Use of Personal Information ” below. We do not use sensitive information for the purpose of inferring characteristics about you. We do not sell your sensitive information, and we do not process or otherwise disclose sensitive information for the purpose of behavioral advertising.

Sources of Collection

These are the categories of sources of your personal information that we collect:

  • Directly from you 
  • Automatically 
  • From service providers 

Use of Personal Information

We may use the personal information of the Company Workforce for the following purposes:

  • Employees, directors and officers: We may use your information for the following purposes: identifying you, verifying work authorization, administering taxes and health, medical and other benefit plans, keeping track of your records, contacting you, facilitating payment to bank accounts, contributing to and administering 401(k) plans, garnishing wages required by law, evaluating performance, tracking efficiency and productivity, protecting against disclosure of confidential information and trade secrets, and ensuring compliance with applicable laws and company policies.
  • Independent contractors: We may use your information for the following purposes: identifying you, administering taxes, keeping track of your records, contacting you, facilitating payment to bank accounts, evaluating performance, tracking efficiency and productivity, protecting against disclosure of confidential information and trade secrets, and ensuring compliance with applicable laws and company policies.
  • Controlling Owners: We may use your information for the following purposes: identifying you, administering equity ownership and taxes, keeping track of records, contacting you, facilitating payment to bank accounts, and ensuring compliance with applicable laws and company policies.
  • Legal and Other Uses. We may also use your information if we believe it is required or appropriate: (a) to prevent or stop activity that we may think is, or is at risk of being, illegal, unethical or legally actionable activity; (b) to protect our rights, privacy, safety or property, and that of you and others; (c) to protect our operations and the security of our Services; (d) under applicable law; (e) to comply with legal process and our legal obligations; (f) to respond to requests or requirements from public, law and government authorities (including national security and law enforcement requirements) and private parties; (g) to enforce our terms and conditions; and (h) to allow us to pursue available remedies or limit potential damages.
  • We may use your information as described to you when collecting your personal information or as otherwise permitted under applicable law     .

Disclosing Personal Information

We disclose the above categories of personal information to the following categories of third parties: 

  • Service Providers.
  • Affiliates.
  • Buyer, investor, etc. of our business.
  • Legal and other Disclosures.
  • Other third parties with your consent.

No Sale of Personal Information and No Sharing Personal Information for Cross-Context Behavioral Advertising 

We do not sell personal information. We do not share personal information to other companies for their cross-context behavioral advertising purposes. “Sell” and “share” are defined under the CCPA. 

Your Rights  

Your rights may include the following: 

  • Right to know
  • Right to access
  • Right to data portability
  • Right to correction (or right to rectification in the UK)
  • Right to deletion (or right to erasure in the UK)
  • Right not to receive retaliatory or discriminatory treatment (CA)
  • Right to restrict processing (UK)*
  • Right to object to processing (UK)*
  • Right to withdraw consent (UK and Singapore)*
  • Right to lodge a complaint with a data protection authority (UK)

Additional rights that are not applicable are not listed above because OneSignal is not engaged in such activities (e.g., selling, sharing for cross context behavioral advertising, targeted advertising,  and profiling).

*Exercising these rights may not affect the lawfulness of certain processing that we are required to do to comply with applicable law.

Exercising Your California, United Kingdom, and Singapore Rights

To exercise the rights described above, please submit a verifiable consumer request as follows:

  • emailing us at Privacy@OneSignal.com and including your full name and email address and the type of request you are making (e.g., right to know, access, portability, correction, or deletion), or
  • writing us at Privacy Policy, Attention: Legal, 201 S. B Street, Suite 200, San Mateo, CA 94401

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. 

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. 

We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request. 

Category Examples of information collected
Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number (or local equivalent), driver’s license number, passport number, visa information, or other similar identifiers.
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
Protected classification characteristics under California or federal law. Age (40 years or older), race, national origin, medical condition, disability, gender, sexual orientation, veteran or military status.
Internet or other similar network activity. Browsing history, search history, information on a consumer’s interaction with a website or application.
Geolocation data. Physical location.
Audio and electronic data. Recordings of virtual meetings, electronic communications, and recordings from security cameras on office premises.
Professional or employment-related information. Current or past job history, resume information, or performance evaluations.
Inferences drawn from other personal information. Profile reflecting a person’s intelligence, abilities, and aptitudes.
Sensitive personal information. Social security number, driver’s license, passport number, company account login, financial account information, precise geolocation, race or ethnic origin, citizenship, immigration status, contents of emails.

Sensitive Information

We collect the above examples of sensitive personal information from our Company Workforce. We use this sensitive information for the purposes set forth in “Use of Personal Information ” below. We do not use sensitive information for the purpose of inferring characteristics about you. We do not sell your sensitive information, and we do not process or otherwise disclose sensitive information for the purpose of behavioral advertising.

Sources of Collection

These are the categories of sources of your personal information that we collect:

  • Directly from you 
  • Automatically 
  • From service providers 

Use of Personal Information

We may use the personal information of the Company Workforce for the following purposes:

  • Employees, directors and officers: We may use your information for the following purposes: identifying you, verifying work authorization, administering taxes and health, medical and other benefit plans, keeping track of your records, contacting you, facilitating payment to bank accounts, contributing to and administering 401(k) plans, garnishing wages required by law, evaluating performance, tracking efficiency and productivity, protecting against disclosure of confidential information and trade secrets, and ensuring compliance with applicable laws and company policies.
  • Independent contractors: We may use your information for the following purposes: identifying you, administering taxes, keeping track of your records, contacting you, facilitating payment to bank accounts, evaluating performance, tracking efficiency and productivity, protecting against disclosure of confidential information and trade secrets, and ensuring compliance with applicable laws and company policies.
  • Controlling Owners: We may use your information for the following purposes: identifying you, administering equity ownership and taxes, keeping track of records, contacting you, facilitating payment to bank accounts, and ensuring compliance with applicable laws and company policies.
  • Legal and Other Uses. We may also use your information if we believe it is required or appropriate: (a) to prevent or stop activity that we may think is, or is at risk of being, illegal, unethical or legally actionable activity; (b) to protect our rights, privacy, safety or property, and that of you and others; (c) to protect our operations and the security of our Services; (d) under applicable law; (e) to comply with legal process and our legal obligations; (f) to respond to requests or requirements from public, law and government authorities (including national security and law enforcement requirements) and private parties; (g) to enforce our terms and conditions; and (h) to allow us to pursue available remedies or limit potential damages.
  • We may use your information as described to you when collecting your personal information or as otherwise permitted under applicable law     .

Disclosing Personal Information

We disclose the above categories of personal information to the following categories of third parties: 

  • Service Providers.
  • Affiliates.
  • Buyer, investor, etc. of our business.
  • Legal and other Disclosures.
  • Other third parties with your consent.

No Sale of Personal Information and No Sharing Personal Information for Cross-Context Behavioral Advertising 

We do not sell personal information. We do not share personal information to other companies for their cross-context behavioral advertising purposes. “Sell” and “share” are defined under the CCPA. 

Your Rights  

Your rights may include the following: 

  • Right to know
  • Right to access
  • Right to data portability
  • Right to correction (or right to rectification in the UK)
  • Right to deletion (or right to erasure in the UK)
  • Right not to receive retaliatory or discriminatory treatment (CA)
  • Right to restrict processing (UK)*
  • Right to object to processing (UK)*
  • Right to withdraw consent (UK and Singapore)*
  • Right to lodge a complaint with a data protection authority (UK)

Additional rights that are not applicable are not listed above because OneSignal is not engaged in such activities (e.g., selling, sharing for cross context behavioral advertising, targeted advertising,  and profiling).

*Exercising these rights may not affect the lawfulness of certain processing that we are required to do to comply with applicable law.

Exercising Your California, United Kingdom, and Singapore Rights

To exercise the rights described above, please submit a verifiable consumer request as follows:

  • emailing us at Privacy@OneSignal.com and including your full name and email address and the type of request you are making (e.g., right to know, access, portability, correction, or deletion), or
  • writing us at Privacy Policy, Attention: Legal, 201 S. B Street, Suite 200, San Mateo, CA 94401

Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. 

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. 

We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.