Tutorial · March 15, 2026 · 7 min read

GDPR compliance for push notifications: what you need to know

This is practical guidance, not legal advice — but most push-notification GDPR questions come down to a few concrete practices.

Consent must be informed and specific

The browser permission prompt alone is weak consent. Tell users what they're opting into ("order updates", "weekly digest") before the native prompt, and let them opt out per topic afterwards.

Keep a consent record

Store when and how a subscriber opted in. If you ever need to demonstrate consent, "the browser allowed it" is not enough — a timestamped record tied to the subscriber is.

Push tokens are personal data

An endpoint/token is a pseudonymous identifier tied to a device — treat it as personal data: encrypt at rest, limit access, and include it in deletion/export requests.

Honor deletion and export

Mind your subprocessors

Apple (APNs), Google (FCM), and browser-vendor push services receive your payloads to deliver them. List them as subprocessors in your privacy policy and offer a DPA to business customers.

OpenPushAPI encrypts credentials at rest, auto-removes dead tokens, supports per-subscriber deletion, and documents its subprocessors — the building blocks for a compliant setup.
