Information systems security and privacy issues are top priorities for Batch. We carry out a permanent legal watch to ensure that our products and services remain up to date on GDPR compliance.

We provide our customers with the necessary information and actionable features for GDPR compliance.

Geographical location of the data

Our customers' data is stored exclusively in France and we do not maintain any technical infrastructure outside the European Union. Batch does not send personal data to external entities.

For more details, you can find our Data Processing Agreement (DPA) on https://dashboard.batch.com/gdpr as soon as you create an account with Batch here.

Default data collected by Batch

Hereafter is a list of the data which is collected natively by Batch for mobile and web integrations.

Mobile (iOS / Android)

  • Installation ID

  • Advertising ID (can be deactivated: iOS / Android)

  • Identifier for Vendor (IDFV), on iOS (can be deactivated).

  • API level of the SDK (on Android)

  • IP address (shared with Batch, but not stored on Batch side)

  • Bundle ID

  • OS version

  • App version

  • Batch SDK version

  • Push token

  • Push notifications opt-in status

  • MLVL (Mobile Landing Version)

  • Transaction tracked

  • Device's brand

  • Device's model

  • Mobile carrier: Batch collects the MNC/MCC codes and deducts the carrier name based on these IDs.

  • Locale (language and region)

  • Device time zone

  • Country: Batch deducts the country based on the IP address. If the IP address cannot be used, Batch will use the country set in the device settings.

  • City: Batch uses IP geolocation to find the city of your users. This feature works when the user is on a Wi-Fi network, not on a cellular network.

Web

  • Installation ID

  • IP address (shared with Batch, but not stored on Batch side)

  • Push token

  • Push notifications opt-in status

  • User-agent (web browser, OS, etc.)

  • Locale (language and region)

  • Country

  • Device time zone

  • City (see above for more details)

  • Batch SDK version

Batch does not set any cookies but relies on Local Storage.

App usage and campaigns data (App + Web)

  • First SDK start date

  • Last SDK start date

  • List of the campaigns that targeted the install.

  • List of the campaigns that targeted the install and clicked by the user.

  • Smart Segment

  • Send date of the most recent campaign that targeted the install.

  • Number of push sent to the install, used for frequency capping limit.

🚧 Note:

According to the GDPR, you need to obtain consent from your users for the data treatments that you implement. Your legal team can help you to determine how to handle these treatments in your specific case.

In addition to the data listed above, you’re free to send custom data to Batch. In this case, ensure that you have all the necessary consent too.

You can use all the methods offered by Batch to comply with your users' choices.

Actionable features for GDPR compliance

Activate/Deactivate Batch's SDK on demand

On mobile, the SDK can be disabled by default and start collecting data only after consent. Optionally, locally collected data can be deleted when the user opt-outs.

The SDK opt-out methods are documented here: iOS / Android.

The collection of the Advertising ID (e.g. IDFA / GAID), can be easily disabled (see our documentation here: iOS / Android).

For web push, you can deactivate Batch's JavaScript tag manually or using your Tag Manager. For example, you can choose to execute the JavaScript tag only after your users give their consent through your CMP.

Read more: How to integrate Batch into my CMP?

Data Access / Deletion

Batch provides a GDPR-dedicated API, which can be integrated into your internal processes to carry out requests for access or deletion of data linked to an identifier. This ID can be a custom user ID, an advertising ID, or an installation ID.

Our API also supports an OpenGDPR endpoint (https://opengdpr.org/).

The API features are also available in a Privacy Center on our operational dashboard via Settings β†’ GDPR:

The dashboard shows the list of all the requests made from the API or the dashboard on a daily basis:

It also shows the status of all your data access/removal requests:

It is possible to wipe local SDK data directly using the methods documented here: iOS / Android.

In all cases, any/all deleted data resulting from a manual action are permanently wiped from our databases under a 30 days max. retention period to make sure that you can comply with the 3 months max. official GDPR requirement.

Did this answer your question?