
What is the true cost of using OneSignal push notification?

Yes, I know, OneSignal is free to use.
BUT you and I know there is no free lunch. OneSignal is an amazing service and I’ve been enjoying it. But as I get closer to releasing one particular product of mine, I’ve stopped to ponder the way OneSignal makes their money.
For a company that has raised about $9.2 million, one really needs to understand their business model.
To make this post short, OneSignal has made it emphatically clear that they make money by selling your users’ data to third parties.

FREE - Best of all, OneSignal is a free service that supports unlimited devices and notifications. OneSignal makes money by selling data to advertisers and research companies. We also offer paid service options for clients that require increased data privacy.

The good thing is they didn’t hide this fact in some fine-print legal jargon. You can read it all on their privacy policy page here. Luckily it’s very short too and in plain English, just about a 3-minute read.

Pay particular attention to section 5 (Cookies, Pixel Tags and SDKs). Basically, yes, they’re going to collect your users’ phone numbers, IP addresses (locations), browsing behaviour, etc., and share (sell) them to their partners.

I think as developers it’s our responsibility to understand the services we use, especially when it comes to our end users’ privacy.
I’m currently in limbo, as I’m not comfortable with the kind of data they’re collecting and selling, especially given that this particular application I’m currently working on is a health/medical application. On the other hand, there is no better push notification service well supported by tools like Bubble and Dropsource, which I’m using.

Does anyone have information on their premium package if you don’t want them selling your users’ data? I’ve contacted them and am waiting for their response.
Maybe if we’re concerned with our end users’ privacy we should look into paying for the service and maybe passing on the cost to the users.

If you’re a developer/freelancer that uses such services too, I think you should let our clients know about these privacy issues.

There is no free lunch!


Here is a post discussing how free push notification companies including OneSignal make money.

@seanhoots did you ever find out about the paid service? As I think about users’ privacy as well.

Hi @falcor, I actually didn’t get a response from them. But I haven’t followed up, though.

OK, so unless you’ve not been following technology news, you will have heard about the Facebook and Cambridge Analytica data privacy scandal.
Here is a timeline for those not in the know.

I decided to come back to this post because I think it is extremely important for developers to take this seriously.
Just yesterday OneSignal sent the email below to all its users (I’m sure some of you received it as well).
Even if you haven’t read the OneSignal privacy policy, just reading between the lines in the email will tell you some of the data they’re taking from your users (e.g. IP address).

One thing that caught my attention in the email sent yesterday is the last paragraph, whereby OneSignal makes it clear you’re responsible for ensuring that you have a valid legal basis for the personal data OneSignal is collecting from your users.

For clients who use OneSignal in their apps or websites and who have EU users or are based in the EU, you are responsible for ensuring that you have a valid legal basis (e.g., consent, legitimate interest) for the personal data that is being sent to OneSignal. We recommend working with your legal counsel for guidance on your specific responsibilities.

So for people developing your own apps or developing for others, it is important you take note of this and take the right course of action.

Does anyone know the privacy policy for Google Firebase push notification (FCM)? I can’t seem to find it anywhere.

Dear OneSignal Client,

OneSignal is committed to helping our clients be GDPR compliant when using our Web Push, Mobile Push, and E-mail products. Our business and legal team are working hand-in-hand with many of our existing clients to ensure compliance with EU law. Whether you are in the EU or not, we’d like to help make it easier for all of our partners to comply with GDPR.

While these specific suggestions and changes we’re making will help you comply with GDPR, we also recommend that you consult with your legal counsel for compliance recommendations specific to your company.

Some of the major changes we’re making include updating our legal terms and our push and email products to limit our access to and what data is stored from EU users. We’ve been working closely with our legal team to update our EULA and make these product updates before the May 25th deadline.

These product changes include:

  1. Providing the option to not store end-user IP addresses, and by default, not storing the IP addresses of end-users from countries within the EU.

  2. For all clients, beginning on May 21st, 2018, we will discontinue building data models with data nor will we monetize any EU user data with our business and analytics partners. For our Enterprise clients, we have introduced a Data Processor Agreement (DPA) which formally designates us as a Processor for all data.

  3. Releasing updated versions of our SDKs to make it easier for our clients to prevent user data from being sent to OneSignal until a user explicitly consents.

  4. Adding support to our API for the deletion of user data. Additionally, we are reducing our data retention period of deleted data to 72 hours.

  5. Updating our user data exporting capabilities to make it easier to search for and export user data from OneSignal. This will help our clients meet individual user requests for restriction, erasure, and data portability.

  6. Preparing a guide on how to use OneSignal for push notifications without sending us personal user data.

In addition to the product changes, we’ve taken steps internally to ensure that all data sent to OneSignal is stored securely. These steps include auditing the software we use for security vulnerabilities, ensuring we’re using up-to-date versions, improving network security in our datacenter, and ensuring we maintain and follow security best practices internally to ensure that we prevent unauthorized access to our servers.

For clients who use OneSignal in their apps or websites and who have EU users or are based in the EU, you are responsible for ensuring that you have a valid legal basis (e.g., consent, legitimate interest) for the personal data that is being sent to OneSignal. We recommend working with your legal counsel for guidance on your specific responsibilities. We are happy to work alongside you and your legal team to ensure compliance while using our services.

If you have any questions or concerns about this topic, our team is happy to answer any questions you have. Please send your inquiries to [email protected].

A good practice is to disclose in your privacy policy all the 3rd party providers you are using (and sending PII to) and a link to their own privacy policy.

Thanks to GDPR the world will be a better place.

I just found this article which really summarizes the privacy policy requirements for the different platforms if your app uses push notifications.

In short, if your app sends push notifications to users, you’re likely going to need a Privacy Policy.

Hi @JonL, is it just enough to link the privacy policy of the push notification service?

For clients who use OneSignal in their apps or websites and who have EU users or are based in the EU, you are responsible for ensuring that you have a valid legal basis (e.g., consent, legitimate interest) for the personal data that is being sent to OneSignal. We recommend working with your legal counsel for guidance on your specific responsibilities.

How will it address the highlighted text above?

Not enough.

What I do first is gather “explicit consent” during user creation. Your typical checkbox that points to the privacy policy. “I’ve read and agree to…”

In that policy I inform that I will handle, store and share if needed with 3rd party service providers. Then I disclose the list of 3rd party service providers with a link to their privacy policy.

So consent comes first. Then as a good practice I provide the names of the 3rd parties.

You can be as transparent as you want. You may want to let users know exactly what you are sharing with these providers.

This is for SMEs:


Thanks, that makes a lot of sense.

An important point. Unfortunately, we developers are sometimes not aware of what data we’re sending out due to some third party service we’re using, so we’re not able to be very transparent.
And I think it’s our responsibility to really know these privacy issues and, if possible, present them to the user in a very clear and understandable way instead of just pointing them to some fine-print, legal-jargon privacy page which we all know no one reads.


That is actually one of the points where GDPR focuses: the usage of plain language.


Sorry to send this now in the old topic.

After reading your post since 2018, today I got random notifications with pornography ads, after contacting them

I got an email from them saying change my password and the REST API got LEAKED. They said remove admin users; however, it’s only my account. Also, if someone hacked my account I should see in the history the push message. Lastly, they said to reset the REST API. That’s dumb; I had two apps, one I made in 2018 and one this week, both have different API keys, how the hell did they get “hacked”? Also, just like you said, AdMob doesn’t send ads via notifications, therefore it’s the issue within . Just to let you know, I got this once in 2019 but I didn’t report it. I’m surprised no one else did either.

my reply to :

Sir, I got the notifications on both apps. In the history of the push notification messages sent, I don’t see anything… Also, I changed my password just in case, even though I have a feeling that it’s not the problem because, again, I don’t see any push messages in the history of my apps. Lastly, the “REST API key” is not the problem: I have two apps with two API keys, I don’t think both are leaked, and I don’t have any of my project files anywhere on the web. I believe that your system has been compromised and someone is responsible for this. Just to let you know, this is not the first time it has happened.

Thinking Pushsafer is the way to go. ~ $0.001 per message, you buy a 1000 for .99 EUR. Pricing is straightforward, API easy to use.

Caveat is users must install the Pushsafer app…