GDPR & CCPA overview


GDPR (General Data Protection Regulation) took effect May 25, 2018, and its regulations apply to any company, person, or group that collects, processes, or otherwise handles the personal data of EU and UK residents.

GDPR defines two different types of organizations who have to follow the new regulations: data controllers and data processors.

  • Data controllers: determine why and how personal data is processed. As a Leanplum customer, your organization is considered a data controller.
  • Data processors: process user data on behalf of the controller. Leanplum processes user data on your behalf, which makes us a data processor.

As a processor, Leanplum provides the technical capabilities and organizational processes that will allow you and our customers to maintain the rights of your EU and UK users while using our product.


Inspired by GDPR, California enacted its own consumer data protection regulations called California Consumer Protection Act (CCPA). Effective January 1, 2020 this act works to create new consumer rights for personal data collected from California residents.

Under CCPA, Leanplum is a Service Provider to our customers and businesses. Consumer rights to erasure, objection, access & portability are fulfilled via the same APIs created for GDPR. However, th right to rectification is currently absent from CCPA.

See below for some common tasks to help you remain GDPR and CCPA compliant while using Leanplum.

Informing your end users

As a data controller, you have to inform your end-users about the personal data you collect from them and their rights surrounding this data. GDPR & CCPA lay out several requirements for what you must inform your end-users, and it’s up to you to provide the information in a transparent, accessible way.

For more details on how Leanplum handles and protects your users’ data, refer to the security information in your contract’s data processing addendum.

User consent for data collection

Under GDPR & CCPA, users must explicitly opt-in to data collection before you start tracking with Leanplum. The GDPR has some stringent requirements for how and when to give users the option to consent for data collection, so make sure you are aware of these regulations.

To prevent data collection through Leanplum, do not call leanplum.start() until after the user opts-in for data collection. You can also offer separate opt-out prompts for different messaging channels in Leanplum. Giving users more options to control their app experience might encourage them to consent (opt-in) to data collection.

For example, if a user opts-in to data collection in general, but not to email or push, your app should call leanplum.start and the opt-out methods for the push and email channels. See the unsubscribe params in setUserAttributes for more info.

Block data collection and processing

If a user objects to data processing, you can prevent Leanplum from collecting and processing data for that user with the block API request.

block will stop Leanplum from collecting data for that user moving forward. In order to ensure that Leanplum does not process this user’s old data, we will delete all of their data from our systems.

See block for more details.

Erasing user data

Under GDPR & CCPA, data subjects have the right to request the deletion or removal of personal data.

To delete a user’s data from Leanplum, you can use the deleteUser request, which will delete all attributes for that user. You can also use this call to delete a user's sessions data.

See deleteUser for more information.


Data Exported to AWS S3 Bucket

If you export Leanplum data into an AWS S3 bucket or other backup locations, you will be responsible to handle the GDPR & CCPA requests on that data.

Data access and portability

Users also have the right to request a copy of their personal data in a human or machine-readable format. Both GDPR and CCPA specify that data subjects can obtain and reuse their personal data for their own purposes (for example, to create an account with a competing service).

To receive a copy of a user’s data, you can use the exportUser request. This will return all user attributes.

More coming soon on requesting your users’ data from Leanplum.

Rectify user data

As a data controller, GDPR requires you to give users the ability to correct personal data if they feel it is inaccurate or incomplete. In Leanplum, this includes user location, user attributes, and device attributes.

Use the setUserAttributes API request to change a user's attributes or location data in Leanplum. You can also change device-specific attributes using setDeviceAttributes.

Additional support

If you are unsure of how to use some of the methods or processes above, contact [email protected] for assistance. We are happy to answer any questions on how to use our platform. One note, we do not provide any legal advice and are not qualified lawyers. For any legal questions about GDPR or CCPA, we urge you to consult with your lawyer.

You can also find some general guidelines for using the Leanplum API here.