GDPR Compliance

Implement privacy-compliant tracking with consent management.

Overview#

Mobana is designed with privacy in mind:

No device IDs: We don't collect IDFA, GAID, or other device identifiers.
No personal data: The SDK doesn't collect names, emails, or other PII.
Probabilistic matching: Attribution uses IP address, timezone, and screen size — not persistent identifiers.
User control: The setEnabled() method lets users opt out at any time.

Data Collected#

The SDK collects the following data:

• Install ID: Random UUID generated on first launch
• Platform: iOS or Android
• Device signals: Timezone, screen dimensions, language
• UTM parameters: From attribution redirect URLs
• Conversion events: Event names and values you track
• Flow events: Flow interaction events

None of this data is personally identifiable on its own. The install ID is random and can be reset at any time.

Implementing Consent#

Check for Consent on Launch

App.tsx

// Show consent prompt before initializing SDK
async function handleAppStart() {
  // Check if we've already asked for consent
  const consentStored = await AsyncStorage.getItem('tracking_consent');
  
  if (consentStored === null) {
    // First launch - show consent prompt
    navigation.navigate('ConsentScreen');
    return;
  }
  
  // Initialize SDK based on stored consent
  await Mobana.init({
    appId: 'YOUR_APP_ID',
    enabled: consentStored === 'true',
  });
}

Consent Screen

ConsentScreen.tsx

// ConsentScreen.tsx
function ConsentScreen() {
  const handleAccept = async () => {
    await AsyncStorage.setItem('tracking_consent', 'true');
    
    // Initialize and enable SDK
    await Mobana.init({
      appId: 'YOUR_APP_ID',
      enabled: true,
    });
    
    navigation.navigate('Home');
  };
  
  const handleDecline = async () => {
    await AsyncStorage.setItem('tracking_consent', 'false');
    
    // Initialize but keep disabled
    await Mobana.init({
      appId: 'YOUR_APP_ID',
      enabled: false,
    });
    
    navigation.navigate('Home');
  };
  
  return (
    <View>
      <Text>We use attribution tracking to understand how users find our app.</Text>
      <Button onPress={handleAccept}>Accept</Button>
      <Button onPress={handleDecline}>Decline</Button>
    </View>
  );
}

Allow Users to Change Consent

PrivacySettings.tsx

// Settings screen - allow users to change their mind
function PrivacySettings() {
  const [trackingEnabled, setTrackingEnabled] = useState(false);
  
  useEffect(() => {
    AsyncStorage.getItem('tracking_consent').then(value => {
      setTrackingEnabled(value === 'true');
    });
  }, []);
  
  const handleToggle = async (enabled: boolean) => {
    setTrackingEnabled(enabled);
    await AsyncStorage.setItem('tracking_consent', String(enabled));
    
    // Update SDK state
    Mobana.setEnabled(enabled);
  };
  
  return (
    <View>
      <Text>Allow attribution tracking</Text>
      <Switch value={trackingEnabled} onValueChange={handleToggle} />
    </View>
  );
}

GDPR Data Subject Rights#

Right to Access

Users can request what data is collected:

// Handle GDPR data request
async function handleDataRequest() {
  // Get the install ID for reference
  // Note: You'll need to expose this or track it separately
  const installId = await AsyncStorage.getItem('@mobana:install_id');
  
  // Send this to your support team or backend
  // Mobana stores: installId, UTM parameters, timestamps
  // No personal data (name, email, etc.) is collected by the SDK
  
  return {
    installId,
    dataCollected: [
      'Install timestamp',
      'UTM parameters (source, campaign, medium)',
      'Device platform (iOS/Android)',
      'Conversion events',
    ],
  };
}

Right to Erasure

Users can request data deletion:

// Handle GDPR data deletion request
async function handleDataDeletion() {
  // Clear all local Mobana data
  await Mobana.reset();
  
  // Reset consent state
  await AsyncStorage.removeItem('tracking_consent');
  
  // Note: Server-side data is anonymized (only installId and UTM params)
  // and can be deleted upon request to [email protected]
}

For server-side data deletion, users should contact [email protected] with their install ID.

SDK Behavior When Disabled#

When the SDK is disabled via enabled: false or setEnabled(false):

getAttribution() returns null
trackConversion() queues events locally but doesn't send them
startFlow() returns an error
No network requests are made

When re-enabled, queued conversions are sent and normal operation resumes.

Best Practices#

Ask once, respect always: Don't repeatedly ask users who declined. Show a toggle in settings instead.
Be clear about purpose: Explain that tracking helps you understand which ads work, not track their personal behavior.
Offer granular control: Some users may be comfortable with attribution but not flow analytics.
Document your compliance: Keep records of your consent implementation for audits.

Custom Endpoints

/redirect