Why Firebase Requires Privacy Disclosure
Firebase is not a single product. It is a suite of over a dozen services, each with its own data collection practices. When you add the Firebase SDK to your app, multiple services may begin collecting data automatically, even before you write a single line of custom code. Both Google Play and the Apple App Store require apps to have a privacy policy that accurately describes all data collection.
Google requires developers who use Firebase to maintain a privacy policy. This is not optional. If your mobile app uses any Firebase service, your policy must name Firebase, describe what data each service collects, and explain how that data is processed and stored.
Firebase Services and Data Collection
Each Firebase service collects different types of data. Your privacy policy must account for every service you use.
| Service | Data Collected | Purpose |
|---|---|---|
| Analytics | Device ID, session data, screen views, events, user properties | Usage tracking and reporting |
| Crashlytics | Crash logs, stack traces, device state, OS version | Crash reporting and stability monitoring |
| Cloud Messaging | Device tokens, message metadata, delivery data | Push notifications |
| Authentication | Email, phone number, OAuth tokens, IP address | User identity and sign-in |
| Firestore | User-defined document data, read/write metadata | Cloud database storage |
| Realtime Database | User-defined JSON data, connection metadata | Real-time data sync |
| Remote Config | Device info, app version, country | Feature flags and A/B config |
| Performance Monitoring | App startup time, HTTP request traces, device info | App performance tracking |
| A/B Testing | Experiment assignments, Analytics events | Experiment management |
| Dynamic Links | Link metadata, device info, referrer data | Deep linking across platforms |
| Cloud Functions | Request data, execution logs | Server-side logic execution |
| ML Kit | Image/text data (on-device or cloud), model usage | Machine learning features |
| AdMob | Ad interactions, device ID, location (if permitted) | Ad serving and revenue |
Google's Data Processing Terms
Google offers Firebase Data Processing Terms that govern how Google handles data collected through Firebase services. These terms are important for GDPR compliance because they establish Google's role as a data processor for most Firebase services.
Data processor services: For Crashlytics, Cloud Firestore, Authentication, and Cloud Functions, Google acts as your data processor and only processes data on your instructions.
Data controller services: For Firebase Analytics (when linked to Google Analytics), Google may act as an independent data controller, using data for its own purposes like benchmarking.
Standard Contractual Clauses: Google's Data Processing Terms include SCCs for international data transfers, providing a legal mechanism for EU data to be processed on Google's global infrastructure.
Data retention controls: You can configure retention periods for Analytics data (2 or 14 months) and request deletion of user data through the Firebase console or API.
Do I need to sign Google's Data Processing Terms separately?
No. The Firebase Data Processing Terms are automatically included when you accept the Firebase Terms of Service. However, you should review them to understand your obligations and reference them in your privacy policy when explaining how Google processes data on your behalf.
Firebase Analytics and Google Analytics 4
Firebase Analytics is now powered by Google Analytics 4. This means your app's analytics data flows into the same Google Analytics infrastructure used by websites. Your privacy policy must reflect this connection.
What Firebase Analytics Collects Automatically
- App instance ID (unique per device installation)
- Screen views and session duration
- Device model, brand, OS version, and app version
- Country, region, and language settings
- First open time, app update events, and in-app purchases
If you link your Firebase project to Google Analytics, the data sharing settings in your GA4 property also apply. Review both your Firebase and Google Analytics configurations to ensure your privacy policy covers all data flows.
Crashlytics Data Collection
Crashlytics is one of the most widely used Firebase services, and it collects significant device and app data when crashes occur. Many developers underestimate how much information Crashlytics captures.
Crashlytics Data Points
- Crash traces and stack traces
- Crashlytics installation UUID
- Device state at crash time (orientation, free RAM, disk space)
- Operating system version and device model
- Custom keys and logs (if you add them in your code)
Cloud Messaging and Push Notifications
Firebase Cloud Messaging (FCM) enables push notifications, but it also collects data that must be disclosed. Each device that registers for push notifications receives a unique token, and FCM tracks delivery metadata.
FCM Data Collection
- Device registration tokens (unique per app installation)
- Message delivery status and timestamps
- Topic subscriptions and device group memberships
- Message open and interaction analytics (if linked to Analytics)
Your privacy policy should explain that you use push notifications, what triggers them, and how users can opt out by disabling notifications in their device settings.
Firebase Authentication Data
Firebase Authentication stores user identity data that is clearly personal information under every major privacy law. The specific data depends on which sign-in methods you enable.
Authentication Data by Sign-in Method
- Email/password: email address, password hash, account creation date
- Phone authentication: phone number, verification codes
- Google/Facebook/Apple sign-in: OAuth tokens, display name, profile photo URL
- Anonymous authentication: unique user ID and IP address
- All methods: last sign-in time, user agent, and IP address
Does anonymous authentication still collect personal data?
Yes. Even anonymous authentication creates a persistent user ID and logs the IP address. Under GDPR, IP addresses are considered personal data, so anonymous authentication still requires disclosure in your privacy policy.
App Store Requirements for Firebase
Both Google Play and the Apple App Store have specific requirements for apps that use Firebase. Your app privacy policy must align with your store listing declarations.
Google Play Data Safety: You must declare all data types collected by Firebase services in your Data Safety section. Google provides a Firebase-specific mapping guide to help you complete this accurately.
Apple App Privacy Labels: Apple requires you to declare data collection for each Firebase SDK in your App Privacy nutrition labels. This includes analytics identifiers, crash data, and authentication information.
Privacy policy link requirement: Both stores require a working privacy policy URL in your app listing. Apps without a privacy policy link will be rejected or removed.
Consistency requirement: Your privacy policy text must match your store listing declarations. If your policy says you do not collect location data but your app includes Firebase services that access location, your app may be flagged.
For Android apps, pay special attention to the Google Play Data Safety form, which requires you to declare whether data is collected, shared, or processed for each Firebase service individually.
Common Mistakes Developers Make
Not listing Firebase by name
Generic phrases like "we use third-party analytics" are insufficient. Your policy must name Firebase and each specific service you use.
Ignoring automatic data collection
Firebase Analytics collects data the moment the SDK initializes. If you added the Firebase SDK, you are collecting data, even without custom event code.
Forgetting about Crashlytics disclosures
Crashlytics collects device identifiers and crash data that qualify as personal information. Many developers forget to mention crash reporting in their privacy policies.
Mismatched store declarations
Your Google Play Data Safety or Apple Privacy Labels must match your privacy policy. Inconsistencies can lead to app removal or rejection.
No opt-out mechanism for analytics
GDPR requires a way for users to opt out of analytics tracking. Firebase provides APIs to disable Analytics collection, but you must implement and disclose them.
How to Write Your Firebase Privacy Policy
Follow these six steps to create a compliant privacy policy for your Firebase-powered app.
Audit your Firebase services
Open your Firebase console and review the list of enabled services. Check your build.gradle or Podfile for Firebase SDK dependencies. Every imported Firebase library represents a service that may collect data.
Map data collection per service
For each active service, document the specific data types collected. Use the table above as a starting reference, then check Google's official documentation for the most current list of data points.
Identify Google's data processing role
Determine whether Google acts as a processor or controller for each service. This distinction affects your GDPR disclosures and your legal basis for processing.
Draft service-specific disclosures
Write clear, plain-language sections for each Firebase service. Explain what data is collected, why, how long it is retained, and whether it is shared with Google or other parties.
Add opt-out and user rights sections
Include instructions for disabling analytics collection, deleting accounts, and exercising data rights under GDPR and CCPA. Reference the Firebase APIs that support these actions.
Validate against store requirements
Cross-reference your privacy policy with your Google Play Data Safety and Apple App Privacy declarations. Ensure every data type you disclose in the stores is also covered in your policy.
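The audit and mapping steps above can be scripted. The following is an added example, not code from the original page or from Google: it scans build.gradle or Podfile text for Firebase dependencies, maps them to rows of the table on this page, and lists services the policy text never names. The dependency-to-service mapping, the function names, and the sample inputs are assumptions constructed for illustration.

```python
import re

# Dependency key -> (service, data collected), copied from the table on this page.
TABLE = {
    "analytics": ("Analytics", "Device ID, session data, screen views, events, user properties"),
    "crashlytics": ("Crashlytics", "Crash logs, stack traces, device state, OS version"),
    "messaging": ("Cloud Messaging", "Device tokens, message metadata, delivery data"),
    "auth": ("Authentication", "Email, phone number, OAuth tokens, IP address"),
    "firestore": ("Firestore", "User-defined document data, read/write metadata"),
    "database": ("Realtime Database", "User-defined JSON data, connection metadata"),
    "config": ("Remote Config", "Device info, app version, country"),
    "perf": ("Performance Monitoring", "App startup time, HTTP request traces, device info"),
    "functions": ("Cloud Functions", "Request data, execution logs"),
    "dynamic-links": ("Dynamic Links", "Link metadata, device info, referrer data"),
}
# Assumed CocoaPods subspec names that differ from the Gradle artifact suffix.
POD_ALIASES = {"remoteconfig": "config", "performance": "perf", "dynamiclinks": "dynamic-links"}
IGNORED = {"bom", "core"}  # version pinning / base library, no table row
GRADLE = re.compile(r"com\.google\.firebase:firebase-([a-z-]+)")
POD = re.compile(r"pod\s+['\"]Firebase/?([A-Za-z]+)['\"]")

def audit(build_text):
    """Return ({service: data collected}, {unmapped Firebase dependency keys})."""
    found, unmapped = {}, set()
    for line in build_text.splitlines():
        line = re.split(r"//|#", line)[0]  # ignore commented-out dependencies
        keys = [re.sub(r"-ktx$", "", k) for k in GRADLE.findall(line)]
        keys += [POD_ALIASES.get(k.lower(), k.lower()) for k in POD.findall(line)]
        for key in keys:
            if key in TABLE:
                found[TABLE[key][0]] = TABLE[key][1]
            elif key not in IGNORED:
                unmapped.add(key)  # not in the table: check the official docs
    return found, unmapped

def undisclosed(found, policy_text):
    """First-pass heuristic: services in the build that the policy never names."""
    text = policy_text.lower()
    return sorted(s for s in found if "firebase" not in text or s.lower() not in text)

# Constructed sample inputs (not from a real project; the BOM version is a placeholder).
SAMPLE_BUILD = """implementation platform('com.google.firebase:firebase-bom:0.0.0')
implementation 'com.google.firebase:firebase-analytics-ktx'
implementation("com.google.firebase:firebase-crashlytics")
// implementation 'com.google.firebase:firebase-auth'
implementation 'com.google.firebase:firebase-appcheck'
pod 'Firebase/RemoteConfig'
pod 'FirebaseMessaging'"""
SAMPLE_POLICY = "We use Firebase Analytics and Firebase Crashlytics to improve the app."
if __name__ == "__main__":
    print(audit(SAMPLE_BUILD), undisclosed(audit(SAMPLE_BUILD)[0], SAMPLE_POLICY))
```

A dependency reported as unmapped is one the table on this page has no row for, so its data collection has to be looked up separately before drafting the disclosure.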
Frequently Asked Questions
Do I need a privacy policy if I only use Firebase Authentication?
Yes. Firebase Authentication collects email addresses, phone numbers, OAuth tokens, and IP addresses. Even this single service requires a privacy policy that discloses what data is collected and how it is processed.
Does Firebase Analytics collect data automatically without code?
Yes. Once the Firebase SDK is added, Analytics automatically collects certain events and user properties including device model, OS version, app version, and session data. You must disclose this even if you have not written any custom analytics code.
Is Firebase GDPR compliant?
Firebase provides tools and Data Processing Terms to support GDPR compliance, but compliance depends on how you implement and disclose Firebase in your app. You must configure data retention settings, provide opt-out mechanisms, and include proper disclosures in your privacy policy.
What Firebase data do I need to declare in Google Play's Data Safety section?
You must declare all data types collected by each Firebase service you use. This includes device identifiers, crash logs, analytics data, authentication tokens, and any user-generated content stored in Firestore or Realtime Database.
Can I use Firebase without collecting personal data?
Most Firebase services collect some form of personal data by default, such as device identifiers and IP addresses. While you can disable certain collection features and configure data retention, it is very difficult to use Firebase with zero personal data collection.
How do I handle Firebase data deletion requests?
For Authentication data, delete user accounts through the Firebase console or Admin SDK. For Analytics data, use the user deletion API. For Firestore and Realtime Database, implement your own deletion logic. Your privacy policy should explain your deletion process for each service.
Does Firebase transfer data outside the EU?
Yes. Firebase services process data on Google's global infrastructure, which means data may be transferred outside the EU. Google's Data Processing Terms include Standard Contractual Clauses to provide a legal basis for these transfers under GDPR.