Privacy Considerations for Your App

What data a WebView app collects, how to write a compliant privacy policy, GDPR and CCPA requirements, and how to complete Google Play's Data Safety form.

All mobile apps (even simple WebView apps) collect some form of user data, either directly or through the services they integrate with. Understanding what data your app handles, and how to communicate that to users and regulators, is a basic legal and policy requirement for publishing on Google Play.

What Data a WebView App Typically Collects

Through Your Website

Any analytics or tracking code on your website (Google Analytics, Facebook Pixel, Hotjar, etc.) operates the same way in the app as it does in a browser. The app does not need special configuration: the WebView runs your website as-is, including all its scripts.

Data collected by your website's analytics:

  • Pages visited and time spent
  • Device type, operating system version, browser version (in this case, the WebView's engine version)
  • Country and approximate location (derived from IP address)
  • Referring source (how the user got to each page)
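Because the WebView runs every script your site ships, a quick inventory of those scripts shows which third parties belong in your privacy policy and Data Safety form. The following is an added example, not code from WebToAppConvert. The host list, the sample page, and the names `find_trackers` and `ScriptInventory` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the vendors' standard snippets load from (assumed list; extend for your site).
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Facebook Pixel",
    "static.hotjar.com": "Hotjar",
}

# Constructed sample page: one external tag, one inline loader, one unlisted CDN script.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>(function(h,o){var s=o.createElement('script');
s.src='https://static.hotjar.com/c/hotjar-0.js';o.head.appendChild(s);})(window,document);</script>
<script src="//cdn.example.net/widget.js"></script>
<script src="/js/app.js"></script>
</head><body>Shop</body></html>"""

class ScriptInventory(HTMLParser):
    """Collects external script hosts and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self._in_inline = set(), [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src") or ""
            host = urlparse(src).netloc.lower()  # "" for relative (first-party) paths
            if host:
                self.hosts.add(host)
            self._in_inline = not src  # only scripts without src carry inline code

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

def find_trackers(html, first_party_host):
    """Return (known tracker vendors, other third-party script hosts)."""
    inv = ScriptInventory()
    inv.feed(html)
    inline_text = "".join(inv.inline)
    # Some vendor snippets inject their script from inline code, so check both places.
    vendors = {v for h, v in TRACKER_HOSTS.items() if h in inv.hosts or h in inline_text}
    other = inv.hosts - set(TRACKER_HOSTS) - {first_party_host}
    return sorted(vendors), sorted(other)
```

Hosts returned in the second list are third parties the script does not recognize; review each one before declaring your data sharing.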

Through Firebase Cloud Messaging (Push Notifications)

FCM generates a unique registration token for each app install. This token is how your app receives targeted notifications. The token is:

  • Specific to the app install (uninstalling and reinstalling generates a new token)
  • Not tied to any personal identity by FCM itself
  • Stored in Firebase as long as the app is installed

Through Google AdMob

AdMob collects the Android Advertising ID (AAID) to serve targeted ads. The AAID is a resettable, device-level identifier. Users can reset it or opt out of ad personalization in their device's Google settings.

AdMob also collects:

  • Ad interaction data (which ads were shown, tapped, etc.)
  • App usage context for ad targeting
  • IP address

Writing a Privacy Policy

Your app needs a privacy policy if it collects any personal data, which any app with website analytics, FCM, or AdMob does. Google Play requires a privacy policy URL for these apps.

A privacy policy for a WebView app should cover:

  • Who you are: Company or individual name and contact information
  • What data is collected: List the categories (analytics, FCM tokens, ad identifiers)
  • Who it's shared with: Third-party services (Google Analytics, Firebase, AdMob)
  • How long data is retained: Google Analytics retains data per your account settings; FCM tokens are retained while the app is installed
  • User rights: How users can request data deletion or access their data
  • Contact: How to reach you for privacy questions

If you already have a privacy policy on your website, update it to include the app. Add a section or note that the policy applies to both the website and the mobile app.

GDPR (European Users)

If any of your users are in the EU or UK, the GDPR applies. Key obligations for a typical WebView app:

  • Establish a legal basis for processing (legitimate interest or consent, depending on the type of data)
  • Provide a clear privacy notice (your privacy policy)
  • Honor data subject requests: access, deletion, portability
  • If using AdMob, configure EU consent using Google's UMP (User Messaging Platform) SDK

The UMP SDK displays a GDPR consent dialog to users in the EU before serving personalized ads. WebToAppConvert includes UMP support for Professional builds with AdMob enabled.

CCPA (California Users)

If you have users in California, the CCPA requires you to:

  • Disclose what categories of personal information you collect
  • Provide a "Do Not Sell My Personal Information" link if you sell data to third parties
  • Honor opt-out requests within 15 days

For most small-scale WebView apps, the data handling does not constitute "selling" data under the CCPA definition. Standard analytics and ad-serving vendors are typically classified as "service providers" under CCPA, so sending data to them is not treated as a data sale. Consult a legal professional if your situation is complex.

Children's Privacy (COPPA)

If your app is directed at children under 13, or has a mixed audience that includes children, you must comply with COPPA (USA) and equivalent regulations. Key requirements:

  • No behavioral advertising (AdMob in personalized mode cannot be used)
  • No analytics that collect personal data from children without verified parental consent
  • Declare the children's audience in your Play Console Data Safety form
  • Set AdMob's "child-directed treatment" flag in your app configuration

Apps targeted at children that use AdMob in standard mode without child-directed settings will be rejected by Google Play and may be removed from AdMob.

Google Play Data Safety Form

The Data Safety section in Play Console asks structured questions about your data practices. Fill it out accurately: inaccurate declarations are a policy violation independent of your actual privacy practices.

For a typical WebView app with FCM and AdMob:

  • Data collected: Device or other IDs (FCM token, Advertising ID), App activity (analytics), App info and performance
  • Data shared: Yes, with advertising service providers (AdMob) and analytics providers (Firebase/Google Analytics)
  • Data encrypted in transit: Yes (all Firebase and AdMob traffic uses HTTPS)
  • User can request data deletion: Depends on whether you've set up a deletion mechanism; if you have, explain how it works in your privacy policy