---
title: Privacy - Flutter
description: Configure privacy settings and user consent management in your Flutter app with the CSQ SDK to ensure regulatory compliance
lastUpdated: 05 December 2025
source_url:
  html: https://docs.contentsquare.com/en/csq-sdk-flutter/product-analytics/privacy/
  md: https://docs.contentsquare.com/en/csq-sdk-flutter/product-analytics/privacy/index.md
---

Customers (“Customer(s)”, “you,” or “your”), as app developers and/or publishers, shall ensure compliance with applicable data privacy laws and regulatory guidelines while using Contentsquare SDK for your app.

This section explains the data processing involved in the use of Contentsquare SDK and provides information to help you comply with data protection laws, including the GDPR, e-privacy directive, and the [French Data Protection authority (CNIL) guidelines on mobile applications ↗](https://www.cnil.fr/sites/cnil/files/2025-05/recommendation-mobiles-app.pdf). This section is for informational purposes only and is not legal advice. If you are not sure of how to comply with data protection laws that apply to you, refer to legal counsel.

To learn about Contentsquare privacy practices, see our [Privacy Center ↗](https://contentsquare.com/privacy-center/) and [Privacy Policy ↗](https://contentsquare.com/privacy-center/privacy-policy/).

## Purpose of processing and categories of personal data collected

Here is the list of categories of personal data Contentsquare collects by default that are part of our [privacy manifests](../privacy/#privacy-manifest). All collected personal data listed below is linked to the end-user via the [Contentsquare User ID](#contentsquare-user-id) we generate.

Warning

The Contentsquare SDK provides features that allow you to send to Contentsquare additional types of personal data (such as username, email address, customer ID, account number): [Dynamic variables](../../experience-analytics/track-dynamic-variables/), [Custom variables](../../experience-analytics/track-custom-variables/), [User identifier](../../experience-analytics/session-replay/#send-user-identifier), [Screen names](../../experience-analytics/track-screens/), [Session Replay (unmasking elements)](../../experience-analytics/session-replay/#personal-data-masking).

If you decide to use these features to collect new types of personal data or use already collected data but for a different purpose, it is up to you to describe these privacy practices in your app manifest.

| Categories | Data type | Purposes |
| - | - | - |
| Identifiers | User ID | Analytics - using personal data from end-users interacting with your app, for analyzing their digital behavior and visualizing their journey to improve digital user experience and your app performance |
| Usage Data | Product Interaction such as touch gestures (taps, swipes), user journey (pages visited), time of engagement, or transactions | Analytics - using personal data from end-users interacting with your app, for analyzing their digital behavior and visualizing their journey to improve digital user experience and your app performance |
| Usage Data | Other usage data (any other data about end-user activity in the app) | Analytics - using personal data from end-users interacting with your app, for analyzing their digital behavior and visualizing their journey to improve digital user experience and your app performance |
| Other Data types | Other Data types (technical data, any other data inputted by customers in the dynamic variables, data used as part of the Session Replay feature where applicable) | Analytics - using personal data from end-users interacting with your app, for analyzing their digital behavior and visualizing their journey to improve digital user experience and your app performance |
| Diagnostics | Crashes, such as crash logs | Analytics - using personal data from end-users interacting with your app, for analyzing their digital behavior and visualizing their journey to improve digital user experience and your app performance (only when you use the [Error Analysis module](../../experience-analytics/error-analysis/)) |
| Diagnostics | Performance data, such as launch time, freeze rate, or energy use | Analytics - using personal data from end-users interacting with your app, for analyzing their digital behavior and visualizing their journey to improve digital user experience and your app performance (only when you use the [Error Analysis module](../../experience-analytics/error-analysis/) |
| Diagnostics | Other diagnostic data (any other data collected for the purposes of measuring technical diagnostics related to the app) | Analytics - using personal data from end-users interacting with your app, for analyzing their digital behavior and visualizing their journey to improve digital user experience and your app performance (only when you use the [Error Analysis module](../../experience-analytics/error-analysis/) |
| Search History | Information about searches performed by an end-user in the app | Analytics - using personal data from end-users interacting with your app, for analyzing their digital behavior and visualizing their journey to improve digital user experience and your app performance (only when you use the [Session Replay module](../../experience-analytics/session-replay/)) |
| Purchase History | Transaction data about an end-user (such as order reference, amount, bought items) | Analytics - using personal data from end-users interacting with your app, for analyzing their digital behavior and visualizing their journey to improve digital user experience and your app performance |

See how the data types and purposes are reflected in the [privacy manifest ↗](https://github.com/ContentSquare/CS_iOS_SDK/blob/master/ContentsquareModuleWrapper/PrivacyInfo.xcprivacy).

Note

Contentsquare is not designed to collect sensitive personal data (e.g., health, financial, or racial data). It is your responsibility to prevent any sensitive data from being sent to Contentsquare. If you accidentally send sensitive data, contact your customer success manager to immediately delete them from Contentsquare servers.

## User identifiers

### Contentsquare User ID

The SDK generates a unique user ID (UUID) (random hash) which is specific to users on their device. Contentsquare cannot identify a user across devices. This user ID and all collected data are stored for 13 months. We don’t persist the UUID when the app is deleted and re-installed. The SDK generates a new UUID after install or re-install. Contentsquare does not share this user ID with any third parties.

### IDFA

Contentsquare does not collect the **IDFA** (Advertising ID) or any ad related information to identify the user.

Check out our page about [10 Things to know about the Contentsquare solution's data processing ↗](https://contentsquare.com/privacy-center/10-things-to-know-cs-data-processing/).

### "User identifier" feature

Contentsquare provides the ability to search for session(s) associated with a specific visitor, based on an identifier provided by the customer. See [User identifier feature](../../experience-analytics/session-replay/#send-user-identifier) for more information.

## Data retention and storage location

### Data retention

By default, end-users personal data are kept for 13 months. The retention of end-users personal data collected via the Session Replay is customizable by customers, from 3 to 24 months.

### Storage location

End-users personal data are stored in Europe or in the US, depending on your location. For more details on applicable hosting locations, refer to our [subprocessors list ↗](https://contentsquare.com/privacy-center/subprocessors/).

## Informing your End-User

The Contentsquare SDK collects end-user’s personal data on your app. As a data controller, app developers, or app publishers, it is your responsibility to provide appropriate information to your end-users on how their personal data is handled when using the CSQ SDK, for example via a privacy policy or cookie banner.

Contentsquare provides a sample [description of the services ↗](https://contentsquare.com/privacy-center/sample-cookie-description/) (including Experience Analytics and Product Analytics) to help customers meet their transparency obligations. This description is for information only and is not legal advice.

## Handling User Consent

Contentsquare collects usage data on your app. **By default, the SDK will consider every new user to be opted-out.** To start tracking, the SDK [Opt-in API](#opt-in) must be called.

You are responsible for handling the UI asking end-users for their consent and allowing them to manage their privacy settings.

Use the following APIs to pass the user decision to the Contentsquare SDK.

Note

If data protection laws that apply to you do not require end-user consent for your app, discuss it during implementation with your Contentsquare contact (as this would go against Apple Privacy guidelines).

### Opt-in

Use the Opt-in API to get end-user consent. Calling this API will generate a user ID and initiate tracking.

* Swift

  ```swift
  import UIKit
  import ContentsquareSDK


  optinButton.addTarget(self, action: #selector(optInButtonTapped), for: .touchUpInside)


  @objc func optInButtonTapped(_ sender: UIButton) {
      CSQ.start()
      CSQ.optIn()
      ...
  }
  ```

* Objective-C

  ```objective-c
  #import <UIKit/UIKit.h>
  #import <ContentsquareSDK/ContentsquareSDK.h>
  [optinButton addTarget:self action:@selector(optInButtonTapped:) forControlEvents:UIControlEventTouchUpInside];


  - (void)optInButtonTapped:(UIButton *)sender {
      [CSQ start];
      [CSQ optIn];
      // Additional initialization or navigation code...
  }
  ```

### Opt-Out

When this API is called, tracking stops immediately, all settings are reset (Session number, Page number, and so on) and all files and directory including personal data collected via the SDK created by Contentsquare are deleted. This means that the user ID is deleted. The SDK will never track and collect any data from the user’s phone unless the Opt-in API is called again.

* Swift

  ```swift
  CSQ.optOut()
  ```

* Objective-C

  ```objective-c
  [CSQ optOut];
  ```

### Handling your end-user’s data subject requests

In case Contentsquare receives a request from an individual that identifies as an end-user of your app, Contentsquare will promptly refer such individual directly to you, as the data controller and will support you with any means available to resolve such request.

Contentsquare has launched a portal for managing data subject requests to its customers respond to data subjects within the legal deadlines. Therefore, you can forward any data subject request (such as data deletion or data access request) you receive to Contentsquare via this Data Subject Portal at [https://contentsquare.com/privacy-center/data-subject-request-portal/ ↗](https://contentsquare.com/privacy-center/data-subject-request-portal/).

### Get Contentsquare User ID

Since Contentsquare SDK does not collect by default any directly identifiable personal data about your end-user, we cannot help you respond to an end-user’s data subject request without their Contentsquare User ID.

Use this API to get the Contentsquare User ID of your end-user and forward the end-user’s data subject request (such as data deletion or data access request) via Contentsquare’s [portal ↗](https://contentsquare.com/privacy-center/data-subject-request-portal/).

* Swift

  ```swift
  CSQ.metadata.userID
  ```

* Objective-C

  ```objective-c
  [CSQ metadata].userID
  ```

Note

You are able to get an ID only if the user is not Opted-out.

### Enrichment API

[The Enrichment API](https://docs.contentsquare.com/en/api/enrichment/) allows for enriching the behavioural data tracked by Contentsquare client-side, with other session-based data that can be sent server-side.

During a visit on an app, you can interact with Contentsquare's SDK to pull those identifiers with the following SDK APIs:

* Swift

  ```swift
  let projectID = CSQ.metadata.projectID
  let sessionId = CSQ.metadata.sessionID
  // store these Contentsquare session identifiers in your backend
  ```

* Objective-C

  ```objective-c
  NSString *projectID = [CSQ metadata].projectID;
  NSString *sessionId = [CSQ metadata].sessionID;
  // store these Contentsquare session identifiers in your backend
  ```

### Pause / Resume Tracking

To completely stop data collection of your end-users of your app, use the pause and resume tracking APIs. When `stop/pause` is called, the Contentsquare SDK pauses all tracking (Analytics, Session Replay, Errors) of your end-users. When `resume` is called, the Contentsquare SDK resumes all tracking (Analytics, Session Replay, Errors) and starts collecting your end-users personal data again with the same Contentsquare user ID.

* Swift

  ```swift
  CSQ.stop()
  // ...
  CSQ.resumeTracking()
  ```

* Objective-C

  ```plaintext
  objective-c
  [CSQ stop];
  // ...
  [CSQ resumeTracking];
  ```

Note

As this mechanism pauses the tracking, make sure that you call resume once your user exits the sensitive screen. Best practice would be to link these method calls to lifecycle events on UIView/UIViewControllers.

## Disable user tracking across sessions

If you don't want to link the different sessions of a user to the same userID, reset the userID at each app start:

* Swift

  ```swift
  func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) {
      CSQ.start()
      CSQ.optOut()
      CSQ.optIn()
      // ...
  }
  ```

* Objective-C

  ```objective-c
  - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
      [CSQ start];
      [CSQ optOut];
      [CSQ optIn];
      // ...
      return YES;
  }
  ```

Starting the SDK manually using `start()` will ensure that opt-out is called right after the start of the SDK (no event tracked in between).

Calling `optOut()` will delete the previous userID.

Calling `optIn()` will set a new one.

Note

If you are monitoring the network requests, you may see event requests being sent at app start. This is expected as there may be events from the previous session that haven't been sent yet. The [opt-out API](#opt-out) makes sure to send all data stored locally before stopping the tracking and wiping all data.

### Session Replay privacy APIs

As part of Session Replay capabilities, Contentsquare provides masking mechanisms to prevent unwanted end-user’s personal data from the Session Replay module from being transmitted to Contentsquare. See [Session Replay Personal data masking](../../experience-analytics/session-replay/#personal-data-masking) for more information.

## App Store Privacy Guidelines Compliance

As customer app developers, it is your responsibility to comply with the [App Store Privacy guidelines ↗](https://developer.apple.com/app-store/review/guidelines/#privacy).

### Privacy manifest

The Contentsquare SDK includes a [privacy manifest ↗](https://github.com/ContentSquare/CS_iOS_SDK/blob/master/ContentsquareModuleWrapper/PrivacyInfo.xcprivacy) describing the types of end-users personal data collected, the purpose of processing and the reasons for using APIs. [See Apple's website for more information ↗](https://developer.apple.com/app-store/app-privacy-details/)

### Tracking and App Tracking Transparency (ATT)

App Store (Apple) requests App developers to receive end-users' permission to track them or access Advertising ID using the [AppTrackingTransparency framework ↗](https://developer.apple.com/documentation/apptrackingtransparency) (ATT).

**It is not required to ask for end-users' permission through the ATT when using Contentsquare, as it does not fall under the** [“tracking” definition of Apple ↗](https://developer.apple.com/app-store/app-privacy-details/#user-tracking). The data collected by the Contentsquare SDK is not linked with Third-Party Data (as defined by Apple) for targeted advertising or advertising measurement purposes, nor shared with a data broker.