Skip to main content

Kochava Data Security & Privacy

Your trust and the safety of your data are critical foundations of Kochava’s privacy-first data solutions.


As an industry-leading technology provider, we help enable compliance and ensure the security of your data and that of your customers. In today’s privacy-centric data economy, brands can form closer connections with consumers than ever before by building trusted relationships. Therefore, it is vital to protect information being shared across platforms and connected devices while also empowering consumers with choice.


The California Consumer Privacy Act (CCPA) represents a significant shift in state-side consumer data privacy legislation, with implications for brands serving and targeting consumers in the state of California.

For answers to important questions about your business, Kochava, and the CCPA, visit our CCPA FAQ.

CCPA requires brands to provide consumers with a comprehensive description of their online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information. Privacy policies must be designed and presented in a way that is easy to read and understandable to an average consumer. Unlike Europe’s General Data Protection Regulations (GDPR), which required app developers to “ask consumers for consent,” the CCPA requires developers to provide consumers a mechanism to “opt-out” from having their personal data sold, with stricter “opt-in” mechanisms for minors. Full legislation here.

The CCPA took effect on January 1st, 2020, with enforcement commencing no later than July 1st, 2020.

Kochava complies with the CCPA in its capacity as a “service provider” in providing Kochava Measurement services. 

As an acting member of the Interactive Advertising Bureau (IAB), Kochava is enacting the IAB’s CCPA Compliance Framework within our native measurement SDKs.


The General Data Protection Regulation (“GDPR”) creates consistent data protection rules across Europe. It applies to companies that are based in the EU and global companies like Kochava that process personal data about individuals in the EU. Kochava is, and will continue to be, compliant with all data privacy laws across the globe. We are committed to complying with GDPR legislation and collaborating with partners to facilitate compliance.

We thought it would be helpful to provide the context upon which Kochava delivers its services to clients in order for you to better understand how Kochava complies with GDPR and treats client data.

The characteristic Kochava Measurement client is a company that has created an app and wants to measure every aspect of an advertising campaign promoting it. The Kochava Measurement client enters into a contractual relationship with Kochava, which allows the client to embed Kochava software (an “SDK”) into its app. The client customizes the SDK to collect certain data derived from the app. Kochava processes this data on behalf of the client and visualizes it on a private dashboard for the client’s analysis. The client pays Kochava a fee for providing this service. The data remains the exclusive property of the client at all times.

In providing measurement services to its clients, Kochava acts as a Data Processor for purposes of GDPR; Kochava’s legal basis for processing the data is that Kochava strictly processes the data on behalf of Kochava’s clients.

In its capacity as a Data Processor, Kochava adheres to the rules of the GDPR as follows:

Data Protection by Design

The Kochava Measurement and FAA service platforms (“Platform”) are designed to enable clients to:

  • Determine which personal data the Platform processes;
  • Limit the collection of personal data to that which is adequate, relevant, and necessary for the purpose of which they are processed;
  • Manage the retention periods of personal data; and
  • Destroy personal data.

Data Protection by Default

The Platform is designed to:

  • Process personal information in conformance to the instructions provided by the client;
  • Collect only the personal data that are necessary for fulfilling the purposes of which they are processed;
  • Make personal data accessible only to a limited number of people whose job requires such access; and
  • Ensure a level of security appropriate to the risk of processing personal data.

Collection of “Sensitive” Personal Data

Kochava contractually prohibits its clients from utilizing the Platform to collect, process, or otherwise handle sensitive personal data.

Data Retention

Kochava does not keep personal data any longer than is necessary for the purposes for which it is being processed. Kochava deletes personal data after a client’s contract has expired or has been terminated.

Incident Response

Kochava will continue to promptly inform clients of incidents involving personal data in line with the data incident terms in our current (and any subsequently updated) agreements. Kochava maintains, and will continue to invest in, advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help identify and respond to security or privacy events (and any personal data breaches under the GDPR) without delay.

Third-Party Audit

Kochava is audited annually by an independent third party against GDPR and ISO/IEC 27001:2013 standards.

International Transfers

Kochava ingests client data to its cloud servers from locations across the world. Upon ingestion, Kochava transfers the data to its secure processing facility located in the United States. Kochava is certified under the EU-U.S. Privacy Shield frameworks, which is a legal mechanism to enable the transfer of personal data from the European Economic Area to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law. See more here:
Kochava also offers clients EU-approved Model Contract Clauses upon request.

Kochava will, in addition, continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and is committed to having an ongoing lawful basis for data transfers in compliance with applicable data protection laws.


Kochava does not subcontract any of its processing operations to a subprocessor in the absence of a written agreement which contractually obligates the subprocessor to adhere to all applicable GDPR data processing requirements.

Opt-Out & Right to be Forgotten

You may click here to be redirected to the Kochava web page dedicated to providing guidance on opting out of interest-based advertising.

In order to protect your privacy, Kochava has engineered its systems to not collect identifying information such as email, name, and phone number. However, GDPR considers mobile device identifiers and IP addresses to be “personal information.” A mobile device identifier is a unique string of 30+ numbers associated with your device (e.g., cell phone). An IP address is a series of numbers separated by periods that identifies each computing device using a particular “Internet Protocol” at a given time to communicate over a network.

If you are concerned that Kochava has this information, we will be happy to delete it from our systems upon request. You may submit a request to delete all your personal information by emailing Kochava at or by contacting the legal department via telephone at 855-562-4282. However, please bear in mind that when you contact Kochava with such a request, because of the precautions we have proactively taken to protect your privacy, you are actually volunteering more personally identifying information to Kochava as a result of lodging the request than Kochava would have ever had prior to you initiating contact.

Opt Out Policy

Additional Terms

In its capacity as a processor of personal data, Kochava will ensure its contractual agreements with clients require the parties to adhere to the respective obligations of controllers and processors. Furthermore, Kochava will enter into data-processing agreements with clients where required.

Our Consent Management Platform can help you comply with CCPA as a business and GDPR as a data controller.

Standards, Regulations & Certifications

Comprehensive controls over security and risk management
A framework for legally transferring and processing EU data in the US
Kochava is a registered member of the Trustworthy Accountability Group
Controls over financial reporting
Controls over security, availability, and confidentiality
Public report of controls over security, availability, and confidentiality
Securing cloud computing environments.
German standard for information security of cloud services.

Accessibility Statement

We’re committed to access for everyone. Kochava is committed to making our website as accessible as possible to people with special needs. We are actively taking steps toward improving the accessibility of our website ensuring we provide equal access to all of our users. We view accessibility as an ongoing effort and will continue to devote resources to further enhance the accessibility of our website and other technologies.

Web Content Accessibility Guidelines (WCAG)
Kochava is WCAG 2.1 AA Compliant

Wherever possible, will adhere to the Web Content Accessibility Guidelines (WCAG). These guidelines outline four main principles that state that sites should be:

  • Perceivable: Information and user interface components must be presentable to users in ways they can perceive.
  • Operable: User interface components and navigation must be operable.
  • Understandable: Information and the operation of user interface must be understandable.
  • Robust: Content must be robust enough that it can be interpreted reliably by a wide variety of user agents, including assistive technologies.

Service Level Standards

The Kochava Platform will operate and otherwise comply and function in all material respects on an uptime basis of 99.99% over a rolling annual basis. If an incident disrupts the client’s use of the Platform, then Kochava shall respond as follows:

  • Critical Priority Incident rendering the Platform inoperative: Kochava shall respond to Company within one hour of notice and immediately begin replicating and verifying the problem.
  • High Priority Incident degrading the operations and use of the Platform: Kochava shall respond to Company within four hours of notice and immediately begin replicating and verifying the problem.
  • Medium Priority Incident affecting the operations of, but not degrading, the Platform: Kochava shall respond to Company within six hours of notice and immediately begin identifying and verifying the problem during normal business hours.
  • Low Priority Incident having a minor impact on the operations of the Platform- Kochava shall respond to Company within eight hours of notice if alerted between 6:00 a.m. – 8:00 p.m. PST Monday through Friday and begin identifying and verifying the problem within two business days.

Have further questions on Kochava Data Privacy and Security?