Consent Management (CMP)
Data privacy and user consent are critical components of a trustworthy mobile app. Our solution integrates a native Consent Management Platform (CMP) and fully supports Apple’s mandatory App Tracking Transparency (ATT) framework.
Technical Implementation
1. The Consent Tool: OneTrust
Currently, all our apps use OneTrust as the backend for managing consent.
- Contract & License: OneTrust is not included in our platform license. You must have a direct contract with OneTrust.
- Pre-Integration: While we have technically pre-integrated the OneTrust SDK to allow for a fast implementation, the commercial relationship remains between you and OneTrust.
- Onboarding: OneTrust typically assigns a Project Manager to guide you through the initial setup of your categories and legal requirements.
- Configuration: You manage the categories (e.g., “Marketing”, “Personalization”) and legal texts within your OneTrust account. The app simply fetches this configuration.
2. Native User Interface
To ensure the best user experience and performance, both the initial consent banner and the detailed settings view (“Preference Center”) are fully native components.
- Banner: Appears on first launch to request user consent.
- Preference Center: A detailed view where users can manage their choices. It is accessible at any time via a persistent link (usually in the footer of the Storefront).
3. Category-Based Consent
The consent logic is currently based on categories, not individual services.
- Example: A user can accept or reject the entire “Marketing Cookies” category, but not select/deselect a single tracking script within that category.
4. Consent-Dependent SDKs
We implement all third-party SDKs (like Analytics or Push-Notification tools) in a consent-dependent manner.
- How it works: An SDK is only initialized after the user has given explicit consent for the corresponding category. If consent is withdrawn, the SDK is deactivated.
5. Webview Bridge for Consent
The user’s consent status is shared with any Webviews inside the app.
- Benefit: This allows your website’s Tag Manager (running in the Webview) to respect the native consent decision, ensuring a consistent privacy experience across the entire app.
Apple’s App Tracking Transparency (ATT)
For iOS users, Apple mandates an additional layer of consent known as ATT.
- The Flow: During the onboarding process, the standard OneTrust banner appears first. Immediately afterwards, the system-native Apple ATT popup appears.
- The Hierarchy: Apple’s system overrules everything.
  - If a user accepts tracking in OneTrust but rejects it in the Apple ATT popup, tracking is disabled.
  - The app technically enforces this by blocking access to the IDFA (Identifier for Advertisers).
- App Store Review: Apple rigorously checks this implementation during every app review. If the ATT popup is missing, displayed incorrectly, or if the explanation text is unclear, Apple will reject the app update.
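The following is an added example, not code from our platform or from OneTrust. It sketches how a website running in the iOS Webview could apply the rules from "Webview Bridge for Consent" and "The Hierarchy": tags start only for consented categories, stop on withdrawal, and a rejected ATT prompt overrules the CMP choice. The payload shape, the `att` values, the set of tracking categories and the tag names are all assumptions.

```javascript
// Added example. The payload shape is an assumption, not a OneTrust or Apple API:
// { categories: { marketing: true, personalization: false }, att: "authorized" }
const TRACKING_CATEGORIES = new Set(["marketing"]); // assumed: categories that track

// Decide whether one category may run, failing closed on anything unexpected.
function isAllowed(state, category) {
  const cats = state && state.categories;
  if (!cats || typeof cats !== "object") return false; // malformed payload: deny
  if (cats[category] !== true) return false;           // only literal true is consent
  // ATT overrules the CMP choice for tracking categories.
  if (TRACKING_CATEGORIES.has(category) && state.att !== "authorized") return false;
  return true;
}

// tags: [{ name, category, start(), stop() }], one category per tag.
function createConsentGate(tags) {
  const running = new Set();
  return {
    // Call on page load and again whenever the native side reports a change.
    apply(state) {
      const started = [], stopped = [];
      for (const tag of tags) {
        const allowed = isAllowed(state, tag.category);
        if (allowed && !running.has(tag.name)) {
          tag.start(); running.add(tag.name); started.push(tag.name);
        } else if (!allowed && running.has(tag.name)) {
          tag.stop(); running.delete(tag.name); stopped.push(tag.name);
        }
      }
      return { started, stopped, running: [...running].sort() };
    },
  };
}

// Constructed sample: two hypothetical tags and three consent states.
function demo() {
  const noop = () => {};
  const gate = createConsentGate([
    { name: "ads-pixel", category: "marketing", start: noop, stop: noop },
    { name: "recommendations", category: "personalization", start: noop, stop: noop },
  ]);
  const both = { marketing: true, personalization: true };
  return [
    gate.apply({ categories: both, att: "denied" }),      // ATT rejected
    gate.apply({ categories: both, att: "authorized" }),  // ATT accepted
    gate.apply({ categories: { marketing: true }, att: "authorized" }), // withdrawal
  ];
}
console.log(JSON.stringify(demo()));
```

A missing or malformed payload leaves every tag stopped, so a bridge failure cannot be read as consent.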