This page outlines Firebase's key security and privacy information. Whether
you're looking to kick off a new project with Firebase, or curious about how
Firebase works with your existing project, read on to see how Firebase can help
protect you and your users.
Last modified: April 29, 2024
Data protection
Firebase support for GDPR and CCPA
On May 25th, 2018, the EU General Data Protection Regulation (GDPR) replaced the
1995 EU Data Protection Directive. On January 1, 2020, the California Consumer
Privacy Act (CCPA) took effect. On January 1, 2023, the California Privacy
Rights Act (CPRA), which is a data privacy law that amends and expands upon the
CCPA, took effect. Google is committed to helping our customers succeed under
these privacy regulations, whether they are large software companies or
independent developers.
The GDPR imposes obligations on data controllers and data processors, and the
CCPA/CPRA imposes obligations on businesses and their service providers.
Firebase customers typically act as the "data controller" (GDPR) or "business"
(CCPA/CPRA) for any personal data or information about their end-users they
provide to Google in connection with their use of Firebase, and Google generally
operates as a "data processor" (GDPR) or "service provider" (CCPA/CPRA).
This means that data is under the customer's control. Customers are
responsible for obligations like fulfilling an individual's rights with respect
to their personal data or information.
Firebase Data Processing and Security Terms
When customers use Firebase, Google is generally a data processor under GDPR and
processes personal data on their behalf. Similarly, when customers use Firebase,
Google generally operates as a service provider under the CCPA/CPRA handling
personal information on their behalf. Firebase terms include
Data Processing
and Security Terms
detailing these
responsibilities.
Certain Firebase services governed by the
Google Cloud Platform (GCP) Terms of Service
are already covered by associated data processing terms, the
Cloud Data Processing Addendum
.
A complete list of Firebase services currently governed by the GCP Terms of
Service is available in the
Terms of Service for Firebase Services
.
Google Analytics is a separate service that can be used together with Firebase,
and is subject to separate
terms
.
Firebase is certified under major privacy and security standards
ISO and SOC compliance
All Firebase services (aside from App Indexing) have successfully completed the
ISO 27001
and
SOC
1
,
SOC
2
,
and
SOC 3
evaluation
process, and some have also completed the
ISO
27017
and
ISO
27018
certification
process. Compliance reports and certificates for Firebase services governed by
the GCP Terms of Service may be requested via the
Compliance Reports
Manager
Service name
|
ISO 27001
|
ISO 27017
|
ISO 27018
|
SOC 1
|
SOC 2
|
SOC 3
|
Firebase ML
|
check
|
|
|
check
|
check
|
check
|
Firebase Test Lab
|
check
|
check
|
check
|
check
|
check
|
check
|
Cloud Firestore
|
check
|
check
|
check
|
check
|
check
|
check
|
Cloud Functions for Firebase
|
check
|
check
|
check
|
check
|
check
|
check
|
Cloud Storage for Firebase
|
check
|
check
|
check
|
check
|
check
|
check
|
Firebase Authentication
|
check
|
check
|
check
|
check
|
check
|
check
|
Firebase Crashlytics
|
check
|
|
|
check
|
check
|
check
|
Firebase App Check
|
check
|
|
|
check
|
check
|
check
|
Firebase App Distribution
|
check
|
|
|
check
|
check
|
check
|
Firebase In-App Messaging
|
check
|
|
|
check
|
check
|
check
|
Firebase Cloud Messaging
|
check
|
|
|
check
|
check
|
check
|
Firebase Performance Monitoring
|
check
|
|
|
check
|
check
|
check
|
Firebase Hosting
|
check
|
|
|
check
|
check
|
check
|
Firebase Dynamic Links
|
check
|
|
|
check
|
check
|
check
|
Firebase Remote Config
|
check
|
|
|
check
|
check
|
check
|
Firebase Realtime Database
|
check
|
|
|
check
|
check
|
check
|
Firebase Platform
|
check
|
|
|
check
|
check
|
check
|
Firebase A/B Testing
|
check
|
|
|
check
|
check
|
check
|
International Data Transfers
The Privacy Shield frameworks provided a mechanism to comply with data
protection requirements when transferring EEA, UK or Swiss personal data to the
United States and onwards. In light of the Court of Justice of the European Union ruling on data
transfers, invalidating the EU-U.S. Privacy Shield, Firebase has moved to
reliance on Standard Contractual Clauses for relevant data transfers, which, as
per the ruling, can continue to be a valid legal mechanism to transfer data
under the GDPR. The European Commission approved new versions of the Standard
Contractual Clauses on June 4, 2021, which we are incorporating into our
contracts with Firebase customers for relevant data transfers.
We are committed to having a lawful basis for data transfers in compliance with
applicable data protection laws.
Examples of end-user data processed by Firebase
Some Firebase services process your end users' data to provide their service.
The chart below has examples of how various Firebase services use and handle
end-user data that may potentially be identifying. In addition, many Firebase
services offer the ability to request deletion of specific data or control how
data is handled.
Firebase service
|
End-user data
|
How data helps provide the service
|
Cloud Functions for Firebase
|
|
How it helps:
Cloud Functions uses IP addresses to
execute event-handling functions and HTTP functions based on end-user actions.
Retention:
Cloud functions only saves IP addresses temporarily, to
provide the service.
|
Firebase Authentication
|
- Passwords
- Email addresses
- Phone numbers
- User agents
- IP addresses
|
How it helps:
Firebase Authentication uses the data to enable end-user
authentication, and facilitate end-user account management. It also uses user-agent
strings and IP addresses to provide added security and prevent abuse during sign-up and
authentication.
Retention:
Firebase Authentication keeps logged IP addresses for a few
weeks. It retains other authentication information until the Firebase customer initiates
deletion of the associated user, after which data is removed from live and backup
systems within 180 days.
|
Firebase App Check
|
- Attestation material from supported attestation providers
- App Check tokens from successful attestations
|
How it helps:
Firebase App Check uses attestation
material required by the corresponding attestation provider and
received from end-user's devices to help establish the integrity of
the device and/or the app. Attestation materials are sent to the
corresponding attestation provider for validation based on the
developer's configuration. App Check tokens obtained from successful
attestations are sent with every request to supported Firebase
services to access resources protected by App Check.
Retention:
Attestation material is not retained by
App Check, but when it is sent to attestation providers, it is
subject to the terms of those attestation providers. App Check
tokens returned from successful attestations are valid throughout
their TTL duration, which cannot be longer than 7 days. For
developers who use replay protection features, App Check stores the
App Check tokens used with these features for at most 30 days. Other
App Check tokens not used with replay protection features are not
retained by Firebase services.
|
Firebase App Distribution
|
- Users' names
- Email addresses
- iOS UDIDs
- Secure Android IDs
- Firebase installation IDs
- Tester feedback (screenshots and text)
|
How it helps:
Firebase App Distribution uses the data to distribute
app builds to testers, monitor tester activity, enable tester features like in-app
feedback, and associate data with tester devices.
Retention:
Firebase App Distribution retains user information
until the Firebase customer requests its deletion, after which data is removed from live
and backup systems within 180 days.
|
Firebase Cloud Messaging
|
- Firebase installation IDs
|
How it helps:
Firebase Cloud Messaging uses
Firebase installation IDs to determine which devices to deliver messages to.
Retention:
Firebase retains Firebase installation IDs
until the Firebase customer
makes an API call to delete the ID. After the call, data is removed from live and backup
systems within 180 days.
|
Firebase Crashlytics
|
- Crashlytics Installation UUIDs
- Firebase installations ID
- Crash traces
- Breakpad minidump formatted data
(NDK crashes only)
|
How it helps:
Firebase Crashlytics uses crash stack
traces to associate crashes with a project, send email alerts to
project members and display them in the Firebase Console, and help
Firebase customers debug crashes. It uses Crashlytics Installation
UUIDs to measure the number of users impacted by a crash and
minidump data to process NDK crashes. The minidump data is stored
while the crash session is being processed and then discarded. The
Firebase installation ID enables upcoming features that will enhance
crash reporting and crash management services. Refer to
Examples of stored device information
for more detail on the types of user information gathered.
Retention:
Firebase Crashlytics keeps crash stack traces,
extracted minidump data, and associated identifiers (including
Crashlytics Installation UUIDs and Firebase installation IDs) for 90 days before
starting the process of removing it from live and backup systems.
|
Firebase Dynamic Links
|
- Device specs (iOS)
- IP Addresses (iOS)
|
How it helps:
Dynamic Links uses device specs and IP addresses on iOS to open
newly-installed apps to a specific page or context.
Retention:
Dynamic Links only stores device specs and IP addresses temporarily, to
provide the service.
|
Firebase Hosting
|
|
How it helps:
Hosting uses IP addresses of incoming requests to detect
abuse and provide customers with detailed analysis of usage data.
Retention:
Hosting retains IP data for a few months.
|
Firebase Performance Monitoring
|
- Firebase installation IDs
- IP addresses
|
How it helps:
Performance Monitoring uses Firebase installation IDs
to calculate the number of unique Firebase installations that access network resources,
to ensure that access patterns are sufficiently anonymous. It also uses
Firebase installation IDs with Firebase Remote Config
to manage the rate of performance event reporting. Additionally, it uses IP
addresses to map performance events to the countries they originate from. For more
information, see
Data collection
.
Retention:
Performance Monitoring keeps IP-associated
events for 30 days, and it keeps installation-associated and de-identified performance
data for 90 days before starting the process of removing it from live and backup
systems.
|
Firebase In-App Messaging
|
- Firebase installation IDs
|
How it helps:
Firebase In-App Messaging uses
Firebase installation IDs to determine which devices to deliver messages to.
Retention:
Firebase retains Firebase installation IDs
until the Firebase customer
makes an API call to delete the ID. After the call, data is removed from live and backup
systems within 180 days.
|
Firebase Realtime Database
|
|
How it helps:
Realtime Database uses IP addresses and user agents to
enable the
profiler
tool
, which helps Firebase customers understand usage trends and platform
breakdowns.
Retention:
Realtime Database keeps IP addresses and user agent
information for a few days, unless a customer chooses to save it for longer.
|
Firebase Remote Config
|
- Firebase installation IDs
|
How it helps:
Remote Config uses Firebase installation IDs
to select configuration
values to return to end-user devices.
Retention:
Firebase retains
Firebase installation IDs until the Firebase customer makes an API call to delete the
ID. After the call, data is removed from live and backup systems within 180 days.
|
Firebase ML
|
- Uploaded Images
- installation auth tokens
|
How it helps:
The Cloud based APIs store uploaded images temporarily,
to process and return the analysis to you. Stored images are typically deleted within a
few hours. See the Cloud Vision
Data Usage FAQ
for more
information.
installation auth tokens
are used by Firebase ML for device authentication when interacting with app
instances, for example, to distribute developer models to app instances.
Retention:
installation auth tokens remain valid until their
expiration date. The default token lifetime is one week.
|
Examples of information collected by Crashlytics
- An RFC-4122 UUID which permits us to deduplicate crashes
- The Crashlytics Installation UUID
- The Firebase installations ID (FID)
- The Firebase session ID, which is a random UUID generated to tag events
with a session
- The timestamp of when the crash occurred
- The app's bundle identifier and full version number
- The device's operating system name and version number
- A boolean indicating whether the device was jailbroken/rooted
- The device's model name, CPU architecture, amount of RAM and disk
space
- The uint64 instruction pointer of every frame of every currently running
thread
- If available in the runtime, the plain-text method or function name
containing each instruction pointer.
- If an exception was thrown, the plain-text class name and message value
of the exception
- If a fatal signal was raised, its name and integer code
- For each binary image loaded into the application, its name, UUID, byte
size, and the uint64 base address at which it was loaded into RAM
- A boolean indicating whether or not the app was in the background at the
time it crashed
- An integer value indicating the rotation of the screen at the time of
crash
- A boolean indicating whether the device's proximity sensor was
triggered
- The contents of
version-control-info.textproto
(only for Android apps
configured
to use the version control system (VCS) integration
)
Guides for enabling opt-in for end-user data processing
Services in the table above need some amount of end-user data to function. As a
result, it's not possible to entirely disable data collection while using those
services.
If you're a customer who would like to offer users a chance to opt-in to a
service, and the data collection that comes with it, in most cases that just
requires adding a dialog or settings toggle before using the service.
Some services, however, start up automatically when included in an app. To give
users a chance to opt-in before using those services, you can choose to disable
auto-initialization for each service, and manually initialize them at run time
instead. To find out how, read the guides below:
If you integrate Firebase with Google Analytics, learn how to
configure Analytics data collection
.
Data storage and processing locations
Unless a service or feature offers data location selection, Firebase may process
and store your data anywhere Google or its agents maintain facilities. Potential
facility locations vary by service.
US-only services
The Firebase Authentication service is run only from US data centers. As a result, Firebase Authentication processes data exclusively in the United States.
Global services
The majority of Firebase services run on global Google infrastructure.
They could process data at any of the
Google Cloud Platform locations
or
Google data center locations
.
For some services
you can make a specific
Data Location Selection
which restricts processing to that location.
- Cloud Storage for Firebase
- Cloud Firestore
- Cloud Functions for Firebase
- Firebase Hosting
- Firebase Crashlytics
- Firebase Performance Monitoring
- Firebase Dynamic Links
- Firebase Remote Config
- Firebase Cloud Messaging
- Firebase ML
- Firebase Test Lab
- Firebase App Check
Data encryption
Firebase services encrypt data in transit using HTTPS and logically isolate
customer data.
In addition, several Firebase services also encrypt their data at rest:
- Cloud Firestore
- Cloud Functions for Firebase
- Cloud Storage for Firebase
- Firebase Crashlytics
- Firebase Authentication
- Firebase Cloud Messaging
- Firebase Realtime Database
- Firebase Test Lab
- Firebase App Check
- Firebase Performance Monitoring
Security practices
To keep personal data safe, Firebase employs extensive security measures to
minimize access:
- Firebase restricts access to a select employees who have a business purpose to access personal data.
- Firebase logs employee access to systems that contain personal data.
- Firebase only permits access to personal data by employees who sign in with Google Sign-In and
2-factor authentication
.
Firebase Service Data
Firebase Service Data is personal information that Google collects and generates
during the provision and administration of the Firebase services
*
,
excluding Customer Data
**
as defined in our customer agreements
covering Firebase services and
Google Cloud Service Data
.
Examples of Firebase Service Data include information about service usage,
resource identifiers like application IDs and package name/bundle IDs, technical
and operational details of usage such as IP addresses, and direct communications
with developers from feedback and support related conversations.
*Services covered include Firebase A/B Testing, Firebase App Distribution,
Firebase Cloud Messaging, Firebase Crashlytics, Firebase Dynamic Links,
Firebase Hosting, Firebase In-App Messaging, Firebase ML,
Firebase Performance Monitoring, Firebase Realtime Database, Firebase Remote
Config, and Firebase User Segmentation Storage.
**For more information about how we process Customer Data, see our
Firebase Data Processing and Security
Terms
.
Examples of how Firebase Service Data is processed by Firebase
Google uses Firebase Service Data in accordance with our
privacy policy
and applicable terms.
Firebase Service Data is used, for example, to:
- Provide Firebase services you request
- Make recommendations to optimize use of Firebase services
- Maintain and improve Firebase services
- Provide and improve other services you request
- Understand your use of Firebase and other Google services
- Provide better support to and communicate with you
- Protect you, our users, the public and Google
- Comply with legal obligations
Firebase Service Data use by non-Firebase Google services
You can control whether your Firebase Service Data may be used by Google to
provide more in depth analysis, insights, and recommendations about
non-Firebase
Google services and improve
non-Firebase
Google services.
You can configure this in your Firebase data privacy settings page.
If this control is disabled, Firebase Service Data will continue to be used
for other purposes, such as those mentioned above, in accordance with our
privacy policy
and applicable terms, including
to make recommendations about and improve
Firebase
services, and to deliver
and improve other services you request, such as Google products you link to your
Firebase project.
For any privacy-related questions you have that aren't covered here,
reach out to Firebase Support
. If you're a Firebase developer, include your Firebase App ID. Find your Firebase App ID in the
Your apps
card of your
settings
Project
settings
.