Privacy and Security in Firebase

This page outlines Firebase's key security and privacy information. Whether you're looking to kick off a new project with Firebase, or curious about how Firebase works with your existing project, read on to see how Firebase can help protect you and your users.

Last modified: November 27, 2019

Data protection

Firebase support for GDPR and CCPA

On May 25th, 2018, the EU General Data Protection Regulation (GDPR) replaced the 1995 EU Data Protection Directive. On January 1, 2020, the California Consumer Privacy Act (CCPA) takes effect. Google is committed to helping our customers succeed under these privacy regulations, whether they are large software companies or independent developers.

The GDPR imposes obligations on data controllers and data processors, and the CCPA imposes obligations on businesses and their service providers. Firebase customers typically act as the "data controller" (GDPR) or "business" (CCPA) for any personal data or information about their end-users they provide to Google in connection with their use of Firebase, and Google generally operates as a "data processor" (GDPR) or "service provider" (CCPA).

This means that data is under the customer's control. Customers are responsible for obligations like fulfilling an individual's rights with respect to their personal data or information.

Firebase Data Processing and Security Terms

When customers use Firebase, Google is generally a data processor under GDPR and processes personal data on their behalf. Similarly, when customers use Firebase, Google generally operates as a service provider under the CCPA handling personal information on their behalf. Firebase terms include Data Processing and Security Terms detailing these responsibilities.

Certain Firebase services governed by the Google Cloud Platform (GCP) Terms of Service are already covered by associated data processing terms, the GCP Data Processing and Security Terms. A complete list of Firebase services currently governed by the GCP Terms of Service is available in the Terms of Service for Firebase Services.

Crashlytics and App Distribution are governed by the Firebase Crashlytics and Firebase App Distribution Terms of Service, and are covered by those associated data processing terms.

Google Analytics for Firebase and Google Analytics are governed by the Google Analytics for Firebase Terms of Service and the Google Analytics Terms of Service, respectively, as well as the Google Ads Data Processing Terms. For additional information, refer to Safeguarding your data.

Firebase is certified under major privacy and security standards

ISO and SOC compliance

All Firebase services have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process:

Service name ISO 27001 ISO 27017 ISO 27018 SOC 1 SOC 2 SOC 3
Google Analytics for Firebase check check check check
ML Kit for Firebase check check check check
Firebase Test Lab check check check check check check
Cloud Firestore check check check check check check
Cloud Functions for Firebase check check check check check check
Cloud Storage for Firebase check check check check check check
Firebase Authentication check check check check check check
Firebase Crash Reporting check check check check
Firebase Crashlytics check
Firebase In-App Messaging check check check check
Firebase Invites check check check check
Firebase Cloud Messaging check check check check
Firebase Predictions check check check check
Firebase Performance Monitoring check check check check
Firebase Hosting check check check check
Firebase Dynamic Links check check check check
Firebase Remote Config check check check check
Firebase Realtime Database check check check check
Firebase Platform check check check check
Firebase A/B Testing check check check check

Privacy Shield Framework certifications

In July 2016, the European Commission concluded that the EU-U.S. Privacy Shield Framework provides an adequate mechanism to allow EU companies to comply with requirements under the Directive in connection with transfer of personal data from the European Union to the United States. Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. You can see the certifications on the Privacy Shield list.

Data processing information

Examples of end-user personal data processed by Firebase

Some Firebase services process your end users' personal data to provide their service. The chart below has examples of how various Firebase services use and handle end-user personal data. In addition, many Firebase services offer the ability to request deletion of specific data or control how data is handled.

Firebase service Personal data How data helps provide the service
Cloud Functions for Firebase
  • IP addresses

How it helps: Cloud Functions uses IP addresses to execute event-handling functions and HTTP functions based on end-user actions.

Retention: Cloud Functions only saves IP addresses temporarily, to provide the service.

Firebase Authentication
  • Passwords
  • Email addresses
  • Phone numbers
  • User agents
  • IP addresses

How it helps: Firebase Authentication uses the data to enable end-user authentication, and facilitate end-user account management. It also uses user-agent strings and IP addresses to provide added security and prevent abuse during sign-up and authentication.

Retention: Firebase Authentication keeps logged IP addresses for a few weeks. It retains other authentication information until the Firebase customer initiates deletion of the associated user, after which data is removed from live and backup systems within 180 days.

Firebase Cloud Messaging
  • Instance IDs

How it helps: Firebase Cloud Messaging uses Instance IDs to determine which devices to deliver messages to.

Retention: Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

Firebase Crash Reporting
  • Instance IDs
  • Crash traces

How it helps: Crash Reporting uses crash stack traces to associate crashes with a project, send email alerts to project members and display them in the Firebase Console, and help Firebase customers debug crashes. It uses Instance IDs to measure the number of users impacted by a crash.

Retention: Crash Reporting retains crash stack traces for 180 days. Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

Firebase Dynamic Links
  • Device specs (iOS)

How it helps: Dynamic Links uses device specs on iOS to open newly-installed apps to a specific page or context.

Retention: Dynamic Links only stores device specs temporarily, to provide the service.

Firebase Hosting
  • IP addresses

How it helps: Hosting uses IP addresses of incoming requests to detect abuse and provide customers with detailed analysis of usage data.

Retention: Hosting retains IP data for a few months.

Firebase Invites
  • Device specs (iOS)
  • Locally-stored contacts

How it helps: Invites allows users to send invitation links to their contacts. Those links are Firebase Dynamic Links, which use device specs on iOS to open newly-installed apps to a specific page or context.

Retention: App Invites only accesses locally-stored contacts from the device, and only stores device specs temporarily, via Firebase Dynamic Links, to provide the link service.

Firebase Performance Monitoring
  • Instance IDs
  • IP addresses

How it helps: Performance Monitoring uses Instance IDs to calculate the number of unique app instances that access network resources, to ensure that access patterns are sufficiently anonymous. It also uses Instance IDs with Firebase Remote Config to manage the rate of performance event reporting. Additionally, it uses IP addresses to map performance events to the countries they originate from. For more information see Data collection.

Retention: Performance Monitoring keeps instance and IP-associated events for 30 days and de-identified performance data for 90 days. Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 90 days.

Firebase Predictions
  • Instance IDs

How it helps: Predictions uses Instance IDs to associate app instances with a project and to retrieve a time series of events. It uses those events to enable prediction of the likelihood of occurrence of customer-specified events, as well as spend and churn predictions by default.

Retention: Predictions stores instance-associated events for 60 days, and predictions made based on these events for a few weeks. Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

Firebase Realtime Database
  • IP addresses
  • User agents

How it helps: Realtime Database uses IP addresses and user agents to enable the profiler tool, which helps Firebase customers understand usage trends and platform breakdowns.

Retention: Realtime Database keeps IP addresses and user agent information for a few days, unless a customer chooses to save it for longer.

Google Analytics for Firebase

How it helps: Google Analytics uses the data to provide analytics and attribution information. The precise information collected can vary by the device and environment. For more information see Data collection.

Retention: Google Analytics retains certain advertising identifier associated data (e.g., Apple’s Identifier for Advertisers and Identifier for Vendors, Android’s Advertising ID) for 60 days, and retains aggregate reporting and certain user-level campaign data without automatic expiration, unless the Firebase customer changes their retention preference in their Analytics settings or deletes their project.

Firebase Remote Config
  • Instance IDs

How it helps: Remote Config uses Instance IDs to select configuration values to return to end-user devices.

Retention: Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

ML Kit for Firebase
  • Uploaded Images
  • Instance IDs

How it helps: The cloud-based APIs store uploaded images temporarily, to process and return the analysis to you. Stored images are typically deleted within a few hours. See the Cloud Vision Data Usage FAQ for more information.

Instance IDs are used by ML Kit when interacting with app instances, for example, to distribute developer models to app instances. Instance IDs also allow ML Kit to utilize Firebase Remote Config to ensure device-side APIs (e.g., topic lists and filters) are kept up to date.

Retention: Firebase retains Instance IDs until the Firebase customer makes an API call to delete the ID. After the call, data is removed from live and backup systems within 180 days.

Firebase Crashlytics

For more information on Crashlytics and end-user data processing, see the Crashlytics Data Collection Policies.

Guides for enabling opt-in for end-user personal data processing

Services in the table above need some amount of end-user personal data to function. As a result, it's not possible to entirely disable data collection while using those services.

If you're a customer who would like to offer users a chance to opt in to a service, and the data collection that comes with it, in most cases that just requires adding a dialog or settings toggle before using the service.

Some services, however, start up automatically when included in an app. To give users a chance to opt in before using those services, you can choose to disable auto-initialization for each service, and manually initialize them at run time instead. To find out how, read the guides below:

Data storage and processing locations

Unless a service or feature offers data location selection, Firebase may process and store your data anywhere Google or its agents maintain facilities. Potential facility locations vary by service.

US-only services

A few Firebase services are only run from US data centers. As a result, these services process data exclusively in the United States.

  • Firebase Realtime Database
  • Firebase Hosting
  • Firebase Authentication

Global services

The majority of Firebase services run on global Google infrastructure. They could process data at any of the Google Cloud Platform locations or Google data center locations. For some services you can make a specific Data Location Selection which restricts processing to that location.

  • Cloud Storage for Firebase
  • Cloud Firestore
  • Cloud Functions for Firebase
  • Firebase Performance Monitoring
  • Firebase Crash Reporting
  • Firebase Dynamic Links
  • Firebase Invites
  • Firebase Remote Config
  • Firebase Cloud Messaging
  • Firebase Predictions
  • Google Analytics
  • ML Kit for Firebase
  • Firebase Test Lab

Security information

Data encryption

Firebase services encrypt data in transit using HTTPS and logically isolate customer data.

In addition, several Firebase services also encrypt their data at rest:

  • Cloud Firestore
  • Cloud Functions for Firebase
  • Cloud Storage for Firebase
  • Firebase Authentication
  • Firebase Cloud Messaging
  • Firebase Realtime Database
  • Firebase Test Lab

Security practices

To keep personal data safe, Firebase employs extensive security measures to minimize access:

  • Firebase restricts access to select employees who have a business purpose to access personal data.
  • Firebase logs employee access to systems that contain personal data.
  • Firebase only permits access to personal data by employees who sign in with Google Sign-In and 2-factor authentication.

Still have questions? Contact us

For any privacy-related questions you have that aren't covered here, reach out through the Account Services form.