Data Collection and Security

The SAP Engagement Cloud SDK collects data to power engagement features, and provides mechanisms to support data security, along with guidance on handling user consent and data deletion requests.

Privacy Notice

This solution does not identify or link users across customer databases and apps using parameters tracked by the SDK or by any other means. It is your responsibility to ensure that you always obtain the necessary consent for that data from your consumers, meaning a natural person such as a customer, contact, or account.

Automatically Tracked Data

Device Information

Parameter	Description	Collected When
Platform	Operating system (Android, iOS, or web)	SDK initialization, device settings change
Platform Category	Device category (mobile or web)	SDK initialization, device settings change
Application Version	Host application version	SDK initialization, device settings change
Device Model	Hardware model identifier	SDK initialization, device settings change
OS Version	Operating system version	SDK initialization, device settings change
SDK Version	Engagement Cloud SDK version	SDK initialization, device settings change
Language	Device language setting	SDK initialization, language change
Timezone	Device timezone	SDK initialization, device settings change
Client ID	SDK-generated UUID, not tied to hardware or advertising identifiers	SDK initialization
Notification Settings	Push notification status	SDK initialization, settings change
Platform Wrapper	Wrapper framework (React Native, Flutter, etc.)	SDK initialization (if applicable)
Platform Wrapper Version	Wrapper framework version	SDK initialization (if applicable)

Application Events

Event Name	Description	Data Included
app:start	Application is launched	Timestamp, custom attributes (optional)
session:start	Session begins	Timestamp, custom attributes (optional)
session:end	Session ends	Timestamp, session duration, custom attributes (optional)

Message Interactions

Event Type	Description	Data Included
Push Notification Clicked	User taps push notification	Campaign metadata, reporting data, origin, timestamp
In-App Message Viewed	In-app message is displayed	Campaign metadata, timestamp
In-App Button Clicked	User taps in-app button	Campaign metadata, reporting data, origin, timestamp
On Event Action Executed	Automated action completes	Campaign metadata, reporting data, origin, timestamp

---

Manually Tracked Data

Contact Management

API Method	Purpose	Data Sent
EngagementCloud.contact.link()	Link user using a contact field	Contact field value
EngagementCloud.contact.linkAuthenticated()	Link user using an OpenID token	OpenID token

Push Notifications

API Method	Purpose	Data Sent
EngagementCloud.push.registerToken()	Register push token	Device push token

Event Tracking

API Method	Purpose	Data Sent
EngagementCloud.event.track()	Track events	Event name, attributes (optional), timestamp

Deep Link Tracking

API Method	Purpose	Data Sent
EngagementCloud.deepLink.track()	Track deep link usage	Deep link URL, tracking identifier

Configuration

API Method	Purpose	Data Sent
EngagementCloud.config.changeApplicationCode()	Update application code	New application code
EngagementCloud.config.setLanguage()	Set language override	Language code
EngagementCloud.config.resetLanguage()	Reset language to device language	None

Embedded Messaging

Feature	Purpose	Data Sent
Filter by unread	Show only unread messages	Filter state
Filter by categories	Show specific categories	Selected categories

---

Database

Data Type	Purpose	Retained Until
Device Information	Change detection	App uninstall
Client ID	Device identification	App uninstall
Authentication Token (OpenID)	Session authentication	unlink() or disable()
Push Token	Notification delivery	Token replaced or app uninstall
Pending Events	Offline event queue	Successful delivery
SDK Configuration	Application settings	App uninstall or disable()
Language Preference	Custom language	resetLanguage() or app uninstall

---

Platform-Specific Details

Platform	Push Service	Platform Identifier	Additional Data
Android (Google)	Firebase Cloud Messaging (FCM)	android	Notification channel settings, importance levels
Android (Huawei)	Huawei Mobile Services (HMS)	android-huawei	Notification channel settings, importance levels
iOS	Apple Push Notification Service (APNs)	ios	Notification settings, permission status
Web	Web Push (browser)	web	Notification permission status

---

iOS Privacy Manifest

For more information on how the SAP Engagement Cloud SDK complies with Apple's Privacy Manifest requirement, see iOS Privacy Manifest.

Data Transport Security

• All network communication is encrypted using HTTPS.
• The SDK does not add database-level encryption.

Handling User Consent

The SDK starts collecting data as soon as enable() is called. Do not call enable() until the user has given consent.

• Allow users to revoke consent. When a user revokes consent, call disable(), which automatically unlinks the contact.
• Calling disable() stops future data collection but does not delete previously collected data.

Handling Data Deletion Requests

When a user requests data deletion:

1. Call unlink().
2. Clear your app's local storage and caches. Remove the data stored by the SDK through the platform's storage settings.
3. Verify deletion on the server side by checking the contact profile in SAP Engagement Cloud.

Security Testing Checklist

You are responsible for complying with the following security requirements:

Item	Action
Data Transport	Confirm TLS with certificate pinning. Reject non-HTTPS image URLs for rich push.
Logging	Ensure that no OpenID tokens or PII is logged. Avoid sending tokens to third-party analytics tools unless required.
Permissions	Verify that push permission prompts for Android and iOS only occur when expected.
Consent Revocation	Verify your consent revocation process end‑to‑end.
OpenID Token Rotation	Rotate OpenID token and validate that the old token is rejected.