ConsentMark
Free Scan
X
Push NotificationsMedium complexity

Xtremepush

by Xtremepush

All product names, logos, and trademarks are the property of their respective owners. Their inclusion here is for identification purposes only and does not imply endorsement by Obscurity Ltd.

Sets cookies
Yes
Sends PII
No
Cross-site tracking
No
Consent required
Advertising / Marketing
Transfer mechanism
Standard Contractual Clauses
Cookies
_xpid_xpid_*

Overview

Web and mobile push notification, in-app messaging, and customer engagement platform. Irish-incorporated vendor with EU and US regional endpoints. Collects device tokens, persistent device identifiers, engagement events, and subscription state to deliver targeted notifications and measure outcomes.

Detection capabilities

Signature count
2
Detection methods
network
Property types
hostnamepathname

Performance impact

Performance Impact

Script size
60 KB
Requests per page
4

Common mistakes

  • 1Loading the Xtremepush SDK from prod.webpu.sh before consent, which immediately creates a device record and fires eventHit beacons
  • 2Assuming the browser push permission prompt is sufficient consent for all the analytics data the SDK collects alongside the subscription
  • 3Not surfacing prod.webpu.sh in tag-inventory reviews because the hostname does not obviously identify Xtremepush as the vendor
  • 4Leaving the global `xtremepush` function initialised before the CMP resolves, so deviceCreate and eventHit calls run even when the user is pre-interaction
  • 5Using the EU SDK endpoint (sdk.eu.xtremepush.com) without confirming data residency in the DPA - the regional endpoint is a routing convenience, not a residency guarantee

Compliance considerations

Xtremepush serves its web SDK from `prod.webpu.sh/<APP_KEY>/sdk.js` and sends events to regional endpoints (`sdk.eu.xtremepush.com`, `sdk.us.xtremepush.com`). Because `webpu.sh` does not contain the vendor name, tag audits and GTM inventories frequently miss it.

Consent: Treat as advertising/marketing - push-notification delivery plus engagement analytics is not strictly necessary. Both the SDK load and the `deviceCreate`/`eventHit` API calls must be gated behind consent.

Transfer: Xtremepush is incorporated in Ireland but serves customers globally. Regional endpoints route requests but do not by themselves guarantee data residency - confirm the current DPA.

Cookies: sets `_xpid` and per-application `_xpid_<APP_ID>` first-party identifiers used to attribute subscription state and engagement events across sessions.

Related services

OneSignal

onesignal

Push NotificationsLow risk

2 detection signatures

Scan your site for Xtremepush

Run a free ConsentMark scan to see how Xtremepush is loading on your site, whether it respects consent, and where governance gaps exist across your wider tag estate.

Start a free scan