Apple holds iOS app developers to very high standards. Every app hosted on the Apple App Store must work properly, collect user data responsibly, and have a legally-compliant Privacy Policy.
This article will help you understand:
- Whether your iOS app needs a Privacy Policy
- Whether you still need a Privacy Policy if your app doesn't collect user data
- How to fulfill Apple's Privacy Policy requirements
- Which privacy laws you need to comply with when creating your Privacy Policy
- How to submit your Privacy Policy to Apple
- How to make your Privacy Policy available to your users
Apple sets strict rules about what your iOS App Privacy Policy must disclose. Your iOS app will be rejected from the App Store unless your Privacy Policy meets Apple's requirements.
- 1. Does My iOS App Need a Privacy Policy?
- 1.1. Do I Need a Privacy Policy If My App Doesn't Collect User Data?
- 2. Apple's Privacy Policy Requirements
- 2.1. What Data Your App Collects
- 2.2. How Your App Collects Data
- 2.3. How Your App Uses Data
- 2.4. Information About Sharing Data With Third Parties
- 2.5. How Your Users Can Revoke Consent
- 2.6. Your Data Retention Policy
- 2.7. How Your Users Can Delete Their Data
- 3. Legal Requirements
- 3.1. How to Create a Privacy Policy for Your Mobile App
- 4. Publishing Your iOS App Privacy Policy
- 4.1. Submitting Your Privacy Policy to Apple
- 4.2. Providing Access to Your Privacy Policy Within Your App
- 4.3. Other Places to Link to Your Privacy Policy Within Your App
- 5. Summary of Your iOS App Privacy Policy
Does My iOS App Need a Privacy Policy?
Yes, your iOS app needs a Privacy Policy. Since October 2018, Apple has required all iOS apps to have a Privacy Policy:
Apple now gives this requirement in its App Store Review Guidelines:
All iOS apps must go through the App Store Review Process. Apple will reject your iOS app if you submit it without a compliant Privacy Policy.
Apple also states that every iOS app must comply with local law:
Therefore, you must also comply with the privacy laws that apply in your region, and any other regions in which your app is available.
Do I Need a Privacy Policy If My App Doesn't Collect User Data?
Perhaps your iPhone app doesn't transfer any user data away from your users' devices. After all, if you don't need to collect user data or personal information, you should not do so.
Even if your iOS app doesn't collect any user data, you still need a Privacy Policy. In your Privacy Policy, you can explain that your app doesn't access any user data, or that it only does so locally (i.e., any data that the app processes remains on the device).
Here's how iPad photo editing app Pixelmator handles this:
Pixelmator provides a clear and reassuring explanation of its practices to its users. This is much more professional than simply not publishing a Privacy Policy.
However, even if you believe your app doesn't collect user data, you could be wrong. You may find that some of your app's activities do require disclosure in a Privacy Policy.
Apple's Privacy Policy Requirements
Apple's App Store Review Guidelines tell developers what an iOS Privacy Policy should contain:
Let's break that down. To comply with this section of the App Store Review Guidelines, your Privacy Policy must:
- Disclose what user data you collect
- Explain how you collect user data
- Explain how you use user data
- Confirm that you only share user data with companies that have good privacy practices
- Disclose how long you store user data
- Explain how your users can revoke their consent to your use of their data
- Explain how your users can request you delete their data
We're going to explain each of these obligations and give examples so you can understand exactly what Apple requires.
What Data Your App Collects
Let's look at Apple's first Privacy Policy requirement.
Your Privacy Policy must "identify what data, if any, the app/service collects."
Note that Apple uses the term "data." Due to the context, you can reasonably conclude that "data" includes "personal information" and you should apply a very broad definition of this term.
Apple doesn't provide a definitive list of what types of information it considers "personal information." It does give some examples of personal information in a guidance document called Requesting Permission:
Apple considers at least the following types of data to be personal information:
- Location data
- Information from the user's calendar
- Contact information
- Reminders
- Photos
Bear in mind that Apple doesn't allow iOS apps to collect unnecessary or excess personal information. Your app should collect user data sparingly. This is stated in this section of the App Store Review Guidelines on "data minimization":
Here's how iOS app Drafts discloses the types of data it collects:
Drafts breaks down the types of data it collects into categories to make it easier for users to understand.
Note that even if your app doesn't transmit user data from the device, you should still disclose any permissions that your app requests.
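One practical way to build this part of the disclosure is to enumerate the permissions your app can request. On iOS, every system permission prompt (location, contacts, photos, and so on) requires a matching purpose-string key in the app's Info.plist, so the set of `*UsageDescription` keys is a good inventory of what to disclose. The script below is an added example written for this article, not code from Apple or from any app named here; the Info.plist it parses is a constructed sample, and the `USAGE_KEYS` mapping is an illustrative subset covering the five categories Apple lists above plus a few other common keys (it is not Apple's complete list). Note what this check cannot see: data collected without a system permission (analytics or advertising SDKs, account sign-up forms) still has to be disclosed, so use this as a starting checklist rather than the whole answer.

```python
import plistlib

# Constructed sample Info.plist (not from any real app). In a real check,
# read the bundle's Info.plist from disk and pass its bytes instead.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.sampleapp</string>
    <key>NSLocationWhenInUseUsageDescription</key>
    <string>Used to show nearby events.</string>
    <key>NSContactsUsageDescription</key>
    <string>Used to invite friends.</string>
    <key>NSPhotoLibraryUsageDescription</key>
    <string></string>
    <key>NSCameraUsageDescription</key>
    <string>Used to scan QR codes.</string>
</dict>
</plist>
"""

# Illustrative mapping (an assumption for this example, not Apple's list):
# purpose-string key -> data category to name in the Privacy Policy.
USAGE_KEYS = {
    "NSLocationWhenInUseUsageDescription": "Location data",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "Location data",
    "NSCalendarsUsageDescription": "Calendar",
    "NSContactsUsageDescription": "Contacts",
    "NSRemindersUsageDescription": "Reminders",
    "NSPhotoLibraryUsageDescription": "Photos",
    "NSPhotoLibraryAddUsageDescription": "Photos",
    "NSCameraUsageDescription": "Camera",
    "NSMicrophoneUsageDescription": "Microphone",
    "NSHealthShareUsageDescription": "Health data",
    "NSUserTrackingUsageDescription": "Tracking identifier",
}


def requested_permissions(plist_bytes):
    """Return a sorted list of (key, category, purpose) for every
    *UsageDescription key in the plist. Keys not in USAGE_KEYS are
    still reported, with the category 'Other'."""
    info = plistlib.loads(plist_bytes)
    found = []
    for key, value in info.items():
        if key.endswith("UsageDescription"):
            found.append((key, USAGE_KEYS.get(key, "Other"), str(value).strip()))
    return sorted(found)


def disclosure_gaps(plist_bytes):
    """Keys whose purpose string is empty. An empty purpose string is a
    sign that the matching Privacy Policy disclosure may be missing too."""
    return [key for key, _, purpose in requested_permissions(plist_bytes)
            if not purpose]


def disclosure_checklist(plist_bytes):
    """Deduplicated data categories the Privacy Policy should disclose."""
    return sorted({cat for _, cat, _ in requested_permissions(plist_bytes)})


if __name__ == "__main__":
    for key, cat, purpose in requested_permissions(SAMPLE_INFO_PLIST):
        print(f"{cat:<20} {key}: {purpose or '(no purpose string)'}")
    print("Disclose:", ", ".join(disclosure_checklist(SAMPLE_INFO_PLIST)))
    print("Missing purpose strings:", disclosure_gaps(SAMPLE_INFO_PLIST))
```

Run it against a built app's Info.plist before each App Store submission and compare the checklist with the "data we collect" section of your Privacy Policy; any category in the output that the policy does not mention is a disclosure gap.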
How Your App Collects Data
Your Privacy Policy must explain how your iOS app collects user data.
Depending on what your app does, it might collect user data by requesting it (e.g., names, usernames, email addresses) or by collecting it automatically (e.g., device data, usage data, location data).
This might be quite a technical section of your Privacy Policy. You should try to explain your data collection practices in language that your users will understand.
Here's how Chemdata explains how it collects the data its users provide directly:
Later in Chemdata's Privacy Policy, the company describes how its app collects user data automatically:
How Your App Uses Data
Your Privacy Policy must explain how your app uses any data it collects. And, to reiterate: You must always have a good reason to collect user data.
Here's how Cultured Code explains its uses for the user data it collects:
Bear in mind that Cultured Code's Privacy Policy applies over all of its products, plus its mailing list and website. Your Privacy Policy should also cover any other means by which you collect personal information.
Information About Sharing Data With Third Parties
Apple places strict rules on how developers share user data with third parties.
Your app may share user data for many reasons. Sharing data is allowed so long as it is legal and within the scope of Apple's rules. Your Privacy Policy must confirm that any third parties will take equally good care of your users' data as you do.
Your app must be compliant with Apple's privacy standards. Therefore, any third party your app shares user data with must also be compliant with Apple's privacy standards.
Apple gives some examples of the types of companies it considers third parties:
- Analytics tools providers
- Advertising networks
- Third-party software development kit (SDK) providers
- Parent companies, subsidiaries, or other related entities
Sports news app Võrumaa Nutimängud is very specific. Its Privacy Policy identifies the specific third parties with whom it shares user data:
How Your Users Can Revoke Consent
Apple states that your Privacy Policy must "describe how a user can revoke consent."
Apple's App Store Review Guidelines state that you must only collect user data with consent. If a user revokes consent, you must stop collecting their data.
iOS apps will often ask for consent by using the permission request mechanisms provided in iOS SDKs. You can provide a method for your users to revoke this sort of consent within your app settings. Your Privacy Policy should explain how users can do this.
Here's how Kinemaster explains how its users can revoke consent:
In any situation where you have asked for a user's consent, they must be able to revoke it, and your Privacy Policy should explain how.
For example, if you ask for a user's email address to send them your newsletter, they should be able to withdraw consent for this at any time.
Here's how the translation app company evolly.app explains this:
Your Data Retention Policy
Apple states that your Privacy Policy must explain your "data retention/deletion policies."
You must not keep user data longer than you need it. This means thinking carefully about how long you need to store user data and, if necessary, creating a retention schedule.
Your Privacy Policy should explain your data retention practices. Here's how Easybrain does this:
Be as specific as possible here with your timeframe, and make sure you're disclosing your actual practices.
How Your Users Can Delete Their Data
Apple states that your Privacy Policy must "describe how a user can [...] request deletion of the user's data."
This implies that you must offer users a way to delete any user data you hold on them. Apple doesn't explicitly state that you need to do this in its App Store Review Guidelines.
However, Apple does require that you give users control over their data. Apple states this in a document called "Protecting the User's Privacy:"
Enabling your users to request the deletion of their personal information is also a legal requirement under several privacy laws, including the GDPR and the CCPA.
Your app could provide the user with the ability to delete their data. Or you can invite your users to send you an email to make a deletion request.
Here's how the alarm clock app Sleep Cycle presents this information in its Privacy Policy:
Note that Sleep Cycle's users only need to contact the company if they want to delete backup data (which is stored remotely). To delete locally-stored data, users can simply delete the app.
Legal Requirements
Along with Apple's Privacy Policy requirements, you need to obey the law.
Privacy and data protection laws strictly regulate how you handle your users' personal information, and determine what you need to disclose in your Privacy Policy.
The law will give different Privacy Policy requirements depending on where you and your users are based.
Note: You must obey the privacy law of the regions where your users are based and not just where you are based.
| Region(s) in which your app is accessible | Privacy law you need to obey |
|---|---|
| United States | Effectively, the State of California sets privacy standards in the US. As long as your app is accessible to California consumers, you must obey the state's strict privacy laws. All commercial websites and apps must comply with the California Online Privacy Protection Act (CalOPPA). Read our guide to creating a CalOPPA Privacy Policy to understand your obligations under this law. Larger companies must comply with the California Consumer Privacy Act (CCPA). This is currently the strictest privacy law in the US. Read our guide to creating a CCPA Privacy Policy. |
| European Union | The EU has the strictest privacy standards in the world. The EU General Data Protection Regulation (GDPR) sets extensive rules regarding what information you should provide in your Privacy Policy. Read our guide to creating a GDPR Privacy Policy. |
| Canada | Canada's privacy standards are also high. If your app has users in Canada, you must comply with the Personal Information Processing and Electronic Documents Act (PIPEDA). Read our guide to creating a PIPEDA Privacy Policy. |
| Australia | If your app is accessible in Australia, you may be subject to Australia's main consumer privacy law, the Privacy Act of 1998. |
| South-East Asia | There are a number of strict privacy laws in South-East Asian countries that might have implications for your Privacy Policy. |
Where these or any other privacy laws apply to you, you must ensure that your Privacy Policy is compliant with them.
How to Create a Privacy Policy for Your Mobile App
- Click on the "Start the Privacy Policy Generator" button.
- At Step 1, select the Mobile app option and click "Next step":
- Answer the questions about your mobile app and click "Next step" when finished:
- Answer the questions about your business practices and click "Next step" when finished:
- Enter your email address where you'd like your policy sent, select translation versions and click "Generate My Privacy Policy." You'll be able to instantly access and download your new Privacy Policy:
Publishing Your iOS App Privacy Policy
Once you've created your iOS app Privacy Policy, you need to host it online.
The best place to host your Privacy Policy is your company's website, if you have one. If you don't have a website, you can set up a simple WordPress site, or even a publicly accessible Google Doc.
Once you've hosted your Privacy Policy online, Apple requires you to:
- Provide a link to your Privacy Policy with your app information when submitting your app on App Store Connect, and
- Provide a way for your users to access your Privacy Policy from within your iOS app
Submitting Your Privacy Policy to Apple
Apple states that "all apps must include a link to their privacy policy in the App Store Connect metadata field."
To get your app hosted in the App Store, you first need to add it to your App Store Connect account.
When you add an app to your App Store Connect account, you must provide Apple with certain app information, including the URL of your Privacy Policy.
Here you can see the Privacy Policy URL listed among the required app information in the App Store Connect Help for apps:
If you're submitting an app bundle (up to ten apps sold together at a reduced price), you should submit your Privacy Policy along with your app bundle's primary app. You don't need to submit a Privacy Policy with each bundled app you submit.
Apple explains this in its App Store Connect Help for bundles:
Once your iOS app is approved, your Privacy Policy will show alongside other information about your app in the App Store. Here's how it looks:
This is important because it gives potential users the opportunity to check out your privacy practices before deciding to download your app. If the link weren't available before download, and you collected any information during the download process or before the user could reach the Privacy Policy inside the app, that collection would take place without any disclosure, violating your users' privacy rights.
Providing Access to Your Privacy Policy Within Your App
Apple requires that you provide users access to your Privacy Policy "within the app in an easily accessible manner."
Most apps provide Privacy Policy access via a "Settings" or "About" menu. Here's an example of how the Amazon Kindle app provides Amazon's Privacy Policy to its users.
The Kindle app's "Settings" menu contains an "Other" option where the Privacy Notice is linked along with other legal agreements and information:
This is a good example of how to make a Privacy Policy accessible within an app.
You could also link to your Privacy Policy directly within your app's "Settings" menu, or even as an item within your app's side or drop-down menu.
Google Maps places its Privacy Policy within the "Support" section of its "Settings" menu:
You need to make sure your users can access your Privacy Policy at any time, and keeping a static link somewhere in your app accomplishes this.
Other Places to Link to Your Privacy Policy Within Your App
Although Apple doesn't require it, you also should link to your Privacy Policy whenever you ask your users to provide personal information.
For example, here's how SoundHound directs users to its Privacy Policy when signing up for an account:
Here's how Amazon links users to its Privacy Policy when confirming a purchase:
Take every reasonable opportunity to appear transparent in your privacy practices by making your Privacy Policy link available often.
Summary of Your iOS App Privacy Policy
To meet Apple's requirements, your iOS app Privacy Policy must disclose:
- What user data your app collects
- How you collect user data
- How you use user data
- Whether you only share user data with companies that have good privacy practices
- How long you retain user data
- How your users can revoke consent
- How your users can request you delete their user data
Your iOS app Privacy Policy must also be legally compliant.
You must:
- Submit your Privacy Policy to Apple within your App Store Connect metadata
- Provide a link to your Privacy Policy within your iOS app