
Posted on by Simon Schmid


Your app is getting rejected after having submitted it potentially weeks earlier and being very hopeful. What happened? 

The most annoying reason you can get is "Metadata Rejected", after which you're sent to the Resolution Center. It's annoying because it has nothing to do with the app itself and because it would have been so easy to fix beforehand.

The process usually goes something like this:

Apple: How do you secure user data?
You: I use Parse and Stripe.
Apple: You need a privacy policy.
You: Okay.

What happens then is that you'll be pointed to the actual rule that Apple thinks applies to you. This has been happening a lot since the launch of iOS 8. Even Dave Verwer, an iOS developer and well-known newsletter host, wrote about the fact that Apple posted about privacy policies on their developer blog:

I'm guessing that this post was prompted by the fact that using HomeKit, HealthKit or keyboard extensions in iOS 8 all now require you to include a privacy policy. However if you look at the list of conditions for where a policy is necessary, I won't be surprised if this field gets changed to be mandatory for all apps soon. If you don't have a privacy policy then you might want to check out Iubenda who have a really good, simple policy generator.

Of course there's a good reason why there are a lot of posts about this topic on this blog: we'd like to help iOS developers craft their privacy policies.



Posted on by Simon Schmid

Here's an interesting piece of Apple news. OK, maybe it's not so much interesting as informative. Apple decided to post information about "including a privacy policy in your apps".

The blog entry has more or less the same content that we've earlier posted in "iOS 8 Starts Today, so Do New Privacy Requirements". Nonetheless, it's very interesting to see Apple being so vocal about the whole privacy topic lately:

To ensure that customers understand how their data will be used, you must provide a link in the Privacy Policy URL field in iTunes if a privacy policy is required by law in your country or if your app does any of the following:

  • Accesses user or device data
  • Offers an account registration process
  • Accesses a user's existing account
  • Uses the HomeKit Framework or HealthKit Framework
  • Integrates Apple Pay
  • Includes keyboard extensions
  • Contains auto-renewable subscriptions or free subscriptions
  • Appears in the Kids Category

For more details, read the App Store Review Guidelines.

Time to address your privacy policy, iOS developers. We'll gladly be of assistance.

Check out our guide Privacy Policy for iOS Apps.


Posted on by Simon Schmid


Google is pushing its new Google Analytics standard hard. Soon all accounts will be required to use Universal Analytics instead of the older implementation technologies.

With Universal Analytics, users also get some new technology and tracking features. Its most publicized and advertised feature is the User ID, which lets you "Connect multiple devices, sessions, and engagement data (...)."

In short, User ID lets you attribute multiple sessions to one user more accurately. It's not hard to see that this potentially makes the analytics data much more insightful. This is what Google itself says about the feature:

The User ID is a Universal Analytics feature that you can use to associate multiple sessions (and any activity within those sessions) with a unique ID. When you send a unique ID and any related engagement data to Google Analytics, all activity is attributed to one user in your reports. With the User ID, you can get a more accurate user count, analyze the signed-in user experience, and get access to the new Cross Device reports.

What changes for my privacy policy with User ID?

With User ID you also have some changes coming to your privacy policy. Google itself asks you to make those changes. Let's see what they are and where we can find these requirements.

The User ID feature is built for use with the Universal Analytics technologies. All implementations must comply with the Google Analytics Measurement Protocol / SDK / User ID Policy. The Universal Analytics usage guidelines, and security & privacy principles also apply.

Source https://support.google.com/analytics/answer/3123668?hl=en

Let's, therefore, dive in deeper.

The Google Analytics Measurement Protocol / SDK / User ID Policy requirements

Here are Google's requirements from the Measurement Protocol:

  • You will give your end users proper notice about the implementations and features of Google Analytics you use (e.g. notice about what data you will collect via Google Analytics, and whether this data can be connected to other data you have about the end user). You will either get consent from your end users, or provide them with the opportunity to opt-out from the implementations and features you use.
  • If you use an SDK to implement any Google Analytics Advertising Features, such as Audience Reporting or Remarketing, you will abide by the Policy for Google Analytics Advertising Features, in addition to the Google Play Developer Program Policies, or any other applicable policy.

Source https://developers.google.com/analytics/devguides/collection/protocol/policy

Three things are important here and will have a direct impact on your privacy policy text:

  • proper notice about the implementations and features
  • get consent or provide them with the opportunity to opt-out from the features and implementations
  • if you use Audience Reporting or Remarketing you need to additionally abide by further policies

The Universal Analytics Usage Guidelines requirements

Let's dive in right away:

Let your users know about these Google Analytics features, and give them proper notice about your implementation changes. Get consent or provide an opportunity to opt-out of your services.

When you implement Universal Analytics, it is your responsibility to ensure that your use is legally compliant, including with any local or regional requirements for specific notification to users.

Source https://support.google.com/analytics/answer/2795983?hl=en

Google wants you to let your users know about the changes (moving from the older version to Universal Analytics). There is no direct impact here on your privacy policy.

Security and privacy in Universal Analytics requirements

Here's an excerpt:

(...) In case you use a service that has implemented the Measurement Protocol, please check the notice given and choice offered by this service directly with the Google Analytics customer using such service, as the opt-out directly provided by Google Analytics does not affect data reported through the Measurement Protocol.

Source https://support.google.com/analytics/answer/2838718

The point here is that you need to offer your users a way to opt out of the Google Analytics features you use that Google itself cannot control. Add a way for people to opt out of these features to your privacy policy.

How iubenda can help you

If you have a privacy policy that you are confident in, consider making the changes described above. Here is a summary:

  • proper notice about the implementations and features
  • get consent or provide them with the opportunity to opt-out from the features and implementations
  • if you use Audience Reporting or Remarketing you need to additionally abide by further policies

If you don't have a privacy policy, or you want to improve your existing one, iubenda generates the privacy policy for you and produces text ready to use on your site (or app). Here is another, shorter post that outlines some other rules set out by Google about how you should implement User ID.

This is the process when generating a privacy policy for Google Analytics' User ID feature:

  • Sign up or sign in and provide your site's URL
  • Add the "Google Analytics" service
    • Alternatively add "Google Analytics with anonymized IP"
  • Add the "User ID" extension
    • Add the "Remarketing" clause if you need it
  • Done. Now add the privacy policy to your site.

Generate your privacy policy in a couple of minutes


Posted on by Simon Schmid


Most iubenda users don't notice that we are working on the product all of the time. And while that certainly is a good thing, we also want you and our users to know that we are hard at work behind the scenes. This is one of those updates to show what we've worked on lately and pushed live today:

  • Amazon Mobile Ads added as a service/integration
    • Amazon Mobile Ads has been integrated into the advertising networks category. It can now be used as a service right from the dashboard and the privacy policy's settings;
  • Apptentive added as a service/integration
    • Apptentive has been integrated into the "Interaction with support and feedback platforms" category. It can now be used as a service right from the dashboard and the privacy policy's settings;
  • Autosend added as a service/integration
    • Autosend is another app that allows you to send messages to your users based on certain actions within your app. It's been added to user database management and can be used for your privacy policy immediately.
  • GetSatisfaction clause slight changes in Portuguese (for Brazilian version)
    • We've fixed a translation detail that didn't reflect the meaning of our other language versions.
  • GetKudos Widget added as a service/integration
    • GetKudos, a service operated by Zopim (another already integrated service) has been added to the "Interaction with support and feedback platforms" category. It can now be used as a service right from the dashboard and the privacy policy's settings;
  • Google Cloud Storage added as a service/integration
    • Google Cloud Storage is now also ready. Integrate it into your privacy policy by browsing to the hosting section.
  • Instagram Authentication & Instagram Widget added as a service/integration
    • Both the Instagram Authentication via OAuth and the widget that shows Instagram images on your own site have been added to the generator. Therefore if you use any Instagram features on your site, go get your privacy policy updated.
  • Monitis added as a service/integration
    • Monitis has been added as a service in infrastructure monitoring. It can now be used as a service right from the dashboard and the privacy policy's settings;
  • Sucuri CloudProxy added as a service/integration
    • CloudProxy has been added as a traffic optimization and distribution service. If you use them on your site, consider making your privacy policy with iubenda.
  • Taboola Monetize Content added as a service/integration
    • Have you ever noticed reading recommendations below an article or blog post that took you to a completely different site? That's what Taboola does. Publishers that use Taboola on their site can now use iubenda to generate a privacy policy for themselves.

And one more thing:

  • User ID extension for Google Analytics added as a service/integration
    • Google Analytics' User ID is going to be a big thing in the near future and it requires some changes to your privacy policy. Since this is a bigger topic we're also releasing a dedicated blog post about it.

Add any of these services to your privacy policy

Posted on by Simon Schmid

There are two new fines out for companies that improperly collected information about children. TinyCo and Yelp both settled the charges with fines of $300k and $450k, respectively. The press release by the Federal Trade Commission regarding the reasons and fines went out a couple of days ago (September 17).

What happened and how can you avoid fines like these?

COPPA requires that companies collecting information about children under 13 online follow a number of steps to ensure that children’s information is protected. The main steps are disclosure and consent from parents. There's an earlier post here on the blog that dissects the various steps of COPPA compliance for mobile apps.

The actual privacy policy is only a small part of the compliance process.

About Yelp

Yelp collected personal information about kids even though it verifiably knew its users' ages and that it had kids under the age of 13 signed up. Here's a summary of the complaint:

The FTC’s complaint alleges that Yelp failed to follow the COPPA Rule’s requirements, even though it knew – based on registrants’ birth dates – that children were registering for Yelp through the mobile app. According to the complaint, Yelp failed to implement a functional age-screen in its apps, thereby allowing children under 13 to register for the service, despite having an age-screen mechanism on its website. In addition, the complaint alleges that Yelp did not adequately test its apps to ensure that users under the age of 13 were prohibited from registering.

About TinyCo

TinyCo, the creators of games like Tiny Pets, Tiny Zoo, Tiny Monsters, Tiny Village and Mermaid Resort, were fined because these games were in reality directed at children under 13, through their use of themes appealing to children, brightly colored animated characters and simple language.

The games partly collected email addresses, including those from 13-year-olds. The FTC had this to say:

The FTC’s complaint alleges that the company failed to follow the steps required under the Rule related to the collection of children’s personal information.

The message is clear: the FTC is trying to make an example of companies that don't follow the rules COPPA imposes on developers. Compliance is a fair amount of work, but there are tools out there that help you out.

iubenda can help you out with a well written privacy policy and other companies help with consent systems that you can incorporate into your app. Two by the FTC approved companies are,

Generate a privacy policy with iubenda


Posted on by Simon Schmid


Yesterday was the big day for iDevice owners. iOS 8 was rolled out to devices across the globe.

A couple of weeks back I had already written about the implications iOS 8 brings in the privacy realm. Apple has done some homework on privacy at large. Also, if you are a developer, do check out this presentation about "User Privacy on iOS and OS X" by members of the product security and privacy team. So what exactly are those changes I am talking about in terms of privacy policies?

In a nutshell, iOS 8 was confirmed to incorporate requirements for privacy policies across the spectrum. This is what the aforementioned documentation says:

Important for all apps to have one, required for some app categories

  • Apps that link against HealthKit
  • Apps that link against HomeKit
  • Third party keyboards
  • Kids

Before iOS 8 only the Kids category had an explicit requirement for a privacy policy. This documentation had confirmed 4 categories before the September 9 keynote.

Updated App Store Review Guidelines

So today, on iOS 8 day two, I am double-checking the updates in the App Store Review Guidelines for you. In them you can find the following rules for your privacy policy:

3.12 (Metadata (name, descriptions, ratings, rankings, etc.))

Apps should have all included URLs fully functional when you submit it for review, such as support and privacy policy URLs

17 (Privacy)

  • Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used

  • 17.2

    Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected

  • 17.3

    Apps may ask for date of birth (or use other age-gating mechanisms) only for the purpose of complying with applicable children's privacy statutes, but must include some useful functionality or entertainment value regardless of the user's age

  • 17.4

    Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, the ability to chat, other personal data, or persistent identifiers used in combination with any of the above) from a minor must comply with applicable children's privacy statutes, and must include a privacy policy

  • 17.5

    Apps that include account registration or access a user’s existing account must include a privacy policy or they will be rejected

24.1 (Kids Category)

Apps in the Kids Category must include a privacy policy and must comply with applicable children's privacy statutes

25.7 (Keyboard Extensions)

Apps offering Keyboard extensions must have a primary category of Utilities and a privacy policy or they will be rejected

26.2 (HomeKit)

Apps using the HomeKit framework must indicate this usage in their marketing text and they must provide a privacy policy or they will be rejected

27.7 (HealthKit)

Apps using the HealthKit framework must provide a privacy policy or they will be rejected

29.4 (Apple Pay)

Apps using Apple Pay must provide a privacy policy or they will be rejected

Apple now requires 5 categories of apps to have a privacy policy

So, not much of a surprise: Apple has now added Apple Pay apps to the list of apps that Apple requires to incorporate a privacy policy, upping the number of categories to 5.

Of course, if you've come here and haven't seen iubenda before, generating privacy policies for apps is what we do: in 6 languages, auto-updating, and we give you a link to your privacy policy for the App Store right after generation.


Generate your mobile privacy policy in a couple of minutes
