Privacy Policy for (iOS, macOS) Apps: Apple’s App Store Review Guidelines

Since the release of iOS 8, Apple has introduced many requirements that must be met to avoid having your application rejected. One of the major requirements (and a frequent cause of rejection when it is not met) is data privacy.

Data privacy is more important than ever across various companies and platforms; with major fines and sanctions being handed down for non-compliance, companies are paying attention – and Apple is no exception: Apple’s App Store Review Guidelines have been updated to better accommodate recent changes in Data Protection Law.

From October 3, 2018 App Store Connect requires a privacy policy for all new apps and app updates before they can be submitted for distribution on the App Store or through TestFlight external testing.

Article 5.1 of Apple’s App Store Review Guidelines provides an overview of Apple’s privacy guidelines (and grounds for rejection where these conditions are not met). Article 5.1.1 on Data Collection and Storage further specifies as follows:

5.1.1(i) Privacy Policies: All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible manner. The privacy policy must clearly and explicitly:

  • Identify what data, if any, the app/service collects, how it collects that data, and all uses of that data.
  • Confirm that any third party with whom an app shares user data (in compliance with these Guidelines) — such as analytics tools, advertising networks and third-party SDKs, as well as any parent, subsidiary or other related entities that will have access to user data — will provide the same or equal protection of user data as stated in the app’s privacy policy and required by these Guidelines.
  • Explain its data retention/deletion policies and describe how a user can revoke consent and/or request deletion of the user’s data.

In addition, your app’s privacy policy link or text will only be editable when you submit a new version of your app. Read the App Store’s privacy clause here.

Example privacy policy for iOS/macOS apps

A lot of people ask for sample privacy policies for apps. The exact required contents of a privacy policy depend upon the applicable law and may need to address requirements across geographical boundaries and legal jurisdictions.

For this reason, it’s always advisable that you approach your (legally mandated) privacy policy with the strictest applicable regulations in mind. You can read more about determining your law of reference here or read our in-depth Legal Overview Guide here.

Let’s start with the legal minimum requirements. These are the most basic elements that a privacy policy should have:

  • Who is the app owner?
  • What data is being collected? How is that data being collected?
  • What is the legal basis for the collection? (e.g. consent, necessity for your service, legal obligation, etc.) – This is most specifically a GDPR and EU law requirement; however, even if you fall outside of GDPR obligations, many other legislations will still require you to state why you are processing the personal data of users.
  • For which specific purposes are the data collected? Analytics? Email Marketing?
  • Which third parties will have access to the information? Will any third party collect data through widgets (e.g. social buttons) and integrations (e.g. Facebook Connect)?
  • What rights do users have? Can they request to see the data you have on them, can they request to rectify, erase or block their data? (under European regulations most of this is mandatory)
  • A description of the process for notifying users and visitors of changes or updates to the privacy policy
  • Effective date of the privacy policy

How you can meet these requirements

iubenda makes solving this issue easy: With hundreds of available clauses, our privacy policies contain all elements commonly required across many regions and services, while applying the strictest standards by default – giving you the option to fully customize as needed.

Our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal changes and third-party requirements.

The process is straightforward and intuitive, simply:

  1. click to add your services;
  2. fill out your web/app owner and contact details;
  3. embed.

Click here to read the full guide on how to generate a Privacy Policy.

1. Add your services

  • If you use Twitter or other authentication (OAuth) services for user management, add the respective service by clicking “Add a service” and then typing the name of the service you’d like to add. Remember to include all services that process personal information. If you handle user registration yourself, don’t forget to add the “Direct Registration” service.

  • Select each applicable service from the list of suggestions that show up and customize by simply adding the specific types of personal data you collect. Our lawyer-crafted clauses automatically include the relevant user-rights disclosures and service definitions based on your input here.

  • If you’d like to add a custom service clause, simply click the “Create custom service” button and fill out the built-in form.

How to create a custom service

2. Fill out your app owner and contact details

Enter:

  • name and full address;
  • email address.

Congratulations! Your policy has been created. Simply check that all the details are correct, then embed.

3. Embed

As we said above, you have to include a link to your privacy policy within the app and in the App Store Connect metadata field.

Within the app

For apps, the direct link or direct text embedding methods are best. Apple specifically requires “a link” to the privacy policy, so the direct link method is sufficient to meet Apple’s requirements. However, if your app processes user data while offline, be sure to provide users with an in-app offline method of accessing the privacy policy in order to remain legally compliant.

Whichever embed method you choose, remember that you’re required to choose a location that is easily accessible and visible to users.
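As an added illustration of the two in-app access methods described above (a direct link plus an offline copy), here is a SwiftUI settings screen. This is example code written for this page, not iubenda’s or Apple’s own embed code; the hosted policy URL is a placeholder, and it assumes a plain-text copy of the policy named `privacy-policy.txt` has been added to the app bundle so the policy stays reachable when the device is offline.

```swift
import SwiftUI

/// Settings screen exposing the privacy policy in an easily accessible place.
/// Added example: the URL below is a placeholder, not a real hosted policy.
struct PrivacyPolicyView: View {
    // Placeholder: replace with the hosted privacy policy URL for this app.
    let hostedPolicyURL = URL(string: "https://example.com/privacy-policy")!

    var body: some View {
        List {
            Section("Privacy") {
                // Online: direct link to the hosted, always-current policy.
                Link("View Privacy Policy", destination: hostedPolicyURL)
                // Offline: the same text shipped inside the app bundle, so users
                // can still read the policy while data is processed offline.
                NavigationLink("Privacy Policy (offline copy)") {
                    OfflinePolicyView()
                }
            }
        }
        .navigationTitle("Settings")
    }
}

/// Displays the bundled copy of the policy without any network access.
struct OfflinePolicyView: View {
    var body: some View {
        ScrollView {
            Text(loadBundledPolicy())
                .padding()
        }
        .navigationTitle("Privacy Policy")
    }

    /// Reads privacy-policy.txt (assumed to be bundled with the app) and returns
    /// its contents; falls back to a short notice so the screen is never blank.
    func loadBundledPolicy() -> String {
        guard let url = Bundle.main.url(forResource: "privacy-policy",
                                        withExtension: "txt"),
              let text = try? String(contentsOf: url, encoding: .utf8) else {
            return "The offline copy of the privacy policy is missing from this build. "
                 + "Please reconnect to view the policy online."
        }
        return text
    }
}
```

Keep the bundled copy in step with the hosted policy on each release, since the App Store Connect privacy policy link itself is only editable when you submit a new version.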

App Store Connect metadata field

When your app is ready, you have 2 options to choose from: you can either beta test it by using TestFlight or submit it for review. In both cases – in addition to the app’s internal link – you’ll have to include a link to your privacy policy in the App Store Connect metadata field. Here’s how to meet this requirement:

TestFlight Beta Testing

In App Store Connect, under “My Apps > TestFlight”, you will find “Test Information”, which includes the privacy policy URL field. Fill in the URL of the translated privacy policy for each language that your app is translated into (iubenda offers 8 privacy policy languages out of the box):

App Store Connect / TestFlight Beta Testing - Privacy Policy URL

App submission

In App Store Connect, under “My Apps > App Store”, you will find “App Information”, which includes the privacy policy URL field. As mentioned above, fill in a privacy policy URL for each language that your app is translated into:

App Store Connect - Privacy Policy URL

Once your application is approved, you will find your privacy policy linked under “Information” on the application landing page that the App Store generates for you:

Learnji on the App Store - Privacy Policy link
