This article will help you understand:
Apple now gives this requirement in its App Store Review Guidelines:
Apple also states that every iOS app must comply with local law:
Therefore, you must also comply with the privacy laws that apply in your region, and any other regions in which your app is available.
Perhaps your iPhone app doesn't transfer any user data away from your users' devices. After all, if you don't need to collect user data or personal information, you should not do so.
Here's how iPad photo editing app Pixelmator handles this:
- Disclose what user data you collect
- Explain how you collect user data
- Explain you use user data
- Confirm that you only share user data with companies that have good privacy practices
- Disclose how long you store user data
- Explain how your users can revoke their consent to your use of their data
- Explain how your users can request you delete their data
We're going to explain each of these obligations and give examples so you can understand exactly what Apple requires.
What Data Your App Collects
Note that Apple uses the term "data." Due to the context, you can reasonably conclude that "data" includes "personal information" and you should apply a very broad definition of this term.
Apple doesn't provide a definitive list of what types of information it considers "personal information." It does give some examples of personal information in a guidance document called Requesting Permission:
Apple considers at least the following types of data to be personal information:
- Location data
- Information from the user's calendar
- Contact information
Bear in mind that Apple doesn't allow iOS apps to collect unnecessary or excess personal information. Your app should collect user data sparingly. This is stated in this section of the App Store Review Guidelines on "data minimization":
Here's how iOS app Drafts discloses the types of data it collects:
Drafts breaks down the types of data it collects into categories to make it easier for users to understand.
Note that even if your app doesn't transmit user data from the device, you should still disclose any permissions that your app requests.
How Your App Collects Data
Depending on what your app does, it might collect user data by requesting it (e.g., names, usernames, email addresses) or by collecting it automatically (e.g., device data, usage data, location data).
Here's how Chemdata explains how it collects the data its users provide directly:
How Your App Uses Data
Here's how Cultured Code explains its uses for the user data it collects:
Information About Sharing Data With Third Parties
Apple places strict rules on how developers share user data with third parties.
Your app must be compliant with Apple's privacy standards. Therefore, any third party your app shares user data with must also be compliant with Apple's privacy standards.
Apple gives some examples of the types of companies it considers third parties:
- Analytics tools providers
- Advertising networks
- Third-party software development kit (SDK) providers
- Parent companies, subsidiaries, or other related entities
How Your Users Can Revoke Consent
Apple's App Store Review Guidelines states that you must only collect user data with consent. If a user revokes consent, you must stop collecting their data.
Here's how Kinemaster explains how its users can revoke consent:
For example, if you ask for a user's email address to send them your newsletter, they should be able to withdraw consent for this at any time.
Here's how the translation app company evolly.app explains this:
Your Data Retention Policy
You must not keep user data longer than you need it. This means thinking carefully about how long you need to store user data and, if necessary, creating a retention schedule.
Be as specific as possible here with your timeframe, and make sure you're disclosing your actual practices.
How Your Users Can Delete Their Data
This implies that you must offer users a way to delete any user data you hold on them. Apple doesn't explicitly state that you need to do this in its App Store Review Guidelines.
However, Apple does require that you give users control over their data. Apple states this in a document called "Protecting the User's Privacy:"
Enabling your users to request the deletion of their personal information is also a legal requirement under several privacy laws, including the GDPR and the CCPA.
Your app could provide the user with the ability to delete their data. Or you can invite your users to send you an email to make a deletion request.
Note that alarm clock users only need to contact the company if they want to delete backup data (which is stored remotely). To delete locally-stored data, users can simply delete the app.
Note: You must obey the privacy law of the regions where your users are based and not just where you are based.
To get your app hosted in the App Store, you first need to add it to your App Store Connect account.
Apple explains this in its App Store Connect Help for bundles:
The Kindle app's "Settings" menu contains an "Other" option where the Privacy Notice is linked along with other legal agreements and information:
- What user data your app collects
- How you collect user data
- How you use user data
- Whether you only share user data with companies that have good privacy practices
- How long you retain user data
- How your users can revoke consent
- How your users can request you delete their user data