Privacy Policy for iOS Apps

Apple holds iOS app developers to very high standards. Every app hosted on the Apple App Store must work properly, collect user data responsibly, and have a legally-compliant Privacy Policy.

This article will help you understand:

  • Whether your iOS app needs a Privacy Policy
  • Whether you still need a Privacy Policy if your app doesn't collect user data
  • How to fulfill Apple's Privacy Policy requirements
  • Which privacy laws you need to comply with when creating your Privacy Policy
  • How to submit your Privacy Policy to Apple
  • How to make your Privacy Policy available to your users

Apple sets strict rules about what your iOS App Privacy Policy must disclose. Your iOS app will be rejected from the App Store unless your Privacy Policy meets Apple's requirements.


Does My iOS App Need a Privacy Policy?

Yes, your iOS app needs a Privacy Policy. Since October 2018, Apple has required all iOS apps to have a Privacy Policy:

Apple App Store: Upcoming Privacy Policy Requirement reminder

Apple now gives this requirement in its App Store Review Guidelines:

Apple App Store Review Guidelines: Data Collection and Storage clause - Privacy Policy general requirement

All iOS apps must go through the App Store Review Process. Apple will reject your iOS app if you submit it without a compliant Privacy Policy.

Apple also states that every iOS app must comply with local law:

Apple App Store Review Guidelines: Legal section intro clause

Therefore, you must also comply with the privacy laws that apply in your region, and any other regions in which your app is available.

Do I Need a Privacy Policy If My App Doesn't Collect User Data?

Perhaps your iPhone app doesn't transfer any user data away from your users' devices. After all, if you don't need to collect user data or personal information, you should not do so.

Even if your iOS app doesn't collect any user data, you still need a Privacy Policy. In your Privacy Policy, you can explain that your app doesn't access any user data, or that it only does so locally (i.e., any data that the app processes remains on the device).

Here's how iPad photo editing app Pixelmator handles this:

Pixelmator Privacy Policy: No personal information is collected

Pixelmator provides a clear and reassuring explanation of its practices to its users. This is much more professional than simply not publishing a Privacy Policy.

However, even if you believe your app doesn't collect user data, you could be wrong. You may find that some of your app's activities do require disclosure in a Privacy Policy.

Apple's Privacy Policy Requirements

Apple's App Store Review Guidelines tell developers what an iOS Privacy Policy should contain:

Apple App Store Review Guidelines: Privacy Policy requirements clause

Let's break that down. To comply with this section of the App Store Review Guidelines, your Privacy Policy must:

  • Disclose what user data you collect
  • Explain how you collect user data
  • Explain how you use user data
  • Confirm that you only share user data with companies that have good privacy practices
  • Disclose how long you store user data
  • Explain how your users can revoke their consent to your use of their data
  • Explain how your users can request you delete their data

We're going to explain each of these obligations and give examples so you can understand exactly what Apple requires.

What Data Your App Collects

Let's look at Apple's first Privacy Policy requirement.

Your Privacy Policy must "identify what data, if any, the app/service collects."

Note that Apple uses the term "data." Due to the context, you can reasonably conclude that "data" includes "personal information" and you should apply a very broad definition of this term.

Apple doesn't provide a definitive list of what types of information it considers "personal information." It does give some examples of personal information in a guidance document called Requesting Permission:

Apple Developer Human Interface Guidelines: Requesting permission to access personal information highlighted

Apple considers at least the following types of data to be personal information:

  • Location data
  • Information from the user's calendar
  • Contact information
  • Reminders
  • Photos

Bear in mind that Apple doesn't allow iOS apps to collect unnecessary or excess personal information. Your app should collect user data sparingly. This is stated in this section of the App Store Review Guidelines on "data minimization":

Apple App Store Review Guidelines: Data Minimization clause

Here's how iOS app Drafts discloses the types of data it collects:

Drafts Privacy Policy: Policy Summary - Device permissions for Personal Data access and Location-based interactions sections

Drafts breaks down the types of data it collects into categories to make it easier for users to understand.

Note that even if your app doesn't transmit user data from the device, you should still disclose any permissions that your app requests.

How Your App Collects Data

Your Privacy Policy must explain how your iOS app collects user data.

Depending on what your app does, it might collect user data by requesting it (e.g., names, usernames, email addresses) or by collecting it automatically (e.g., device data, usage data, location data).

This might be quite a technical section of your Privacy Policy. You should try to explain your data collection practices in language that your users will understand.

Here's how Chemdata explains how it collects the data its users provide directly:

Chemdata Privacy Policy: User Provided Information clause

Later in Chemdata's Privacy Policy, the company describes how its app collects user data automatically:

Chemdata Privacy Policy: Automatically Collected Information clause

How Your App Uses Data

Your Privacy Policy must explain how your app uses any data it collects. And, to reiterate: You must always have a good reason to collect user data.

Here's how Cultured Code explains its uses for the user data it collects:

Cultured Code Privacy Policy: Excerpt of How we use your personal information clause

Bear in mind that Cultured Code's Privacy Policy applies across all of its products, plus its mailing list and website. Your Privacy Policy should likewise cover any other means by which you collect personal information.

Information About Sharing Data With Third Parties

Apple places strict rules on how developers share user data with third parties.

Your app may share user data for many reasons. Sharing data is allowed as long as it is legal and within the scope of Apple's rules. Your Privacy Policy must confirm that any third parties will take equally good care of your users' data as you do.

Your app must be compliant with Apple's privacy standards. Therefore, any third party your app shares user data with must also be compliant with Apple's privacy standards.

Apple gives some examples of the types of companies it considers third parties:

  • Analytics tools providers
  • Advertising networks
  • Third-party software development kit (SDK) providers
  • Parent companies, subsidiaries, or other related entities

Sports news app Võrumaa Nutimängud is very specific. Its Privacy Policy identifies the specific third parties with whom it shares user data:

Vorumaa Nutimangud iOS App Privacy Policy: Third Party Services and SDKs clause

How Your Users Can Revoke Consent

Apple states that your Privacy Policy must "describe how a user can revoke consent."

Apple's App Store Review Guidelines state that you must only collect user data with consent. If a user revokes consent, you must stop collecting their data.

iOS apps will often ask for consent by using the permission request mechanisms provided in iOS SDKs. You can provide a method for your users to revoke this sort of consent within your app settings. Your Privacy Policy should explain how users can do this.

Here's how Kinemaster explains how its users can revoke consent:

Kinemaster iOS Privacy Policy: Openness and Your Refusal or Withdrawal of Consent

In any situation where you have asked for a user's consent, they must be able to revoke it, and your Privacy Policy should explain how.

For example, if you ask for a user's email address to send them your newsletter, they should be able to withdraw consent for this at any time.

Here's how the translation app company evolly.app explains this:

evolly app Privacy Policy: How we use information - To communicate with you clause with opt-out highlighted

Your Data Retention Policy

Apple states that your Privacy Policy must explain your "data retention/deletion policies."

You must not keep user data longer than you need it. This means thinking carefully about how long you need to store user data and, if necessary, creating a retention schedule.

Your Privacy Policy should explain your data retention practices. Here's how Easybrain does this:

Easybrain Privacy Policy: Excerpt of Data Retention clause

Be as specific as possible here with your timeframe, and make sure you're disclosing your actual practices.

How Your Users Can Delete Their Data

Apple states that your Privacy Policy must "describe how a user can [...] request deletion of the user's data."

This implies that you must offer users a way to delete any user data you hold on them. Apple doesn't explicitly state that you need to do this in its App Store Review Guidelines.

However, Apple does require that you give users control over their data. Apple states this in a document called "Protecting the User's Privacy:"

Apple Developer article: Protecting the User's Privacy - Give the User Control Over Data section

Enabling your users to request the deletion of their personal information is also a legal requirement under several privacy laws, including the GDPR and the CCPA.

Your app could provide the user with the ability to delete their data. Or you can invite your users to send you an email to make a deletion request.

Here's how the alarm clock app Sleep Cycle presents this information in its Privacy Policy:

Sleep Cycle Privacy Policy: Your Rights - Delete personal data clause

Note that Sleep Cycle users only need to contact the company if they want to delete backup data (which is stored remotely). To delete locally-stored data, users can simply delete the app.

Legal Requirements

Along with Apple's Privacy Policy requirements, you need to obey the law.

Privacy and data protection laws strictly regulate how you handle your users' personal information, and determine what you need to disclose in your Privacy Policy.

Your Privacy Policy requirements differ depending on where you and your users are based.

Note: You must obey the privacy law of the regions where your users are based and not just where you are based.

The regions in which your app is accessible determine which privacy law you need to obey:
United States

Effectively, the State of California sets privacy standards in the US. As long as your app is accessible to California consumers, you must obey the state's strict privacy laws.

All commercial websites and apps must comply with the California Online Privacy Protection Act (CalOPPA).

Read our guide to creating a CalOPPA Privacy Policy to understand your obligations under this law.

Larger companies must comply with the California Consumer Privacy Act (CCPA). This is currently the strictest privacy law in the US.

Read our guide to creating a CCPA Privacy Policy.

European Union

The EU has the strictest privacy standards in the world. The EU General Data Protection Regulation (GDPR) sets extensive rules regarding what information you should provide in your Privacy Policy.

Read our guide to creating a GDPR Privacy Policy.

Canada

Canada's privacy standards are also high. If your app has users in Canada, you must comply with the Personal Information Processing and Electronic Documents Act (PIPEDA).

Read our guide to creating a PIPEDA Privacy Policy.

Australia

If your app is accessible in Australia, you may be subject to Australia's main consumer privacy law, the Privacy Act of 1988.

South-East Asia

There are a number of strict privacy laws in South-East Asian countries that might have implications for your Privacy Policy.

Where these or any other privacy laws apply to you, you must ensure that your Privacy Policy is compliant with them.

How to Create a Privacy Policy for Your Mobile App

TermsFeed Privacy Policy Generator: How to Create a Privacy Policy for Your Mobile App

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your mobile app. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the App option and click "Next step":

     TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  3. Answer the questions about your mobile app and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about Mobile App - Step 2

  4. Answer the questions about your business practices and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

     TermsFeed Privacy Policy Generator: Enter your email address - Step 4

You'll be able to instantly access and download your new Privacy Policy.


Publishing Your iOS App Privacy Policy

Once you've created your iOS app Privacy Policy, you need to host it online.

The best place to host your Privacy Policy is your company's website, if you have one. If you don't have a website, you can set up a simple WordPress site, or even a publicly-available Google Doc.

Once you've hosted your Privacy Policy online, Apple requires you to:

  • Provide a link to your Privacy Policy with your app information when submitting your app on App Store Connect, and
  • Provide a way for your users to access your Privacy Policy from within your iOS app

Submitting Your Privacy Policy to Apple

Apple states that "all apps must include a link to their privacy policy in the App Store Connect metadata field."

To get your app hosted in the App Store, you first need to add it to your App Store Connect account.

When you add an app to your App Store Connect account, you must provide Apple with certain app information, including the URL of your Privacy Policy.

Here you can see the Privacy Policy URL listed among the required app information in the App Store Connect Help for apps:

Apple App Store Connect App Information: Privacy Policy URL requirement highlighted

If you're submitting an app bundle (up to ten apps sold together at a reduced price), you should submit your Privacy Policy along with your app bundle's primary app. You don't need to submit a Privacy Policy with each bundled app you submit.

Apple explains this in its App Store Connect Help for bundles:

Apple App Store Connect App Information for Bundles: Privacy Policy URL requirement highlighted

Once your iOS app is approved, your Privacy Policy will show alongside other information about your app in the App Store. Here's how it looks:

Pocket Casts iOS app Information page with Privacy Policy link highlighted

This is important because it gives potential users the opportunity to check out your privacy practices before deciding to download your app. If the link weren't available before downloading, and you collected any information during the download process or before the Privacy Policy could be reached within the app, that would violate your users' privacy rights.

Providing Access to Your Privacy Policy Within Your App

Apple requires that you provide users access to your Privacy Policy "within the app in an easily accessible manner."

Most apps provide Privacy Policy access via a "Settings" or "About" menu. Here's an example of how the Amazon Kindle app provides Amazon's Privacy Policy to its users.

The Kindle app's "Settings" menu contains an "Other" option where the Privacy Notice is linked along with other legal agreements and information:

Kindle iOS app: Other menu screen

This is a good example of how to make a Privacy Policy accessible within an app.

You could also link to your Privacy Policy directly within your app's "Settings" menu, or even as an item within your app's side or drop-down menu.

Google Maps places its Privacy Policy within the "Support" section of its "Settings" menu:

Google Maps iOS app: Settings screen

You need to make sure your users can access your Privacy Policy at any time, and keeping a static link somewhere in your app accomplishes this.

Other Places to Link to Your Privacy Policy Within Your App

Although Apple doesn't require it, you also should link to your Privacy Policy whenever you ask your users to provide personal information.

For example, here's how SoundHound directs users to its Privacy Policy when signing up for an account:

SoundHound iOS app: Sign up screen

Here's how Amazon links users to its Privacy Policy when confirming a purchase:

Amazon iOS app: Place your order screen

Take every reasonable opportunity to be transparent about your privacy practices by making your Privacy Policy link available often.

Summary of Your iOS App Privacy Policy

To meet Apple's requirements, your iOS app Privacy Policy must disclose:

  • What user data your app collects
  • How you collect user data
  • How you use user data
  • Whether you only share user data with companies that have good privacy practices
  • How long you retain user data
  • How your users can revoke consent
  • How your users can request you delete their user data

Your iOS app Privacy Policy must also be legally compliant.

You must:

  • Submit your Privacy Policy to Apple within your App Store Connect metadata
  • Provide a link to your Privacy Policy within your iOS app

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.