21 July 2020
Developing or publishing a mobile app? Your mobile app almost certainly requires a Privacy Policy.
This article contains some simple, step-by-step guides to creating a basic Privacy Policy for your mobile app.
We're going to look briefly at the requirements under privacy law, Apple's policies, and Google's policies, so you can confirm whether you need a Privacy Policy for your mobile app.
If you already know you need to create a Privacy Policy for your mobile app, you can jump straight to our step-by-step guides to creating a Privacy Policy for an iOS app, an Android app, or for both platforms.
Many privacy laws around the world require businesses to provide their customers with a Privacy Policy. Privacy law is becoming stricter all the time, and intrusive mobile technology is a big reason for this.
It's highly likely that you will need to comply with privacy law if you develop or publish a mobile app.
There are two main reasons why you need a Privacy Policy:
✓ They're legally required: Privacy Policies are legally required by global privacy laws if you collect or use personal information.
✓ Consumers expect to see them: Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.
Here are some examples of countries and regions with privacy laws that require all or some businesses to publish a Privacy Policy:
Depending on where your business is based, and where your users are based, you might need to comply with several of these laws, and perhaps many more.
For example:
These rules apply whether you have a business presence in these places or not.
Most of these laws only require you to publish a Privacy Policy if your mobile app collects "personal information." However, personal information is a very broad concept.
Personal information can be a person's name or email address. It can be their username or device ID. Or it can even be data about how they use your app. For more information, see our article What Is Personal Information Under Privacy Laws?
Yes, Apple requires every iOS app to have a Privacy Policy. This rule has been in place since October 2018.
Apple is very clear in its App Store Review Guidelines that every app requires a Privacy Policy:
Apple has some very specific requirements about what you must cover in your Privacy Policy.
There's a step-by-step guide on how to create an iOS Privacy Policy below. We also take a detailed look at this topic in our article Privacy Policy for iOS Apps.
Yes, you're probably required to have a Privacy Policy for your Android app.
Google isn't quite as strict as Apple when it comes to having a Privacy Policy. There's no blanket rule that every Android app requires a Privacy Policy. Instead, Google states that your app requires a Privacy Policy if you collect "personal and sensitive information."
Notice that Google's definition of personal and sensitive information is very broad. It includes "personally identifiable information," which is another way of saying "personal information."
So, if your Android app collects any kind of personal information, you need a Privacy Policy. This might include a name, username, or email address.
Google adds that you also need a Privacy Policy if you collect:
If you're taking payments, running analytics, or accessing certain device permissions on your Android app, you need a Privacy Policy.
Google has specific requirements about what you must include in your Privacy Policy. There's a step-by-step guide on how to create an Android Privacy Policy below. We also take a detailed look at this topic in our article Privacy Policy for Android Apps.
Releasing your app on both iOS and Android? Apple and Google have slightly different requirements, but you don't need two separate Privacy Policies.
We've created step-by-step guides to creating a Privacy Policy for either iOS or Android below. There's some overlap between these guides.
You'll notice that steps 1-4 of our two guides are the same for both iOS and Android apps. If you want to create a Privacy Policy that covers both Apple's and Google's requirements, ensure you read:
Here's a step-by-step guide to creating a basic Privacy Policy for an iOS app.
Before we begin, note that Apple has specific rules for developers of certain types of apps, including apps aimed at children, Mobile Device Management apps, and VPN apps. Depending on the nature of your app, you may need a more detailed Privacy Policy.
Here's what your iOS Privacy Policy must include, at minimum:
We're going to break those requirements down into six steps:
Remember that above all, your iOS Privacy Policy must be legally-compliant. You may need to comply with privacy laws that go beyond Apple's requirements. We can help you create a legally-compliant Privacy Policy for many major markets (see above).
Apple first requires that your Privacy Policy identifies what data your app collects.
This means listing all user data you collect via your app, whether you think it's "personal information" or not.
Here's a good example from journaling app Reflectly.
First Reflectly lists the personal information it collects:
Reflectly also lists some other sorts of data its app collects:
You must explain how your app collects user data.
There are two broad ways in which your app might collect user data:
Here's how DisplayIO explains these two methods of data collection to its users:
Note that in this section of its Privacy Policy, DisplayIO covers both points 2 and 3 of our list.
Your business might also collect personal information from third parties (such as marketing companies) or publicly available sources (such as social networks). Although this might not be strictly relevant to your app, you may still need to disclose it in your Privacy Policy.
You must explain exactly how you use the data your app collects.
Here's a great example from FaceApp. FaceApp is a photo-editing app that experienced controversy over its Privacy Policy in 2019. Its revised Privacy Policy seeks to reassure users and provide as much transparency as possible.
Here's an excerpt of the relevant section of FaceApp's Privacy Policy:
Think very carefully about what you're doing with all the data your app collects. Be very clear about what you're doing with this information. And if you collect data that you don't need, stop collecting it.
You must provide certain information about any third parties with whom you share user data.
Let's remind ourselves of Apple's exact requirements:
That point we've highlighted above is effectively two rules in one.
This ties in with other agreements you have with Apple, such as the Developer Program License Agreement, which requires you to take responsibility for the actions of your business partners if you share data with them.
Here's an example from Crazy Labs:
Note that Crazy Labs states that its partners provide "equal protection to that stated in this Privacy Policy [...] and the Platform Providers' rules, policies and guidelines," rather than specifically referencing Apple.
Your Privacy Policy must provide information about your data retention and deletion policies.
Again, let's remind ourselves of Apple's exact requirements.
This is more complicated than it first appears. This requirement implies that you must:
Here's an example of a simple data retention policy clause from Pitchero:
Pitchero explains that it will retain its users' data for as long as they are active users, and it will delete user data after three years of inactivity. It also notes what the procedure is for non-registered users.
If you ask for your users' consent when you collect their data (Apple insists that you do request consent under most circumstances), you must allow them to revoke that consent, and you must provide a way for them to do so (change their minds).
Here's how Fitbit explains several ways in which its users can revoke consent via settings it provides in its mobile app:
You should also set up a process by which your users can request that you delete their data. Your Privacy Policy should explain this process to your users, such as by providing your contact information and a note that users can email you with deletion requests.
It's good to provide a way for users to delete their data from within your app. Here's an example from the Intuit QuickBooks Self-Employed app:
While Apple does have some strict requirements, they aren't overly complicated to satisfy with some simple Privacy Policy clauses and content.
As we've seen, Google requires your app to have a Privacy Policy if it collects "personal and sensitive user data" (which is a very broad term).
So, what should you include in your Android app Privacy Policy? Here's an excerpt from Google's "Privacy, Security, and Deception" page:
We're going to break those requirements down into five steps:
Your Privacy Policy must be legally compliant.
We can help you create a legally-compliant Privacy Policy for many major markets (see above).
Note that Google has some very specific requirements if your mobile app is accessible within the EU. We explain some of these rules in our article Privacy Policy for Android Apps.
You should identify what types of data your app collects.
The data you collect might include:
Here's how Overhaul explains what data it collects:
Note that Overhaul specifies that it collects this data directly from its users. This leads us onto the next section of your Android app Privacy Policy.
You must explain how your app collects data.
Your Android app probably collects user data in two main ways:
Here's how Fitlink explains what data it collects from its users directly:
Here's how Animoto explains what data its app collects automatically from its users:
Depending on your business, you might also collect personal information about your users from third parties. You should also disclose this in your Privacy Policy.
Now that you've told your users what data you collect and how you collect it, you need to explain how you use their data.
Here's an example from SoundCloud:
This is just a small excerpt from the long list SoundCloud provides. Think carefully about how you use any information your app collects.
Google requires that you explain:
Here's how Manage does this:
Note how, after each bullet-point, Manage provides information about:
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
Both Apple and Google require that you display an easily-accessible link to your Privacy Policy within your mobile app. For example, this could be within your app's "Settings," "About," or "Legal" menu.
Here's an example from the BBC iPlayer app:
You should also, as far as possible, provide a link to your Privacy Policy whenever you collect personal information.
Here's an example from the self-improvement app Deepstash. The user can access Deepstash's Privacy Policy when they first set up an account:
You should also provide access to your Privacy Policy whenever taking payments over your app. Here's how Audible does this:
Take every reasonable opportunity to present your Privacy Policy to your users.
For iOS Apps, you must submit a link to your Privacy Policy when you upload your app to App Store Connect.
This link will then display in your App Store listing once your app is published.
For Android apps, you'll need to upload your Privacy Policy to the Google Play Store via your Play Console.
Google explains how to do this on its "Upload an App" page.
This link will then display in your Google Play Store listing once your app is published.
Mobile app developers need a Privacy Policy to comply with privacy law, Apple's policies, and/or Google's policies.
Here's a summary of the steps you should take when creating a Privacy Policy.
| Step | Mandatory for iOS apps | Mandatory for Android apps |
|---|---|---|
| Check which privacy laws apply to you | ✔ | ✔ |
| Identify what data your app collects | ✔ | ✔ |
| Explain how you collect user data | ✔ | ✔ |
| Explain how you use user data | ✔ | ✔ |
| Confirm recipients of user data are compliant with Apple's policies | ✔ | ✗ |
| Explain your data retention and deletion policies | ✔ | ✗ |
| Explain how you share user data | ✗ | ✔ |
Ensure you make your Privacy Policy easily available:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.