Every app hosted on the Apple App Store must work properly, collect user data responsibly, and have a legally compliant Privacy Policy. Apple sets strict rules about what your iOS App Privacy Policy must disclose. Your iOS app will be rejected from the App Store unless your Privacy Policy meets Apple's requirements.

This article will help you understand Apple's requirements and how to fulfill them with a legally compliant Privacy Policy.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your mobile app. Just follow these steps:

  1. At Step 1, select the App option.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your app.

    TermsFeed Privacy Policy Generator: Answer questions about Mobile App - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new App Privacy Policy.



Does My iOS App Need a Privacy Policy?

Yes, your iOS app needs a Privacy Policy. Since October 2018, Apple has required all iOS apps to have a Privacy Policy:

Apple App Store: Upcoming Privacy Policy Requirement reminder

Apple now gives this requirement in its App Store Review Guidelines:

Apple App Store Review Guidelines: Data Collection and Storage clause - Privacy Policy general requirement

All iOS apps must go through the App Store Review Process. Apple will reject your iOS app if you submit it without a compliant Privacy Policy.

Apple also states that every iOS app must comply with local law:

Apple App Store Review Guidelines: Legal section intro clause

Therefore, you must also comply with the privacy laws that apply in your region, and any other regions in which your app is available.

Do I Need a Privacy Policy If My App Doesn't Collect User Data?

Even if your iOS app doesn't collect any user data, you still need a Privacy Policy. In your Privacy Policy, you can explain that your app doesn't access any user data, or that it only does so locally (i.e., any data that the app processes remains on the device).

Here's how iPad photo editing app Pixelmator handles this:

Pixelmator Privacy Policy: No personal information is collected

Pixelmator provides a clear and reassuring explanation of its practices to its users. This is much more professional than simply not publishing a Privacy Policy. It also shows that you're aware of privacy laws and are complying rather than just hiding your privacy practices.

Apple's Privacy Policy Requirements


Apple's App Store Review Guidelines tell developers what an iOS Privacy Policy should contain:

Apple App Store Review Guidelines: Privacy Policy requirements clause

Let's break that down. To comply with this section of the App Store Review Guidelines, your Privacy Policy must:

  • Disclose what user data you collect
  • Explain how you collect user data
  • Explain how you use user data
  • Confirm that you only share user data with companies that have good privacy practices
  • Disclose how long you store user data
  • Explain how your users can revoke their consent to your use of their data
  • Explain how your users can request you delete their data

We're going to explain each of these obligations and give examples so you can understand exactly what Apple requires.

What Data Your App Collects

Apple's first Privacy Policy requirement is that the policy must "identify what data, if any, the app/service collects."

Note that Apple uses the term "data." Due to the context, you can reasonably conclude that "data" includes "personal information" and you should apply a very broad definition of this term.

Bear in mind that Apple doesn't allow iOS apps to collect unnecessary or excess personal information. Your app should collect user data sparingly. This is stated in this section of the App Store Review Guidelines on "data minimization":

Apple App Store Review Guidelines: Data Minimization clause

Here's how iOS app Drafts discloses the types of data it collects:

Drafts Privacy Policy: Policy Summary - Device permissions for Personal Data access and Location-based interactions sections

Drafts breaks down the types of data it collects into categories to make it easier for users to understand.

Note that even if your app doesn't transmit user data from the device, you should still disclose any permissions that your app requests.

How Your App Collects Data

Your Privacy Policy must explain how your iOS app collects user data. Depending on what your app does, it might collect user data by requesting it (e.g., names, usernames, email addresses) or by collecting it automatically (e.g., device data, usage data, location data).

This might be quite a technical section of your Privacy Policy. You should try to explain your data collection practices in language that your users will understand.

Here's how Chemdata explains how it collects the data its users provide directly:

Chemdata App Privacy Policy: Information Collected clause - User Provided Information section

After this section, Chemdata describes how its app collects user data automatically:

Chemdata Privacy Policy: Automatically Collected Information clause

How Your App Uses Data

Your Privacy Policy must explain how your app uses any data it collects. And, to reiterate: You must always have a good reason to collect user data.

Here's how Cultured Code explains its uses for the user data it collects:

Cultured Code Privacy Policy: How we use your information clause excerpt

Keep in mind that Cultured Code's Privacy Policy applies across all of its products, plus its mailing list and website. Your Privacy Policy should also cover any other means by which you collect personal information.

Information About Sharing Data With Third Parties

Apple places strict rules on how developers share user data with third parties. Your Privacy Policy must confirm that any third parties will take as good care of your users' data as you do.

Your app must be compliant with Apple's privacy standards. Therefore, any third party your app shares user data with must also be compliant with Apple's privacy standards.

Apple gives some examples of the types of companies it considers third parties:

  • Analytics tools providers
  • Advertising networks
  • Third-party software development kit (SDK) providers
  • Parent companies, subsidiaries, or other related entities

Sports news app Võrumaa Nutimängud is very specific. Its Privacy Policy identifies the specific third parties with whom it shares user data:

Vorumaa Nutimangud iOS App Privacy Policy: Third Party Services and SDKs clause

How Your Users Can Revoke Consent

Apple states that your Privacy Policy must "describe how a user can revoke consent." Apple's App Store Review Guidelines state that you must only collect user data with consent. If a user revokes consent, you must stop collecting their data.

iOS apps will often ask for consent by using the permission request mechanisms provided in iOS SDKs. You can provide a method for your users to revoke this sort of consent within your app settings. Your Privacy Policy should explain how users can do this.

Here's how Võrumaa Nutimängud explains how its users can revoke consent:

Vorumaa Nutimangud iOS App Privacy Policy: Data Retention Policy

In any situation where you have asked for a user's consent, they must be able to revoke it, and your Privacy Policy should explain how.

Your Data Retention Policy

Apple states that your Privacy Policy must explain your "data retention/deletion policies." You must not keep user data longer than you need it. This means thinking carefully about how long you need to store user data and, if necessary, creating a retention schedule.

Your Privacy Policy should explain your data retention practices. Here's how Easybrain does this:

Easybrain Privacy Policy: Retention of Personal Data clause

Be as specific as possible here with your timeframe, and make sure you're disclosing your actual practices.

How Your Users Can Delete Their Data

Apple states that your Privacy Policy must "describe how a user can [...] request deletion of the user's data." This implies that you must offer users a way to delete any user data you hold about them, although Apple doesn't explicitly state in its App Store Review Guidelines that you need to do this.

However, Apple does require that you give users control over their data. Apple states this in a document called "Protecting the User's Privacy:"

Apple Developer article: Protecting the User's Privacy - Give the User Control Over Data section

Enabling your users to request the deletion of their personal information is also a legal requirement under several privacy laws, including the GDPR and the CCPA.

Your app could provide the user with the ability to delete their data. Or you can invite your users to send you an email to make a deletion request.

Here's how the alarm clock app EY presents this type of information in its Privacy Statement:

EY Privacy Statement: Your rights in relation to personal data clause

Once you've met Apple's requirements, there are further requirements you'll need to be familiar with.

Legal Requirements

Along with Apple's Privacy Policy requirements, you need to obey the law. Privacy and data protection laws strictly regulate how you handle your users' personal information, and determine what you need to disclose in your Privacy Policy.

The law will give different Privacy Policy requirements depending on where you and your users are based.

Note: You must obey the privacy law of the regions where your users are based and not just where you are based.

Examples of privacy laws you need to obey, by the region(s) in which your app is accessible:

United States

Effectively, the State of California sets privacy standards in the United States. As long as your app is accessible to California consumers, you must obey the state's strict privacy laws.

All commercial websites and apps must comply with the California Online Privacy Protection Act (CalOPPA).

Read our guide to creating a CalOPPA Privacy Policy to understand your obligations under this law.

Larger companies must comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Read our guide to creating a CCPA (CPRA) Privacy Policy.

European Union

The EU has the strictest privacy standards in the world. The EU General Data Protection Regulation (GDPR) sets extensive rules regarding what information you should provide in your Privacy Policy.

Read our guide to creating a GDPR Privacy Policy.

Canada

Canada's privacy standards are also high. If your app has users in Canada, you must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).

Read our guide to creating a PIPEDA Privacy Policy.

Australia

If your app is accessible in Australia, you may be subject to Australia's main consumer privacy law, the Privacy Act of 1988.

South-East Asia

There are a number of strict privacy laws in South-East Asian countries that might have implications for your Privacy Policy.

Where these or any other privacy laws apply to you, you must ensure that your Privacy Policy is compliant with them.

How to Add a Privacy Policy URL in Apple App Store Connect

You can download these instructions as a PDF file.

  1. Log in to your Apple App Store Connect account.

  2. Select your app:

    TermsFeed Apple App Store Connect: Dashboard - Apps - TermsFeed app selected

  3. Under the General section, select App Privacy:

    TermsFeed Apple App Store Connect: App menu - Selected App Privacy under General

  4. Next to the Privacy Policy title, click Edit:

    TermsFeed Apple App Store Connect: App menu - App Privacy - Privacy Policy with empty field for adding URL and Edit option highlighted

  5. In the modal that opens, you'll see a field to enter a Privacy Policy URL. Optionally, there is also a User Privacy Choices URL field:

    TermsFeed Apple App Store Connect: App menu - Open Edit window with empty field for adding a Privacy Policy URL highlighted

    If you do not have a Privacy Policy, you can use our App Privacy Policy Generator and create it within minutes. TermsFeed will host your Privacy Policy URL for free.

  6. Once you have the Privacy Policy created by TermsFeed, click Copy from the Link to your Privacy Policy section to copy the URL:

    TermsFeed Generators App: Privacy Policy Download Page - Link to hosted Privacy Policy URL copy option highlighted

  7. Paste the Privacy Policy URL in the field box:

    TermsFeed Apple App Store Connect: App menu - Open Edit window with empty field for adding a Privacy Policy URL and paste option highlighted

  8. Click Save:

    TermsFeed Apple App Store Connect: App menu - Open Edit window with empty field for adding a Privacy Policy URL and Save button highlighted

  9. You're done!

    TermsFeed Apple App Store Connect: App menu - App Privacy - Privacy Policy with added URL highlighted

Publishing Your iOS App Privacy Policy


Once you've hosted your Privacy Policy online, Apple requires you to:

  • Provide a link to your Privacy Policy with your app information when submitting your app on App Store Connect, and
  • Provide a way for your users to access your Privacy Policy from within your iOS app

The best place to host your Privacy Policy is your company's website, if you have one. If you don't have a website, you can set up a simple WordPress site, or even a publicly available Google Doc.

Submitting Your Privacy Policy to Apple

Apple states that "all apps must include a link to their privacy policy in the App Store Connect metadata field."

To get your app hosted in the App Store, you first need to add it to your App Store Connect account. When you add an app to your App Store Connect account, you must provide Apple with certain app information, including the URL of your Privacy Policy.

If you're submitting an app bundle (up to ten apps sold together at a reduced price), you should submit your Privacy Policy along with your app bundle's primary app. You don't need to submit a Privacy Policy with each bundled app you submit.

Apple explains this in its App Store Connect Help for bundles:

Apple App Store Connect App Information for Bundles: Privacy Policy URL requirement highlighted

Once your iOS app is approved, your Privacy Policy will show alongside other information about your app in the App Store. Here's how it looks:

Pocket-casts Apple App Store listing with Privacy Policy link highlighted - Updated for 2022

This is important because it gives potential users the opportunity to check out your privacy practices before deciding to download your app. If the link weren't available before download, and you collected any information during the download process or before the Privacy Policy was reachable within the app, that would violate your users' privacy rights.

Providing Access to Your Privacy Policy Within Your App

Apple requires that you provide users access to your Privacy Policy "within the app in an easily accessible manner." Most apps provide Privacy Policy access via a "Settings," "Legal," or "About" menu, or something similar. Here's an example of how the Fitbit app displays its Privacy Policy.

Users must click on the main Account icon to open the Account menu. From here, there's a Legal menu:

Fitbit iOS app Account menu with Legal menu highlighted

Within the Legal menu, users can find the Privacy Policy within the list of important legal information:

Fitbit iOS app Legal menu with Privacy Policy highlighted

When a user clicks on the Privacy Policy link, a mobile browser opens up and takes the user to a mobile version of the company's Privacy Policy:

Fitbit iOS app Privacy Policy screenshot

This is a good example of how to make a Privacy Policy accessible within an app.

You could also link to your Privacy Policy directly within your app's "Settings" menu, or even as an item within your app's side or drop-down menu, like WeatherBug does here:

WeatherBug iOS app sidebar menu with Privacy Policy highlighted

You need to make sure your users can access your Privacy Policy at any time, and keeping a static link somewhere in your app accomplishes this.
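The three in-app controls discussed on this page (a static Privacy Policy link, a way for users to withdraw consent they gave through the iOS permission prompts, and a way to request deletion of their data) can sit together on one privacy screen. The SwiftUI view below is an added example written for this article; it is not code from the original page or from any of the apps cited here. The Privacy Policy URL, the `DeletionRequestClient` type and its endpoint are assumptions. One caveat worth building around: iOS does not let an app revoke a permission on the user's behalf, so the "revoke" action deep-links to the app's own page in the Settings app via `UIApplication.openSettingsURLString`, which is where the user actually withdraws the permission, and that is the path your Privacy Policy should describe.

```swift
import SwiftUI
import UIKit
import CoreLocation

// Hosted Privacy Policy URL: assumed placeholder, replace with your own hosted policy.
let privacyPolicyURL = URL(string: "https://example.com/privacy-policy")!

/// Human-readable state of the location permission, read from the system,
/// so the user can see what they have consented to before withdrawing it.
func locationConsentDescription(_ status: CLAuthorizationStatus) -> String {
    switch status {
    case .notDetermined: return "Not asked yet"
    case .restricted, .denied: return "Not granted"
    case .authorizedWhenInUse: return "Granted while using the app"
    case .authorizedAlways: return "Granted always"
    @unknown default: return "Unknown"
    }
}

/// Assumed backend client for deletion requests; the endpoint is a placeholder.
struct DeletionRequestClient {
    var endpoint = URL(string: "https://api.example.com/privacy/deletion-requests")!

    /// Sends a deletion request for the current account and reports whether the server accepted it.
    func submit(accountID: String, completion: @escaping (Bool) -> Void) {
        var request = URLRequest(url: endpoint)
        request.httpMethod = "POST"
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
        request.httpBody = try? JSONEncoder().encode(["accountID": accountID])
        URLSession.shared.dataTask(with: request) { _, response, _ in
            let accepted = (response as? HTTPURLResponse)
                .map { (200..<300).contains($0.statusCode) } ?? false
            DispatchQueue.main.async { completion(accepted) }
        }.resume()
    }
}

struct PrivacySettingsView: View {
    @State private var locationStatus = CLLocationManager().authorizationStatus
    @State private var deletionSubmitted = false
    let accountID: String
    let client = DeletionRequestClient()

    var body: some View {
        Form {
            Section("Privacy Policy") {
                // Static, always-reachable link, as Apple requires "within the app".
                Link("Read our Privacy Policy", destination: privacyPolicyURL)
            }
            Section("Consent") {
                Text("Location: \(locationConsentDescription(locationStatus))")
                // Apps cannot revoke permissions themselves; the user withdraws consent
                // in Settings, so open the app's own Settings page for them.
                Button("Revoke location permission in Settings") {
                    if let url = URL(string: UIApplication.openSettingsURLString) {
                        UIApplication.shared.open(url)
                    }
                }
            }
            Section("Your data") {
                Button("Request deletion of my data", role: .destructive) {
                    client.submit(accountID: accountID) { deletionSubmitted = $0 }
                }
                if deletionSubmitted {
                    Text("Request received. We will confirm by email.")
                }
            }
        }
        // Re-read the permission when the user returns from Settings.
        .onAppear { locationStatus = CLLocationManager().authorizationStatus }
    }
}
```

Present `PrivacySettingsView(accountID: currentAccountID)` from your Settings or Account menu, and keep the wording of its Consent and Your data sections aligned with the revoke-consent and deletion paragraphs of your Privacy Policy, so the policy describes the same path the user actually sees.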

Although Apple doesn't require it, you should also link to your Privacy Policy whenever you ask your users to provide personal information, for example when users sign up for an account with your app, or on the checkout page of an ecommerce app.

For example, here's how SoundHound directs users to its Privacy Policy when signing up for an account:

SoundHound iOS app: Sign up screen

Here's how Amazon links users to its Privacy Policy when confirming a purchase:

Amazon iOS app: Place your order screen

Take every reasonable opportunity to demonstrate transparency in your privacy practices by making your Privacy Policy link available often.

Summary of Your iOS App Privacy Policy

To meet Apple's requirements, your iOS app Privacy Policy must disclose:

  • What user data your app collects
  • How you collect user data
  • How you use user data
  • Whether you only share user data with companies that have good privacy practices
  • How long you retain user data
  • How your users can revoke consent
  • How your users can request you delete their user data

Your iOS app Privacy Policy must also be legally compliant.

You must:

  • Submit your Privacy Policy to Apple within your App Store Connect metadata
  • Provide a link to your Privacy Policy within your iOS app
