iOS Privacy Policy: What Apple Requires and How to Comply
Learn what Apple requires in an iOS privacy policy, App Store review guidelines, privacy nutrition labels, and how to write a compliant policy.
An iOS privacy policy is a legal document that describes how your app collects, uses, stores, and shares personal data from users on Apple devices. Apple requires every app published on the App Store to include a privacy policy, and failing to provide one will result in rejection during App Review.
This guide covers Apple's specific requirements, the App Store Review Guidelines you must satisfy, privacy nutrition labels, App Tracking Transparency, and the practical steps for writing and publishing a compliant iOS privacy policy. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance on your specific app.
Why Apple Requires an iOS Privacy Policy
Apple has positioned user privacy as a core platform value. Section 5.1.1 of the App Store Review Guidelines states that all apps must include a link to a privacy policy in both the App Store Connect metadata and within the app itself.
This requirement applies universally. It does not matter whether your app is free or paid, whether it collects minimal data, or whether it is a simple utility with no user accounts. Every iOS app needs a privacy policy.
Apple enforces this requirement at multiple stages:
- App Review: Reviewers check that a valid, accessible privacy policy URL exists in App Store Connect
- In-app access: The policy must be accessible from within the app, not only on the App Store listing
- Updates: Existing apps must maintain a working privacy policy URL; broken links can trigger removal
- Privacy nutrition labels: Your policy must align with the data practices you declare in the App Privacy section
What Apple's App Store Review Guidelines Require
The App Store Review Guidelines contain several sections that directly affect your iOS privacy policy. Understanding these rules prevents rejection during review.
Section 5.1.1: Data Collection and Storage
Your app must clearly disclose what data it collects and how it is used. The privacy policy must cover:
- What personal data the app collects (names, email, location, device identifiers, usage data)
- How that data is used (account creation, analytics, advertising, personalization)
- Whether data is shared with third parties and for what purposes
- How long data is retained
- How users can request deletion of their data
Section 5.1.1(i): Data Minimization
Apps may only request access to data that is relevant to the app's core functionality. Requesting unnecessary permissions (camera, contacts, location) without clear justification in your privacy policy will lead to rejection.
Section 5.1.1(ii): Account Deletion Requirement
Since June 2022, Apple requires all apps that support account creation to also support account deletion. Your privacy policy must describe how users can delete their accounts and what happens to their data when they do.
Section 5.1.2: App Tracking Transparency
If your app tracks users across apps or websites owned by other companies, you must use Apple's App Tracking Transparency (ATT) framework. Your privacy policy must explain what tracking occurs and for what purpose.
Privacy Nutrition Labels Explained
In December 2020, Apple introduced privacy nutrition labels, officially called "App Privacy Details." These labels appear on your App Store listing and give users a snapshot of your data practices before they download your app.
You must declare your app's data practices across three categories:
- Data Used to Track You: Data linked to your identity that is used to track you across apps and websites owned by other companies
- Data Linked to You: Data collected that is linked to your identity (through your account or device)
- Data Not Linked to You: Data collected that is not linked to your identity
Apple defines 14 data categories, each containing specific data types:
- Contact information (name, email address, phone number, physical address)
- Health and fitness
- Financial information (payment info, credit score)
- Location (precise and coarse)
- Sensitive information
- Contacts (address book)
- User content (emails, messages, photos, videos, gameplay content)
- Browsing history
- Search history
- Identifiers (user ID, device ID)
- Purchases
- Usage data (product interaction, advertising data)
- Diagnostics (crash data, performance data)
- Surroundings (environment scanning)
Your privacy nutrition labels must accurately reflect what your privacy policy states. Discrepancies between the two are a common cause of App Review rejection.
App Tracking Transparency and Your iOS Privacy Policy
App Tracking Transparency (ATT), introduced in iOS 14.5, requires apps to request user permission before tracking their activity across other companies' apps and websites. This has significant implications for your privacy policy.
Under Apple's definition, "tracking" means linking data collected from your app with data from other companies' apps, websites, or offline properties for targeted advertising or advertising measurement. It also includes sharing data with data brokers.
Your iOS privacy policy must address ATT by covering:
- Whether your app engages in tracking as Apple defines it
- What data is collected if the user grants tracking permission
- What data is collected if the user denies tracking permission
- Which third-party SDKs or advertising partners receive tracked data
- How the app's functionality changes (if at all) based on the user's ATT choice
Common third-party SDKs that trigger ATT requirements include Facebook SDK, Google AdMob, Firebase Analytics (when linked with advertising), and various attribution platforms like Adjust, AppsFlyer, and Branch.
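The following Swift snippet is an added example, not code from the original article or from Apple, showing the sequence the section above describes: check the ATT status, show the prompt only when it is still undetermined, and initialize advertising or attribution SDKs in a tracking or non-tracking mode based on the answer. `AdPartnerSDK.configure(trackingAllowed:)` is a hypothetical placeholder for whichever third-party SDK your app integrates; the `AppTrackingTransparency`, `AdSupport` and `UIKit` APIs are real.

```swift
import AppTrackingTransparency
import AdSupport
import UIKit

// Info.plist must carry a purpose string, or iOS will not show the prompt:
//   <key>NSUserTrackingUsageDescription</key>
//   <string>Used to measure ad campaigns and show relevant ads.</string>

/// Hypothetical stand-in for a real advertising/attribution SDK (assumption,
/// not a real API): the point is that it is configured only *after* consent.
enum AdPartnerSDK {
    static func configure(trackingAllowed: Bool) {
        // A real SDK typically exposes a flag such as "limit data use" or
        // "disable IDFA collection"; pass the user's choice through to it.
        print("SDK configured, trackingAllowed=\(trackingAllowed)")
    }
}

enum TrackingConsent {
    /// Asks for ATT authorization if the user has not answered yet and
    /// returns whether cross-app tracking is permitted.
    /// Must run while the app is active: if the prompt is requested while
    /// the app is still in the background the request fails silently and
    /// the status stays `.notDetermined`.
    @MainActor
    static func resolve() async -> Bool {
        guard #available(iOS 14, *) else {
            return false   // no ATT framework before iOS 14; treat as denied
        }
        switch ATTrackingManager.trackingAuthorizationStatus {
        case .notDetermined:
            let status = await ATTrackingManager.requestTrackingAuthorization()
            return status == .authorized
        case .authorized:
            return true
        case .denied, .restricted:
            return false
        @unknown default:
            return false
        }
    }

    /// The IDFA is only meaningful with consent; without it iOS returns the
    /// all-zero UUID, so never send that value to a partner as an identifier.
    static func advertisingIdentifier() -> String? {
        guard ATTrackingManager.trackingAuthorizationStatus == .authorized else {
            return nil
        }
        let idfa = ASIdentifierManager.shared().advertisingIdentifier
        return idfa == UUID(uuid: UUID_NULL) ? nil : idfa.uuidString
    }
}

final class AppDelegate: UIResponder, UIApplicationDelegate {
    private var consentRequested = false

    // Request consent on the first activation, not in didFinishLaunching,
    // so the prompt is actually presented. Ad SDKs start only afterwards.
    func applicationDidBecomeActive(_ application: UIApplication) {
        guard !consentRequested else { return }
        consentRequested = true
        Task { @MainActor in
            let allowed = await TrackingConsent.resolve()
            AdPartnerSDK.configure(trackingAllowed: allowed)
            // Whatever the answer, the app keeps working; only the
            // "Data Used to Track You" path is gated on `allowed`.
        }
    }
}
```

Whatever the user chooses, the privacy policy and nutrition labels should describe both branches: the data sent to partners when `trackingAllowed` is true, and the reduced, non-linked data set when it is false. Gating SDK initialization on the ATT result is also what makes the "no ATT prompt while an SDK tracks" rejection described later in this article impossible by construction.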
How to Write an iOS Privacy Policy
Writing an iOS privacy policy requires covering Apple's specific requirements while also meeting legal obligations under applicable privacy laws such as the GDPR (if you have EU users), CCPA (California users), or other regional regulations.
Step 1: Audit your data collection
Before writing a single word, document every piece of data your app collects. Include data from:
- User input (registration forms, profile fields, in-app content)
- Automatic collection (device identifiers, IP addresses, usage analytics)
- Third-party SDKs (analytics, crash reporting, advertising, social login)
- System permissions (camera, microphone, location, contacts, photos)
Step 2: Map data flows
For each data type, record where it goes. Does it stay on the device? Is it sent to your servers? Is it shared with third-party analytics or advertising partners? This mapping directly feeds your privacy nutrition labels and policy disclosures.
Step 3: Draft the policy sections
A compliant iOS privacy policy should include these sections:
- Information we collect: List all data types, distinguishing between data provided by the user and data collected automatically
- How we use your information: Describe each purpose (account management, analytics, advertising, push notifications, customer support)
- Third-party sharing: Name categories of recipients (analytics providers, advertising networks, payment processors) and explain why data is shared
- Data retention: State how long each category of data is kept
- User rights: Cover access, correction, deletion, and data portability rights. Address Apple's account deletion requirement specifically
- Children's privacy: If your app is rated for ages under 13, address COPPA compliance. If your app is not directed at children, state that clearly
- Tracking disclosure: Explain your ATT practices
- Contact information: Provide an email address or contact form for privacy inquiries
- Changes to this policy: Describe how users will be notified of updates
Step 4: Generate and host the policy
Using a privacy policy generator can help you produce a structured, comprehensive document that covers both Apple's requirements and legal obligations. Hosting the policy at a clean, permanent URL ensures it remains accessible for App Store Connect and in-app links.
TermsBox hosts privacy policies at clean URLs (for example, termsbox.com/your-company/privacy-policy), which makes it straightforward to provide Apple with a stable, always-accessible link.
Where to Add Your iOS Privacy Policy
Apple requires your privacy policy to be accessible in multiple locations. Missing any of these can cause issues during App Review.
App Store Connect
- Log in to App Store Connect
- Navigate to your app and select the "App Information" tab under General
- Enter your privacy policy URL in the "Privacy Policy URL" field
- This URL must be publicly accessible without authentication
Within the app
Apple requires in-app access to the privacy policy. Common placements include:
- A "Privacy Policy" link in the app's Settings or About screen
- A link on the login or registration screen
- A link in the app's footer or navigation menu
On your website
If your app has a companion website, the privacy policy should also be accessible there. A consistent policy across your App Store listing, in-app link, and website demonstrates transparency.
In the App Privacy section
When submitting or updating your app, you must complete the App Privacy questionnaire in App Store Connect. Your answers populate the privacy nutrition labels on your App Store listing. Ensure your responses match your written privacy policy exactly.
Common iOS Privacy Policy Mistakes That Cause Rejection
App Review rejections related to privacy are among the most common. Avoiding these mistakes saves time and prevents delays in getting your app to users.
- Broken or inaccessible policy URL: The URL in App Store Connect must resolve to a publicly accessible page. PDFs behind login walls, expired domains, or placeholder pages will cause rejection
- Generic or template policies that do not match the app: A privacy policy that describes data practices your app does not actually perform, or that omits practices it does perform, will be flagged
- Missing account deletion information: Since Apple's June 2022 requirement, failing to describe how users delete their accounts and data is a rejection trigger
- Incomplete privacy nutrition labels: If your app uses Facebook SDK but you did not declare "Identifiers" and "Usage Data" collection, reviewers will catch the discrepancy
- No ATT implementation when tracking occurs: If your app includes advertising or attribution SDKs that perform tracking but does not present the ATT prompt, your app will be rejected
- Children's data collection without COPPA compliance: Apps in the Kids category or rated for young children face additional scrutiny under COPPA (Children's Online Privacy Protection Act) and Apple's own policies
iOS Privacy Policy Requirements Beyond Apple
Apple's requirements establish a baseline, but your iOS privacy policy must also satisfy the laws that apply to your users. The most common additional requirements come from:
GDPR (EU/EEA users): If your app is available in the EU, Article 13 of the GDPR requires you to disclose your legal basis for processing, data subject rights (access, erasure, portability under Articles 15 through 20), data protection officer contact details, and cross-border transfer safeguards. Penalties for non-compliance reach up to 20 million EUR or 4% of annual global turnover.
CCPA/CPRA (California users): California's privacy laws require disclosure of categories of personal information collected, the purposes of collection, categories of third parties with whom data is shared, and the right to opt out of the sale or sharing of personal information. Civil penalties range from $2,500 to $7,500 per intentional violation.
COPPA (users under 13): If your app collects data from children under 13, the Children's Online Privacy Protection Act requires verifiable parental consent, limits on data collection, and specific disclosures. The FTC can impose penalties of over $50,000 per violation.
CalOPPA: The California Online Privacy Protection Act requires any commercial website or app that collects personal information from California residents to conspicuously post a privacy policy. This is one reason Apple requires the policy to be clearly linked.
A well-structured privacy policy generator can help you address multiple jurisdictions in a single document, covering Apple's platform requirements alongside legal obligations from the GDPR, CCPA, and other frameworks.
Frequently Asked Questions
Does Apple require a privacy policy for iOS apps?
Yes. Apple requires a privacy policy for every app submitted to the App Store. Section 5.1.1 of the App Store Review Guidelines mandates a clearly accessible privacy policy, and apps without one will be rejected during review.
Where do I add my privacy policy URL in App Store Connect?
In App Store Connect, go to your app's page, select the App Information tab under General, and enter your privacy policy URL in the designated field. This URL must be publicly accessible and not require authentication.
What are Apple's privacy nutrition labels?
Privacy nutrition labels are the App Privacy section on your App Store listing. You must declare all data types your app collects, whether data is linked to the user's identity, and whether it is used for tracking. Apple introduced this requirement in December 2020.
Can my iOS app be rejected for privacy policy issues?
Yes. Common rejection reasons include missing or inaccessible privacy policy URLs, policies that do not match the app's actual data practices, incomplete App Tracking Transparency implementation, and failing to declare all collected data types in privacy nutrition labels.