App Privacy

Privacy Nutrition Labels

In App Store Connect, you must disclose what data your app collects and how it is used (tracking, third-party sharing, linking to the user, etc.).


Data Types

  • Contact info, health/fitness, financial info
  • Location, sensitive info, contacts, user content
  • Identifiers, usage data, diagnostics

Best Practices

  • Collect only what you need; prefer on-device processing.
  • Provide clear in-app explanations and opt-in flows.
  • Offer deletion and export of user data where applicable.

Tip: If you use third-party SDKs (analytics, ads, crash reporting), include their data practices in your disclosure.


What Apple Asks

  • Is data collected? Collected means transmitted off device to you or a third party.
  • Is data linked to the user? “Linked” means it’s associated with identity (account, device ID, etc.).
  • Is data used for tracking? Tracking means linking data across apps/websites owned by other companies for ads/measurement. Tracking requires App Tracking Transparency (ATT).

How to Fill It In (App Store Connect)

  • Per data type (e.g., Identifiers, Usage Data, Diagnostics), answer:
    • Collected? If yes, by you or third parties?
    • Linked to the user? If not, the data is aggregated or de-identified.
    • Purpose: App Functionality, Analytics, Developer’s Advertising, Third-Party Advertising, Product Personalization, etc.
    • Tracking? Check only if used for cross-app/company tracking.
  • Minimize scope: If you only collect during opt-in flows, reflect that and describe controls in your privacy policy.

Example

Example: Analytics (first-party)

Data Type: Usage Data
Collected: Yes (by you)
Linked to User: Yes
Purpose: Analytics
Tracking: No

Common Examples

  • Analytics (first-party): Usage Data (collected), often linked; purpose: Analytics; not used for tracking.
  • Crash reporting: Diagnostics (collected); usually linked for debugging; purpose: App Functionality/Diagnostics; not used for tracking.
  • Ads SDKs: Identifiers (IDFA), Usage Data; collected and linked; purpose: Third-Party Advertising; tracking = yes (requires ATT prompt).
  • Push notifications: Device token used to deliver pushes; disclose if you associate tokens with user identity or analytics.
  • Location features: Location data; specify purpose (App Functionality like maps vs. Ads/Analytics) and whether linked/tracked.

Third-party SDKs: Review each SDK’s data collection. Your disclosure must include SDK behaviors (analytics, ads, crash, social sign-in, etc.).
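The cross-check described above can be scripted so it runs whenever an SDK is added. The following is an added example, not part of the original page and not an Apple tool: the inventory layout, the SDK names, and the `audit_label` function are hypothetical and the data is constructed. It compares what each bundled SDK collects against the label entered in App Store Connect, using the same questions Apple asks (collected, linked, purpose, tracking).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Practice:
    data_type: str   # e.g. "Usage Data", "Identifiers", "Diagnostics"
    linked: bool     # associated with identity (account, device ID, etc.)
    purpose: str     # e.g. "Analytics", "Third-Party Advertising"
    tracking: bool   # cross-app/company linking for ads/measurement

# Constructed inventory: what each bundled SDK collects, per its own documentation.
SDK_INVENTORY = {
    "first_party_analytics": [Practice("Usage Data", True, "Analytics", False)],
    "example_crash_sdk": [Practice("Diagnostics", True, "App Functionality", False)],
    "example_ads_sdk": [
        Practice("Identifiers", True, "Third-Party Advertising", True),
        Practice("Usage Data", True, "Third-Party Advertising", True),
    ],
}

# Constructed label as entered in App Store Connect (the ads SDK was overlooked).
DECLARED_LABEL = {
    "Usage Data": {"linked": True, "purposes": {"Analytics"}, "tracking": False},
    "Diagnostics": {"linked": True, "purposes": {"App Functionality"}, "tracking": False},
}

def audit_label(inventory, declared, att_prompt_implemented):
    """Return (sdk, data_type, issue) tuples where the label under-discloses."""
    findings = []
    for sdk, practices in sorted(inventory.items()):
        for p in practices:
            # Tracking needs an ATT prompt regardless of what the label says.
            if p.tracking and not att_prompt_implemented:
                findings.append((sdk, p.data_type, "tracking without ATT prompt"))
            entry = declared.get(p.data_type)
            if entry is None:
                findings.append((sdk, p.data_type, "data type not declared"))
                continue
            if p.linked and not entry["linked"]:
                findings.append((sdk, p.data_type, "declared as not linked"))
            if p.purpose not in entry["purposes"]:
                findings.append((sdk, p.data_type, f"purpose missing: {p.purpose}"))
            if p.tracking and not entry["tracking"]:
                findings.append((sdk, p.data_type, "tracking not declared"))
    return findings

if __name__ == "__main__":
    for finding in audit_label(SDK_INVENTORY, DECLARED_LABEL, att_prompt_implemented=False):
        print(" | ".join(finding))
```

The check only flags under-disclosure; a label that declares more than the inventory shows passes, which matches the safer direction for a disclosure.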


Updates & Maintenance

  • Revisit disclosures when you add features/SDKs or change analytics/ads settings.
  • Keep your privacy policy URL live and consistent with the listing.
  • Document data retention and deletion practices; provide user-initiated deletion if applicable.
