App Store Privacy Policy Requirements 2025
Apple requires every app to have a privacy policy. But meeting App Store privacy requirements goes far beyond just having a URL—you need privacy nutrition labels, account deletion support, privacy manifests, and more.
What Privacy Requirements Does the App Store Have?
Every App Store app must have: 1) A privacy policy URL accessible from within the app, 2) Completed privacy nutrition labels in App Store Connect, 3) Account deletion functionality if the app allows account creation, 4) A privacy manifest file for apps using Required Reason APIs, and 5) Proper disclosure of all data collection including third-party SDKs.
Privacy Requirements Overview
Apple has significantly expanded privacy requirements since iOS 14. Here's what you need to comply with in 2025:
Privacy Policy URL
Required for all apps. Must be accessible from within the app and linked in App Store Connect metadata.
Privacy Nutrition Labels
Detailed disclosure of all data your app collects, how it's used, and whether it's linked to identity.
Account Deletion
If your app allows account creation, you must provide a way to delete accounts within the app (Guideline 5.1.1(v)).
Privacy Manifest
Required if using "Required Reason APIs" like UserDefaults, file timestamps, or device identifiers.
Privacy Policy URL Requirements
Where You Need a Privacy Policy Link
- App Store Connect: In your app's metadata under "App Privacy" section
- Within the app: Accessible from settings or registration flow
- Before data collection: Shown before requesting sensitive permissions
Common Rejection Reasons
- Privacy policy URL returns 404 or is unreachable
- Privacy policy is not available in the app's primary language
- Policy doesn't mention the specific app or data it collects
- No link to privacy policy within the app itself
Privacy Nutrition Labels
Since December 2020, all apps must disclose their data collection practices through "App Privacy" labels in App Store Connect. These appear on your App Store listing.
Three Categories of Data Use
Data Used to Track You
Data linked to your identity and used for advertising or shared with data brokers. Requires ATT (App Tracking Transparency) consent.
Data Linked to You
Data connected to your identity (account, device, etc.) but not used for tracking. Examples: purchase history, user content.
Data Not Linked to You
Anonymous data not tied to identity. Examples: aggregated analytics, crash logs without user identifiers.
Data Types You Must Disclose
Apple requires disclosure of 14 categories of data. Here are the most common ones developers collect:
| Data Type | Examples | Common Sources |
|---|---|---|
| Contact Info | Name, email, phone, address | Registration forms, profiles |
| Identifiers | User ID, Device ID | Analytics SDKs, crash reporters |
| Usage Data | App interactions, features used | Firebase, Amplitude, Mixpanel |
| Diagnostics | Crash data, performance data | Sentry, Crashlytics, Bugsnag |
| Location | Precise or coarse location | CoreLocation, IP-based |
| Purchases | Purchase history | StoreKit, payment processors |
Important: You must also disclose data collected by third-party SDKs (Firebase, Facebook, AdMob, etc.). Review each SDK's privacy documentation.
Account Deletion Requirements
Guideline 5.1.1(v) - Account Deletion
If your app allows users to create an account, it must also allow them to initiate deletion of their account from within the app.
This has been mandatory since June 30, 2022. Apps without this feature will be rejected.
What Account Deletion Must Include
- In-app initiation: Users must be able to start the deletion process from within the app—not just a website
- Complete deletion: Delete the account record and associated personal data
- Cancel subscriptions: Guide users to cancel any active auto-renewing subscriptions first
- Reasonable timeframe: Deletion should happen promptly (within days, not months)
Acceptable Implementations
- In-app "Delete Account" button in Settings
- In-app link to a web form (must be accessible from the app)
- In-app chat/support flow that initiates deletion
- Email request option (only if accompanied by in-app initiation)
Required Reason APIs
Since Spring 2024, Apple requires apps to declare why they use certain APIs that could be used for fingerprinting. You must include approved reasons in a privacy manifest file.
APIs Requiring Declared Reasons
File Timestamp APIs
NSFileCreationDate, NSFileModificationDate, etc.
System Boot Time APIs
systemUptime, mach_absolute_time
Disk Space APIs
volumeAvailableCapacity, NSURLVolumeAvailableCapacityKey
User Defaults APIs
UserDefaults (when accessed by third-party SDKs)
Privacy Manifest File
A privacy manifest is a PrivacyInfo.xcprivacy file that declares your app's privacy practices in a machine-readable format.
Sample Privacy Manifest
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSPrivacyTracking</key>
    <false/>
    <key>NSPrivacyCollectedDataTypes</key>
    <array>
        <dict>
            <key>NSPrivacyCollectedDataType</key>
            <string>NSPrivacyCollectedDataTypeCrashData</string>
            <key>NSPrivacyCollectedDataTypeLinked</key>
            <false/>
            <key>NSPrivacyCollectedDataTypeTracking</key>
            <false/>
            <key>NSPrivacyCollectedDataTypePurposes</key>
            <array>
                <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
            </array>
        </dict>
    </array>
    <key>NSPrivacyAccessedAPITypes</key>
    <array>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>CA92.1</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
```
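A pre-submission lint for a manifest like the sample above, added here as an example (not Apple's tooling or any project's code): it parses the plist, checks that every collected data type carries a purpose, that nothing is marked as tracking while NSPrivacyTracking is false, and that each Required Reason API entry carries a reason code from the documented set for its category. The reason-code table is assumed from Apple's documentation and should be confirmed against the current list; SAMPLE_MANIFEST is the page's sample rebuilt as a Python dict.

```python
import plistlib
# Reason codes Apple documents for the four Required Reason API categories listed above
# (assumption: copied from Apple's documentation; confirm against the current list).
ALLOWED_REASONS = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": {"DDA9.1", "C617.1", "3B52.1", "0A2A.1"},
    "NSPrivacyAccessedAPICategorySystemBootTime": {"35F9.1", "8FFB.1", "3D61.1"},
    "NSPrivacyAccessedAPICategoryDiskSpace": {"85F4.1", "E174.1", "7D9E.1", "B728.1"},
    "NSPrivacyAccessedAPICategoryUserDefaults": {"CA92.1", "1C8F.1", "C56D.1", "AC6B.1"},
}
# The sample manifest from this page, rebuilt as a dict and serialised to plist XML.
SAMPLE_MANIFEST = plistlib.dumps({
    "NSPrivacyTracking": False,
    "NSPrivacyCollectedDataTypes": [{
        "NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeCrashData",
        "NSPrivacyCollectedDataTypeLinked": False,
        "NSPrivacyCollectedDataTypeTracking": False,
        "NSPrivacyCollectedDataTypePurposes": ["NSPrivacyCollectedDataTypePurposeAppFunctionality"],
    }],
    "NSPrivacyAccessedAPITypes": [{
        "NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
        "NSPrivacyAccessedAPITypeReasons": ["CA92.1"],
    }],
})

def lint_manifest(manifest) -> list:
    """Return findings for a PrivacyInfo.xcprivacy (plist bytes or parsed dict); [] means clean."""
    m = plistlib.loads(manifest) if isinstance(manifest, bytes) else manifest
    findings = []
    tracking = bool(m.get("NSPrivacyTracking", False))
    for i, dt in enumerate(m.get("NSPrivacyCollectedDataTypes", [])):
        name = dt.get("NSPrivacyCollectedDataType", f"<data type {i}>")
        if not dt.get("NSPrivacyCollectedDataTypePurposes"):
            findings.append(f"{name}: no purpose declared")
        # A data type flagged for tracking while NSPrivacyTracking is false is exactly the
        # label/behaviour mismatch that gets apps rejected, so report it as an error.
        if dt.get("NSPrivacyCollectedDataTypeTracking") and not tracking:
            findings.append(f"{name}: marked as tracking but NSPrivacyTracking is false")
    for i, api in enumerate(m.get("NSPrivacyAccessedAPITypes", [])):
        cat = api.get("NSPrivacyAccessedAPIType", f"<api type {i}>")
        reasons = api.get("NSPrivacyAccessedAPITypeReasons", [])
        if not reasons:
            findings.append(f"{cat}: no reason declared")
        for r in reasons:
            if cat in ALLOWED_REASONS and r not in ALLOWED_REASONS[cat]:
                findings.append(f"{cat}: unknown reason code {r}")
    return findings

if __name__ == "__main__":
    print(lint_manifest(SAMPLE_MANIFEST) or "manifest is clean")
```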
Third-Party SDK Privacy
You are responsible for the data collection practices of every SDK in your app. Common SDKs and their typical data collection:
| SDK | Typical Data Collected | Notes |
|---|---|---|
| Firebase Analytics | Device ID, usage data, crash data | Linked to identity by default |
| Facebook SDK | Device ID, ad interactions, purchases | Used for tracking—requires ATT |
| Sentry/Crashlytics | Crash logs, device info | Can be configured as not linked |
| RevenueCat | Purchase history, user ID | Linked to identity |
Action Required: Check each SDK's documentation for their privacy manifest and include it in your app bundle. Apple now validates that SDKs have proper privacy manifests.
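To see what the bundled SDKs actually declare, here is an added example (not from this page or any SDK vendor) that walks an .app directory, merges every PrivacyInfo.xcprivacy it finds, flags frameworks that ship none, and compares the merged collected data types against the labels you declared in App Store Connect. It assumes the flat iOS framework layout where the manifest sits at the framework root, and builds a constructed sample bundle (with a hypothetical AnalyticsKit and LegacySDK) in a temp directory.

```python
import os
import plistlib
import tempfile

def make_sample_bundle() -> str:
    """Build a constructed Example.app layout in a temp dir (demo data, not a real app)."""
    app = os.path.join(tempfile.mkdtemp(), "Example.app")
    def write(rel_dir, manifest):
        os.makedirs(os.path.join(app, rel_dir), exist_ok=True)
        with open(os.path.join(app, rel_dir, "PrivacyInfo.xcprivacy"), "wb") as f:
            plistlib.dump(manifest, f)
    # The app's own manifest: no tracking, only crash data declared.
    write("", {"NSPrivacyTracking": False, "NSPrivacyCollectedDataTypes": [
        {"NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeCrashData"}]})
    # A bundled analytics SDK (hypothetical name) that tracks and reads UserDefaults.
    write("Frameworks/AnalyticsKit.framework", {
        "NSPrivacyTracking": True,
        "NSPrivacyCollectedDataTypes": [{"NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeDeviceID"}],
        "NSPrivacyAccessedAPITypes": [{"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
                                       "NSPrivacyAccessedAPITypeReasons": ["CA92.1"]}]})
    os.makedirs(os.path.join(app, "Frameworks/LegacySDK.framework"))  # ships no manifest at all
    return app

def collect_bundle_manifests(bundle_dir: str) -> dict:
    """Merge every PrivacyInfo.xcprivacy under bundle_dir and list frameworks that lack one."""
    merged = {"tracking": False, "collected_data_types": set(), "accessed_api_types": set(),
              "frameworks_without_manifest": []}
    for root, _dirs, files in os.walk(bundle_dir):
        if "PrivacyInfo.xcprivacy" in files:
            with open(os.path.join(root, "PrivacyInfo.xcprivacy"), "rb") as f:
                m = plistlib.load(f)
            # One tracking SDK makes the whole app a tracking app for ATT purposes.
            merged["tracking"] = merged["tracking"] or bool(m.get("NSPrivacyTracking", False))
            for dt in m.get("NSPrivacyCollectedDataTypes", []):
                merged["collected_data_types"].add(dt.get("NSPrivacyCollectedDataType"))
            for api in m.get("NSPrivacyAccessedAPITypes", []):
                merged["accessed_api_types"].add(api.get("NSPrivacyAccessedAPIType"))
        elif root.endswith(".framework"):  # assumes the flat iOS framework layout
            merged["frameworks_without_manifest"].append(os.path.basename(root))
    return merged

def undeclared_data_types(merged: dict, declared_labels: set) -> set:
    """Data types some manifest in the bundle collects but your nutrition labels do not declare."""
    return merged["collected_data_types"] - declared_labels

if __name__ == "__main__":
    report = collect_bundle_manifests(make_sample_bundle())
    print(report)
    print("undeclared:", undeclared_data_types(report, {"NSPrivacyCollectedDataTypeCrashData"}))
```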
Privacy Policy Template
Your privacy policy should include these sections at minimum:
1. What data we collect. List all data types: contact info, usage data, device info, etc.
2. How we use your data. App functionality, analytics, personalization, advertising.
3. Third-party sharing. List all third parties who receive data (analytics, ad networks).
4. Data retention. How long you keep data and when it's deleted.
5. User rights. How to access, correct, or delete personal data.
6. Contact information. Email or form to reach you about privacy concerns.
Privacy Compliance Checklist
Privacy Policy
- Privacy policy URL is live and accessible
- Policy mentions your specific app by name
- Policy available in app's primary language
- Link to policy accessible within the app
Nutrition Labels
- All data types disclosed in App Store Connect
- Third-party SDK data collection included
- Tracking status correctly declared
- Data purposes accurately described
Account & Data
- Account deletion available in-app (if accounts exist)
- Subscription cancellation guidance provided
- Data export option available (if applicable)
Technical
- Privacy manifest included (if using Required Reason APIs)
- All SDK privacy manifests bundled
- ATT prompt implemented (if tracking)
Frequently Asked Questions
Do I need a privacy policy if my app doesn't collect any data?
Yes. Apple requires all apps to have a privacy policy URL in App Store Connect, even if you collect no data. Your policy can simply state that you don't collect personal information.
What happens if my privacy labels don't match my actual data collection?
Apple may reject your app or remove it from the store. In 2024, Apple began more actively verifying privacy labels against actual app behavior using automated scanning tools.
Can I just link to my website's privacy policy?
Yes, but the policy must specifically cover your app and its data practices—not just your general website. Apple reviewers check that the policy is relevant to the app being submitted.
How often should I update my privacy nutrition labels?
Update them whenever you add new SDKs, change data collection practices, or Apple adds new categories. You don't need to submit a new app version to update labels—they're managed separately in App Store Connect.