What Your iOS App's Privacy Policy Must Include in 2024
Apple now requires all apps in the App Store to have a privacy policy. Here's exactly what you need to include to pass App Store review and comply with GDPR and CCPA.
Apple requires every app in the App Store to have a privacy policy — no exceptions. But beyond simply having one, your policy needs to accurately reflect your data practices and comply with applicable laws like GDPR and CCPA.
What Apple Requires
Apple's App Store guidelines (Section 5.1.1) require that your privacy policy:
- Clearly identifies what data is collected
- Explains how the data is used
- States whether data is shared with third parties
- Describes user rights and how to exercise them
- Provides contact information
Failure to include a privacy policy will result in App Store rejection. An inaccurate or misleading policy can result in removal.
GDPR Requirements for iOS Apps
If your app is available in the European Union — even if you're a US-based developer — GDPR applies. Key requirements include:
Lawful basis for processing: You must have a valid legal basis for collecting each type of data. For most apps, this is either user consent or legitimate interests.
Data subject rights: Users must be able to access, correct, delete, and export their data. Your privacy policy must explain how to exercise these rights.
Data retention: You must specify how long you retain user data and the criteria used to determine retention periods.
Data transfers: If you transfer data outside the EU (e.g., to US-based servers), you must disclose this and explain the safeguards in place.
CCPA Requirements
The California Consumer Privacy Act applies if your app collects data from California residents and your business meets certain thresholds. Key disclosures include:
- Categories of personal information collected
- Purposes for collection
- Categories of third parties with whom data is shared
- Right to opt out of sale of personal information
- Right to deletion
Sections Every iOS Privacy Policy Needs
1. Information We Collect
List every category of data your app collects, including:
- Account information (name, email)
- Device identifiers (IDFA, device ID)
- Usage data (analytics, crash reports)
- Location data (if applicable)
- Health or financial data (if applicable)
2. How We Use Your Information
Explain the purpose behind each type of data collection. Be specific — "to improve our services" is too vague.
3. Third-Party Services
Disclose every SDK and third-party service that processes user data, including Google Analytics, Firebase, Facebook SDK, etc.
4. Data Retention
Specify how long you keep different types of data and what happens when a user deletes their account.
5. User Rights
Describe how users can access, correct, or delete their data. Provide a contact email or in-app mechanism.
6. Contact Information
Include a valid email address or physical address for privacy inquiries.
Generate Your Policy in Seconds
Rather than writing your privacy policy from scratch, use PrivacyPolicyGen.io to generate a comprehensive, legally structured policy tailored to your specific app in under 2 minutes.