Answering app privacy questionsAs you get ready to select your answers from the options presented in App Store Connect, keep in mind: Show
Account Holders, Admins, and App Managers can learn how to enter their responses in App Store Connect. Data collectionThe purpose of the label is to help your customers understand what data is collected from your app and how it is used. To complete that, you’ll need to know the types of data that you and/or your third-party partners collect from your app before answering the questions in App Store Connect. Keep in mind that even if you collect the data for reasons other than analytics or advertising, it still needs to be declared. For example, if you collect data solely for the purpose of app functionality, declare the data on your label and indicate that it is only being used for that purpose. “Collect” refers to transmitting data off the device in a way that allows you and/or your third-party partners to access it for a period longer than what is necessary to service the transmitted request in real time. “Third-party partners” refers to analytics tools, advertising networks, third-party SDKs, or other external vendors whose code you’ve added to your app. Optional disclosureData types that meet all of the following criteria are optional to disclose:
Data types must meet all criteria in order to be considered optional for disclosure. If a data type collected by your app meets some, but not all, of the above criteria, it must be disclosed in App Store Connect. Examples of data that may not need to be disclosed include data collected in optional feedback forms or customer service requests that are unrelated to the primary purpose of the app and meet the other criteria above. For the purpose of clarity, data collected on an ongoing basis after an initial request for permission must be disclosed. Regulated Financial Services DisclosureData types that are collected by an app that facilitates regulated financial services and where the data collected meets all of the following criteria are optional to disclose:
Data types must meet all criteria in order to be considered optional for disclosure. If a data type collected by your app meets some, but not all, of the above criteria, it must be disclosed in your privacy section. Health Research DisclosureData types that are collected as part of a health research study and where the data collected meets all of the following criteria are optional to disclose:
If the data type collected by your app meets some, but not all, of the above criteria, it must be disclosed in your privacy section. Types of dataRefer to the list of data types below and compare them to the data collection practices in your app.
Data useYou should have a clear understanding of how each data type is used by you and your third-party partners. For example, collecting an email address and using it to authenticate the user and personalize the user’s experience within your app would include App Functionality and Product Personalization.
Data linked to the userYou’ll need to identify whether each data type is linked to the user’s identity (via their account, device, or other details) by you and/or your third-party partners. Data collected from an app is often linked to the user’s identity, unless specific privacy protections are put in place before collection to de-identify or anonymize it, such as:
Additionally, in order for data not to be linked to a particular user’s identity, you must avoid certain activities after collection:
Note: “Personal Information” and “Personal Data”, as defined under relevant privacy laws, are considered linked to the user. TrackingYou’ll need to understand whether you and/or your third-party partners use data from your app to track users and, if so, which data is used for this purpose. “Tracking” refers to linking data collected from your app about a particular end-user or device, such as a user ID, device ID, or profile, with Third-Party Data for targeted advertising or advertising measurement purposes, or sharing data collected from your app about a particular end-user or device with a data broker. “Third-Party Data” refers to any data about a particular end-user or device collected from apps, websites, or offline properties not owned by you. Examples of tracking include:
The following situations are not considered tracking:
Learn more about tracking. Privacy linksBy adding the following links on your product page, you can help users easily access your app’s privacy policy and manage their data in your app. Privacy Policy (Required): The URL to your publicly accessible privacy policy. Privacy Choices (Optional): A publicly accessible URL where users can learn more about their privacy choices for your app and how to manage them. For example, a webpage where users can access their data, request deletion, or make changes. Additional guidanceYour app has web views.Data collected via web traffic must be declared, unless you are enabling the user to navigate the open web. You collect and store IP address from your users.Declare the relevant data types based on how you use IP address, such as precise location, coarse location, device ID, or diagnostics. You offer in-app private messaging between users that are not SMS text messages.Declare emails or text messages on your label. Text messages refer to both SMS and non-SMS messages. Your app includes game saves, multiplayer matching, or gameplay logic.Declare Gameplay Content on your label. You collect different types of data from users depending on whether the user is a child, whether they are a free or paid user, whether they opt in, where they live, or for some other reason.Please disclose all data collected from your app, unless it meets all of the criteria outlined in the Optional Disclosure section. You may use the Privacy Choices or Privacy Policy links to provide additional detail about how your data collection practices may vary. You use Apple frameworks or services, such as MapKit, CloudKit, or App Analytics.If you collect data about your app from Apple frameworks or services, you should indicate what data you collect and how you use it. You are not responsible for disclosing data collected by Apple. You use location, device identifiers, and other sensitive data, but only on device, and the data is never sent to a server.Data that is processed only on device is not “collected” and does not need to be disclosed in your answers. If you derive anything from that data and send it off device, the resulting data should be considered separately. You collect precise location, but immediately de-identify and coarsen it before storing.Disclose that you collect Coarse Location, since the precise location data is immediately coarsened and precise location is not stored. Your app includes free-form text fields or voice recordings, and users can save any type of information they want through those mediums, including names and health data.Mark "Other User Content" to represent generic free form text fields and "Audio Data" for voice recordings. You’re not responsible for disclosing all possible data that users may manually enter in the app through free-form fields or voice recordings. However, if you ask a user to input a specific data type into a text field, such as their name or email, or if you have a feature that enables users to upload a particular media type, such as photos or videos, then you’ll need to disclose the specific type of data. You collect data to service a request but do not retain it after servicing the request."Collect" refers to transmitting data off the device and storing it in a readable form for longer than the time it takes you and/or your third-party partners to service the request. For example, if an authentication token or IP address is sent on a server call and not retained, or if data is sent to your servers then immediately discarded after servicing the request, you do not need to disclose this in your answers in App Store Connect. |