Privacy Policy for Apple App Store
Apple rejects apps without a compliant privacy policy. Generate one that passes App Store Review, matches your Privacy Nutrition Labels, and covers ATT, GDPR, and CCPA — in under 2 minutes.
Apple App Store Review Guidelines Section 5.1.1
Section 5.1.1 of Apple's App Store Review Guidelines is the definitive reference for privacy policy requirements on iOS. It states that all apps must include a link to a privacy policy in both the App Store Connect metadata and within the app itself. Apple's review team actively checks this during every submission.
Key requirement: Your privacy policy must be accessible at all times — not just during onboarding. Apple reviewers navigate your app looking for a clearly visible privacy policy link. If they can't find one, your app is rejected.
Specifically, Section 5.1.1 requires your privacy policy to cover:
1. What data is collected — Every category of personal and device data your app accesses, whether directly or through third-party SDKs.
2. How the data is collected — Whether through user input, automatic device data collection, third-party sources, or SDK integrations.
3. How the data is used — The specific purposes for each data type: app functionality, analytics, advertising, personalization, or other uses.
4. Who the data is shared with — All third parties that receive user data, including analytics providers, ad networks, payment processors, and cloud services.
5. Data retention and deletion — How long you keep data and how users can request deletion of their data and account.
6. User consent mechanisms — How consent is obtained, especially for sensitive data, and how users can withdraw consent.
Apple updates these guidelines periodically. Always review the latest version of the App Store Review Guidelines on Apple's developer site before submitting your app.
App Store Privacy Nutrition Labels
Since December 2020, Apple requires every app to display Privacy Nutrition Labels on its App Store product page. These labels give users a quick summary of your app's data practices before they download. You fill them out in App Store Connect, and Apple verifies them against your app's actual behavior.
Nutrition Labels answer three questions for each data type your app collects:
Data Used to Track You
Is this data linked to your identity and used for cross-app or cross-site tracking (advertising attribution, data brokers)?
Data Linked to You
Is this data connected to your identity via your account, device, or other identifiers — but not used for tracking?
Data Not Linked to You
Is this data collected but not associated with your identity (aggregate analytics, anonymous crash data)?
How to Fill Out Nutrition Labels in App Store Connect
Audit your data collection
List every piece of data your app collects — directly and through SDKs. Include analytics, crash reporting, ad networks, and payment processors.
Categorize each data type
Map each piece of data to Apple's predefined categories (Contact Info, Location, Identifiers, Usage Data, Diagnostics, etc.).
Declare the purpose
For each data type, select one or more purposes: Third-Party Advertising, Analytics, Product Personalization, App Functionality, or Other.
Indicate linking and tracking
For each data type, specify whether it's linked to the user's identity and whether it's used for tracking across other apps/sites.
Cross-reference your privacy policy
Ensure every data type and purpose in your Nutrition Labels is also described in your privacy policy. Mismatches cause rejections.
Nutrition Label Purpose Categories
Third-Party Advertising
Data used to display targeted ads from third-party ad networks (e.g., AdMob, Meta Audience Network)
Developer's Advertising or Marketing
Data used for your own marketing campaigns, promotional emails, or in-app marketing messages
Analytics
Data used to evaluate user behavior, measure app performance, or understand usage patterns
Product Personalization
Data used to customize the user experience, such as content recommendations or UI preferences
App Functionality
Data necessary for the app to work correctly, such as authentication tokens or user settings
Other Purposes
Any data use that doesn't fit the above categories, such as compliance, fraud prevention, or security
App Tracking Transparency (ATT) and Your Privacy Policy
Since iOS 14.5, Apple's App Tracking Transparency framework requires apps to request user permission before tracking their activity across other companies' apps and websites. This is enforced at the OS level — apps that attempt to access the IDFA (Identifier for Advertisers) without showing the ATT prompt are rejected.
Important: "Tracking" in Apple's definition means linking data collected from your app with data from other companies' apps, websites, or offline properties for advertising purposes — or sharing data with data brokers. Even server-side tracking can trigger ATT requirements.
Your privacy policy must address ATT by covering these points:
- What tracking your app performs — Describe what cross-app or cross-site tracking occurs (ad attribution, retargeting, conversion measurement).
- What data is collected if the user opts in — IDFA, advertising identifiers, browsing behavior sent to ad networks.
- What happens if the user opts out — Explain that non-personalized ads may be shown, and that no cross-app tracking data will be collected or shared.
- Impact on user experience — Clarify whether opting out changes app functionality or only affects ad personalization.
If your app does not perform any tracking and does not access the IDFA, you should still mention this in your privacy policy. Explicitly stating "We do not track users across apps or websites" provides transparency and aligns with your Nutrition Label declarations.
Apple's Data Collection Categories
Apple defines 14 data collection categories that you must evaluate when filling out Nutrition Labels and writing your privacy policy. For each category, determine whether your app collects that data type, and if so, disclose it in both your Nutrition Labels and your privacy policy. Here is every category with its subcategories:
Contact Info
- Name
- Email address
- Phone number
- Physical address
- Other user contact info
Health & Fitness
- Health data (HealthKit)
- Fitness data (workouts, steps)
- Clinical health records
- Health-related research data
Financial Info
- Payment info (credit card, bank)
- Credit info
- Other financial info
- Salary or income data
Location
- Precise location (GPS)
- Coarse location (IP-based, city-level)
Sensitive Info
- Racial or ethnic data
- Sexual orientation
- Pregnancy or childbirth
- Religious or philosophical beliefs
- Political opinions
- Biometric data
Contacts
- Contacts list
- Social connections
User Content
- Emails or text messages
- Photos or videos
- Audio data
- Gameplay content
- Customer support interactions
- Other user content
Browsing & Search
- Browsing history
- Search history
- In-app search queries
Identifiers
- User ID
- Device ID (IDFA)
- Third-party advertising ID
Purchases
- Purchase history
- In-app purchase records
- Subscriptions
Usage Data
- Product interaction (taps, scrolls, views)
- Advertising data (ad clicks, impressions)
- Other usage data (session length, feature use)
Diagnostics
- Crash data
- Performance data (load times, battery)
- Other diagnostic data (logs, error reports)
Your privacy policy should address each category that applies to your app. PolicyForge generates policies that map to all of Apple's data categories automatically. Generate yours now →
Required vs Optional Data Collection Disclosures
Not all data collection needs to be disclosed in your Nutrition Labels — but your privacy policy should always be comprehensive. Apple exempts certain data from Nutrition Label disclosure under specific conditions:
Exempt from Nutrition Labels (Optional)
- Data collected infrequently, not used for tracking, and optional for the user
- Data processed entirely on-device and never sent to a server
- Data collected only for legal compliance purposes (fraud prevention, regulatory)
- Data collected by an optional feature the user explicitly chooses to enable
Must Be Disclosed (Required)
- Any data collected by default when the user opens or uses the app
- All data collected by third-party SDKs integrated into your app
- Data used for tracking, advertising, or shared with data brokers
- Any data linked to the user's identity through accounts or device IDs
- Device permissions data (camera, microphone, location, contacts)
Best practice: Even if data is exempt from Nutrition Labels, disclose it in your privacy policy anyway. Over-disclosure is always safer than under-disclosure. Apple may update exemption rules, and privacy laws like GDPR require disclosure regardless of Apple's categories.
Common App Store Rejection Reasons Related to Privacy
Privacy-related rejections are among the most frequent reasons apps fail App Store review. Here are the top rejection causes and how to fix each one:
No privacy policy URL provided
You left the Privacy Policy URL field blank in App Store Connect. Apple requires this for every app, even if it collects zero data.
Fix: Add your privacy policy URL in App Store Connect under App Information before submitting.
Privacy policy URL returns a 404 or is unreachable
Apple's review team clicks your privacy policy link. If it's broken, expired, or behind a login wall, your app is rejected.
Fix: Host your policy on a publicly accessible URL with no authentication. Test the link before submitting.
Privacy policy doesn't match Nutrition Label declarations
Your Privacy Nutrition Labels say you collect location data, but your privacy policy doesn't mention location tracking — or vice versa.
Fix: Audit your Nutrition Labels and privacy policy side by side. Every data type in one must appear in the other.
Missing data collection disclosures
Your app requests camera, contacts, or location permissions, but your privacy policy doesn't explain why or what data is collected.
Fix: List every permission your app requests and explain the purpose of each in your privacy policy.
No mention of third-party data sharing
Your app uses SDKs like Firebase, AdMob, or Facebook SDK that share data with third parties, but your policy is silent about this.
Fix: Disclose every third-party SDK, what data it collects, and link to each SDK's own privacy policy.
App Tracking Transparency (ATT) not addressed
Your app accesses the IDFA or performs cross-app tracking but your policy doesn't mention ATT or explain tracking behavior.
Fix: Add a section explaining what tracking your app does, why, and what happens when users opt out via ATT.
Kids category app with non-compliant policy
Your app is listed in the Kids category but uses third-party analytics, behavioral advertising, or lacks COPPA provisions.
Fix: Remove all non-essential SDKs for Kids apps. Add COPPA compliance section and parental consent mechanisms.
No data deletion mechanism described
Apple now requires apps to offer account and data deletion. Your policy doesn't describe how users can request deletion.
Fix: Add clear instructions for how users can request data deletion (in-app option, email, or web form).
Kids Category: Additional Privacy Requirements
If your app targets children and is listed in Apple's Kids category (ages 5 and under, ages 6-8, or ages 9-11), you face the strictest privacy requirements on the App Store. Apple enforces these rules in addition to all standard Section 5.1.1 requirements.
No third-party analytics
Kids category apps cannot include third-party analytics SDKs (Firebase Analytics, Mixpanel, Amplitude). Only Apple's built-in analytics via App Store Connect are permitted.
No third-party advertising
Behavioral or targeted advertising is strictly prohibited. No AdMob, Meta Audience Network, or similar ad SDKs. Only age-appropriate, context-based ads are allowed in limited circumstances.
No cross-app tracking
Kids apps must not access the IDFA, perform fingerprinting, or track users across apps/websites in any way. The ATT prompt should not even appear.
COPPA compliance required
Regardless of your location, if your app is in the Kids category, you must comply with COPPA (US Children's Online Privacy Protection Act). This means verifiable parental consent before collecting any personal information.
Minimal data collection
Collect only data that is strictly necessary for the app to function. No data collection for marketing, profiling, or enhancement purposes.
Parental gate for external links
Any links that take users outside the app (including to your website or privacy policy) must be behind a parental gate — a mechanism that prevents children from accidentally leaving the app.
Age-appropriate privacy policy language
Your privacy policy should be written in language that parents can easily understand. Consider providing a simplified version specifically for the Kids category listing.
If your app is a "Made for Kids" app or designed for a mixed audience (children and adults), similar but slightly different rules apply. Always check Apple's latest Kids category guidelines.
How to Add Your Privacy Policy URL in App Store Connect
Apple requires your privacy policy URL to be set in App Store Connect before you can submit your app for review. Follow these steps:
Log in to App Store Connect
Go to appstoreconnect.apple.com and select your app.
Navigate to App Information
In the left sidebar under 'General', click 'App Information'.
Find the Privacy Policy URL field
Scroll down to the 'App Privacy' section. You'll see a 'Privacy Policy URL' field.
Paste your privacy policy URL
Enter the full HTTPS URL where your privacy policy is hosted. It must be publicly accessible with no login required.
Complete Privacy Nutrition Labels
In the same App Privacy section, click 'Get Started' to fill out your data collection practices for Nutrition Labels.
Add in-app privacy policy link
Add a 'Privacy Policy' link in your app's Settings, About, or Menu screen. Apple checks for this during review.
Save and submit
Save your changes, then submit your app for review. Apple's review team will verify both the URL and in-app accessibility.
Common mistake: Hosting your privacy policy on a page that requires authentication, is behind a paywall, or returns a redirect chain. Apple's review team must be able to access it directly with a single click. Test your URL in an incognito browser window before submitting.
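The single-click reachability test the note above asks for, as an added Python example (not PolicyForge's compliance scanner). It encodes the rules stated on this page: HTTPS, publicly reachable with no login, not a 404, and no redirect chain. Two details are assumptions made for this example: one redirect hop is tolerated while a longer chain fails, and a 200 page containing a form with a password field is treated as a login wall. The example.com responses are constructed so the check runs offline; `live_fetch` uses only the standard library and is what you would pass for a real URL.

```python
"""Preflight check of a privacy policy URL before submitting to App Store Connect.

Added example, not PolicyForge code. Enforces the rules this page lists: HTTPS,
publicly reachable with no login, no 404, and no redirect chain. The fetch function
is injectable so the check runs offline against constructed responses.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumption for this example: one hop (e.g. trailing-slash normalisation) is
# tolerated; anything longer counts as the redirect chain reviewers stumble over.
MAX_REDIRECTS = 1
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them silently."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """Return (status, lower-cased headers, body text) for a single request."""
    opener = urllib.request.build_opener(_NoFollow)
    req = urllib.request.Request(url, headers={"User-Agent": "policy-preflight/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, headers, resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:        # 3xx (because of _NoFollow), 4xx, 5xx
        return err.code, {k.lower(): v for k, v in err.headers.items()}, ""
    except (urllib.error.URLError, OSError):     # DNS failure, TLS error, timeout
        return 0, {}, ""


def check_policy_url(url, fetch=live_fetch):
    """Return the problems a reviewer would hit; an empty list means the URL is fine."""
    problems = []
    hops, current, chain = 0, url, [url]
    while True:
        if urlparse(current).scheme != "https":
            problems.append(f"{current}: not HTTPS")
        status, headers, body = fetch(current)
        if status in REDIRECT_CODES:
            hops += 1
            location = headers.get("location")
            if not location:
                problems.append(f"{current}: redirect (HTTP {status}) without a Location header")
                break
            current = urljoin(current, location)
            chain.append(current)
            if hops > MAX_REDIRECTS:
                problems.append(f"redirect chain longer than {MAX_REDIRECTS} hop(s): "
                                + " -> ".join(chain))
                break
            continue
        lowered = body.lower()
        if status == 0:
            problems.append(f"{current}: unreachable")
        elif status in (401, 403):
            problems.append(f"{current}: requires authentication (HTTP {status})")
        elif status == 404:
            problems.append(f"{current}: not found (HTTP 404)")
        elif status != 200:
            problems.append(f"{current}: unexpected HTTP {status}")
        elif "<form" in lowered and "password" in lowered:
            problems.append(f"{current}: HTTP 200 but the page looks like a login wall")
        elif "privacy" not in lowered:
            problems.append(f"{current}: page body never mentions 'privacy'")
        break
    return problems


# --- constructed responses standing in for a real server (example.com is a placeholder) ---
FAKE_RESPONSES = {
    "https://example.com/privacy":         (200, {}, "<h1>Privacy Policy</h1><p>We collect ...</p>"),
    "https://example.com/legal":           (301, {"location": "/legal/"}, ""),
    "https://example.com/legal/":          (302, {"location": "https://example.com/privacy"}, ""),
    "https://example.com/members/privacy": (200, {}, "<form action='/login'><input type='password'></form>"),
    "https://example.com/old":             (404, {}, ""),
    "http://example.com/privacy":          (200, {}, "Privacy Policy"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (0, {}, ""))


if __name__ == "__main__":
    for candidate in list(FAKE_RESPONSES) + ["https://example.com/missing"]:
        result = check_policy_url(candidate, fetch=fake_fetch)
        print(candidate, "OK" if not result else result)
```

For a real submission, call `check_policy_url("https://your-domain.example/privacy")` with the default fetch from a machine that is not logged in to your site; an empty result is the equivalent of the incognito-window test the note describes, plus the redirect and scheme checks a browser would hide from you.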
Generate Your App Store Privacy Policy Now
PolicyForge generates privacy policies specifically designed to pass Apple App Store review. We cover Section 5.1.1 requirements, map to Nutrition Label categories, address ATT, and include GDPR and CCPA provisions — all from a simple form you can complete in 2 minutes.
Already Have a Privacy Policy?
Scan your app's privacy policy URL to check compliance across 10 categories — including App Store requirements, GDPR, CCPA, and data disclosure completeness.
Frequently Asked Questions
Does Apple require a privacy policy for every app?
Yes. Apple's App Store Review Guidelines Section 5.1.1 requires every app submitted to the App Store to include a privacy policy, regardless of whether the app collects user data. Even a simple utility app with no data collection must link to a privacy policy that states no data is collected. Without one, your app will be rejected during review.
What are Apple's Privacy Nutrition Labels and do I need them?
Privacy Nutrition Labels are the data disclosure cards shown on every app's App Store listing page. They display what data your app collects, whether it's linked to the user's identity, and whether it's used for tracking. You must fill these out in App Store Connect before submitting your app. Apple compares your Nutrition Labels against your actual app behavior and privacy policy — inconsistencies cause rejections.
What is App Tracking Transparency (ATT) and how does it affect my privacy policy?
ATT is Apple's framework (introduced in iOS 14.5) that requires apps to ask user permission before tracking their activity across other companies' apps and websites. If your app uses the IDFA or any form of cross-app tracking, you must implement the ATT prompt and describe your tracking practices in your privacy policy — including what happens when users opt out.
My app was rejected for privacy policy issues. What should I check?
The most common causes are: (1) privacy policy URL is broken or unreachable, (2) policy doesn't match your Nutrition Label declarations, (3) missing disclosures for device permissions you request, (4) no mention of third-party SDKs that collect data, (5) no data deletion mechanism described, and (6) ATT not addressed when your app tracks users. Fix each issue, update your policy, and resubmit.
How do I add a privacy policy URL in App Store Connect?
In App Store Connect, go to your app, then App Information (under General in the left sidebar). Scroll to the 'App Privacy Policy' section and paste your URL. This must be a publicly accessible HTTPS URL that doesn't require login. You should also link to the same policy within your app (in Settings or a dedicated screen) — Apple checks for in-app accessibility during review.
What extra requirements apply to Kids category apps?
Apps in Apple's Kids category face strict additional rules: no third-party advertising or analytics SDKs are permitted, no behavioral advertising, no cross-app tracking, data collection must be minimized to what's strictly necessary, and you must comply with COPPA (US) and equivalent children's privacy laws globally. Your privacy policy must explicitly state how children's data is handled and that parental consent is obtained.
Do I need separate privacy policies for my iOS app and my website?
No, one privacy policy can cover both — and this is actually recommended for consistency. However, make sure the policy addresses app-specific data (device identifiers, push tokens, permissions, SDKs) in addition to website-specific data (cookies, analytics). Your policy should clearly state which sections apply to each platform.
How often does Apple change its privacy requirements?
Apple updates its privacy requirements regularly, typically at WWDC each June and through periodic App Store Review Guideline updates. Major changes in recent years include Privacy Nutrition Labels (2020), App Tracking Transparency (2021), required account deletion (2022), and third-party SDK privacy manifests (2024). Review Apple's developer documentation before each submission to stay current.