Flutter & React Native · Google Play + App Store

Privacy Policy for Flutter & React Native Apps

Building cross-platform? Both Google Play and the Apple App Store reject apps without a compliant privacy policy. Generate one that covers Data Safety declarations, Privacy Nutrition Labels, SDK disclosures, GDPR, and CCPA — in under 2 minutes.

Why Every Flutter and React Native App Needs a Privacy Policy

Cross-platform frameworks like Flutter, React Native, and Expo make it easy to ship to both iOS and Android from a single codebase. But both app stores have strict, independent privacy policy requirements that you must satisfy before your app goes live. Missing or non-compliant privacy policies are one of the most common reasons for app rejection.

Google Play Requirement

Since July 2022, Google Play requires every app to complete a Data Safety section and provide a privacy policy URL. Apps without a valid privacy policy are subject to removal. Apps that collect personal or sensitive data without a policy are automatically rejected.

Apple App Store Requirement

Apple requires a privacy policy for all apps — even those that collect zero data. You must provide a privacy policy URL in App Store Connect and include a link inside the app. Review Guidelines Section 5.1.1 governs all privacy requirements.

Cross-platform catch: Because Flutter and React Native apps ship to both stores simultaneously, your privacy policy must satisfy both Google Play and Apple requirements at the same time. A policy written only for one store will cause rejection on the other. PolicyForge generates policies that cover both stores in a single document.

Google Play Data Safety Section for Flutter Apps

Google Play's Data Safety section is a structured form you fill out in the Play Console. It tells users what data your app collects, whether it's shared with third parties, and what security practices you follow. Your privacy policy must be consistent with these declarations — Google checks for discrepancies.

For Flutter apps, the key challenge is accounting for data collected by every Dart package and native plugin in your pubspec.yaml. Many popular Flutter packages like firebase_analytics, google_mobile_ads, and sentry_flutter collect data that must be declared.

Google Play Data Types You Must Evaluate

Location

  • Approximate location
  • Precise location

Personal Info

  • Name
  • Email address
  • User IDs
  • Address
  • Phone number
  • Race and ethnicity
  • Political or religious beliefs
  • Sexual orientation
  • Other personal info

Financial Info

  • User payment info
  • Purchase history
  • Credit score
  • Other financial info

Health and Fitness

  • Health info
  • Fitness info

Messages

  • Emails
  • SMS or MMS
  • Other in-app messages

Photos and Videos

  • Photos
  • Videos

Audio Files

  • Voice or sound recordings
  • Music files
  • Other audio files

Files and Docs

  • Files and docs

Calendar

  • Calendar events

Contacts

  • Contacts

App Activity

  • App interactions
  • In-app search history
  • Installed apps
  • Other user-generated content
  • Other actions

Web Browsing

  • Web browsing history

App Info and Performance

  • Crash logs
  • Diagnostics
  • Other app performance data

Device or Other IDs

  • Device or other IDs

How to Complete the Data Safety Form

Step 1: Audit your pubspec.yaml / package.json

List every dependency. For each package, check its pub.dev or npm page for privacy documentation. Many packages now include a 'Data Safety' section.

Step 2: Map data to Google's categories

For each piece of data collected (by your code or by packages), match it to Google Play's predefined data types listed above.

Step 3: Declare collection and sharing

For each data type, indicate whether it's collected (sent off-device) and whether it's shared with third parties. 'Shared' means transferred to other companies.

Step 4: State the purpose

Select one or more purposes for each data type: App functionality, Analytics, Developer communications, Advertising or marketing, Fraud prevention/security, Personalization, Account management.

Step 5: Declare security practices

Confirm whether data is encrypted in transit, whether users can request deletion, and whether your app follows Google's Families Policy (if applicable).

Step 6: Cross-reference your privacy policy

Every data type declared in Data Safety must appear in your privacy policy with matching purposes. Inconsistencies trigger enforcement.

Apple App Store Requirements for Flutter & React Native Apps

Apple's App Store has its own set of privacy requirements that are independent from Google Play. When you submit your Flutter or React Native app to the App Store, you must complete Privacy Nutrition Labels in App Store Connect and provide a privacy policy URL. Apple's review team actively checks both.

Key Apple-specific requirements that affect cross-platform apps:

  1. Privacy Nutrition Labels — You must complete the App Privacy section in App Store Connect, declaring every data type your app collects. These labels appear on your App Store listing. They must match your privacy policy exactly.
  2. App Tracking Transparency (ATT) — If your app accesses the IDFA or performs cross-app tracking (common with ad SDKs like AdMob or Facebook), you must show the ATT prompt. This is enforced at the OS level on iOS 14.5+. Your privacy policy must describe your tracking practices.
  3. Privacy Manifests (2024+) — Apple now requires Privacy Manifests (PrivacyInfo.xcprivacy) for apps and SDKs. Flutter apps must include manifests that declare required reasons for accessing certain APIs (like UserDefaults, file timestamps, and disk space).
  4. In-app privacy policy link — Apple requires a visible link to your privacy policy within the app itself (Settings, About screen, or menu). A URL in App Store Connect alone is not enough.
  5. Account and data deletion — If your app offers account creation, you must also offer account and data deletion. Your privacy policy must describe how users can request this.

For a deep dive into Apple-specific requirements, see our Privacy Policy for App Store guide.

Google Play vs. Apple App Store: Privacy Requirements Compared

Since your Flutter or React Native app ships to both stores, here is a side-by-side comparison of every privacy requirement you need to satisfy:

| Requirement | Google Play | Apple App Store |
| --- | --- | --- |
| Privacy policy required? | Yes — mandatory for all apps | Yes — mandatory for all apps |
| Where to add URL? | Play Console > Store Listing > Privacy Policy | App Store Connect > App Information > Privacy Policy URL |
| In-app link required? | Recommended but not strictly enforced | Yes — Apple checks during review |
| Data disclosure format | Data Safety section (structured form) | Privacy Nutrition Labels (structured form) |
| Data disclosure mandatory since | July 2022 | December 2020 |
| Must disclose SDK data? | Yes — all third-party code | Yes — all third-party code |
| Tracking consent required? | No OS-level prompt (but GDPR may require consent) | Yes — App Tracking Transparency (ATT) prompt for IDFA |
| Data deletion mechanism? | Yes — required since December 2023 | Yes — required since June 2022 |
| Kids/children rules? | Families Policy (Designed for Families program) | Kids Category restrictions + COPPA |
| Non-compliance penalty | App removal, developer account suspension | App rejection, removal from store |

Common Flutter & React Native SDKs and Their Privacy Impact

Every third-party package in your app potentially collects user data that must be disclosed in your privacy policy, Data Safety form, and Nutrition Labels. Here are the most popular cross-platform SDKs and exactly what data they collect:

Firebase Analytics

firebase_analytics / @react-native-firebase/analytics

Data collected:

  • Device identifiers
  • App usage events
  • Screen views
  • Session duration
  • OS version and device model

Disclose analytics collection in both Data Safety and Nutrition Labels. Firebase sends data to Google servers.

Firebase Crashlytics

firebase_crashlytics / @react-native-firebase/crashlytics

Data collected:

  • Crash logs and stack traces
  • Device state at time of crash
  • Device identifiers (installation UUID)
  • OS version and app version

Classified as Diagnostics data. Disclose crash data collection and that it is sent to Google for processing.

Google AdMob

google_mobile_ads / react-native-google-mobile-ads

Data collected:

  • Advertising ID (GAID/IDFA)
  • Device info and IP address
  • Ad interaction data (clicks, impressions)
  • Approximate location (IP-based)

Triggers ATT on iOS. Must declare Third-Party Advertising purpose. Disclose personalized vs. non-personalized ads.

Sentry

sentry_flutter / @sentry/react-native

Data collected:

  • Error and crash reports
  • Device context (OS, memory, CPU)
  • Breadcrumbs (user interactions before error)
  • Optional: user identifiers if configured

Disclose error monitoring and what diagnostic data is captured. Sentry processes data on their servers.

RevenueCat

purchases_flutter / react-native-purchases

Data collected:

  • Purchase and subscription history
  • App user ID
  • Device identifiers
  • Transaction receipts

Handles in-app purchase data. Disclose purchase tracking and that transaction data is shared with RevenueCat servers.

OneSignal Push Notifications

onesignal_flutter / react-native-onesignal

Data collected:

  • Push notification tokens
  • Device identifiers
  • App usage data for segmentation
  • Optional: email, phone, tags

Disclose push notification data collection. OneSignal processes device tokens and may use data for segmentation.

Amplitude / Mixpanel

amplitude_flutter / mixpanel_flutter

Data collected:

  • User events and properties
  • Device identifiers
  • Session data
  • Custom user attributes

Full analytics SDK. Declare Analytics purpose. These SDKs send behavioral data to third-party servers.

Facebook SDK / Meta SDK

flutter_facebook_auth / react-native-fbsdk-next

Data collected:

  • Facebook user ID and profile info
  • Device identifiers and advertising ID
  • App events for ad attribution
  • Optional: friends list, email, birthday

Triggers ATT on iOS. Shares data with Meta for advertising. Must disclose Third-Party Advertising and Tracking purposes.

This is not an exhaustive list. Always audit your pubspec.yaml or package.json for every dependency and check its privacy documentation. PolicyForge helps you generate a policy that covers your specific SDK stack.
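The dependency audit in Steps 1 and 2 of the Data Safety procedure, applied to the SDK list above, can be scripted. This is an added example, not PolicyForge code: it reads both pubspec.yaml and package.json, the mapping of each SDK onto Google Play data types is an assumption drawn from the descriptions on this page, and the sample manifests and version numbers are constructed.

```javascript
// Added example, not PolicyForge code. SDK names come from this page's list;
// the mapping onto Google Play data types is an assumption to verify per SDK.
const IDS = 'Device or other IDs';
const ACTS = 'App interactions';
const PROFILES = {
  analytics: [IDS, ACTS],
  crash: ['Crash logs', 'Diagnostics', IDS],
  errors: ['Crash logs', 'Diagnostics', ACTS],
  ads: [IDS, ACTS, 'Approximate location'],
  purchases: ['Purchase history', 'User IDs', IDS],
  social: ['User IDs', IDS, ACTS],
};
const SDKS = {
  firebase_analytics: 'analytics', '@react-native-firebase/analytics': 'analytics',
  amplitude_flutter: 'analytics', mixpanel_flutter: 'analytics',
  onesignal_flutter: 'analytics', 'react-native-onesignal': 'analytics',
  firebase_crashlytics: 'crash', '@react-native-firebase/crashlytics': 'crash',
  sentry_flutter: 'errors', '@sentry/react-native': 'errors',
  google_mobile_ads: 'ads', 'react-native-google-mobile-ads': 'ads',
  purchases_flutter: 'purchases', 'react-native-purchases': 'purchases',
  flutter_facebook_auth: 'social', 'react-native-fbsdk-next': 'social',
};
const FRAMEWORK = new Set(['flutter', 'react', 'react-native']);

// Direct dependencies from pubspec.yaml. dev_dependencies are skipped because
// they are not part of the shipped app.
function pubspecDeps(text) {
  const deps = [];
  let inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (/^\s*(#|$)/.test(line)) continue;          // blank line or comment
    if (/^\S/.test(line)) {                         // a new top-level key
      inDeps = /^dependencies:\s*(#.*)?$/.test(line);
    } else if (inDeps) {
      // Only keys at two-space indent are package names; deeper lines
      // (sdk:, git:, path:) belong to the package above them.
      const m = /^  ([A-Za-z_][A-Za-z0-9_]*):/.exec(line);
      if (m) deps.push(m[1]);
    }
  }
  return deps;
}

// Runtime dependencies from package.json (devDependencies are skipped).
function packageJsonDeps(text) {
  return Object.keys(JSON.parse(text).dependencies || {});
}

// Build a worksheet: data type -> packages that collect it, plus the packages
// this table does not know. Unknown is not the same as "collects nothing".
function auditDeps(deps) {
  const declare = {};
  const review = [];
  for (const dep of deps) {
    if (FRAMEWORK.has(dep)) continue;
    const profile = PROFILES[SDKS[dep]];
    if (!profile) { review.push(dep); continue; }
    for (const type of profile) (declare[type] = declare[type] || []).push(dep);
  }
  return { declare, review };
}

// Constructed sample manifests (package versions are placeholders).
const SAMPLE_PUBSPEC = `name: demo_app
dependencies:
  flutter:
    sdk: flutter
  firebase_analytics: ^10.8.0
  # crash reporting
  sentry_flutter: ^7.16.0
  geolocator: ^11.0.0
dev_dependencies:
  flutter_test:
    sdk: flutter
`;
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { react: '18.2.0', 'react-native': '0.73.4',
    'react-native-google-mobile-ads': '^13.0.0', 'expo-location': '~16.5.0' },
  devDependencies: { jest: '^29.0.0' },
});

const flutterAudit = auditDeps(pubspecDeps(SAMPLE_PUBSPEC));
const rnAudit = auditDeps(packageJsonDeps(SAMPLE_PACKAGE_JSON));
console.log(flutterAudit, rnAudit);
```

Packages that land in `review` (here geolocator and expo-location) are the ones to check by hand against their own privacy documentation before filling in the form.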

How to Add a Privacy Policy to Your Flutter App

Once you've generated your privacy policy, you need to make it accessible in three places: your app listing on Google Play, your app listing on the App Store, and inside the app itself. Here is exactly how to do each:

1. Add the URL to Google Play Console

Step 1: Open Google Play Console

Go to play.google.com/console and select your app.

Step 2: Go to Store Listing

In the left sidebar, navigate to Grow > Store presence > Main store listing.

Step 3: Find the Privacy Policy field

Scroll to the bottom of the listing page. You'll see a 'Privacy policy' URL field.

Step 4: Paste your privacy policy URL

Enter the full HTTPS URL. It must be publicly accessible — no login walls, no redirects to app stores.

Step 5: Save and complete Data Safety

Save the listing, then go to App content > Data safety to complete the Data Safety section. Both must be done.

2. Add the URL to App Store Connect

Step 1: Open App Store Connect

Go to appstoreconnect.apple.com and select your app.

Step 2: Navigate to App Information

In the left sidebar under 'General', click 'App Information'.

Step 3: Add Privacy Policy URL

Scroll to the 'App Privacy' section and paste your HTTPS URL in the Privacy Policy URL field.

Step 4: Complete Privacy Nutrition Labels

In the same section, click 'Get Started' to declare your app's data collection for Nutrition Labels.

3. Add an In-App Privacy Policy Link (Flutter Code)

Apple requires a visible privacy policy link inside your app. Google recommends it. Here's how to implement it in Flutter:

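```dart
import 'package:flutter/material.dart';
import 'package:url_launcher/url_launcher.dart';

// Add to your Settings or About screen
class PrivacyPolicyTile extends StatelessWidget {
  const PrivacyPolicyTile({super.key});

  @override
  Widget build(BuildContext context) {
    return ListTile(
      leading: const Icon(Icons.privacy_tip),
      title: const Text('Privacy Policy'),
      // Opens the hosted policy page
      onTap: () => launchUrl(
        Uri.parse('https://your-domain.com/privacy-policy'),
      ),
    );
  }
}
```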

For React Native / Expo:

```jsx
// Add to your Settings or About screen
import { Linking, Text, TouchableOpacity } from 'react-native';

export function PrivacyPolicyLink() {
  return (
    <TouchableOpacity
      onPress={() =>
        Linking.openURL('https://your-domain.com/privacy-policy')
      }>
      <Text>Privacy Policy</Text>
    </TouchableOpacity>
  );
}
```

Hosting tip: Host your privacy policy on your own domain (e.g., yourapp.com/privacy) rather than on a third-party service. This gives you full control over updates, avoids broken links, and looks more professional. Make sure it's accessible without authentication and loads over HTTPS.

Flutter-Specific Privacy Considerations

Flutter apps have unique characteristics that affect privacy compliance. Be aware of these framework-specific considerations:

Platform channels and native code

If your Flutter app calls native iOS (Swift/ObjC) or Android (Kotlin/Java) code via MethodChannel, any data accessed by that native code must be disclosed. This includes native SDKs not available as Flutter packages.

Flutter web builds

If you deploy your Flutter app as a web app (flutter build web), you need to disclose cookies, local storage, and browser-based tracking in addition to mobile data collection. Web builds may use different analytics and require a cookie consent banner for GDPR.

Shared preferences and local storage

Flutter's shared_preferences package stores data on-device using SharedPreferences (Android) and UserDefaults (iOS). While on-device storage doesn't need to be declared in Data Safety if data stays local, Apple's Privacy Manifests now require declaring UserDefaults access reasons.

Image picker and camera access

Using image_picker or camera packages? You must add NSCameraUsageDescription and NSPhotoLibraryUsageDescription to your iOS Info.plist, and declare photo/video data collection in both Data Safety and Nutrition Labels if images leave the device.

Location services

Packages like geolocator or location access GPS data. Declare precise or approximate location in both stores. iOS requires NSLocationWhenInUseUsageDescription or NSLocationAlwaysUsageDescription in Info.plist.

Push notifications (FCM)

Firebase Cloud Messaging generates device tokens that are sent to Firebase servers. This counts as collecting Device or Other IDs. Disclose push notification token collection in your privacy policy.

Dart DevTools and debug data

Ensure you're not shipping debug or profiling code in production builds. Debug builds may log sensitive data. Always use 'flutter build --release' for store submissions and verify no debug logging persists.

React Native & Expo Privacy Considerations

React Native and Expo apps have their own framework-specific privacy implications. Here is what you need to know:

Native modules and autolinking

React Native's autolinking automatically includes native code from node_modules. Review every package that includes native iOS/Android code — they may access device APIs and collect data even if you don't call those features directly.

Expo modules

Expo modules like expo-location, expo-camera, expo-contacts, and expo-notifications access sensitive device APIs. Each must be disclosed in your privacy policy. Check Expo's documentation for each module's specific data practices.

Expo Go vs. standalone builds

Expo Go (development client) includes all Expo modules and their permissions. Your standalone build only includes modules you import. Ensure your privacy policy matches your production build, not Expo Go.

Hermes engine

React Native's Hermes engine does not collect user data. However, if you use Hermes crash reporting (via Sentry or Bugsnag), those crash reports may include device identifiers and must be disclosed.

AsyncStorage

React Native's AsyncStorage stores data locally. Like Flutter's shared_preferences, on-device data that never leaves the device typically doesn't need Data Safety disclosure. But if you sync AsyncStorage data to a server, that must be declared.

CodePush / OTA updates

If you use CodePush or EAS Update for over-the-air updates, these services may collect device metadata (OS version, app version, device ID) to deliver updates. Check the service's privacy documentation and disclose if applicable.

GDPR, CCPA, and International Compliance for Cross-Platform Apps

App store requirements are just the baseline. If your Flutter or React Native app is available to users in the EU or California (which it almost certainly is, since both stores are global), you must also comply with GDPR and CCPA:

GDPR (EU Users)

  • Legal basis for processing (consent, legitimate interest, contract)
  • Right to access, rectify, delete, and port data
  • Data Protection Officer contact details (if applicable)
  • Cross-border data transfer disclosures
  • Fines up to 4% of annual revenue or EUR 20M

CCPA (California Users)

  • Right to know what personal info is collected
  • Right to delete personal information
  • Right to opt out of sale of personal info
  • "Do Not Sell My Personal Information" link
  • Financial incentives disclosure if offering them

PolicyForge generates policies that include GDPR and CCPA provisions by default when you select the Pro tier. For detailed GDPR guidance, see our GDPR Privacy Policy Generator or CCPA Privacy Policy Generator.

Generate Your Flutter / React Native Privacy Policy Now

PolicyForge generates privacy policies designed for cross-platform app developers. We cover both Google Play Data Safety and Apple Privacy Nutrition Label requirements, SDK-specific disclosures, ATT, GDPR, and CCPA — from a simple form you can complete in 2 minutes.

  • Google Play Data Safety aligned
  • Apple Nutrition Labels covered
  • SDK disclosures included
  • GDPR & CCPA ready
  • Single policy for both stores

Generate Now — Free
Free tier available · Pro from $4.99

Already Have a Privacy Policy?

Scan your app's privacy policy URL to check compliance across 10 categories — including both Google Play and App Store requirements, GDPR, CCPA, and data disclosure completeness.


Frequently Asked Questions

Do I need a privacy policy for my Flutter app?

Yes, absolutely. Both Google Play and the Apple App Store require a privacy policy for every published app. Google Play requires a privacy policy URL in your Play Console listing before you can publish. Apple requires one in App Store Connect and inside the app itself. Even if your Flutter app collects zero user data, you still need a privacy policy that explicitly states this. Without one, your app will be rejected during review on both platforms.

Does React Native need a different privacy policy than Flutter?

No. The privacy policy requirements are determined by the app stores, not the framework. Whether you build with Flutter, React Native, Expo, Xamarin, or native code, Google Play and the App Store have identical privacy policy requirements. The only difference is which SDKs and plugins you use — each SDK may collect different data types that must be disclosed. Your privacy policy should list all SDKs integrated into your app regardless of framework.

What is Google Play's Data Safety section and how does it relate to my privacy policy?

Google Play's Data Safety section (mandatory since July 2022) is a structured declaration displayed on your app's Play Store listing. It requires you to disclose what data your app collects, whether it's shared with third parties, and your security practices. Your privacy policy must be consistent with your Data Safety declarations — if your Data Safety form says you collect location data, your privacy policy must explain why and how. Google reviews both for consistency, and discrepancies can lead to enforcement actions or app removal.

How do I fill out the Data Safety form for a Flutter app?

In Google Play Console, go to App Content > Data Safety. For each data type, declare whether your app collects or shares it. You must account for data collected by all Flutter packages and plugins — not just your own code. Review each dependency's documentation to understand what data it collects. Common Flutter packages like firebase_analytics, google_mobile_ads, and sentry_flutter all collect data that must be declared. After completing the form, ensure your privacy policy matches every declaration.

Do I need to disclose data collected by Flutter plugins and packages?

Yes. Both Google Play and the App Store hold you responsible for all data collection in your app, including data collected by third-party packages, plugins, and SDKs. If you use firebase_analytics in your Flutter app, you must disclose the analytics data it collects even though you didn't write that code. Audit your pubspec.yaml (Flutter) or package.json (React Native) and check each dependency's privacy documentation to build a complete picture of your app's data collection.

What happens if my Flutter app uses platform channels — do I need to disclose native code data collection?

Yes. If your Flutter app uses platform channels (MethodChannel, EventChannel) to call native iOS or Android code, any data collected by that native code must be disclosed in your privacy policy. This includes native SDKs integrated via platform channels, native API calls that access device sensors or user data, and any native code that sends data to servers. Your privacy policy should cover all data collection regardless of whether it happens in Dart, Swift/Kotlin, or JavaScript.

My Expo/React Native app uses Expo Application Services (EAS). Does that affect my privacy policy?

EAS Build and EAS Update themselves don't collect end-user data — they are developer build and deployment tools. However, if you use expo-notifications, expo-location, expo-contacts, or other Expo modules that access user data, those must be disclosed. Expo's over-the-air update mechanism (EAS Update) sends update bundles to devices but does not collect personal data. Always check each Expo module's documentation for its specific data practices.

Can I use one privacy policy for both my iOS and Android versions?

Yes, and this is recommended. A single privacy policy can cover both platforms — just make sure it addresses platform-specific requirements. Mention Apple's Privacy Nutrition Labels and App Tracking Transparency for iOS, and Google Play's Data Safety section for Android. If your app collects different data on each platform (e.g., IDFA on iOS only, or Android Advertising ID only), note the platform-specific differences in your policy. PolicyForge generates policies that cover both stores simultaneously.

How quickly can I generate a privacy policy for my Flutter app with PolicyForge?

Under 2 minutes. PolicyForge's generator asks you targeted questions about your app's data collection, SDKs, and target audience. It then generates a privacy policy that covers both Google Play Data Safety requirements and Apple App Store Nutrition Label categories. The free tier lets you generate policies with essential coverage. The Pro tier ($4.99) adds SDK-specific disclosures, international compliance (GDPR, CCPA, PIPEDA), and unlimited generations.

What if my app doesn't collect any data at all?

You still need a privacy policy. Both stores require it even for apps with zero data collection. Your policy should explicitly state that your app does not collect, store, or share any personal data. In Google Play's Data Safety form, you can declare 'My app does not collect or share any user data.' In Apple's Nutrition Labels, select that no data is collected. Having a clear 'no collection' policy is still legally required and prevents review rejections.
