Your mobile app (iOS, Android, Windows, BlackBerry) must have a Privacy Policy if it collects personal data from users.
You'll need a Privacy Policy even if you do not collect this kind of data yourself but instead use third-party tools (such as Google Analytics Mobile or Flurry) that collect it on your behalf.
Personal data is any kind of data that could identify an individual:
A Privacy Policy is required by law in most countries:
In the US, the FTC requires all apps that collect and use personal information from users to properly inform those users about how their personal information is collected and used.
The FTC has provided guidance for developers and businesses on what to be aware of to ensure compliance.
The "Executive Summary" of the FTC's "Mobile Privacy Disclosures: Building Trust Through Transparency" document states that mobile app developers should have a Privacy Policy in place and make sure it's easily accessible through the app stores.
This requirement applies to all app stores, including iOS and Android:
If you're submitting the app to an app store and your app collects personal information from its users, then you must have a Privacy Policy.
You must make the policy easily accessible through the app's profile page so that users can view and read the Privacy Policy before they download and install your app.
Depending on your mobile app and your business, you may be subject to other legal requirements:
Your iOS app (developed for iPhone or iPad) is required to have a Privacy Policy if it accesses, collects or transmits personal information from users. Apple enforces this requirement for all iOS apps in the App Store.
Apple's "App Store Review Guidelines" state that apps that collect user data must get consent for the collection.
They also state that all apps must include a link to their Privacy Policy in the App Store Connect metadata field and within the app itself.
The "Review Guidelines" are a summary based on Apple's "Program License Agreement (PLA)" and other legal documents that iOS developers must read and agree to before their apps can be published on the Apple App Store.
Based on these documents, iOS developers should consider the following:
You may be subject to more requirements related to user data if:
Follow these steps to add the URL of your Privacy Policy for your iOS app:
Following the above steps would meet Apple's requirement of getting the Privacy Policy URL on the app's profile page:
Your iOS app may be rejected if you don't add the URL to your Privacy Policy when you submit the app for review. This is the rejection message you receive if no Privacy Policy URL is provided:
Apps should have all included URLs fully functional when you submit it for review, such as support and privacy policy URLs.
You must host the Privacy Policy on your own website. Apple does not provide any hosting for iOS developers to publish the legal page.
Even if your website is merely a placeholder where users can only read an introduction to your app, host the policy there and make its URL available to users who happen to browse your website.
The most common way to do this is to place the URL in the footer of your website:
The same URL from the footer of your website is the URL you need to add when submitting your app to Apple App Store.
Here are some examples of popular iOS apps and how they integrate their Privacy Policies into the app.
Slack
Slack's Privacy Policy is placed on the Settings screen of their iOS app:
Their policy is available on their website as well:
It's also available on the Apple App Store profile page. The URL links directly to the same page as above:
However, Slack's Privacy Policy is not linked from their desktop app. Below is a screenshot of Slack's Mac OS X app:
Slack's legal pages have all the information users need to learn about Slack's privacy practices:
Dropbox
Dropbox's iOS app embeds its legal agreements (both Dropbox's Terms of Service page and Dropbox's Privacy Policy page) in the app itself rather than forcing the user's mobile browser to open in order to read them:
The same legal agreements are available on Dropbox's official website:
Booking.com
Booking.com's iOS app simply places links to its legal agreements (its Terms and Conditions page and its Privacy Statement page) on the "Information" screen in the app:
When a user taps one of those links, the Booking.com app opens the mobile browser to display the requested legal agreement.
Mint
Another example shows how Mint's iOS app lets users read the Privacy Policy of Mint.com before downloading the app and signing up for an account:
Including the link to your Privacy Policy on the App Store profile page is a great way to keep users informed about how your app may use their personal information (including sensitive information, such as the financial data Mint handles).
Another example, from Pinterest's iOS app, shows how Pinterest presents its Privacy Policy page, which is also linked from the app's profile page on the App Store:
The user can then choose to either go "Back to App Store" (added in iOS 9) or tap the "Get the App" button that has been added to the web page.
This is how it looks:
This makes it easy for a user to learn how Pinterest will use their personal information before downloading the app. The "Get the App" button added to the legal page makes it easy for the user to download the mobile app once they have reviewed the contents of the policy.
Amazon Kindle
Another example comes from the login and sign-up screens of Amazon's Kindle iOS app.
The Kindle app can be downloaded from the App Store, but before it can be used (i.e. to read e-books) the user must log in to or register an Amazon account.
By placing a link to Amazon's Privacy Policy on this screen, Amazon has a good case to prove that the user was aware of these two legal agreements and agreed to adhere to them before logging in or signing up for a new account:
If you place the link to your Privacy Policy within the app and only make it available after the user has signed up, it will be harder to prove, if necessary, that the user actually agreed to be bound by your legal terms upon signing up for a new account.