Apple App Store policy requirements for app publishers

What the Apple App Store review process expects from a privacy policy URL, App Privacy nutrition label, and supporting documents.

Published 2026-05-06 · Updated 2026-05-06

Short answer

The App Store requires a publicly reachable privacy policy URL on the product page, an accurate App Privacy nutrition label, and disclosures that match the app's data handling. The privacy policy must explain data collection, sharing, retention, and deletion, and must be consistent with the App Tracking Transparency prompt and the App Privacy disclosures.

Required surfaces

Apple requires the privacy policy URL on the App Store product page and in the developer account. Many apps also surface the policy from a settings screen. The URL must be reachable without a login and must not redirect to an unrelated page.

App Privacy nutrition label

App Store Connect asks, for each data type, whether the app collects it, links it to the user's identity, uses it for tracking, and so on. The privacy policy must describe the same flows. Apple flags listings where the policy contradicts the label.

App Tracking Transparency

If the app calls the App Tracking Transparency API to access the IDFA or to track users across apps, the privacy policy must describe what tracking takes place and which third parties receive data. The policy text should align with the ATT prompt.

SDKs and third parties

Most apps include third-party SDKs (analytics, advertising, crash reporting). Each SDK's data flows count toward the App Privacy label and the policy. The policy should list categories of third parties and reference vendor notices where available.

Permissions narrative

For each iOS permission the app requests at runtime (Camera, Photos, Location, Contacts, Microphone), the privacy policy should describe the use case and whether the data leaves the device. Generic permission rationales are a common rejection reason.

Data retention and deletion

Apple requires apps that allow account creation to provide an in-app account deletion path. The policy should describe the path and the timeline. Even apps without accounts should explain how device-side data is removed when the app is uninstalled and how server-side data is deleted on request.

Children and Kids category

Apps in the Kids category cannot serve third-party advertising or analytics that aggregate personal data, and the policy must reflect those restrictions. Apps targeting children but not in the Kids category still need additional disclosures.

Subscriptions and refunds

If the app offers in-app purchases or subscriptions, the policy and the EULA should explain billing, renewal, and cancellation. Refunds for App Store purchases are handled by Apple, not the developer; the policy should set expectations accordingly.

Cross-links

Reference the terms of service or EULA, any acceptable use policy for user content, and any region-specific privacy addendum. Keep cross-links consistent with the website slug structure.

Common rejection reasons

Common rejection reasons are an unreachable policy URL, a privacy policy that contradicts the App Privacy label, missing in-app account deletion, generic permission rationales, and undisclosed third-party SDK data collection.

FAQ

The App Store review treats the privacy policy, the nutrition label, the ATT prompt, and the in-app screens as one consistent disclosure. Mismatches between any of them are reasons to expect a follow-up from review.

Questions this guide answers.

Does an app without an account need a privacy policy?

Yes, if the app accesses sensitive permissions (camera, location, photos, contacts) or includes any third-party SDK that collects data. The App Privacy questionnaire asks about each data type.

Is the App Privacy nutrition label the same as the privacy policy?

No. The label is a structured summary inside App Store Connect; the privacy policy is a public document. Both must describe the same data flows in plain language.
