Privacy Policy for Mobile Apps in 2026 — iOS & Android Requirements
Updated April 2026 · Not legal advice
In 2026, submitting an app to the Apple App Store or Google Play without a privacy policy will get it rejected immediately. Both stores require a privacy policy URL for every app — paid or free, collecting data or not. Here's exactly what you need to include and how to get it done for free.
Apple App Store
Privacy Nutrition Labels (App Privacy section) must be filled out accurately
Data collection must match what's declared
Apps for children (COPPA) have stricter requirements
ATT prompt required before tracking across apps
🤖 Google Play
Privacy policy URL required for all apps
Data Safety section must be completed accurately
Must declare all data collected and shared
Apps for children need additional safeguards
Sensitive permissions require clear disclosure
Both stores have significantly tightened enforcement in recent years. Apps that misrepresent their data practices in either the privacy policy or the store's data disclosure forms risk being removed from the store entirely.
What your mobile app privacy policy must include in 2026
✓ Data you collect — Every category of personal data your app collects: name, email, phone number, location, device identifiers, usage data, photos, contacts, health data, financial data. Be exhaustive — undisclosed data collection is the most common reason for App Store rejection.
✓ Why you collect each data type — The purpose behind each category: account creation, analytics, advertising, customer support, app functionality. Apple's Privacy Nutrition Labels require you to map data to purposes.
✓ Device permissions — If your app requests camera, microphone, location, contacts, photos, or Bluetooth access, explain why in your privacy policy. Apple requires a usage description string for each permission, and users expect the policy to explain it.
✓ Third-party SDKs — Every third-party SDK in your app potentially collects data. Common culprits: Firebase, Crashlytics, Amplitude, Mixpanel, Facebook SDK, Google Analytics for Firebase, RevenueCat, AdMob. All must be disclosed.
✓ Data sharing — Who you share data with: analytics providers, advertising networks, payment processors, crash reporting services. "We don't sell personal data" should be explicitly stated if true.
✓ Data retention — How long you keep user data. When users delete their account, how long does their data persist? You must be able to answer this and honor deletion requests.
✓ Account deletion — Since 2023, Apple requires all apps with account creation to offer in-app account deletion. Your privacy policy should explain the deletion process and timeline.
✓ Children's privacy (COPPA) — If your app could be used by children under 13 (or under 16 in some EU countries), stricter requirements apply. State your minimum age requirement and how you handle parental consent.
✓ User rights — GDPR rights for EU users (access, correction, deletion, portability) and CCPA rights for California users (opt-out of sale). Include a contact method for these requests.
✓ Contact information — An email address where users can reach you with privacy questions and data requests. Required by both Apple and data protection regulations.
Apple's Privacy Nutrition Labels — what they mean for your policy
Since 2020, Apple requires every app to complete a "Privacy Nutrition Label" in App Store Connect — a structured disclosure of what data your app collects, whether it's linked to users, and whether it's used for tracking. In 2026, this is thoroughly enforced.
Your privacy policy and your Nutrition Label must match. If your policy says you don't collect location data but your app requests location permissions, Apple will reject your submission. The most common mistake developers make is completing the Nutrition Label inaccurately because they forget about third-party SDKs that collect data independently.
Key categories Apple asks about: Contact info, Health & fitness, Financial info, Location, Sensitive info, Contacts, User content, Browsing history, Search history, Identifiers, Usage data, Diagnostics, Other data.
Google Play's Data Safety section
Google Play's equivalent is the "Data Safety" section in the Play Console. Like Apple's Nutrition Label, it requires you to declare what data your app collects, whether it's shared with third parties, whether it's encrypted in transit, and whether users can request deletion.
Since 2023, Google has been actively cross-checking Data Safety declarations against actual app behavior. Apps found to misrepresent their data practices are removed from the store. Your Data Safety section and privacy policy must tell the same story.
Where to host your app's privacy policy
Both Apple and Google require a publicly accessible URL for your privacy policy — it can't be inside the app itself. Common options:
A page on your website — e.g., yourapp.com/privacy — most professional option
GitHub Pages — Free hosting for a simple HTML page
Notion — Publish a Notion page as public and use that URL
Google Sites — Free, simple, and reliable
Generate your policy with PolicyFlyer, then paste the text into any of these options and use the resulting URL in your App Store Connect or Play Console submission.
Frequently asked questions
Yes — both Apple and Google require a privacy policy URL for all apps regardless of whether they collect data. If your app truly collects nothing, your policy should explicitly state this. However, be careful — most apps collect some data through third-party SDKs (crash reporters, analytics) even if your code doesn't directly collect it.
Generate a comprehensive privacy policy with PolicyFlyer, host it at a public URL, add that URL in App Store Connect (under App Information) or Play Console (under Store listing), and resubmit. Make sure your policy covers all the permissions your app requests and all the third-party SDKs you use.
Yes, if both apps collect the same data and use the same third-party SDKs. A single comprehensive privacy policy that covers all your data practices works for both platforms. Just make sure it's accessible at a public URL that you can enter in both App Store Connect and Play Console.
Yes. If your app tracks users across other companies' apps or websites for advertising purposes, you must request permission using ATT and disclose this tracking in your privacy policy. If you use advertising SDKs like AdMob, this likely applies to you. Your privacy policy should explain what tracking occurs and how users can opt out.