How to write an app privacy policy

To write an app privacy policy that satisfies both Apple and Google requirements, you need a publicly hosted document (not a PDF) that lists every data type your app and every bundled SDK collects, the purpose for each data type, the third parties that receive the data, the legal basis for processing (GDPR), the retention period, user rights (access, deletion, export), and a contact address. The policy text must stay consistent with your App Store App Privacy details and Google Play Data Safety declaration — the #1 rejection reason is divergence between the policy and those forms.

Step by step

  1. Inventory every data point your app touches

    Audit your code and every bundled SDK: Firebase Analytics (device ID, events), Crashlytics (device model, crash logs), RevenueCat (purchase events, user ID), Sentry (error stack traces), AdMob (advertising ID, app interactions), attribution SDKs (install referrer, IDFA). Map each to a schema.org data category.

  2. Identify legal bases for processing (GDPR)

    For each data type processed about EU users, decide which legal basis applies: contract performance (subscription billing), legitimate interest (crash logs, fraud prevention), or consent (analytics, advertising). Consent-based items need a pre-collection opt-in, typically via a consent management SDK (UMP for Google, OneTrust, Didomi).

  3. Draft the policy sections

    Include: (1) What data we collect, (2) How we use it, (3) Who we share it with (named third parties), (4) How long we keep it, (5) Your rights and how to exercise them, (6) International transfers, (7) Children's data, (8) Cookie/tracking tech (if applicable), (9) Security measures, (10) Changes to this policy, (11) Contact. Use plain language, not lawyerese.

  4. Host the policy on a public URL

    Publish to a stable HTTPS URL — e.g. forvibe.app/legal/your-app/privacy. Do not use Google Docs, Notion public pages (format changes over time), or a PDF link — App Review explicitly rejects these under guideline 5.1.1.

  5. Link the URL in App Store Connect and Play Console

    In App Store Connect, set the Privacy Policy URL in App Information (required). In Play Console, set it under 'Store Presence → Main Store Listing → Privacy Policy'. Both platforms validate the URL on submit; broken URLs block the release.

  6. Align with App Privacy details (Apple) and Data Safety (Google)

    Fill out Apple's App Privacy nutrition label and Google's Data Safety form so every data type and purpose mentioned in your policy is also declared. Any inconsistency — 'our policy mentions analytics but App Privacy says Data Not Collected' — triggers automatic rejection.

  7. Review and update on every SDK change

    Every time you add, remove, or upgrade an SDK that touches user data, re-audit and update the policy and the store declarations together. A common failure mode is shipping a new analytics SDK without updating the policy, which triggers rejection on the next App Review.
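    The alignment check in step 6 and the re-audit in step 7 can be automated as a build-time guardrail. The script below is an added example, not Forvibe's code: it maps the SDKs from step 1 to the data types they collect, then reports where the bundled SDK list, the policy text and the store declaration disagree. The SDK table, the sample policy sentence and the sample declaration are constructed for illustration; the keyword matching is deliberately coarse and is a CI check, not a substitute for reviewing the policy.

```python
import re

# SDK -> data types it collects, taken from the step-1 inventory.
# Extend this table whenever a new SDK enters the build.
SDK_DATA_TYPES = {
    "firebase-analytics": {"device id", "events"},
    "crashlytics": {"device model", "crash logs"},
    "revenuecat": {"purchase events", "user id"},
    "sentry": {"error stack traces"},
    "admob": {"advertising id", "app interactions"},
}

def data_types_in_use(sdks):
    """Union of data types collected by the SDKs actually bundled."""
    unmapped = sorted(s for s in sdks if s not in SDK_DATA_TYPES)
    if unmapped:
        # An SDK nobody mapped is the step-7 failure mode: fail loudly.
        raise ValueError(f"unmapped SDKs, extend SDK_DATA_TYPES: {unmapped}")
    return set().union(*(SDK_DATA_TYPES[s] for s in sdks))

def mentioned_in(text, data_types):
    """Data types named (whole-word, case-insensitive) in the policy text."""
    return {t for t in data_types
            if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)}

def find_divergences(sdks, policy_text, declared):
    """Compare bundled SDKs, policy text and store declaration; all-empty means aligned."""
    in_use = data_types_in_use(sdks)
    vocabulary = set().union(*SDK_DATA_TYPES.values())
    in_policy = mentioned_in(policy_text, vocabulary)
    declared = set(declared)
    return {
        # collected by a bundled SDK but never disclosed in the policy
        "policy_missing": sorted(in_use - in_policy),
        # collected but absent from App Privacy / Data Safety
        "declaration_missing": sorted(in_use - declared),
        # disclosed in the policy but the store form says otherwise (step-6 rejection)
        "policy_not_declared": sorted(in_policy - declared),
        # declared, yet no bundled SDK collects it: stale declaration
        "stale_declaration": sorted(declared - in_use),
    }

# Constructed sample: RevenueCat was added, policy and store form were not updated.
SAMPLE_SDKS = ["firebase-analytics", "crashlytics", "revenuecat"]
SAMPLE_POLICY = ("We collect your device ID and app usage events for analytics, "
                 "and your device model and crash logs to fix crashes.")
SAMPLE_DECLARED = {"device id", "events", "device model", "crash logs"}

def check_sample():
    return find_divergences(SAMPLE_SDKS, SAMPLE_POLICY, SAMPLE_DECLARED)
```

Run it from CI against the real dependency manifest and fail the pipeline when any list is non-empty; the "policy_not_declared" case is the 'policy mentions analytics but App Privacy says Data Not Collected' rejection from step 6.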

How Forvibe does this

Forvibe's Legal Document Generator walks you through a 5-minute interview (what the app does, what SDKs it uses, which regions you target) and produces a privacy policy that is GDPR, CCPA, and COPPA compliant, hosted on a stable forvibe.app URL (or your custom domain). The output aligns automatically with the App Privacy and Data Safety declarations the Store Listing Manager generates, eliminating the top rejection vector.

See Legal Document Generator

Frequently asked questions

Do I need a privacy policy if my app collects no personal data?

Yes. Both Apple (guideline 5.1.1) and Google Play require every app to link to a privacy policy URL, even apps that genuinely collect zero data. The policy simply states that no personal data is collected — but the URL field cannot be left blank.

Can I use a free privacy policy generator?

Generic generators produce plausible text but rarely enumerate specific SDKs or align with App Privacy / Data Safety forms. They're a starting point, not a finished policy. If you use one, you must manually update the policy every time your SDK list changes, or you'll fail App Review the next time App Privacy details get audited.

What happens if my privacy policy disagrees with my App Privacy declaration?

Divergence is one of the most common App Review rejections under guideline 5.1.1 ('Legal — Privacy'). The reviewer opens the policy URL, compares it to the App Privacy nutrition label you declared, and rejects the submission if, for example, you declared 'Data Not Collected' but the policy mentions analytics. Always update both together.

Do I need separate policies for iOS and Android?

Usually no — a single policy covering both platforms is fine as long as it accurately describes what both versions collect. If the iOS and Android versions use different SDKs (for example, Android uses Firebase while iOS uses CloudKit), call out which platform collects which data type.

Does my privacy policy need to be translated?

Apple and Google accept an English-only policy in every locale, but GDPR recommends making the policy available in the user's language for EU users. Practically, if your app is marketed in French and German, translating the policy to those languages is a compliance best practice and avoids potential GDPR enforcement action.