App Store & Google Play Both Require a Privacy Policy
Before your app is published on the Apple App Store or Google Play Store, both platforms require a Privacy Policy. This isn't optional — it's a mandatory gatekeeping requirement. Without a valid Privacy Policy linked from your app listing, your app will be rejected.
Why platforms require this: Users expect to know how their data is handled. App stores enforce this to maintain trust and comply with regulations like Australia's Privacy Act 1988.
Your Privacy Policy must be:
- Publicly accessible: Linked directly from your app listing (not hidden behind login)
- Specific to your app: Not a template or boilerplate — it must describe your app's specific data practices
- Up to date: If you add new features or integrations that collect data, your Privacy Policy must be updated within 30 days
- Comprehensive: Cover all data collection, third-party tools, and permissions your app uses
Device Data Collection: What Requires Explicit Consent
iOS and Android apps can access sensitive device data such as location, camera, microphone, contacts, and photo library. Australian privacy law (Privacy Act 1988) doesn't mandate upfront consent the way GDPR does, but app platforms do.
Device permissions that require explicit disclosure and user consent:
- Location data: GPS, coarse location (cell tower triangulation). Your app must disclose why it needs location and allow users to refuse. If collected, it's treated as sensitive data.
- Camera: Video or photos. Users must explicitly grant permission. Your Privacy Policy must explain what happens to captured images.
- Microphone: Audio recording. Requires explicit consent. Must disclose if audio is stored, transmitted, or processed.
- Contacts: Phone book access. Must explain why you need contacts and where they're stored.
- Calendar: If your app reads or writes calendar events, this must be disclosed.
- Photo library: If users upload photos, disclose storage, processing, and retention.
- Health/fitness data: Any health, fitness, or medical data is treated as sensitive. Requires explicit consent and careful handling.
For each permission, your Privacy Policy should state: "[Permission name] is used for [specific purpose]. You can grant or deny this permission in Settings."
Push Notifications & Consent Disclosure
Push notifications are a key app feature, but they require explicit user consent under both iOS and Android guidelines.
- First-time prompt: iOS and Android display a system dialog asking for push permission. Users can grant or deny.
- Privacy Policy requirement: You must explain in your Privacy Policy why you send notifications and how users can manage them.
- Data collection: Push notification tokens are device identifiers. Your Privacy Policy must disclose that you collect and store device tokens to deliver notifications.
Example text: "We collect device tokens to deliver app notifications. You can disable notifications at any time in [app settings / iOS Settings > Notifications]."
In-App Purchase Data Handling
If your app offers in-app purchases (subscriptions, consumables, non-consumables), Apple and Google process the payment, but you still have data obligations.
- Purchase history: You may see transaction IDs and subscription status. You must disclose how long you retain this data.
- User identification: You typically associate purchases with user accounts or identifiers. Explain how you link purchases to users.
- Refund data: If users request refunds, you keep records for dispute resolution. State how long.
- Payment processor linking: Apple and Google handle payment data (via the App Store and Google Play Billing), but you must disclose this in your Privacy Policy.
Your Privacy Policy should note: "In-app purchases are processed by [Apple/Google]. We store transaction history for [period] for account management and support."
Children's Apps: Additional Privacy Obligations
If your app is marketed to or could be used by children under 13, you have much stricter obligations under Australian law and international standards.
Additional requirements for children's apps:
- No targeted advertising: You cannot use behavioural data to target ads to children
- No collection of sensitive data: Avoid collecting location, health data, or anything not strictly necessary
- Parental controls: If practical, offer parents the ability to manage their child's data and permissions
- Clear language: Your Privacy Policy must be understandable to parents and older children — avoid legal jargon
- Parental consent: Some jurisdictions require parental consent (for example, COPPA in the US). Disclose your process.
Many app developers age-gate their apps (require users to be 13+) to avoid these stricter requirements.
App Analytics: Firebase, Crashlytics & Other SDKs
Most apps use analytics SDKs to track crashes, performance, and user behaviour. These are third-party integrations that must be disclosed.
Common SDKs that collect data:
- Google Firebase: Crash reporting, event tracking, performance monitoring. Collects device IDs, app version, crash logs.
- Firebase Crashlytics: Collects crash stack traces, device info, log data. Can identify individual users if you pass custom user IDs.
- Amplitude, Mixpanel, Segment: Behavioural analytics. Track feature usage, user flows, custom events.
- AppsFlyer, Adjust: Attribution and marketing analytics. Track installs, app opens, in-app events.
- Sentry, Bugsnag: Error tracking. Collects stack traces, device info, user context.
For each SDK, your Privacy Policy must state:
- What data it collects: "Firebase collects crash logs, device identifiers, and app performance metrics"
- Purpose: "To improve app stability and performance"
- Link to their privacy policy: "See Google's Firebase Privacy Policy for details"
Third-Party Libraries & Hidden Data Collection
Apps often use third-party libraries for features like authentication, ads, or UI components. Some collect data you may not realise:
- Google Sign-In, Facebook Login: Collect identity data and link to user accounts
- Advertising SDKs (Google Ads, AppLovin, Unity Ads): Collect device identifiers, IP addresses, app usage for ad targeting
- Payment SDKs (Stripe, Paystack): Collect payment info and transaction data
- Social sharing (Share Kit, native sharing): May collect social graph data
Review all third-party libraries you use and disclose them in your Privacy Policy.
Information to Prepare Before Generating
- Your app name and company name
- Company address and privacy contact email
- Platform details: iOS only, Android only, or both?
- All device permissions your app requests (location, camera, microphone, contacts, health, etc.)
- Complete list of third-party SDKs and libraries (Firebase, Amplitude, AppsFlyer, ad networks, etc.)
- In-app purchase details: Subscription types, pricing, refund policy
- Is your app marketed to children? Even indirectly?
- Data retention policies: How long you keep crash logs, analytics, purchase history
- User account options: Can users delete accounts? Export data?