Latest Insights/Back to Generator
By the Legal Policy Generator team · Published 2026-02-15

Privacy Policy for Mobile Apps — iOS & Android Guide (2026)

If you're publishing a mobile app on the Apple App Store or Google Play Store, a privacy policy isn't optional — it's a hard requirement. Both platforms will reject your app or remove it from the store if you don't have one. But the store rules are only the surface. The moment your app touches a phone belonging to someone in the EU, the UK, or California, binding privacy law — GDPR, CCPA, and COPPA among them — applies regardless of where you or your company are based.

This article is general information, not legal advice. Privacy obligations turn on the specific data you collect, where your users are, and what your app does, so treat the sections below as a map of the landscape rather than a checklist tailored to your situation. If you handle sensitive data or operate at scale, talk to a qualified lawyer in the relevant jurisdiction.

Why the law follows your users, not your office

Modern privacy laws are written to follow the user, not your company's address. GDPR applies to any organisation that offers goods or services to people in the EU or monitors their behaviour, even with no EU presence — so an app on a global store that anyone in Europe can download is squarely in scope. The same logic applies to the CCPA for California residents. The relevant question is rarely "does privacy law apply to me?" but "which laws, and what do they require?"

Platform Requirements

Apple App Store

Apple requires all apps to have a privacy policy, regardless of whether they collect user data. Key requirements:

  • A privacy policy URL must be provided in App Store Connect
  • You must complete App Privacy Labels ("nutrition labels") disclosing all data collection
  • If you use App Tracking Transparency (ATT), you must explain why in your policy
  • Apps targeting children must comply with Apple's strict data collection rules

Google Play Store

Google requires a privacy policy for all apps that:

  • Handle personal or sensitive user data
  • Access device permissions (camera, location, contacts, etc.)
  • Use advertising SDKs or analytics tools

You must also complete Google's Data Safety Section, which is similar to Apple's privacy labels.

What Your Mobile App Privacy Policy Must Include

1. Data Collection

Be specific about what data your app collects:

  • Account data: names, email addresses, phone numbers
  • Device data: device model, OS version, unique device identifiers
  • Location data: GPS, Wi-Fi-based location, IP geolocation
  • Usage data: app interactions, session duration, feature usage
  • Camera/microphone data: photos, videos, audio recordings
  • Health/fitness data: if applicable (triggers additional regulations)
  • Financial data: payment information, purchase history

2. Permissions

Explain why your app requests each permission:

  • Camera — "to allow profile photo uploads"
  • Location — "to show nearby results"
  • Contacts — "to find friends using the app"
  • Push notifications — "to send order updates"

3. Third-Party SDKs and Services

Mobile apps commonly integrate multiple SDKs that collect data independently. Disclose all of them:

  • Analytics: Google Analytics, Firebase, Mixpanel, Amplitude
  • Advertising: AdMob, Facebook Ads SDK, Unity Ads
  • Crash reporting: Crashlytics, Sentry, Bugsnag
  • Authentication: Google Sign-In, Apple Sign-In, Facebook Login
  • Push notifications: Firebase Cloud Messaging, OneSignal

4. Data Storage and Security

Explain where data is stored (on-device vs. cloud), encryption methods used, and how long data is retained.

5. Children's Privacy (COPPA and GDPR)

Children's data is one of the most heavily regulated and most aggressively enforced areas of privacy law, and the two main regimes draw the age line differently.

In the United States, the Children's Online Privacy Protection Act applies to operators of apps and online services directed to children, or that have actual knowledge they are collecting personal information from a child. Under the FTC's COPPA Rule, a "child" is an individual under the age of 13, and operators must post a privacy policy, give direct notice to parents, and obtain verifiable parental consent before collecting, using, or disclosing personal information from a child under 13. A 2025 amendment to the Rule went further, requiring separate verifiable parental consent before a child's personal information is disclosed to third parties for targeted advertising.

In the EU, the threshold is different. GDPR sets the default age for a child to consent to an online ("information society") service at 16, but Member States may lower that age in their own law, to no younger than 13. Below the applicable age, the service must obtain consent from, or have it authorised by, the holder of parental responsibility and make reasonable efforts to verify it.

If your app is, or could be seen as, directed at children, the practical baseline is to:

  • Obtain verifiable parental consent before collecting data
  • Limit data collection to what's strictly necessary
  • Avoid behavioral advertising and tracking aimed at children
  • Provide parents with access to, and the ability to delete, their child's data

6. User Rights

Include clear instructions for users to:

  • Access their data
  • Delete their account and data
  • Opt out of data collection (where applicable)
  • Export their data (data portability)

Both Google and Apple now require apps to offer an account deletion mechanism directly within the app.

What GDPR and CCPA Actually Require of Your App

Store policies tell you to have a privacy policy. GDPR and CCPA tell you what has to be in it and what rights you must honour. Getting these wrong is where the real legal exposure lies.

GDPR (EU and, in near-identical form, the UK)

When you collect personal data directly from a user, GDPR requires you to tell them — at the time of collection, in clear and plain language — who you are, what data you collect, why, the legal basis, who you share it with, how long you keep it, and their rights. Those rights include access, rectification, erasure ("right to be forgotten"), restriction, data portability, and the right to object. Your privacy policy is the primary home for this information, which is why a generic, copy-pasted policy rarely satisfies GDPR.

The enforcement stakes are not theoretical. For the most serious infringements — including breaches of the core data-protection principles and of data-subject rights — supervisory authorities can impose administrative fines of up to €20 million, or 4% of a company's total worldwide annual turnover, whichever is higher.

CCPA / CPRA (California)

For California residents, the California Consumer Privacy Act (as amended by the CPRA) grants a defined set of consumer rights that your app and its privacy policy must support. As the California Attorney General summarises them, consumers have the right to know what personal information is collected and how it is used and shared, the right to delete personal information held by a business, the right to opt out of the sale or sharing of their personal information, and the right not to be discriminated against for exercising these rights. If your app sells or "shares" data (which, under the law, can include disclosures for cross-context behavioural advertising), you must offer a way to opt out and honour browser-level opt-out signals such as Global Privacy Control.

Where to Display Your Privacy Policy

  1. App store listing — required by both platforms
  2. Within the app — typically in Settings → Privacy Policy
  3. During onboarding — before collecting any data
  4. Your website — link from app to web version

Keeping Your Policy Accurate Over Time

A privacy policy is not a one-time document. Apple's App Privacy labels and Google's Data Safety section both ask you to declare what data your app collects and how it's used, and those declarations have to match both your policy and your app's actual behaviour. When you add an SDK or a new permission, three things should change together: the code, the store data-safety declaration, and the privacy policy. Mismatches are a common reason apps get flagged in review. A few practical habits help:

  • Inventory your SDKs. Many SDKs collect data on their own. You're responsible for disclosing what they do, so keep a current list of every third party that receives user data.
  • Date your policy and note changes. A "last updated" date and a short summary of material changes help users and reviewers, and support the GDPR transparency requirement.
  • Match permissions to purposes. Only request permissions you genuinely use, and explain each one — both in the OS permission prompt and in the policy.
  • Re-check when you expand. Shipping to a new region or audience (especially children, or EU/UK/California users) can pull new obligations into scope.

Generate Your Mobile App Privacy Policy

Our free Privacy Policy Generator creates policies that cover mobile app requirements, including data collection disclosures for both iOS and Android. Just fill in your details and download your policy in HTML, PDF, or Word format.

Generate your app Privacy Policy now →