App Privacy Policy Template

If your mobile app collects and uses personal information from people who use it, you need to have a Privacy Policy.

This is a requirement from three different sources:

  • International laws
  • Mobile app stores (Apple App store, Google Play, etc.)
  • Third party app services (Google Analytics, Firebase, etc.)

Here's why your mobile app needs a Privacy Policy, what to include in your mobile app Privacy Policy and examples of policies.

What's a Privacy Policy

A Privacy Policy is a legal agreement between you and your users. It's where you let users know important information about your data collection practices including:

  • What personal information your app collects from users
  • Why your app collects this information
  • How your app uses this information
  • Security features that keep this information safe
  • Any third parties that collect or access personal information through the app
  • Any controls a user has over your information collection

Personal information is defined as any information that can be used to identify a user, including but not limited to data such as an email address, mailing address, financial account information, first and last name or IP address.

When apps are involved, personal information can include any of the above, as well as geolocation information, contact lists, app inventory lists, calendars, and access to cameras and microphones.

Requirements for a Mobile App Privacy Policy

As noted above, there are 3 sources of the Privacy Policy requirement: International laws, mobile app stores and third party app services.

International Laws

Laws around the world require that if your website/mobile app collects and uses personal information from users, you must provide users with access to a Privacy Policy.

Note that while most of these laws were written with internet and website users in mind, they apply to mobile apps as well, because the two are so closely related: often a mobile app is just the mobile version of a standard website. And because the laws were created to protect consumer privacy, they are interpreted broadly to offer maximum protection, and many have since been updated to cover mobile apps explicitly.

The US

There isn't one main law that requires a Privacy Policy in the US, but rather a number of federal and state laws that call for one. They include the following:

  • The California Online Privacy Protection Act (CalOPPA): This law requires that you include a link to a Privacy Policy on your website if it collects personal information from users in the state of California.
  • The Student Online Personal Information Protection Act (SOPIPA): This law prohibits using personal information from K-12 students in California for targeted advertising, and any collection of geolocation data must be disclosed in a Privacy Policy.
  • The Health Insurance Portability and Accountability Act (HIPAA): This law requires that health care providers and other covered entities provide a notice of their privacy practices, which is typically done through a Privacy Policy.

Canada

In Canada, there's the Personal Information Protection and Electronic Documents Act (PIPEDA). This law requires that you give notice and obtain consent if your Canadian-based website/mobile app collects personal information from users.

The EU

In the EU, the Data Protection Directive (95/46/EC) applied to websites and mobile apps that collect and use personal information from users and required a Privacy Policy. It has since been replaced by the General Data Protection Regulation (GDPR), which keeps the same notice requirement and expands on what the notice must contain.

Additional and similar laws can be found around the world including in Australia, Southeast Asia, the UK and others.

Mobile App Stores

All of the main mobile app stores require that if your app collects and uses personal information, you must include a Privacy Policy, usually both within your app and in the app store listing.

Apple App Store

Apple's App Store Review Guidelines state that "Apps that collect user or usage data must have a privacy policy..."

Apple's App Store Review Guidelines: Data Collection and Storage Clause

The iOS Developer Program License document states that developers "must provide clear and complete information to users regarding Your collection, use and disclosure of user or device data, e.g., a link to Your privacy policy on the App Store."

Apple iOS Developer Program License: Section 3

Google Play Store

For Android app developers, the Google Play Developer Policy Center says that if your app handles personal or sensitive user information, your app must post a privacy policy both within your app and in the Play Developer Console.

Privacy Policy requirement by Google Play Store

Windows Phone Store

If your app is going to be listed in the Windows Phone Store and it "accesses, collects or transmits personal information," you need to have a Privacy Policy both on the app's app store description page and within the app itself.

Windows Phone Store's Privacy Policy requirement for mobile apps

Third Party Services

If your app uses analytics, advertising, developer platform services or other third party services, it's very likely that you'll need a Privacy Policy. The Terms and Conditions agreements for these services will typically require you to have a Privacy Policy if you use the service.

Google Mobile App Analytics and Advertising

The Google Analytics Terms of Service agreement states that developers "must post a Privacy Policy."

Google Analytics Terms of Service requires a Privacy Policy

If you use Google advertising services such as AdMob, Google's Behavioral Policies will apply. These policies let developers know that "your app's privacy policy may need to be updated to reflect the use of personalized advertising...served via the Google Mobile Ads SDK."

Firebase

Firebase by Google is commonly used by app developers. It has an analytics feature as well as other features and services that all fall under the scope of the Google APIs Terms of Service.

A section of the Google APIs Terms of Service deals with User Privacy and API Clients. It says that developers "will provide and adhere to a privacy policy for your API Client..."

Google API Terms of Service User Privacy and API Clients Clause

Mixpanel

Mixpanel's Terms of Use agreement requires that developers who use this service "provide appropriate notices" to users about the collection and use of personal information by the app.

It further states that "appropriate notices may include notice in the form of a privacy policy."

Mixpanel's Terms of Use requiring a Privacy notice for mobile apps

If your app collects and uses personal information, you're likely going to be required by laws, app stores that distribute your app and any third party services your app utilizes to have a Privacy Policy for your app.

What to Include in a Mobile App Privacy Policy

While the specific language of every mobile app's Privacy Policy will differ depending on the app's own unique data collection practices, here's what generally needs to be included in your Privacy Policy, at minimum:

1. A description of what personal information your app collects

In this clause, let your users know what types of information your app collects. This can include information a user provides during account registration, profile information, communications information, etc.

Instagram's mobile app Privacy Policy: Information We Collect clause

It can also include more technical personal information such as log data, information collected by cookies, and user device information.

Spotify's mobile app Privacy Policy: Information We Collect clause

If your mobile app requests special permissions such as access to the camera, the contacts list or geolocation data, list that data in your Privacy Policy as information your app may collect. A practical check is to compare the permissions your app actually declares (in its Android manifest or iOS Info.plist) against what the policy says, so the two never drift apart after a release.

Spotify's mobile app Privacy Policy: Your Mobile Device clause
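The script below is an added example of that cross-check; it is not code from the original article or from any app store or vendor. It reads the permission-gated data categories out of an AndroidManifest.xml and an iOS Info.plist and reports the categories that the Privacy Policy does not yet mention. The manifest, the plist, the permission-to-category map and the POLICY_DISCLOSES set are all constructed for the example; the Android permission names and iOS usage-description keys are the real platform identifiers.

```python
"""Cross-check requested app permissions against Privacy Policy disclosures.

Added example: parses a (constructed) AndroidManifest.xml and Info.plist,
maps each permission to a data category, and diffs the result against the
categories the policy currently discloses.
"""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission identifiers -> this example's own category labels.
ANDROID_CATEGORIES = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_CALENDAR": "calendar",
}

# Real iOS Info.plist usage-description keys -> the same category labels.
IOS_CATEGORIES = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
    "NSContactsUsageDescription": "contacts",
    "NSLocationWhenInUseUsageDescription": "geolocation",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "geolocation",
    "NSCalendarsUsageDescription": "calendar",
}

# Constructed sample manifest (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Constructed sample Info.plist, serialized the way Xcode would store it.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.app",
    "NSCameraUsageDescription": "Used to scan QR codes.",
    "NSMicrophoneUsageDescription": "Used for voice notes.",
})

# Categories the (constructed) Privacy Policy currently mentions.
POLICY_DISCLOSES = {"camera", "geolocation"}


def android_categories(manifest_xml: str) -> set[str]:
    """Return the disclosure categories implied by <uses-permission*> entries."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    found = set()
    # Both element forms declare permissions; INTERNET etc. map to nothing.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name", "")
            if name in ANDROID_CATEGORIES:
                found.add(ANDROID_CATEGORIES[name])
    return found


def ios_categories(plist_bytes: bytes) -> set[str]:
    """Return the disclosure categories implied by usage-description keys."""
    info = plistlib.loads(plist_bytes)
    return {cat for key, cat in IOS_CATEGORIES.items() if key in info}


def undisclosed(requested: set[str], disclosed: set[str]) -> set[str]:
    """Categories the app can access but the policy does not mention."""
    return requested - disclosed


def report() -> list[str]:
    """Union both platforms' requested categories and diff against the policy."""
    requested = android_categories(SAMPLE_MANIFEST) | ios_categories(SAMPLE_INFO_PLIST)
    return sorted(undisclosed(requested, POLICY_DISCLOSES))


if __name__ == "__main__":
    missing = report()
    if missing:
        print("Privacy Policy does not disclose:", ", ".join(missing))
    else:
        print("All permission-gated data categories are disclosed.")
```

Run against real build artifacts by reading the manifest and plist from disk instead of the inline samples; adding the check to CI catches the common failure mode where a new SDK or feature pulls in a permission that the policy was never updated to mention.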

2. How your app uses this information

After you let users know what information you collect, let them know how you use it. It's typical to see a clause with a list of ways that an app uses information it collects.

Instagram's mobile app Privacy Policy: How We Use Your Information clause

Be thorough and accurate here. You can include links to adjustable preferences settings, your Terms and Conditions or other resources that may help a user understand why and how you're using the collected information.

Spotify's mobile app Privacy Policy: How We Use the Information We Collect clause

It's possible to combine both of these sections (What information you collect and how you use it) into one clause about "Collection and Use."

This may work best for less complicated apps that don't collect a large amount of information.

Plants vs. Zombies 2 mobile game app Privacy Policy: Collection and Use of information clause

3. Cookies information

Even if you mention cookies in the clause about what information your app collects, you can and should still cover cookie use in its own separate clause.

This is because cookie use is at the center of a few international privacy laws, such as the EU Cookies Directive, and adequately disclosing your use of cookies is very important. In some cases, you may even need a separate Cookies Policy.

At minimum, disclose your cookie usage thoroughly in your Privacy Policy.

Spotify's mobile app Privacy Policy: Cookies clause

4. How you secure the information you collect

This clause is usually short and rather general. It's standard to see a business simply say that "reasonable safeguards" are taken to protect data, that encryption is used to protect financial information, and that the business can't guarantee 100% security. Keep it accurate, though: only describe safeguards (encryption, access controls, and so on) that your app and backend actually implement, since a security claim in a published policy that turns out to be untrue can itself be treated as a deceptive practice.

Electronic Arts mobile Privacy Policy: How We Protect Your Personal Information clause highlighted

If a user is responsible for any security measures, such as by protecting her username and password data, you can mention that here as a reminder for the user to be proactive with account and app security.

Spotify's mobile app Privacy Policy: Security clause

5. What third parties have access to the information you collect

This clause can include general information and doesn't need to specifically list out the names of every third party that may access the information. It's enough to say that you may share information with third party analytics or advertising services, or with affiliates of the business.

Instagram's mobile app Privacy Policy: Sharing of Your Information clause

Being general is a good choice because you won't need to update your Privacy Policy if you switch advertising services or bring in a new third party analytics service.

6. How users can access their information and request or make changes

Many privacy laws require that users are given access to the information you collect about them and are able to update it or request that you update it for them.

You can either provide a contact where users can email you with requests, or provide some sort of user interface where a user can log in and make changes himself.

Spotify's mobile app Privacy Policy: Accessing and Updating User Information clause

7. How users will be notified of Privacy Policy updates and changes

From time to time, you'll probably need to update your Privacy Policy. While not every single update will be material and something that would matter to your users, some of these changes will be.

Let users know that you may change your policy, and how you will let them know when you do make material changes.

Spotify lets users know that when material changes are made, users will be provided with a prominent notice or with a notice by email. In some cases, Spotify will give advance notice of a change.

Spotify's mobile app Privacy Policy: Changes to the Privacy Policy clause

8. An effective date for the Policy

This is the date of the most recent update to the policy, and it can usually be found at the very top of a Privacy Policy.

Spotify's mobile app Privacy Policy with the effective date highlighted

While your mobile app may benefit from additional terms, or need them, this list is a great place to start. It covers the most common legally required clauses that your mobile app Privacy Policy will need.