This is a requirement from three different sources:
Personal information is defined as any information that can be used to identify a user, including but not limited to data such as an email address, mailing address, financial account information, first and last name or IP address.
When apps are involved, personal information can include any of the above, as well as geolocation information, contact lists, app inventory lists, calendars, and access to cameras and microphones.
Note that while most of these laws started with the goal of protecting internet and website users, they now apply to mobile apps because the two are so closely related. Often, a mobile app is just the mobile version of the standard website.
Also, because the laws were created with an aim towards protecting consumer privacy, they are interpreted to be broad in scope to offer maximum protection. This means they will apply to mobile apps as well as websites, and the laws have been updated to reflect this.
In Canada, there's the Personal Information Protection and Electronic Documents Act (PIPEDA). This law requires that you give notice and obtain consent if your Canadian-based website/mobile app collects personal information from users.
Additional and similar laws can be found around the world, including in Australia, Southeast Asia, the UK and elsewhere.
Firebase by Google is commonly used by app developers. It has an analytics feature as well as other features and services that all fall under the scope of the Google APIs Terms of Service.
In this clause, let your users know what types of information your app collects. This can include information a user provides during account registration, profile information, communications information, etc.
It can also include more technical personal information such as log data, information collected by cookies, and user device information.
After you let users know what information you collect, let them know how you use it. It's typical to see a clause with a list of ways that an app uses information it collects.
Be thorough and accurate here. You can include links to adjustable preferences settings, your Terms and Conditions or other resources that may help a user understand why and how you're using the collected information.
It's possible to combine both of these sections (What information you collect and how you use it) into one clause about "Collection and Use."
This may work best for less complicated apps that don't collect a large amount of information.
Even if you mention cookies in the clause about what information your app collects, you can and should still mention cookie use in its own separate clause.
This clause is usually short and rather general. It's standard to see a business simply say that "reasonable safeguards" are taken to protect data, that encryption is used to protect financial information, and that the business can't guarantee 100% security.
If a user is responsible for any security measures, such as by protecting her username and password data, you can mention that here as a reminder for the user to be proactive with account and app security.
This clause can include general information and doesn't need to specifically list out the names of every third party that may access the information. It's enough to say that you may share information with third-party analytics or advertising services, or with affiliates of the business.
Many privacy laws require that users are given access to the information you collect about them and are able to update it or request that you update it for them.
You can either provide a contact where users can email you with requests, or provide some sort of user interface where a user can log in and make changes himself.
Let users know that you may change your policy, and how you will let them know when you do make material changes.
Spotify lets users know that when material changes are made, users will be provided with a prominent notice or with a notice by email. In some cases, Spotify will give advance notice of a change.