Every app submitted to the App Store — even ones that collect zero data — must have a live, hosted Privacy Policy URL pasted into App Store Connect before Apple will approve review. This guide walks through exactly where that field lives, what Apple expects the linked page to contain, how reviewers cross-check it against your App Privacy questionnaire, and the fastest way to generate a compliant page if you don't already have one.
Inside App Store Connect, open My Apps → select your app → App Information (in the left sidebar under the General section). Scroll to the General Information block. The field is labeled 'Privacy Policy URL'. It's a plain text field that expects a fully-qualified https:// URL.
There is a second Privacy Policy URL field on the Version page (under the current version you're submitting). Both should point to the same page. Apple's reviewers will actually click the link, so it has to resolve to a real, public web page — not a PDF, not a Google Doc behind sign-in, not a localhost or staging URL.
If you're using App Store Connect's API or Fastlane to submit, the field is called `privacyPolicyUrl` in the App metadata payload. Setting it via automation works identically to the web UI.
At minimum, your privacy policy must identify your app by name, describe what personal data (if any) the app collects, explain how that data is used and whether it's shared with third parties, and provide a way for users to contact you. If your app truly collects nothing, a short policy stating exactly that is acceptable — Apple just needs a hosted page that matches the privacy declarations you made in the App Privacy questionnaire.
Reviewers cross-reference your privacy policy against the Data Collection answers you submitted in App Store Connect. If the two disagree — for example, your questionnaire says you collect Usage Data but your policy doesn't mention analytics — you'll get a Guideline 5.1.1 or 5.1.2 rejection on the next review pass.
For apps targeting children or users in regulated jurisdictions (GDPR in the EU, CCPA in California, COPPA in the US), the policy also needs to describe user rights and the legal basis for processing. Most generators, including BaseTerms, include this language by default when you flag the relevant jurisdictions.
The most common rejection cause is a URL that 404s, redirects to a login, or points to a company homepage rather than an actual policy page. Other frequent issues: the policy mentions a different app name than what's submitted, the policy was copied from another app and still contains that app's name, or the policy fails to mention data categories that App Store Connect says the app collects.
Another subtle trap: hosting the policy behind a Cloudflare 'Under Attack' challenge or a country-blocked CDN. Apple's review team operates out of multiple global regions, and if the policy can't be accessed from their review location, the submission gets kicked back as if the URL were dead.
If you don't already have hosting for a policy page, BaseTerms generates one and hosts it at yourapp.baseterms.com/privacy. You enter your app name, toggle the data categories that apply (analytics, location, accounts, ads, payments), and the generated policy matches the exact language Apple's reviewers cross-check against. Paste the URL into the App Store Connect field and you're done — one-time $9, no subscription, no renewal fees.
Ready to ship?
Privacy Policy, Terms, Support, and Data Deletion — all 4 pages, ready to paste into App Store Connect and Google Play Console. Copy the raw Markdown free or host on a custom subdomain for $9 one-time.
One-time payment. No subscription. No renewal fees.