App Store Rejection: Guideline 5.1.2, Data Use and Sharing — Privacy Nutrition Label Accuracy

Your Privacy Nutrition Label Says One Thing, Your App Does Another

Claiming you collect no data when you clearly log user activity, or forgetting to declare what your third-party SDKs collect — these mismatches will get you rejected and can trigger deeper scrutiny from Apple.

What Apple said

The privacy information you provided in App Store Connect does not accurately reflect your app's data collection practices. Based on our review, your app appears to collect data types that are not disclosed in your privacy nutrition label. Please update your app privacy information to accurately reflect all data your app and any third-party partners collect.

What this actually means

Apple's privacy nutrition labels need to reflect not just your own code but every SDK embedded in your app. Analytics, crash reporting, advertising, and social login SDKs all collect data. If your label says 'Data Not Collected' but you've got Firebase Analytics or a third-party ad network embedded, that's a mismatch Apple will catch.

What Apple needs to see

  • A privacy nutrition label in App Store Connect that accurately lists every data type collected by your app code AND all embedded SDKs
  • Correct data-to-identity linkage — data types that identify users marked as 'linked to identity', anonymous data marked appropriately
  • A privacy policy URL in your App Store listing that's publicly accessible and details data collection practices
  • Third-party SDK privacy manifests included in your app bundle as required by Apple's new SDK requirements

  1. Audit every third-party SDK in your app and look up its privacy declarations — most major SDKs publish this information
  2. Update your App Store Connect privacy questionnaire to include all data types collected by SDKs, not just your own code
  3. Verify the 'Data Used to Track You' section — if any SDK does cross-app tracking, this must be declared
  4. Ensure your privacy policy at yourapp.baseterms.com/privacy is publicly accessible, not behind a login, and is current
  5. Include third-party SDK privacy manifests (PrivacyInfo.xcprivacy files) for all required SDKs in your Xcode project
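
An added example, not from the original page: Python that merges the PrivacyInfo.xcprivacy manifests found in a built app bundle and compares them with your label. The `declared` mapping (your App Store Connect answers, keyed by the manifest's data-type identifiers), the function names and the sample SDK names are assumptions made for the example.

```python
import plistlib
from pathlib import Path

MANIFEST = "PrivacyInfo.xcprivacy"
PREFIX = "NSPrivacyCollectedDataType"  # manifest key; also prefixes ...Linked / ...Tracking

def scan_bundle(bundle_root):
    """Merge every privacy manifest in a built .app (app code and embedded SDKs)."""
    root = Path(bundle_root)
    collected, trackers = {}, []
    for path in sorted(root.rglob(MANIFEST)):
        manifest = plistlib.loads(path.read_bytes())
        if manifest.get("NSPrivacyTracking"):
            trackers.append(path.parent.relative_to(root).as_posix())
        for entry in manifest.get("NSPrivacyCollectedDataTypes", []):
            merged = collected.setdefault(entry[PREFIX], {"linked": False, "tracking": False})
            merged["linked"] |= bool(entry.get(PREFIX + "Linked"))
            merged["tracking"] |= bool(entry.get(PREFIX + "Tracking"))
    # Embedded frameworks that ship no manifest have to be audited by hand.
    no_manifest = [fw.name for fw in sorted(root.glob("Frameworks/*.framework"))
                   if not (fw / MANIFEST).exists()]
    return collected, trackers, no_manifest

def label_gaps(collected, declared):
    """List data types the manifests report but the label (declared) understates."""
    gaps = []
    for dtype, flags in sorted(collected.items()):
        label = declared.get(dtype)
        if label is None:
            gaps.append(f"{dtype}: not declared")
            continue
        gaps += [f"{dtype}: {flag} in manifest but not in label"
                 for flag in ("linked", "tracking") if flags[flag] and not label.get(flag)]
    return gaps

def build_sample_bundle(root):
    """Constructed sample: app manifest, one SDK with a manifest, one SDK without."""
    root = Path(root)
    sdk = root / "Frameworks" / "AnalyticsSDK.framework"    # hypothetical SDK
    sdk.mkdir(parents=True)
    (root / "Frameworks" / "LegacyAds.framework").mkdir()   # hypothetical, no manifest
    (root / MANIFEST).write_bytes(plistlib.dumps({"NSPrivacyTracking": False}))
    (sdk / MANIFEST).write_bytes(plistlib.dumps({
        "NSPrivacyTracking": True,
        "NSPrivacyCollectedDataTypes": [
            {PREFIX: PREFIX + "DeviceID", PREFIX + "Linked": True, PREFIX + "Tracking": True},
            {PREFIX: PREFIX + "CrashData", PREFIX + "Linked": False, PREFIX + "Tracking": False},
        ]}))
    return root
```

A manifest only shows what the SDK vendor declared, so any framework returned in `no_manifest` still needs its documentation checked by hand.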

While you're at it — Apple also requires these pages for every app.

Fix this rejection, then make sure you're covered on the compliance side too. Apple requires every app to link to a hosted Privacy Policy, Terms of Service, Support page, and Data Deletion page. No link means another rejection — just for a different reason.


Common questions

How do I find out what data each SDK collects?
Most major SDK vendors publish privacy nutrition label information in their documentation. For analytics like Firebase or Mixpanel, check their developer docs. For ad networks, they're required to provide this. If a vendor doesn't publish privacy information, that's a red flag about using their SDK.

I collect crash logs — does that count as data collection?
It depends on how they're collected. Crash logs that include user identifiers or device identifiers need to be declared. Generic, anonymized crash reports (without IP addresses or device fingerprints) can often be declared as not linked to identity. Review what your crash reporting SDK actually sends.

Can I just put everything as 'Data Not Collected' to avoid complexity?
No, and this is what triggers rejections and potential developer account actions. Apple's reviewers actively check for discrepancies between labels and observed behavior. An inaccurate label is worse than a complete one — it signals either incompetence or intentional deception.