Regulated business model risk — app operates in a regulated domain
Why it matters
Apple and Google maintain separate review tracks and documentation requirements for regulated domains: financial services, healthcare and medical devices, legal services, gambling, alcohol and tobacco, adult content, and firearms accessories. Operating in any of these domains means that all related regulated-industry checks in this audit carry blocking weight — a high-severity failure there is not a borderline case but a certain rejection. Reviewers in regulated categories may request documentation (regulatory licenses, age verification certification, data processing agreements) that can extend review timelines from days to weeks. GDPR Article 35 additionally requires a Data Protection Impact Assessment for high-risk data processing, which regulated-domain apps typically trigger.
Severity rationale
Informational because operating in a regulated domain is not itself a violation — it is a signal that every other regulated-industry finding in this audit must be treated as a blocking issue before submission, and that documentation preparation is part of the release checklist.
Remediation
Treat every high and critical finding from the regulated-industry checks in this audit as a blocking release prerequisite — not a post-launch fix. Prepare a reviewer documentation package before submitting:
- Financial services: regulatory license number, FINRA/SEC registration confirmation
- Healthcare: FDA 510(k) clearance number or CE mark documentation
- Gambling: state gaming commission license, age verification certification
- Adult content: age verification system documentation, regional restriction controls
Add this documentation to the App Review Notes field during submission — reviewers are trained to look for it in regulated-domain apps and will request it if absent, adding at least one review cycle. Expect longer review times (5–14 days vs. the standard 1–3 days) for any regulated-domain submission.
Detection
- ID: regulated-business-model
- Severity: info
- What to look for: Count all relevant instances and enumerate each. Assess whether the app's business model or primary domain is subject to regulatory oversight in any of the following: financial services (lending, investments, payments, insurance, cryptocurrency), healthcare and medical devices, legal services, gambling and gaming with real stakes, alcohol or tobacco (requires age verification), adult content (requires age verification and regional controls), firearms and weapons accessories. This is informational — operating in a regulated domain is not a violation. But it means that all related regulated-industry checks in this audit carry extra weight: a failure there is a serious policy violation, not a borderline case. It also means the reviewer will be more scrutinizing and may request documentation (regulatory approvals, age verification certification). Note which regulatory domains apply.
- Pass criteria: App does not operate in a regulated domain, OR it operates in a regulated domain and all relevant regulated-industry checks in this audit pass. Result is pass or skip only — never fail.
- Fail criteria: Not applicable — this is an informational check. Result is pass or skip only.
- Skip (N/A) when: App does not operate in any regulated domain (it is a general productivity, entertainment, or utility app with no financial, health, legal, gambling, or age-restricted content).
- Detail on fail: Not applicable — result is pass or skip only.
- Remediation: If the app operates in a regulated domain, treat every high and critical finding in this audit as a blocking issue before submission. Prepare documentation for reviewers: regulatory licenses, age verification certification, data processing agreements. Expect longer review times and potential reviewer questions. Review the configuration in the src/ or app/ directory for implementation patterns.
External references
- external · apple-regulated-categories — App Store Review Guidelines — Regulated Industries (finance, health, gambling, legal)
- external · google-play-regulated-industries — Google Play Developer Policy — Regulated Goods and Services
- gdpr · Art. 35 — GDPR Art. 35 — Data Protection Impact Assessment (regulated domains)
Taxons
History
- 2026-04-18·v1.0.0·Initial import from app-store-policy-compliance·automated