GDPR Art. 13, CCPA §1798.100, and COPPA §312.4 all require that a privacy policy be provided to users before or at the time of data collection. Apple's App Store Review Guidelines (5.1.1) mandate a privacy policy URL in app metadata for any app that collects user or device data — apps without one are rejected at review. Google Play similarly requires a privacy policy link in the store listing for apps with any data collection. A placeholder URL (e.g., https://example.com/privacy) satisfies neither the legal disclosure requirement nor the app store technical requirement — reviewers check that the URL resolves to actual policy content. COPPA additionally requires specific disclosures when an app may be used by children under 13.
High because a missing privacy policy URL causes App Store and Google Play rejection at submission, and its absence during data collection creates direct GDPR Art. 13 and CCPA §1798.100 violations.
Add a real privacy policy URL to app.json and link to it from your Settings screen. The URL must resolve to actual policy content, not a placeholder or 404.

    {
      "expo": {
        "privacy": "https://yourapp.com/privacy"
      }
    }

    // In your Settings or About screen
    import { Linking, Pressable, Text } from 'react-native'

    function LegalLinks() {
      return (
        <Pressable onPress={() => Linking.openURL('https://yourapp.com/privacy')}>
          <Text>Privacy Policy</Text>
        </Pressable>
      )
    }

For COPPA compliance, the policy must explicitly state whether the app is directed at children and how parental consent is obtained. For GDPR, it must identify the data controller, legal basis for processing, and the user's rights under Arts. 15–22.
ID: mobile-permissions-privacy.privacy-compliance.privacy-policy-linked
Severity: high
What to look for: Check app.json for privacy URL field. Count all in-app links to privacy policy (Settings, About, legal section, onboarding). Quote the actual URL found or note its absence.
Pass criteria: At least 1 privacy policy link exists: either in app.json metadata, or in an in-app Settings/About/legal section, or bundled within the app. The link points to a real URL (not a placeholder like https://example.com).
Fail criteria: No privacy policy URL in app metadata and no privacy policy link anywhere in the app. Do NOT pass when the URL is a placeholder (e.g., https://example.com/privacy or TODO).
Skip (N/A) when: App is internal/development only with no published release and no user data collection.
Detail on fail: "No privacy policy URL in app.json and no privacy policy link found in app UI"
Cross-reference: For app store listing requirements related to privacy policy, the App Store Policy Compliance audit covers mandatory metadata fields.
Remediation: Add privacy policy URL to app metadata and link it from your app's UI:

    {
      "expo": {
        "privacy": "https://yourapp.com/privacy"
      }
    }

And add a link in your Settings screen:

    import { Linking, Pressable, ScrollView, Text } from 'react-native'

    function SettingsScreen() {
      return (
        <ScrollView>
          {/* Other settings */}
          <Pressable onPress={() => Linking.openURL('https://yourapp.com/privacy')}>
            <Text>Privacy Policy</Text>
          </Pressable>
        </ScrollView>
      )
    }
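
The check described under "What to look for" and the pass/fail criteria can be run statically over app.json and the source files. The following is an added example, not code from this rule or from any project's tooling. The function names, the placeholder host list (which includes the template value yourapp.com), the link regex, and the strict choice to fail on any placeholder are assumptions; it reads `expo.privacy` the same way the snippets above do.

```javascript
// Added example: static audit for the privacy-policy-linked check.
// Assumption: these hosts count as placeholders (yourapp.com is the
// template value from the remediation snippets, not a real policy URL).
const PLACEHOLDER_HOST = /(^|\.)(example\.(com|org|net)|yourapp\.com|localhost)$/i;

function isPlaceholder(value) {
  try {
    const u = new URL(String(value).trim());
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return true;
    return PLACEHOLDER_HOST.test(u.hostname);
  } catch {
    return true; // "TODO", empty string, or anything that is not a URL
  }
}

// appJsonText: contents of app.json; sources: { path: fileContents }
function auditPrivacyPolicy(appJsonText, sources) {
  let metadataUrl = null;
  try {
    const v = JSON.parse(appJsonText)?.expo?.privacy;
    if (typeof v === 'string') metadataUrl = v;
  } catch { /* unparseable app.json counts as no metadata URL */ }

  // In-app links: quoted http(s) URLs whose text mentions "privacy".
  const linkRe = /['"`](https?:\/\/[^'"`\s]*privacy[^'"`\s]*)['"`]/gi;
  const inAppLinks = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const m of text.matchAll(linkRe)) inAppLinks.push({ file, url: m[1] });
  }

  const found = [...(metadataUrl === null ? [] : [metadataUrl]), ...inAppLinks.map((l) => l.url)];
  const placeholders = found.filter(isPlaceholder);
  let status = 'pass';
  let detail = `${found.length} privacy policy reference(s) found`;
  if (found.length === 0) {
    status = 'fail';
    detail = 'No privacy policy URL in app.json and no privacy policy link found in app UI';
  } else if (placeholders.length > 0) {
    status = 'fail'; // strict reading: any placeholder fails the check
    detail = `Placeholder privacy URL(s): ${placeholders.join(', ')}`;
  }
  return { status, metadataUrl, inAppLinkCount: inAppLinks.length, detail };
}

// Constructed sample input: placeholder in metadata, constructed link in the UI.
const sampleAppJson = '{"expo": {"privacy": "https://example.com/privacy"}}';
const sampleSources = { 'Settings.js': "Linking.openURL('https://policies.acme-app.test/privacy')" };
console.log(auditPrivacyPolicy(sampleAppJson, sampleSources));
```

A pass from this check only shows that a non-placeholder URL is present; whether the URL resolves to actual policy content still has to be verified separately.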