Privacy policy URL is set and accessible

A valid, publicly accessible privacy policy is a non-negotiable prerequisite for App Store and Google Play submission — both platforms validate the URL during review and reject the binary if the link is broken or the policy is a placeholder. Under GDPR Art. 13, users must be informed of data processing purposes before data is collected; a missing policy means every install is processing personal data without the legally required disclosure. Under CCPA §1798.100, California users have a right to disclosure that cannot be honored without a policy in place. A privacy policy URL that resolves to a 404 or https://example.com/privacy placeholder causes immediate submission rejection and, if discovered post-publication, risks app removal and regulatory scrutiny.

Host a real privacy policy at a public HTTPS URL, then reference it in app.json. The policy must cover every permission and data collection your app performs — a generic template that doesn't mention your actual permissions will be flagged in manual review.

// app.json
{
  "expo": {
    "privacy": "https://yourapp.com/privacy"
  }
}

Write the policy to cover: data collected (by permission type), storage location, third-party sharing, user deletion rights, and contact method. Free generators (Termly, iubenda, PrivacyPolicies.com) can scaffold a GDPR/CCPA-compatible policy in minutes. Verify the URL returns HTTP 200 before submitting — store review infrastructure makes a live HTTP check against the URL at submission time.

• ID: privacy-policy-configured
• Severity: critical
• What to look for: Check app.json for privacy field or check iOS Info.plist for NSPrivacyAccessedAPITypes and privacy-related URLs. Count all privacy policy URL references found across config files. Check android/app/src/main/AndroidManifest.xml or app config for privacy policy URL reference. The URL should point to a public, accessible privacy policy (e.g., https://example.com/privacy). Verify the URL is valid and the policy is readable.
• Pass criteria: Privacy policy URL is set in app config or metadata with a valid HTTPS URL (at least 20 characters). Before evaluating, extract and quote the exact privacy policy URL value found in app.json or Info.plist. The URL must be publicly accessible and the privacy policy must cover the app's data practices.
• Fail criteria: No privacy policy URL found, URL is broken or inaccessible, URL uses HTTP instead of HTTPS, or privacy policy does not address the app's permissions or data collection. Do NOT pass when a placeholder URL like https://example.com/privacy is used — the URL must point to an actual, reachable privacy policy.
• Skip (N/A) when: Never — app stores require a privacy policy.
• Detail on fail: "No privacy policy URL found in app.json or Info.plist" or "Privacy policy URL points to 404: https://example.com/privacy-policy"
• Remediation: App stores require a public privacy policy. Create and link one:
  1. Write a privacy policy covering:
     • What data your app collects (location, photos, contacts, etc.)
     • How the data is used
     • How users can delete their data
     • Third-party data sharing (if any)
  2. Host it publicly (e.g., https://yoursite.com/privacy)
  3. In app.json:

     "privacy": "https://yoursite.com/privacy"
     

  4. For iOS, also set in Info.plist via app.json:

     "ios": {
       "infoPlist": {
         "NSUserTrackingUsageDescription": "...",
         "NSPrivacyTracking": false
       }
     }
     

  5. For Android, reference in AndroidManifest.xml or app metadata
  6. Ensure the policy is up-to-date and accurate before submission