Privacy Policy

Get and save privacy policy wizard data via the OrbitKit API.

The privacy policy endpoints manage the wizard data that drives OrbitKit’s Apple-compliant privacy policy generator. Policy data is organized into sections that mirror the wizard steps: app info, data collection, third-party sharing, data retention, and children/tracking.

See Apple’s App Store Review Guidelines §5.1.1 and App privacy details on the App Store for privacy policy requirements.

Endpoints

| Method | Path | Description |
| --- | --- | --- |
| GET | /api/apps/:appId/policy | Get policy data |
| PUT | /api/apps/:appId/policy | Save policy data |
| GET | /api/apps/:appId/policy-versions | List policy version snapshots |
| GET | /api/apps/:appId/policy-versions/:versionId | Get a policy version |

Get policy data

GET /api/apps/:appId/policy

Returns the current privacy policy wizard data for the app.

Response

{
  "app-info": {
    "app_name": "My Weather App",
    "developer_name": "Weather Co",
    "email": "privacy@weather.co"
  },
  "data-collection": {
    "collects_data": "yes",
    "data_types": ["location", "usage-data"],
    "purposes": ["app-functionality", "analytics"]
  },
  "third-party": {
    "shares_data": ["analytics"],
    "third_party_list": "Google Analytics"
  },
  "data-retention": {
    "retains_data": "yes",
    "retention_period": "12 months"
  },
  "children-tracking": {
    "children_or_tracking": "no",
    "collects_from_children": [],
    "uses_tracking": []
  },
  "_seenSections": {
    "app-info": true,
    "data-collection": true
  }
}

Returns 404 NOT_FOUND if the wizard has not been started.


Save policy data

PUT /api/apps/:appId/policy

Saves the privacy policy wizard data. The API applies server-side sanitization and cross-field validation, returning any warnings.

Request body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| data | object | Yes | Section-keyed policy data |

Full example

cURL

curl -X PUT https://api.orbitkit.io/api/apps/-NtestApp123/policy \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "app-info": {
        "app_name": "My Weather App",
        "developer_name": "Weather Co",
        "email": "privacy@weather.co"
      },
      "data-collection": {
        "collects_data": "yes",
        "data_types": ["location"],
        "purposes": ["app-functionality"]
      }
    }
  }'

Swift

let policyData: [String: Any] = [
    "data": [
        "app-info": [
            "app_name": "My Weather App",
            "developer_name": "Weather Co",
            "email": "privacy@weather.co"
        ],
        "data-collection": [
            "collects_data": "yes",
            "data_types": ["location"],
            "purposes": ["app-functionality"]
        ]
    ]
]

var request = URLRequest(url: URL(string: "https://api.orbitkit.io/api/apps/\(appId)/policy")!)
request.httpMethod = "PUT"
request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")
request.setValue("application/json", forHTTPHeaderField: "Content-Type")
request.httpBody = try JSONSerialization.data(withJSONObject: policyData)

let (data, _) = try await URLSession.shared.data(for: request)

JavaScript

const res = await fetch(`https://api.orbitkit.io/api/apps/${appId}/policy`, {
  method: "PUT",
  headers: {
    Authorization: `Bearer ${token}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    data: {
      "app-info": { app_name: "My Weather App", developer_name: "Weather Co" },
      "data-collection": { collects_data: "yes", data_types: ["location"], purposes: ["app-functionality"] },
    },
  }),
});
const { warnings } = await res.json();

Response

{
  "warnings": []
}

Warnings are advisory — the data is always saved regardless of warnings. Example warning:

{
  "warnings": [
    "At least one purpose is required when data collection types are selected."
  ]
}

Policy sections

| Section key | Fields |
| --- | --- |
| app-info | app_name, developer_name, email |
| data-collection | collects_data, data_types[], purposes[] |
| third-party | shares_data[], third_party_list |
| data-retention | retains_data, retention_period |
| children-tracking | children_or_tracking, collects_from_children[], uses_tracking[] |
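
Because warnings are advisory and the data is saved regardless, a client or CI job can check the request body against the section table above before sending it, and treat any returned warning as a failure. The following is an added example, not OrbitKit code: the function names are hypothetical, the string/array value types are inferred from the sample payloads on this page, and only the one cross-field rule shown in the example warning is covered (the server's full rule set is not documented here).

```javascript
// Added example: local pre-flight check for a PUT /api/apps/:appId/policy body.
// Section and field names come from the "Policy sections" table ([] means array).
// Value types are an assumption inferred from the sample payloads on this page.
const SECTIONS = {
  "app-info": { app_name: "string", developer_name: "string", email: "string" },
  "data-collection": { collects_data: "string", data_types: "array", purposes: "array" },
  "third-party": { shares_data: "array", third_party_list: "string" },
  "data-retention": { retains_data: "string", retention_period: "string" },
  "children-tracking": { children_or_tracking: "string", collects_from_children: "array", uses_tracking: "array" },
};

const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

function checkPolicyPayload(body) {
  const problems = [];
  const data = body && body.data;
  if (!isObj(data)) return ["data: required object is missing"];
  for (const [section, fields] of Object.entries(data)) {
    if (section === "_seenSections") continue; // wizard state seen in GET responses
    const schema = SECTIONS[section];
    if (!schema) { problems.push(`${section}: unknown section`); continue; }
    if (!isObj(fields)) { problems.push(`${section}: expected object`); continue; }
    for (const [name, value] of Object.entries(fields)) {
      const kind = schema[name];
      const ok = kind === "array" ? Array.isArray(value) : typeof value === "string";
      if (!kind) problems.push(`${section}.${name}: unknown field`);
      else if (!ok) problems.push(`${section}.${name}: expected ${kind}`);
    }
  }
  // The one cross-field rule this page documents (see the example warning).
  const dc = isObj(data["data-collection"]) ? data["data-collection"] : {};
  const nonEmpty = (v) => Array.isArray(v) && v.length > 0;
  if (nonEmpty(dc.data_types) && !nonEmpty(dc.purposes)) {
    problems.push("data-collection.purposes: required when data_types are selected");
  }
  return problems;
}

// The server saves even when it warns, so the caller decides whether to fail.
function shouldFailBuild(localProblems, responseBody) {
  const warnings = Array.isArray(responseBody && responseBody.warnings) ? responseBody.warnings : [];
  return localProblems.length > 0 || warnings.length > 0;
}
```

Run `checkPolicyPayload` before the PUT and pass the parsed response to `shouldFailBuild` afterwards, so a policy that the server accepted with warnings does not reach a deploy unnoticed.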

List policy version snapshots

GET /api/apps/:appId/policy-versions

Returns lightweight metadata for policy snapshots, newest first (max 20). Snapshots are created automatically on each deploy.

Response

[
  {
    "id": "-NabcVersionKey123",
    "snapshotAt": 1712345678000,
    "trigger": "deploy",
    "appName": "My Weather App"
  }
]

Get a policy version

GET /api/apps/:appId/policy-versions/:versionId

Returns the full policy data snapshot for a specific version.

Response

{
  "snapshotAt": 1712345678000,
  "trigger": "deploy",
  "appName": "My Weather App",
  "policyData": {
    "app-info": { "app_name": "My Weather App" },
    "data-collection": { "collects_data": "yes", "data_types": ["location"] }
  }
}

Errors

| Code | Status | When |
| --- | --- | --- |
| VALIDATION_FAILED | 400 | Invalid version ID format |
| NOT_FOUND | 404 | Version not found |