The web side of shipping an iOS app, mapped.
Not a feed — a problem-first hub. Find the track that matches where you're stuck: first submission, App Review, privacy manifest, Universal Links, or choosing a tool.
Ship your first app
You built the app. Apple also wants a pile of web URLs nobody told you about — here's the whole non-code path.
Shipping your first app after WWDC: the web requirements Xcode never mentions
Every June, WWDC produces a wave of finished first apps that stall at submission — not on code, but on the web URLs Apple requires. Here's the whole non-code checklist.
You finished your app in the WWDC afterglow — the App Store web checklist before you hit Submit
A copy-paste pre-submission checklist for the web URLs App Store Connect requires, with the exact field each maps to and a 60-second way to verify each one.
From Swift Student Challenge to the App Store: the non-code part nobody teaches
You built something great for the Swift Student Challenge. Turning it into a public App Store app means a developer account and a set of web URLs no tutorial covered — here they are.
Every URL and file Apple requires for iOS and macOS App Store submission
Privacy policy URL, support URL, AASA, account deletion, privacy manifest — every page and file App Review verifies for iOS, iPadOS, macOS, tvOS, visionOS, and CarPlay apps.
Pass App Store Review
Privacy-policy, support, and data-use rejections — what Review actually checks and how to satisfy it the first time.
App Store Guideline 5.1.1 explained: every sub-section, every common rejection
Section 5.1.1 of the App Store Review Guidelines covers privacy policies, permissions, data minimization, account deletion, and six more rules. A complete walkthrough.
iOS privacy policy generator: what to use and why most options fail App Review
Most generic privacy policy generators fail App Review because they miss 5 specific sections Apple cross-checks. What an iOS, iPadOS, macOS, tvOS, or visionOS app actually needs.
Does a no-data-collection app still need a privacy policy? (Yes — here's why)
Your iOS app collects zero data. Do you still need a privacy policy URL for the App Store? Yes, always. Why, what it must say, and the SDK trap that voids 'no data'.
iOS privacy nutrition labels: what each of Apple's 14 data categories actually means
A category-by-category guide to Apple's App Privacy Details. What counts as 'Identifiers' vs 'Usage Data', when an analytics SDK becomes 'Diagnostics' vs 'Other Data', and the SDK-specific gotchas that get nutrition labels wrong.
The 'We noticed your app collects data' App Review email, decoded
App Review emailed you about data collection or your privacy questionnaire. What that email actually means, what they want back, and how to respond so it doesn't recur.
Guideline 5.1.2 — Data Use and Sharing rejection: why, and the fix
App Review rejected your app under Guideline 5.1.2. What 'Data Use and Sharing' actually prohibits, the common triggers, and how to get the resubmission approved.
Designing your iOS account deletion flow for App Store Guideline 5.1.1(v)
What Apple actually requires for account deletion since June 2022 — the in-app path, the public URL, the Sign in with Apple revoke step, and the subscription cancel chain that catches every team off guard.
Creating a compliant App Store support URL for your iOS app
What App Review actually checks when it visits your Support URL — and why the most common rejections come down to four fixable issues. Plus a structure that passes review on the first try.
Mac App Store vs iOS App Store: the web-requirement differences
The web URLs and files Apple requires are mostly identical for Mac and iOS App Store apps — but four differences trip up developers shipping to both.
visionOS App Store submission: what's different from iOS
Submitting a visionOS app to the App Store: which web requirements carry over from iOS unchanged, which differ, and the privacy specifics for spatial apps.
Privacy manifest & ITMS errors
PrivacyInfo.xcprivacy and the ITMS-9xxxx codes that block your upload before Review even sees it.
Resolving ITMS-91053: a complete guide to PrivacyInfo.xcprivacy for iOS
App Store Review rejected your build with ITMS-91053? Here's the systematic walkthrough — what the error actually means, how to find which Required Reason APIs your binary uses, and the exact xcprivacy declarations that resolve it.
The complete Required Reason API reference for PrivacyInfo.xcprivacy
Every Required Reason API category Apple gates, the approved reason codes for each, and what each code means. The reference for resolving ITMS-91053.
ITMS-91061: Missing privacy manifest for a third-party SDK — the fix
App Store Connect flagged ITMS-91061 for a third-party SDK. What the error means, how to find which dependency is missing its privacy manifest, and the two ways to resolve it.
ITMS-90683: Missing purpose string in Info.plist — the fix
App Store Connect rejected your build with ITMS-90683. Here's exactly which Info.plist key is missing, why, and the precise usage-description string that resolves it.
ITMS-90078: Missing Push Notification Entitlement — the fix
App Store Connect rejected your build with ITMS-90078. Why it happens even when you didn't add push on purpose, and the exact entitlement + capability fix.
Universal Links, App Clips & well-known files
The AASA and .well-known plumbing behind Universal Links, App Clips, Passkeys, Apple Pay, and Sign in with Apple.
How to generate and host an apple-app-site-association file (the right way)
A complete guide to creating, hosting, and serving an AASA file for Universal Links, App Clips, Passkeys, and Handoff — including the gotchas that silently break iOS deep linking.
Universal Links on iOS without running a web server
You don't need to run nginx or Cloudflare to ship Universal Links on your iOS app. Three serverless-friendly options — and the gotcha that catches every shortcut.
Set up Universal Links AASA hosting without nginx (or any web server)
iOS Universal Links don't actually need nginx, Apache, or any traditional web server. Five real alternatives for hosting the AASA file — and the gotcha each one hides.
Universal Links not working? A debugging checklist for iOS
When Universal Links silently open Safari instead of your app, the cause is almost always one of these ten gotchas. A systematic checklist to find which one is biting you.
App Clips invocation URLs and the AASA appclips key
App Clips need an apple-app-site-association file with an appclips key plus configured invocation URLs. How the AASA appclips section works and the common mistakes.
Apple Pay on the web: merchant domain verification step-by-step
Apple Pay on the web requires a domain-association file at /.well-known/apple-developer-merchantid-domain-association. Where it comes from and how to host it correctly.
Sign in with Apple domain association: the .well-known file setup
Using Sign in with Apple on the web needs a verification file at /.well-known/apple-developer-domain-association.txt. Where it comes from, how to host it, and the gotchas.
Smart App Banner: the meta tag, the gotchas, and when it silently fails
The Smart App Banner meta tag is one line, but it silently does nothing in five common situations. The correct tag, the parameters, and why yours isn't showing.
Choose a tool & automate it
Comparing the options — and wiring App Store compliance into your CI pipeline or AI agent.
Best privacy policy generators for mobile apps in 2026
A practical comparison of privacy policy generators for iOS and Android apps in 2026 — which are built for App Store submission vs. general web compliance, and how to choose.
Termly vs OrbitKit for iOS apps: which actually passes App Review?
Termly is a website legal-compliance platform; OrbitKit is built for Apple App Store submission. A structural comparison for iOS, iPadOS, and macOS developers.
TermsFeed vs OrbitKit: which for App Store submission?
TermsFeed sells generated legal documents; OrbitKit hosts the full set of web files Apple's App Review requires. A structural comparison for app developers.
iubenda alternative for iOS and macOS developers
iubenda is a web legal-compliance suite. If you specifically need the App Store's web requirements — privacy policy, support, deletion, AASA — here's the Apple-native alternative.
The OrbitKit CLI: App Store web compliance from your terminal and CI
Generate, configure, and deploy your privacy policy, AASA file, support page, and more from the command line — scriptable for CI/CD. The OrbitKit CLI reference.
The OrbitKit MCP server: manage App Store web compliance from an AI agent
OrbitKit hosts a Model Context Protocol server so Claude, Cursor, and other MCP clients can generate and deploy your privacy policy, AASA, and more. How it works.
Browse all 35 guides — or filter by topic
What WWDC 26 could change for iOS app web requirements
Pattern-based predictions for what WWDC 26 (June 8, 2026) is likely to add to the App Store compliance list — privacy manifest, AASA, App Store Connect URLs — based on Apple's last four conferences.
Preparing your PrivacyInfo.xcprivacy for iOS 27
An evergreen pre-WWDC checklist for iOS 27 privacy manifest readiness — auditing existing reason codes, vendoring third-party SDK manifests, and the process you'll need in place to ship a new required-reason category within a week of Apple announcing it.
The 'We noticed your app collects data' App Review email, decoded
App Review emailed you about data collection or your privacy questionnaire. What that email actually means, what they want back, and how to respond so it doesn't recur.
visionOS App Store submission: what's different from iOS
Submitting a visionOS app to the App Store: which web requirements carry over from iOS unchanged, which differ, and the privacy specifics for spatial apps.
Set up Universal Links AASA hosting without nginx (or any web server)
iOS Universal Links don't actually need nginx, Apache, or any traditional web server. Five real alternatives for hosting the AASA file — and the gotcha each one hides.
TermsFeed vs OrbitKit: which for App Store submission?
TermsFeed sells generated legal documents; OrbitKit hosts the full set of web files Apple's App Review requires. A structural comparison for app developers.
Termly vs OrbitKit for iOS apps: which actually passes App Review?
Termly is a website legal-compliance platform; OrbitKit is built for Apple App Store submission. A structural comparison for iOS, iPadOS, and macOS developers.
From Swift Student Challenge to the App Store: the non-code part nobody teaches
You built something great for the Swift Student Challenge. Turning it into a public App Store app means a developer account and a set of web URLs no tutorial covered — here they are.
Smart App Banner: the meta tag, the gotchas, and when it silently fails
The Smart App Banner meta tag is one line, but it silently does nothing in five common situations. The correct tag, the parameters, and why yours isn't showing.
Sign in with Apple domain association: the .well-known file setup
Using Sign in with Apple on the web needs a verification file at /.well-known/apple-developer-domain-association.txt. Where it comes from, how to host it, and the gotchas.
Shipping your first app after WWDC: the web requirements Xcode never mentions
Every June, WWDC produces a wave of finished first apps that stall at submission — not on code, but on the web URLs Apple requires. Here's the whole non-code checklist.
The complete Required Reason API reference for PrivacyInfo.xcprivacy
Every Required Reason API category Apple gates, the approved reason codes for each, and what each code means. The reference for resolving ITMS-91053.
The OrbitKit MCP server: manage App Store web compliance from an AI agent
OrbitKit hosts a Model Context Protocol server so Claude, Cursor, and other MCP clients can generate and deploy your privacy policy, AASA, and more. How it works.
The OrbitKit CLI: App Store web compliance from your terminal and CI
Generate, configure, and deploy your privacy policy, AASA file, support page, and more from the command line — scriptable for CI/CD. The OrbitKit CLI reference.
Mac App Store vs iOS App Store: the web-requirement differences
The web URLs and files Apple requires are mostly identical for Mac and iOS App Store apps — but four differences trip up developers shipping to both.
iubenda alternative for iOS and macOS developers
iubenda is a web legal-compliance suite. If you specifically need the App Store's web requirements — privacy policy, support, deletion, AASA — here's the Apple-native alternative.
ITMS-91061: Missing privacy manifest for a third-party SDK — the fix
App Store Connect flagged ITMS-91061 for a third-party SDK. What the error means, how to find which dependency is missing its privacy manifest, and the two ways to resolve it.
ITMS-90683: Missing purpose string in Info.plist — the fix
App Store Connect rejected your build with ITMS-90683. Here's exactly which Info.plist key is missing, why, and the precise usage-description string that resolves it.
ITMS-90078: Missing Push Notification Entitlement — the fix
App Store Connect rejected your build with ITMS-90078. Why it happens even when you didn't add push on purpose, and the exact entitlement + capability fix.
iOS privacy policy generator: what to use and why most options fail App Review
Most generic privacy policy generators fail App Review because they miss 5 specific sections Apple cross-checks. What an iOS, iPadOS, macOS, tvOS, or visionOS app actually needs.
Does a no-data-collection app still need a privacy policy? (Yes — here's why)
Your iOS app collects zero data. Do you still need a privacy policy URL for the App Store? Yes, always. Why, what it must say, and the SDK trap that voids 'no data'.
Best privacy policy generators for mobile apps in 2026
A practical comparison of privacy policy generators for iOS and Android apps in 2026 — which are built for App Store submission vs. general web compliance, and how to choose.
Apple Pay on the web: merchant domain verification step-by-step
Apple Pay on the web requires a domain-association file at /.well-known/apple-developer-merchantid-domain-association. Where it comes from and how to host it correctly.
You finished your app in the WWDC afterglow — the App Store web checklist before you hit Submit
A copy-paste pre-submission checklist for the web URLs App Store Connect requires, with the exact field each maps to and a 60-second way to verify each one.
Every URL and file Apple requires for iOS and macOS App Store submission
Privacy policy URL, support URL, AASA, account deletion, privacy manifest — every page and file App Review verifies for iOS, iPadOS, macOS, tvOS, visionOS, and CarPlay apps.
Guideline 5.1.2 — Data Use and Sharing rejection: why, and the fix
App Review rejected your app under Guideline 5.1.2. What 'Data Use and Sharing' actually prohibits, the common triggers, and how to get the resubmission approved.
App Store Guideline 5.1.1 explained: every sub-section, every common rejection
Section 5.1.1 of the App Store Review Guidelines covers privacy policies, permissions, data minimization, account deletion, and six more rules. A complete walkthrough.
App Clips invocation URLs and the AASA appclips key
App Clips need an apple-app-site-association file with an appclips key plus configured invocation URLs. How the AASA appclips section works and the common mistakes.
Resolving ITMS-91053: a complete guide to PrivacyInfo.xcprivacy for iOS
App Store Review rejected your build with ITMS-91053? Here's the systematic walkthrough — what the error actually means, how to find which Required Reason APIs your binary uses, and the exact xcprivacy declarations that resolve it.
iOS privacy nutrition labels: what each of Apple's 14 data categories actually means
A category-by-category guide to Apple's App Privacy Details. What counts as 'Identifiers' vs 'Usage Data', when an analytics SDK becomes 'Diagnostics' vs 'Other Data', and the SDK-specific gotchas that get nutrition labels wrong.
Creating a compliant App Store support URL for your iOS app
What App Review actually checks when it visits your Support URL — and why the most common rejections come down to four fixable issues. Plus a structure that passes review on the first try.
Designing your iOS account deletion flow for App Store Guideline 5.1.1(v)
What Apple actually requires for account deletion since June 2022 — the in-app path, the public URL, the Sign in with Apple revoke step, and the subscription cancel chain that catches every team off guard.
Universal Links on iOS without running a web server
You don't need to run nginx or Cloudflare to ship Universal Links on your iOS app. Three serverless-friendly options — and the gotcha that catches every shortcut.
Universal Links not working? A debugging checklist for iOS
When Universal Links silently open Safari instead of your app, the cause is almost always one of these ten gotchas. A systematic checklist to find which one is biting you.
How to generate and host an apple-app-site-association file (the right way)
A complete guide to creating, hosting, and serving an AASA file for Universal Links, App Clips, Passkeys, and Handoff — including the gotchas that silently break iOS deep linking.
No guides in this topic yet.