App Store Compliance
You finished your app in the WWDC afterglow — the App Store web checklist before you hit Submit
A copy-paste pre-submission checklist for the web URLs App Store Connect requires, with the exact field each maps to and a 60-second way to verify each one.
The app builds. It runs on a device. You archived it, opened App Store Connect, and now you’re staring at fields that want URLs you don’t have yet. This is the pre-Submit checklist for that exact moment — each item names the App Store Connect field it fills, why Apple wants it, and a 60-second way to confirm it’s actually correct before you submit instead of after a rejection.
For the bigger picture of why submission stalls on the web and not the code, start at shipping your first app after WWDC. This is the tactical companion you run down line by line.
Before you open App Store Connect: one decision
Write down, honestly, everything your app collects — including anything an SDK you added does (analytics, crash reporting, ads). Every item below derives from this one list. If you skip it, you’ll pass some checks and fail the cross-checks. The data-collection rejection email is what that failure looks like.
The checklist
☐ 1. Privacy Policy URL
- Field: App Store Connect → App Information → Privacy Policy URL.
- Why: Required for every app per Apple’s App Information reference. No “collects nothing” exemption.
- 60-second verify: Open the URL in a private browser window on your phone. It must load over HTTPS, not 404, not redirect to a parked page, and actually describe your app’s data. A still-default template is a yellow flag — see iOS privacy policy generator.
☐ 2. App Privacy answers match the policy
- Field: App Store Connect → App Privacy (Apple’s questionnaire).
- Why: App Review compares your nutrition label, your policy, and your binary. They must agree.
- 60-second verify: For every data type you answered “collected,” confirm the privacy policy names it. For “Data Not Collected,” confirm you have zero SDKs that phone home. Mismatch = rejection.
☐ 3. Support URL
- Field: App Store Connect → App Information → Support URL (Guideline 1.5).
- Why: Reviewers need a real way to reach you; a bare mailto: link or an empty page gets bounced.
- 60-second verify: Load it on a phone-width screen. Contact method visible without scrolling, no horizontal scroll. What passes vs. fails: creating a compliant App Store support URL.
☐ 4. Account deletion — only if your app has accounts
- Field: In-app flow plus a supporting web page; referenced from your privacy/support content.
- Why: Guideline 5.1.1(v). Applies only if users can create an account. No accounts → skip it; don’t bolt on deletion language you don’t need.
- 60-second verify: Walk the in-app deletion path yourself end to end. Decision tree: the account deletion flow guide.
☐ 5. Privacy manifest in the bundle
- Field: PrivacyInfo.xcprivacy inside the app target (this one’s in Xcode, not App Store Connect).
- Why: Declares Required Reason API usage; must match items 1–2. Apple’s privacy manifest docs.
- 60-second verify: Confirm the declared data types are the same set as your App Privacy answers. Full reference: the Required Reason API complete reference.
☐ 6. AASA — only if you use Universal Links / App Clips / Passkeys
- Field: apple-app-site-association served at /.well-known/apple-app-site-association.
- Why: Universal Links / App Clips / Passkeys silently break without it. Most first apps don’t need it day one.
- 60-second verify: curl -sI https://yourdomain/.well-known/apple-app-site-association → 200, Content-Type: application/json, no redirect. Setup without a server: Universal Links / AASA without nginx.
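As an added example (written for this checklist, not code from the original page and not OrbitKit's), here is a small Python helper that runs the 60-second verifies for items 1, 3 and 6: HTTPS, a direct 200 with no redirect, and for the AASA file the JSON content type plus a sanity check of the sections Apple documents (applinks, webcredentials, appclips). The fetch is separated from the checks so the same functions can be run against constructed responses offline. The template-marker phrases and the contact-method heuristic are my own assumptions, not App Review's criteria.

```python
"""Pre-submit checks for the web URLs App Store Connect asks for.
Hypothetical helper, not OrbitKit code. Each check returns a list of
problem strings; an empty list means the 60-second verify passes."""
import json
import urllib.error
import urllib.request
from typing import Dict, List, Tuple
from urllib.parse import urlparse

AASA_PATH = "/.well-known/apple-app-site-association"
# Top-level AASA sections Apple documents, with the key each uses to list apps.
AASA_SECTIONS = {"applinks": "details", "webcredentials": "apps", "appclips": "apps"}
# Constructed heuristic: phrases that betray a generator template nobody edited.
TEMPLATE_MARKERS = ("lorem ipsum", "[app name]", "[company name]", "your app name here")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 301/302 surfaces as a finding."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str], bytes]:
    """Live GET (not HEAD: the body is needed to inspect the page or the JSON)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry status + headers
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read() or b""


def _common(url: str, status: int) -> List[str]:
    """Checks shared by every item: HTTPS, 200, served directly (no redirect)."""
    problems: List[str] = []
    if urlparse(url).scheme != "https":
        problems.append("not served over HTTPS")
    if 300 <= status < 400:
        problems.append(f"redirects ({status}) instead of serving the page directly")
    elif status != 200:
        problems.append(f"HTTP {status}, expected 200")
    return problems


def check_web_page(url: str, status: int, body: bytes, require_contact: bool = False) -> List[str]:
    """Items 1 and 3: privacy policy (require_contact=False) or support URL (True)."""
    problems = _common(url, status)
    text = body.decode("utf-8", "replace").lower()
    if not text.strip():
        problems.append("empty page")
    for marker in TEMPLATE_MARKERS:
        if marker in text:
            problems.append(f"looks like an unedited template (found {marker!r})")
    if require_contact and not any(m in text for m in ("mailto:", "tel:", "<form")):
        problems.append("no contact method (mailto:, tel: or a form) found on the page")
    return problems


def check_aasa(url: str, status: int, headers: Dict[str, str], body: bytes) -> List[str]:
    """Item 6: AASA at the well-known path, JSON content type, sane structure."""
    problems = _common(url, status)
    if urlparse(url).path != AASA_PATH:
        problems.append(f"path is not {AASA_PATH}")
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/json"):
        problems.append(f"Content-Type is '{ctype or 'missing'}', expected application/json")
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return problems + ["top level must be a JSON object"]
    present = [s for s in AASA_SECTIONS if s in doc]
    if not present:
        problems.append("none of applinks / webcredentials / appclips present")
    for section in present:
        key = AASA_SECTIONS[section]
        block = doc[section]
        entries = block.get(key) if isinstance(block, dict) else None
        if not isinstance(entries, list) or not entries:
            problems.append(f"{section}.{key} must be a non-empty list")
        elif section == "applinks":  # each detail must name the app (old or new key)
            for i, detail in enumerate(entries):
                if not isinstance(detail, dict) or not (detail.get("appID") or detail.get("appIDs")):
                    problems.append(f"applinks.details[{i}] names no appID/appIDs")
    return problems


def run_live(url: str, kind: str) -> List[str]:
    """Fetch a real URL and run the matching check; kind is policy, support or aasa."""
    status, headers, body = fetch(url)
    if kind == "aasa":
        return check_aasa(url, status, headers, body)
    return check_web_page(url, status, body, require_contact=(kind == "support"))


if __name__ == "__main__":
    import sys  # usage: python check_urls.py policy URL support URL aasa URL
    for kind, url in zip(sys.argv[1::2], sys.argv[2::2]):
        found = run_live(url, kind)
        print(f"{kind:8} {url}: {'OK' if not found else '; '.join(found)}")
```

Run it with pairs of kind and URL (policy, support, aasa) and fix anything it prints before you open the Submit button; the redirect handler is deliberately strict because a 301 to the same page still fails the "no redirect" line of item 6.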
The single failure mode behind most of these
Items 1, 2, and 5 are the same facts in three places. First-time rejections are almost always one of them drifting from the others — the policy says one thing, the nutrition label another, the manifest a third. Derive all three from the one list you wrote at the top and the cross-checks pass the first time. Apple’s submission overview covers the binary; this list is the web side.
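As an added example for item 5 and for the drift problem described above (written for this checklist, not code from the page or from OrbitKit), this Python helper treats the list you wrote at the top as the source of truth and reports every place that disagrees with it: the App Privacy answers, the NSPrivacyCollectedDataTypes entries in PrivacyInfo.xcprivacy, and the policy text. The manifest and policy embedded below are constructed samples, and the identifier-to-label mapping covers only the three data types the sample uses.

```python
"""Cross-check the one data-collection list against the three places it must
appear: App Privacy answers, PrivacyInfo.xcprivacy, and the privacy policy text.
Hypothetical helper written for this checklist, not OrbitKit code."""
import plistlib
from typing import List, Set

# Manifest identifiers for the data types the sample app might collect, with the
# plain-English label the questionnaire and policy text would use for each.
LABELS = {
    "NSPrivacyCollectedDataTypeEmailAddress": "email address",
    "NSPrivacyCollectedDataTypeCrashData": "crash data",
    "NSPrivacyCollectedDataTypeDeviceID": "device ID",
}

# Constructed PrivacyInfo.xcprivacy: the developer declared email but forgot
# that the crash-reporting SDK they added also sends crash data.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyCollectedDataTypes</key>
  <array>
    <dict>
      <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypeEmailAddress</string>
      <key>NSPrivacyCollectedDataTypeLinked</key><true/>
      <key>NSPrivacyCollectedDataTypeTracking</key><false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array><string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string></array>
    </dict>
  </array>
  <key>NSPrivacyAccessedAPITypes</key>
  <array/>
</dict>
</plist>
"""

# Constructed privacy policy text with the same omission as the manifest.
SAMPLE_POLICY = "We collect your email address to create your account. We do not sell data."


def manifest_collected_types(manifest: bytes) -> Set[str]:
    """Item 5: the NSPrivacyCollectedDataType identifiers the manifest declares."""
    doc = plistlib.loads(manifest)
    return {entry["NSPrivacyCollectedDataType"] for entry in doc.get("NSPrivacyCollectedDataTypes", [])}


def cross_check(truth: Set[str], app_privacy: Set[str], manifest: bytes, policy_text: str) -> List[str]:
    """Return every place that drifted from `truth`, the list written at the top."""
    problems: List[str] = []
    places = {
        "App Privacy answers": app_privacy,
        "PrivacyInfo.xcprivacy": manifest_collected_types(manifest),
    }
    for place, declared in places.items():
        for t in sorted(truth - declared):
            problems.append(f"{place} omits {LABELS.get(t, t)}")
        for t in sorted(declared - truth):
            problems.append(f"{place} declares {LABELS.get(t, t)}, which is not on your list")
    text = policy_text.lower()
    for t in sorted(truth):  # the policy must name every type you collect
        if LABELS.get(t, t).lower() not in text:
            problems.append(f"privacy policy never mentions {LABELS.get(t, t)}")
    if not truth and "not collect" not in text:
        problems.append("you collect nothing, but the policy does not say so")
    return problems


def run_demo() -> List[str]:
    """The one list: email for accounts, plus crash data from the added SDK."""
    truth = {"NSPrivacyCollectedDataTypeEmailAddress", "NSPrivacyCollectedDataTypeCrashData"}
    app_privacy = set(truth)  # questionnaire was answered from the list, so it agrees
    return cross_check(truth, app_privacy, SAMPLE_MANIFEST, SAMPLE_POLICY)


if __name__ == "__main__":
    for problem in run_demo():
        print("DRIFT:", problem)
```

Replace the three sample inputs with your real list, your real App Privacy answers and the manifest from your app target; if an SDK ships its own PrivacyInfo.xcprivacy, run its declarations through the same check, since that is exactly the "SDK you added" case the list at the top is meant to catch.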
How OrbitKit handles it
OrbitKit generates items 1, 3, 4, and 6 — hosted on your own domain with automatic SSL — and a PrivacyInfo.xcprivacy for item 5, all from one wizard pass, so the policy / nutrition label / manifest agree by construction instead of by careful manual reconciliation. The dashboard preview shows exactly what App Review will see before you submit. Your first app is free for 30 days (limited-time launch offer; card required, cancel anytime before it renews), then $5/mo per app. Start your free trial or see features.