App Store Compliance
Does a no-data-collection app still need a privacy policy? (Yes — here's why)
Your iOS app collects zero data. Do you still need a privacy policy URL for the App Store? Yes, always. Why, what it must say, and the SDK trap that voids 'no data'.
You built a calculator. Or an offline flashlight, a single-player game, a unit converter. It collects nothing, talks to no server, has no accounts. You’re about to submit and you hit the Privacy Policy URL field in App Store Connect and wonder: do I actually need one?
Yes. Every app on the App Store needs a privacy policy URL — no exceptions for “we don’t collect data.” This is why, what a no-data policy must say, and the trap that turns “we collect nothing” into a rejection.
For the full requirement list, see every URL and file Apple requires for an iOS App Store submission.
The rule, plainly
Apple’s App Store Connect App Information reference lists Privacy Policy URL as required for every iOS and macOS app. There is no “skip if no data collected” path. The field is mandatory; you cannot submit without a valid, reachable URL in it.
This surprises people because intuitively “no data = nothing to disclose.” But Apple’s position is that the user deserves a statement confirming that — “this app does not collect any data” is itself information the policy must convey. Absence of collection is a privacy practice that has to be stated, not assumed.
What a no-data-collection privacy policy must contain
It can be short, but it must:
- Identify the developer — your name or legal entity, and a contact email that actually works.
- State plainly that the app collects no personal data — and ideally why (e.g., “the app runs entirely on-device and makes no network requests”).
- Match your App Privacy questionnaire — if you answer “Data Not Collected” in App Store Connect, the policy must say the same. A policy that contradicts the questionnaire gets flagged.
- Cover account deletion only if you have accounts — a true no-data app has no accounts, so 5.1.1(v) doesn’t apply. Don’t add deletion language you don’t need.
- Be hosted at a public URL that stays live for the lifetime of the app.
A compliant no-data policy can be a few short paragraphs. It does not need GDPR/CCPA boilerplate if you genuinely collect nothing — over-lawyering a calculator’s policy is unnecessary.
The trap: “no data” is rarely actually true
This is where most “no data collection” submissions go wrong. A bundled SDK can collect data even if your own code doesn’t. Common culprits in apps developers think are data-free:
- Crash reporting (Crashlytics, Sentry, Bugsnag) — collects device identifiers and diagnostics. Not “no data.”
- Analytics you added “just to see installs” — collects usage data and identifiers.
- An ad SDK in a free app — collects identifiers, often for tracking.
- A networking/CDN SDK that phones home with device info.
- Apple’s own frameworks triggering Required Reason API declarations (that’s not “collection” but is a related disclosure — see the Required Reason API reference).
If any SDK collects anything, you are not a no-data app. You must declare what the SDK collects in both the privacy policy and the App Privacy questionnaire, or you’ll get the data-mismatch rejection email. Declaring “Data Not Collected” with a crash reporter present is one of the most reliable ways to get rejected.
Audit before you claim “no data”:
# List every third-party framework bundled in your archive
ls -1 "YourApp.xcarchive/Products/Applications/YourApp.app/Frameworks"
# Each one's privacy manifest declares what it collects:
find . -name "PrivacyInfo.xcprivacy" -path "*Frameworks*" -exec plutil -p {} \;
If that returns only your own bundle and nothing else, you’re genuinely a no-data app and a short honest policy is all you need.
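The audit above, taken one step further as an added example (not code from the original page or from OrbitKit): a Python script that parses every PrivacyInfo.xcprivacy in an app bundle and flags the manifests that contradict a “Data Not Collected” answer. Demo.app, CrashKit and Legacy are constructed sample names; the plist keys are Apple's privacy manifest keys.

```python
import plistlib
import tempfile
from pathlib import Path

def audit_bundle(app_dir):
    """Map each PrivacyInfo.xcprivacy under app_dir to what it declares.
    Required Reason API entries are reported separately: disclosure, not collection."""
    app_dir, report = Path(app_dir), {}
    for manifest in sorted(app_dir.rglob("PrivacyInfo.xcprivacy")):
        with manifest.open("rb") as fh:
            data = plistlib.load(fh)  # reads XML and binary plists
        report[manifest.relative_to(app_dir).as_posix()] = {
            "collected": sorted(t.get("NSPrivacyCollectedDataType", "?")
                                for t in data.get("NSPrivacyCollectedDataTypes", [])),
            "tracking": bool(data.get("NSPrivacyTracking", False)),
            "reason_apis": sorted(a.get("NSPrivacyAccessedAPIType", "?")
                                  for a in data.get("NSPrivacyAccessedAPITypes", [])),
        }
    return report

def contradicts_no_data(report):
    """Manifests whose declarations rule out a 'Data Not Collected' answer."""
    return sorted(p for p, f in report.items() if f["collected"] or f["tracking"])

def frameworks_without_manifest(app_dir):
    """Embedded frameworks with no manifest: unknown behaviour, not proof of no data."""
    return sorted(fw.name for fw in (Path(app_dir) / "Frameworks").glob("*.framework")
                  if not any(fw.rglob("PrivacyInfo.xcprivacy")))

def build_sample_app(root):
    """Constructed sample bundle; Demo.app, CrashKit and Legacy are made-up names."""
    app = Path(root) / "Demo.app"
    crash = app / "Frameworks" / "CrashKit.framework"
    crash.mkdir(parents=True)
    (app / "Frameworks" / "Legacy.framework").mkdir()
    own = {"NSPrivacyCollectedDataTypes": [], "NSPrivacyAccessedAPITypes": [
        {"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
         "NSPrivacyAccessedAPITypeReasons": ["CA92.1"]}]}
    sdk = {"NSPrivacyTracking": False, "NSPrivacyCollectedDataTypes": [
        {"NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeCrashData",
         "NSPrivacyCollectedDataTypeLinked": False, "NSPrivacyCollectedDataTypeTracking": False}]}
    (app / "PrivacyInfo.xcprivacy").write_bytes(plistlib.dumps(own))
    (crash / "PrivacyInfo.xcprivacy").write_bytes(plistlib.dumps(sdk))
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_bundle(build_sample_app(tmp))
        print("contradict 'Data Not Collected':", contradicts_no_data(report))
        print("no manifest:", frameworks_without_manifest(Path(tmp) / "Demo.app"))
```

Frameworks reported as having no manifest still need a manual check, and SDKs linked statically into the main binary never appear under Frameworks at all, so review the project's dependency list as well.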
Genuinely-no-data policy structure (the short version)
A real no-data app’s policy can be as simple as: who you are, the explicit statement that the app collects, stores, and transmits no personal data and runs entirely on-device, a contact email, and an effective date. That’s a compliant policy for a true offline single-purpose app — accuracy matters more than length.
How OrbitKit handles it
OrbitKit’s privacy policy generator has a no-data path: indicate the app collects nothing and it produces a short, honest, hosted policy that matches a “Data Not Collected” App Privacy answer — without bolting on GDPR clauses a calculator doesn’t need. If you later add an SDK, update one wizard answer and the policy and (paired) privacy manifest update together. $5/mo per app, hosted URL that stays live.