Contract effective date: September 18, 2024. Runtime consent, request, security, audit, and deployment timestamps remain factual records.
App Store Platform Disclosure Policy
Purpose
This policy ensures that app-store submissions and in-app disclosures match actual product behavior for Apple App Store, Google Play, Samsung Galaxy Store, Amazon Appstore, Microsoft Store, Huawei AppGallery and enterprise distribution.
Mandatory disclosure reconciliation
Before every release, the release owner must reconcile:
- source code permissions and APIs;
- SDKs, libraries, plug-ins and pixels;
- server-side data collection;
- app-store forms and privacy labels;
- privacy policy and in-app privacy screens;
- account deletion and data deletion flows;
- AI provider data sharing;
- analytics, advertising and attribution data;
- crash/error/performance telemetry;
- children, health, biometric, location and financial data;
- retention and deletion claims.
Store-specific gates
- Apple: App Review Guidelines, App Privacy Details, privacy policy URL, in-app access, purpose strings, SDK privacy manifests and tracking consent where applicable.
- Google Play: User Data policy, Data Safety form, prominent disclosure and consent, restricted permissions declarations, AI-generated content reporting where applicable and account/data deletion flows.
- Samsung Galaxy Store: consent, data minimization, privacy URL, data safety information, kids category privacy URL and no excessive permissions.
- Amazon Appstore: privacy labels, privacy policy URL where user data is collected/transferred and content policy review.
- Microsoft Store: personal information policy review, crash/error data restrictions and annual audit obligations where applicable.
- Huawei AppGallery: in-app and AppGallery privacy policy links, consent withdrawal, personalized advertising disable option, minimization, secure transmission and recipient disclosures.
Release blockers
A release must not be submitted when platform labels differ from actual code behavior, when a privacy policy URL is broken, when a third-party SDK is undisclosed, when AI data sharing is omitted, or when a required user deletion/consent withdrawal flow is absent.