Privacy Policy & Legal Requirements

Both Apple and Google require a privacy policy before your app can go live. Most indie builders skip this and get rejected. Here’s how to set it up in minutes.

Privacy Policy — Mandatory for all apps on both stores, even if your app collects no data. It describes what data your app collects and how it’s used.

Terms & Conditions — Recommended. Limits your liability and defines usage rules. Not strictly required by the stores, but protects you legally.

EULA (End User License Agreement) — Apple provides a standard EULA that’s automatically applied to all App Store apps. Select “Apple’s Standard EULA” in App Store Connect unless you have specific legal needs. You don’t need to write your own.

You don’t need a lawyer. Free tools generate compliant policies in minutes.

  1. Go to a privacy policy generator

    Pick one of these — they all produce store-ready output:

    • Termly (termly.io) — Recommended. Fast, App Store-ready.
    • PrivacyPolicies.com — Simple questionnaire-based generator.
    • Iubenda (iubenda.com) — Good for apps with international users (GDPR, CCPA).

  2. Answer questions about your app

    The generator asks what data you collect (if any), whether you use analytics, ads, authentication, or third-party services. Be accurate — a policy that doesn’t match your app’s actual behavior can get you rejected or into legal trouble.

  3. Review the generated policy

    Read through it. Make sure it accurately describes what your app does. If your app uses Firebase for authentication, the policy should mention Google/Firebase as a third-party service. If you use AdMob, it should mention advertising data collection.

  4. Export and host

    Most generators give you a hosted URL automatically. If not, see the hosting options below.

You need a public URL for your privacy policy. Options from easiest to most professional:

  • Generator hosting — Most tools (Termly, Iubenda) host the policy for you and give you a URL. Easiest option. Use this unless you have a reason not to.
  • Your own website — If you have a domain, create a /privacy-policy page.
  • Free hosting — Use Carrd, a Notion public page, or GitHub Pages to host a simple page with your policy text.
  • Google Docs — Publish a Google Doc as a web page (File → Share → Publish to web). Quick but looks less professional.

You need to provide your privacy policy URL in three places:

In App Store Connect, go to your app → App Information → Privacy Policy URL. Paste your URL there.

You also need to complete Apple’s App Privacy questionnaire in the same section. This generates the privacy “nutrition label” users see on your listing. Answer honestly based on what your app actually collects.

Inside your app: Both stores expect your privacy policy to be accessible from within the app itself. Ask Primio to add it:

“Add a Settings screen with a ‘Privacy Policy’ link that opens [your-url] in the browser when tapped, and a ‘Terms of Service’ link that opens [your-terms-url].”

Use the same generator tool — most bundle privacy policy and terms together. Host them at separate URLs or on the same page with clear sections.

Terms typically cover:

  • Acceptable use of the app
  • Limitations of liability
  • Intellectual property rights
  • Account termination conditions
  • Governing law and jurisdiction

Both stores now require you to declare what data your app collects, even if the answer is “none.” These declarations are separate from your privacy policy — they’re interactive forms you fill out in each store’s console. Getting them wrong can delay or block your submission.

Common data types to consider:

  • Authentication data — If you use Firebase Auth, Google Sign-In, or any login system, you collect email addresses and user identifiers.
  • Analytics data — If you use Firebase Analytics, Google Analytics, or similar, you collect usage data and device identifiers.
  • Advertising data — If you use AdMob, you collect advertising identifiers and may share data with ad networks.
  • User-generated content — If users create profiles, posts, or upload images, that’s personal data.
  • Device information — Most apps collect basic device info (OS version, device model) through their analytics or crash reporting tools.

If your app genuinely collects no data (no analytics, no auth, no ads), you can declare that. But most apps collect something, even if it’s just through Firebase.

The Data Safety form is in Google Play Console under Policy → App content → Data safety. It asks a series of questions about what data your app collects, whether it’s shared with third parties, and for what purpose. Here’s how to fill it out based on what your app uses.

  1. Does your app collect or share any of the required user data types?

    If your app uses any login system, analytics, or ads — the answer is Yes. Select “Yes” and proceed.

  2. Is all of the user data encrypted in transit?

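    Select Yes. Flutter apps use HTTPS by default, which encrypts all data in transit. This holds only when every endpoint your app calls, including third-party APIs, uses an https:// URL, so confirm that before you answer.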

  3. Do you provide a way for users to request that their data is deleted?

    If your app has user accounts, you should provide a delete account option. If your app has no accounts, select “No” — you can’t delete data you don’t store.

  4. Select the data types your app collects

    This is the most important step. Use the table below to determine what to select based on your Primio app’s integrations.

Data Safety declarations by integration:

| Integration | Data types to select | Collected or Shared? | Purpose |
|---|---|---|---|
| Firebase Auth | Email address, Name (if collected), User IDs | Collected | Account management |
| Firebase Analytics | App interactions, Device or other IDs | Collected | Analytics |
| AdMob | Device or other IDs, Ad data | Collected AND Shared | Advertising |
| Supabase (with auth) | Email address, User IDs | Collected | Account management |
| Supabase (with storage) | Files, Photos (if applicable) | Collected | App functionality |
| Crash reporting | Crash logs, Diagnostics | Collected | App functionality |
| No integrations | You can declare “No data collected” | | |

For each data type you select, Google asks follow-up questions:

  • Is this data collected, shared, or both? — “Collected” means your app gathers the data. “Shared” means it’s transferred to a third party (e.g., AdMob shares data with ad networks).
  • Is this data processed ephemerally? — Select “No” unless the data is only used in memory and never stored.
  • Is this data collection required or optional? — If the user can’t use the app without providing this data (e.g., email for login), it’s required.
  • Why is this data collected? — Select the matching purpose (e.g., “Account management” for auth data, “Analytics” for Firebase Analytics, “Advertising or marketing” for AdMob).

Apple’s privacy labels (the “nutrition label” on your App Store listing) are configured in App Store Connect → your app → App Privacy.

Apple asks whether your app collects data in several categories and whether that data is “linked to the user” or “used to track the user.” Here’s how to answer based on your integrations.

  1. Do you or your third-party partners collect data from this app?

    If you use any login, analytics, or ads — select Yes. If your app truly has no backend, no analytics, and no ads, you can select No and you’re done.

  2. Select the data categories your app collects

    Use the table below to determine which categories to select.

  3. For each category, answer the follow-up questions

    Apple asks how each data type is used and whether it’s linked to the user’s identity.

App Privacy declarations by integration:

| Integration | Data categories to select | Linked to user? | Used for tracking? |
|---|---|---|---|
| Firebase Auth | Contact Info (email), Identifiers (user ID) | Yes | No |
| Firebase Analytics | Usage Data (product interaction), Identifiers (device ID) | No (unless you link analytics to user accounts) | No (unless used with ads) |
| AdMob | Identifiers (device ID), Usage Data | No | Yes — this is the key one. AdMob tracks users across apps for ad targeting. |
| Supabase (with auth) | Contact Info (email), Identifiers (user ID) | Yes | No |
| User-generated content | User Content (photos, files, etc.) | Yes | No |

Understanding Apple’s three categories:

  • Data Used to Track You — Data used to link your app’s user data with third-party data for advertising purposes, or shared with a data broker. If you use AdMob, this applies.
  • Data Linked to You — Data connected to the user’s identity (their account, email, etc.). Login data falls here.
  • Data Not Linked to You — Anonymous data like aggregated analytics. Firebase Analytics data (without user ID linking) usually falls here.

Before submitting to either store, verify:

  • Privacy policy is hosted at a public, working URL
  • Privacy policy URL is entered in App Store Connect and/or Google Play Console
  • Privacy policy is accessible from within the app (Settings screen)
  • App Privacy questionnaire (Apple) or Data Safety form (Google) is completed
  • Policy accurately reflects your app’s data collection practices
  • Terms of Service URL is entered (if you have one)