Publishing an App on the Apple Store: Legal Considerations

The first and most important thing to understand about the intricacies of listing an app is that it must comply with all legal requirements wherever you offer your services. Below are only recommendations from Apple itself, but the legal requirements must be complied with in the first place. In extreme cases, for example, if the app is found to promote human trafficking and/or child exploitation or to encourage or promote criminal or reckless behavior, the app will be removed from the site and the appropriate authorities will be notified.

What are Apple’s own legal requirements and guidelines for apps?

1. Privacy

The GDPR (General Data Protection Regulation) is very helpful when it comes to privacy requirements for your app. Contrary to popular belief that it only applies to the EU territory – it establishes the highest, but quite reasonable and most importantly, realistic requirements in the field of Privacy. Compliance with this document will allow you to add your application to the Apple Store with confidence.

Protecting user privacy is paramount in the Apple ecosystem, and you should be careful when handling personal data to make sure you comply with privacy best practices, applicable law, and the terms of the Apple Developer Program License Agreement, not to mention customer expectations. In particular:

1.1 Data Collection and Storage

All apps must include a link to their privacy policy in the App Store Connect metadata field and within the app in an easily accessible form. The privacy policy must clearly and explicitly:

  • Define what data, if any, the app/service collects, how it collects that data, and all uses of that data.
  • Confirm that any third party with whom the app shares user data – will provide the same or equal protection for user data as outlined in the app’s privacy policy and required by Apple management.
  • Explain the data retention/deletion policy and describe how the user can withdraw consent and/or request the deletion of user data.

And also conforms to basic principles in personal data protection such as:

  • User Consent.
  • Data minimization
  • Notification to the user
  • Possibility to personalize processed data

We would like to pay special attention to applications providing services in highly regulated areas such as banking and financial services, health care, gambling, legal cannabis use, air travel) or any other services that require users to provide “sensitive” information. Sensitive information means any information – the disclosure or loss of which could significantly affect the life of the data subject.

An important aspect here is that such services must be provided by a legal entity and not by an individual developer (a natural person).

1.2 Using and sharing data

Unless otherwise permitted by law, you may not use, transfer or share someone’s personal data without first obtaining their consent. You must provide access to information about how and where the data will be used. Data collected in the apps may only be shared with third parties to improve the app or to advertise (in accordance with the Apple Developer Program License Agreement). Explicit consent must be obtained from users using the App Tracking Transparency API to track user activity.

1.3 Health and Medical Surveys

Health, fitness, and medical data is particularly sensitive, so apps in this area have some additional rules to ensure that customer privacy is protected:

  • Apps may not use or disclose health data collected to third parties,
  • Apps must not record false or inaccurate data in HealthKit or any other medical research and health monitoring app (an example is any health tracking app in a smartwatch) and must not store personal health information in iCloud.
  • Apps conducting health-related research on humans must obtain consent from participants or, in the case of minors, their parents or guardians.
  • Apps conducting health-related research on humans must obtain approval from an independent ethics board. Proof of such approval must be provided upon request.

1.4 Children

Because of the special attention of regulators to this type of personal data due to the frequent inability of children (under 16 years of age the consent of a parent or guardian is required) to be careful with their personal data – it is extremely important to exercise caution when dealing with such data and in this context should be shown by studying local laws and major acts on data protection as CCPA and GDPR.

1.5 Geolocation

You should only collect this type of metadata when it is directly related to the features and services provided by the application. If your application uses location services, be sure to explain their purpose in your application.

2. intellectual property.

Once you’ve gone through the compliance of the primes, you can move on to the second equally important point – intellectual property rights.

For you personally as the developer of the application, you need to ensure that your application contains only the content that you have created or licensed yourself.

Different countries and regions have different intellectual property laws, but at least try to avoid the following common mistakes:

2.1 In general.

Do not use protected third-party material, such as trademarks, copyrighted works, or patented ideas, in your application without permission, and do not include misleading, false or imitative representations, names, or metadata in the application package or another developer’s name. Applications must be submitted by a person or entity that owns or has licensed intellectual property and other relevant rights.

2.2 Third Party Sites/Services

If your app uses, accesses, monetizes access to, or displays content from third-party services, make sure you have specific permission to do so in accordance with the terms of service.

2.3 Downloading audio/video

Applications must not facilitate illegal file sharing or provide the ability to save, convert or download media files from third-party sources (such as Apple Music, YouTube, SoundCloud, Vimeo, etc.) without the express permission of those sources.

3. Developer Code of Conduct

This section is more of a recommendation than a legal requirement, but failure to follow it can prevent you from operating on the platform.

Everything should be treated with respect. Whether it’s your responses to App Store reviews, customer service requests, or communications with Apple, including your responses to App Store Connect. Do not engage in harassment of any kind, discriminatory actions, intimidation, bullying, or encourage others to engage in any of the above. Repeated manipulative or deceptive behavior or other fraudulent activities will result in your expulsion from the Apple Developer Program.

Customer trust is the cornerstone of App Store success. Apps must not deceive or try to steal from users, trick them into making unwanted purchases, cause them to share unnecessary data, raise prices fraudulently, charge for features or content that are not provided, or engage in any other manipulative behavior inside or outside the app.

Your Developer Program account will be terminated if you engage in activities or behaviors that are not consistent with the Developer Code of Conduct.

3.1 App Store Customer Feedback

User feedback on the App Store can be an integral part of the App Store experience, so you should treat your users with respect by responding to their comments. Respond to user comments and do not include personal information, spam, or marketing in your response.

Use the API provided to invite users to leave feedback on your app; this functionality allows users to leave a rating and review on the App Store without having to leave your app.

3.2 Developer Identification

Providing accurate information to Apple and customers is critical to customer trust. Your representation of yourself, your business, and your offerings on the App Store must be accurate. The information you provide must be truthful, current, and up-to-date so that Apple and customers understand who they are working with and can contact you with any questions.

3.3 Fraud Detection

Participating in the App Store requires honesty and a commitment to building and maintaining customer trust. Manipulating any elements of the App Store user experience, such as charts, searches, reviews, or links to your app, undermines customer trust and is not allowed.

3.4 App Quality

Failure to maintain high quality can be a factor in deciding whether a developer complies with the Developer Code of Conduct. An app’s quality is also assessed through user feedback.

This concludes the basic legal requirements of the platform, but there are certain types of apps that Apple pays special attention to. You can find a list of them below.

4. Gaming apps, gambling, and lotteries

Managing gambling, games of chance and lotteries can be tricky, and they tend to be some of the most regulated types of apps in the App Store. A thorough legal analysis should be done in this case.

Some points to keep in mind:

4.1 Sweepstakes and contests must be sponsored by the app developer.

4.2 Official rules for sweepstakes, contests and raffles must be provided in the app and clearly state that Apple is not sponsoring or in any way involved in the event.

4.3 Apps must not use in-app purchases to purchase credits or currency for use in conjunction with any real money games.

4.4 Apps that offer real money gambling (e.g. sports betting, poker, casino games, horse racing) or lotteries must have the necessary licenses and permits in the locations where the app is used, must be geographically restricted in those locations, and must be free in the App Store.

5. VPN applications

Applications offering VPN services must use the NEVPNManager API and can only be offered by developers registered as legal entities. You must clearly specify which user data will be collected and how it will be used on the application screen before the user takes an action to purchase or otherwise use the service.

Applications that offer VPN services cannot sell, use or disclose to third parties any data for any purpose and must confirm it in their privacy policy. VPN applications must not violate local laws, and if you choose to make your VPN application available in a territory where a VPN license is required, you must provide information about the appropriate license. Parental control, content blocking, and security applications from approved providers may also use the NEVPNManager API.

6. Mobile device management applications

Mobile Device Management (MDM) applications must obtain prior approval from Apple to host such an application. Only commercial enterprises, educational institutions or government agencies and, in limited circumstances, companies that use MDM for parental control or device security services, may publish such apps.

Applications offering MDM services may not sell, use or disclose to third parties any data for any purpose and must acknowledge this in their privacy policy. In limited cases, third party analytics may be permitted, provided that these services collect or transmit data only about the performance of the developer’s MDM application and not any data about the user, the user’s device or other applications used on that device.


Listing an app, especially on a platform like the AppStore, is a laborious process that requires a lot of attention to detail, but it is easier than it might seem at first glance. The main thing to remember in this case is that all legal regulations must be complied with. In the case of Apple – their recommendations, though secondary compared to the laws, are still a very important aspect.

The main thing an application developer should keep in mind for the successful launch of the latter, in addition to the basic laws of his country, is the need to comply with the legislation on the protection of personal data and intellectual property rights. In the era of globalization and the rapid development of technology, these areas are becoming increasingly important, and the penalties for non-compliance with such regulations are growing.

An excellent initial step on this path can be Gap Analysis: search for gaps and detailed testing of your own product. As well as going through personal data compliance, in order to understand what personal data you are collecting, whether you can collect such data, and whether you can reduce the amount of data you collect. Along with the personal data policy comes the cookie policy, which will be an integral part of your application.


Mon-Fri 10:00-19:00


Konyskoho St. 55А, Kyiv, Ukraine, 04053


Mon-Fri 10:00-19:00


Harju maakond, Tallinn, Kesklinna linnaosa, Tuukri tn 19-315, 10152


Mon-Fri 10:00-19:00

United States

228 Park Ave S PMB 516920 New York, New York 10003-1502 US