Iubenda logo
Start generating

Documentation

Table of Contents

Privacy Policy for Your Android App

Want to learn more about how to add a privacy policy to your Android app? It can be a tricky task since there are quite a few requirements to follow! But, we’ve got you covered.

Google Play has made it a basic requirement to make certain privacy-related disclosures to users, in accordance with applicable law. These disclosures are typically made available to users via a privacy notice that is easily accessible from within the app.

👀 In this comprehensive guide we explain all the main legal privacy requirements for Android apps and how you can easily generate a privacy for your app. Let’s dive in!

Here’s what Google had to say in their Developer Policy Center’s User Data guidelines:

You must be transparent in how you handle user data (e.g., information provided by a user, collected about a user, and collected about a user’s use of the app or device), including by disclosing the collection, use, and sharing of the data, and you must limit use of the data to the description in the disclosure. If your app handles personal or sensitive user data, there are additional requirements described below. This policy establishes Google Play’s minimum privacy requirements; you or your app may need to comply with additional restrictions or procedures if required by an applicable law.

Now, Google Play only explicitly requires that a link to a privacy policy be visible on your app’s store listing page and within your app in cases where:

  • Your app handles personal or sensitive user data, as defined in the user data policies (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data).
  • Your app is in the “Designed for Families” program (regardless of access to sensitive permissions or data).

However, it is critical to note here that, platform requirements aside, under the vast majority of legislations, and particularly under the GDPR, privacy notices are legally required.

Generally, failure to adhere to these laws can result in hefty fines, sanctions, audits and/or leave you open to litigation.

Privacy Policy Requirements for an Android App

A lot of people ask for sample privacy policies for apps. The exact required contents of a privacy policy depends upon the law applicable to you and may even need to address requirements across geographical boundaries and legal jurisdictions.

For this reason, it’s always advisable that you approach your (legally mandated) privacy policy with the strictest applicable regulations in mind. You can read our in-depth Legal Overview Guide here.

💡 Not sure what privacy laws actually apply to you?

🚀 Do this free 1-min quiz to find out!

Let’s start with the legal minimum requirements.

These are the most basic elements that a privacy policy should have:

  • Who is the app owner?
  • What data is being collected? How is that data being collected?
  • What is the legal basis for the collection? (e.g consent, necessary for your service, legal obligation etc.) – This is more specifically related to the GDPR and EU Law, however, even if you fall outside of GDPR obligations, under most countries’ legislations, you’ll still need to say why you’re processing the personal data of users.
  • For which specific purposes are the data collected? Analytics? Email Marketing?
  • Which third parties will have access to the information? Will any third party collect data through widgets (e.g. social buttons) and integrations (e.g. Facebook Connect)?
  • What rights do users have? Can they request to see the data you have on them, can they request to rectify, erase or block their data? (under European regulations most of this is mandatory)
  • Description of process for notifying users and visitors of changes or updates to the privacy policy
  • Effective date of the privacy policy

Android App: Sensitive permissions

In addition to the above, you need to make sure that you disclose your use of any of the following “dangerous” permission groups.

These personal or sensitive user data mentioned earlier include:

  • calendar;
  • camera;
  • contacts;
  • location;
  • microphone;
  • phone;
  • sensors;
  • SMS;
  • storage.

What should I do?

You have two options:

  • remove all requests for user data or sensitive permissions (you will not need to add a privacy policy if you remove these requests); or
  • add a valid privacy policy in two places: your app’s Store listing page and within your app.

💡 More on How to Add Android and iOS Mobile Permissions for Device Data.

Android App: Prominent disclosures

If your app processes the personal data of users for reasons unrelated to the functionality of your app, you’re required to make additional, easily visible disclosures about this usage and collect user consent where required.

If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.

Your in-app disclosure:

  • Must be within the app itself, not only in the Play listing or a website;
  • Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
  • Must describe the type of data being collected;
  • Must explain how the data will be used;
  • Cannot only be placed in a privacy policy or terms of service; and
  • Cannot be included with other disclosures unrelated to personal or sensitive data collection.

Your app’s request for consent:

  • Must present the consent dialog in a clear and unambiguous way;
  • Must require affirmative user action (e.g. tap to accept, tick a check-box, a verbal command, etc.) in order to accept;
  • Must not begin personal or sensitive data collection prior to obtaining affirmative consent;
  • Must not consider navigation away from the disclosure (including tapping away or pressing the back or home button) as consent; and
  • Must not utilize auto-dismissing or expiring messages.

💡 It’s worth noting that it seems that Google considers any data collection activity that isn’t made obvious from your app page or from within your interface to be covered by this prominent disclosure policy.

👉 Therefore a separate user notice is required in addition to your privacy policy – which your notice should ultimately link – to for a full explanation of the data processed. Again, the data must not be processed until you have affirmative consent by your user.

👉 Furthermore, under regulations like the GDPR, you are legally required to obtain informed, explicit consent before processing any personal data of users specifically where it falls outside the what’s required for the functioning of your service.

What should I do?

With this in mind, you have 2 options when it comes to dealing with this kind of data processing. You can either:

  • remove this type of data collection; or
  • properly inform via in-app disclosures, link that notice to the respective privacy policy and collect valid consent.

🔍 If you fall within the scope of the GDPR, you’ll likely also need to maintain valid records of consent.

Privacy Policy Example for an Android App

privacy policy for android app

Here’s a full example of a privacy policy for an Android app, created with our Privacy and Cookie Policy Generator:

Google Play and Child Safety

Google has introduced a few policy updates in order to make the Play Store more child-friendly. If an app is likely to be used by kids, developers are subject to additional safety requirements which came into force on September 1, 2019.

1. Target Audience and App Content

Apps on Google Play are categorized, and policies applied, according to the following target audience groups: children, children and older users, older users. Google states that they will verify that the target audience selected is in fact correct.

All apps whose target audience is primarily children must follow Families policy and Designed for Families program requirements.

In short:

  • App content that is accessible to children must be appropriate for children.
  • Both new and existing apps are now subject to the target audience questionnaire. You must accurately answer the questions in the Google Play Console and ensure that those answers are correctly updated if you make any changes to your app.

💡 We have a great recap on app privacy requirements for kids. Read it here!

2. APIs, SDKs and Neutral Age Screen

Apps that solely target children must not contain any APIs or SDKs that are not approved for use in child-directed services.

Apps that target both children and older audiences should not implement APIs or SDKs that are not approved for use in child-directed services unless they are used behind a neutral age screen or implemented in a way that does not result in the collection of data from children.

“A neutral age screen is a mechanism to verify a user’s age in a way that doesn’t encourage them to falsify their age and gain access to areas of your app that aren’t designed for children, for example an age gate. An example of this would be a system that asks users to freely enter their month, day, and year of birth. An incorrect setup of a neutral age screen would be presetting the birth date to the required age (e.g., 13 years old) or indicating that a certain age is required to access areas of the app.”

3. Ads

In order to make sure that any ads served to children (or users of unknown age) are appropriate and compliant with Google’s policies, you must use Google Play certified ad networks.

4. Android Apps with unintentional appeal to children

Google also wants developers to ensure that their apps don’t inadvertently attract children (for example with youthful animations or young characters in the graphic assets) if their content is actually designed for adults. More info on how to display the “Not designed for children” label in the store listing can be found here.

🔍 Terms and Conditions for Mobile Apps

Terms and Conditions (also called ToS – Terms of Service, Terms of Use or EULA – End User License Agreement) set the way in which your product, service or content may be used, in a legally binding way.

In general, you’ll likely need to set Terms and Conditions if you have an app that participates in some form of commerce (whether selling to users directly or facilitating trading). Additionally, some specific instances where they might be needed are where you:

  • need to make legally required disclosures related to consumer rights (especially withdrawal and cancellation rights);
  • have different user levels (eg. registered vs non-registered);
  • your platform allows users to sell or trade with other users;
  • facilitate or otherwise process payments and/or other sensitive user data;
  • want to set the rules for user behavior and state grounds for termination of accounts;
  • participate in affiliate programs;
  • provide a software or service which can potentially cause harm if misused;
  • would like to have some legally enforceable control over, and set rules about, how your app may be used.

👋 Learn more on how to write Terms and Conditions for your app.

How to Add a Privacy Policy to your Android App

iubenda makes solving this issue easy: with hundreds of available clauses, our privacy policies contain all elements commonly required across many regions and services, while applying the strictest standards by default – giving you the option to fully customize as needed.

🚀 Our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal changes and third-party requirements.

The process is straightforward and intuitive, simply:

  1. click to add your services;
  2. fill out your web/app owner and contact details;
  3. embed.

💡 Click here to read the full guide on how to generate a Privacy Policy.

Here’s how you can use iubenda to create a privacy policy for your Android app:

1. Add your services

  • If you use Twitter or other auth (=OAuth) services for user management, then add the respective service by clicking “Add a service” then start typing the name of the service you’d like to add. Remember to include all services processing personal information. If you handle user registration yourself, don’t forget to add the “Direct Registration” service.
  • Select applicable services from the list and add the specific types of personal data you collect 👉 our lawyer-crafted clauses automatically include the relevant user-rights disclosures and service definitions based on your input here.
  • Add our service called “Device permissions for Personal Data access” if your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data: Add 'Device permissions for Personal Data access' service
  • If you’d like to add a custom service clause, simply click the “Create custom service” button and fill out the built-in form.

2. Fill out your app owner and contact details

Enter:

  • name and full address;
  • email address.

🎉 Congratulations! Your policy has been created. Simply check that all the details are correct, then embed.

3. Embed

As we said above, you have to include a link to your privacy policy within the app and in the Google Play Store app listing (and – potentially – on the marketing site you operate for it).

Within the App

For apps, the direct link or direct text embedding methods are best. If your app processes user data while offline, be sure to provide users with an in-app offline method of accessing the privacy policy in order to be legally compliant.

Whichever embed method you choose, remember that you’re required to choose a location that is easily accessible and visible to users.

Google Play Store Listing

When your app is ready, in addition to the app’s internal link, you’ll have to include a link to your privacy policy on the Google Play Store. Here’s how to meet this requirement:

  • Go to your Google Play Console
  • Select an app
  • Select Store presence > Store listing
  • Under “Privacy Policy”, enter the iubenda direct link (since we host your policy, you won’t get the “You are not allowed that domain for a privacy policy URL” error)
  • Save your changes
Privacy Policy URL on Google Play Console

This will make sure that you have your privacy policy linked under Additional information > Developer on the Google Play Store like so:

Instagram on the Google Play Store - Privacy Policy link
🔍 In short
  • Platform requirements aside, under the vast majority of legislations (and particularly under the GDPR) privacy notices are legally required.
  • If your app handles personal or sensitive user data, or is in the “Designed for Families” program, you need to add a valid privacy policy in two places: your app’s Store listing page and within your app.
  • If applicable, you have to disclose how you treat sensitive user and device data.
  • If your app processes personal data for reasons unrelated to its functionality, you must highlight – prior to the collection and transmission – how the user data will be used and collect user consent.
  • If your app is likely to be used by kids, you are subject to additional safety requirements.
  • With iubenda you can create a privacy policy (and a Terms and Conditions document) for your Android app.

Create a privacy policy for your Android app

Get started now

See also