I am about to submit an app to the Apple AppStore built in Swift that uses Crashlytics to capture crash information. As users of Crashlytics know, some information about usage, duration, crashes, etc. is captured and stored on the Crashlytics servers. My application does not ask for, store or attempt to capture any user data.
My question is about the privacy policy for my application. Since I don't capture any user data, I want to state that in my privacy policy but I'm not sure that's factual since I am using Crashlytics. Any feedback on people that have used Crashlytics in their app and have an actual privacy policy?
Thanks
--Vinny
Quick answer: yes, you need that privacy policy. There are ways to get it done fast, too.
Longer answer:
Third parties (here Crashlytics)
When dealing with a third party service like this, often a quick look into their legal documents will help (for Crashlytics in this case as described in your question).
(...) At all times during the term of this Agreement, Developer shall
maintain a privacy policy (a) that is readily accessible to users from
its website or within its online service (as applicable), (b) that
fully and accurately discloses to its users what information is
collected about its users and (c) that states that such information is
disclosed to and processed by third party providers like Crashlytics
in the manner contemplated by the Services, including, without
limitation, disclosure of the use of technology to track users’
activity and otherwise collect information from users. (...)
And
Developer shall at all times comply with all applicable laws, rules
and regulations relating to data collection, privacy and security,
including, without limitation, the Children’s Online Privacy
Protection Act (“COPPA”). Crashlytics may, at its sole discretion from
time to time during the Term of this Agreement, audit Developer Data
to verify compliance.
Crashlytics is actually being unusually vocal about this topic.
The App Store
At the time of writing (and since iOS8) Apple requires privacy policies for 5 categories:
Kids Category, HomeKit, HealthKit, Apple Pay, and Keyboard Extentions. Also they require privacy policies for user registrations (more). I can't tell if any of the above for your app is true. Apple still says in their App Store Review Guidelines that you need to be compliant with all applicable laws. This brings us to the third and most important reason.
Privacy related regulations
All of the above is just there because of global privacy regulations, these companies would most likely not care otherwise. As soon as you work with User data you are mostly under an obligation to disclose these facts. It's personal data like names, addresses or the tracking of user behaviour. It's been written at length why analytics services need privacy policies. All of it is more important as soon as you share data and use third party services for it. Mostly the disclosure or some kind of consent is the condition for it's compliant usage.
If you are interested in reading more about the matter in the context of mobile apps I'd suggest any of these documents:
ICO UK
Ireland
USA/California
Canada
Australia
Hope this helps.
(For proper disclosure: I do some work for iubenda, a tool that helps creating privacy policies for apps and websites)
Vinny, I think it's not mandatory (I've seen apps using Crashlytics wihtout a privacy policy), but it's recommended to have transparency in the communications with your users.
Crashlytics already has a privacy policy so you can just use that policy and add a statement informing that you are not collecting any sensitive information from the user, such as email or phone number.
Related
Namastey!
I have completed my first android app. and i am about to upload it on play store.
But recently i came to know that google play store requires a privacy policy link while uploading application on the store.
I have so many doubts and questions regarding this
I don't know how to get or create new a privacy policy for my app?
I don't have a company of my own, so how can i write a privacy policy and is it legal to do so?
can anyone tell me how to deal with this situation. I really need some help right now.
Any help would be appreciated!
You don't need a Privacy Policy if you don't collect personal information from users through your Android app.
If you do collect personal information (directly or indirectly through a third party such as Google Analytics, AdMob, Mixpanel etc.), then Google Play Store requires you (and the law as well) to have a Privacy Policy in place.
Related to your questions:
Your Privacy Policy should be adapted based on what kind of personal information you collect from users. Do you collect email address, do you need camera access from users etc.?
WordPress.com open-sourced their legal agreements (Privacy Policy and Terms of Service) but keep in mind that legal agreements should be customized based on app, app functionality, and other factors.
This question is better answered by a lawyer but keep in mind that a Privacy Policy is the statement where you need to disclose what, how and why you collect personal information from users.
Depending on your country, it might be helpful to look into the following law acts on privacy of user data:
CalOPPA in the US
PIPEDA in Canada
DPA in the UK
IT Act 2000 in India
Privacy Act in Australia
Do I have to put a copy of Privacy Policy inside the app itself, or should i only put the url to it inside google play without even mentioning it inside my app.
Both as much as possible.
A public URL would most likely be required for that Privacy Policy field by Google Play Store if your app requests sensitive permissions.
If you don't add the URL and your app needs sensitive permissions, you'll receive a violation warning email from Google. Your app may be unlisted if you don't fix the violation.
Keep in mind that your business "must conspicuously link to a Privacy Policy".
That's a requirement from CalOPPA in the US, but most privacy regulations around the world have a similar requirement: PIPEDA in Canada, Privacy Act in Australia etc.
You have multiple options how to link to your Privacy Policy from within your app: About or Settings screen, Sign-up or Login screens, separate item in the menu etc.
In most cases the privacy policy is associated with the company that is publishing the app rather than the app. After all, that is the entity that people are trusting to implement the policy. So I think it is enough to have it on a company website and refer to this in Google Play. A key thing is that people should be able to search the web for the company name, or app and find the privacy policy. While not specifically about Android apps, the following link gives some guidance on this
Note that there are particular circumstances where user's need to be made aware of your approach to their data at the time they would be entering it. See Google's website
If your app collects and transmits personal or sensitive user data unrelated to functionality described prominently in the app’s listing on Google Play or in the app interface, then prior to the collection and transmission, it must prominently highlight how the user data will be used and have the user provide affirmative consent for such use.
You NEED your privacy policy on the Play Store page PLUS within the app
Since February 2017 Google enforces a strict privacy policy requirement on apps requesting sensitive permissions and user data policies.
Please check the following provided by Google to determine if either needs to have a policy or not:
For apps that request access to sensitive permissions or data (as defined in the user data policies: You must link to a privacy policy on your app's store listing page and within your app. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.
For apps in the Designed for Families program: You must link to a privacy policy on your app's store listing page and within your app, regardless of your app's access to sensitive permissions or data. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy.
For other apps: You're not required to post a privacy policy.
Once you've identified what your app needs, your privacy policy will need the following:
The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses and shares user data, including the types of parties with whom it's shared. Outline which sensitive permissions/user data you process and for what purpose:
Say you will access their microphone
Say what purpose that serves
And other user data you process (name, email, address, etc)
If you need more information you can go to iubenda - Privacy Policy for Android
I am having trouble here, this is my first app and there is so much involved, I did not think it was this hard, currently I am stuck on adding a link to my app's PRIVACY POLICY my app is very simple.
It does not share any data but I do use Google Analytics, one more thing is that I do not have a website, so supposedly I had the privacy policy link where would I put it apart from a site I own?
Thanks.
website hosting
checkout GitHub's GitHub Pages services. they host a simple static website for you for free! basic instructions:
create a public repository on GitHub named [username].github.io (replace "[username]")
commit an index.html file to the root of the repo.
you can see your site online at http://[username].github.io/.
privacy policy
basic privacy policy template here....it'll give you a template that you can simply copy and paste and modify to fit your needs. unlike most other places that are after your money and/or personal information!!! 😠😠😠
This is
a simple guide from google itself. you can host your site in google sites no need to host github sites
Simplest steps to resolve Google Play Console privacy policy link issue:
Create your own app privacy policy.
After created, hosted in any website hosting (In my case, I hosted in GitHub Pages) and copy the privacy policy url.
Pasted the privacy policy url in the Google Play Console Privacy Policy section.
Save and wait for review.
Done!
You might not need one. You could inform the user in-app that you're using Analytics. Otherwise, you can check out free sites like Google Sites to easily create a web-page with its own URL that you can link to.
My app doesn't share or collect any data, but I need to complete data safety form and part of it is a link to privacy policy.
Privacy Policies are very important legal agreements. Make absolutely sure you are not using any 3rd party solutions that might be tracking your users unwittingly. Adding analytics or user login to your app usually requires a more comprehensive privacy policy.
If your app really doesn't collect data remotely or use third party services that do, then that makes your privacy policy very simple. In that case, I suggest stating the following:
Your app doesn't track users
Your app doesn't collect data; or that data is stored securely on the user's device and stays private
Data is not shared with your company or any third parties without permission (since you might want to collect user feedback like bug reports with the user's explicit permission)
You can easily write your own privacy policy, but here's a minimal template for the bullet points above:
app_name_or_legal_entity's commitment to privacy is simple: We don't track you! We don't collect or transmit your data; instead, information you submit in our app is stored privately and securely on your device. Your information won't ever be shared with us or any third party without your explicit permission.
Keep in mind that this is subjective, but I suggest keeping it short and adding a section where you explain why your business doesn't collect user data. It could be as simple as stating something like "We believe privacy is a human right."
I had massive problems with my privacy policy getting rejected, no matter what I wrote in it. But in the end it turned out that there was nothing wrong with the actual contents of my policy, the problem was instead that I hosted it on my web page using a client-rendered Vue application. I guess that this prevented Google's system from properly crawling the URL that I supplied to them. When pasted the same privacy policy in a Google Docs and used the "Publish to Web" option in order to get a URL, it got approved right away.
A pity that the error message wasn't more clear on that.
There are many reasons why you'd want a privacy policy, one is the fact that you are using Google Analytics. Here is what the Google Analytics terms of use say under "7. Privacy":
You will have and abide by an appropriate Privacy Policy and will
comply with all applicable laws, policies, and regulations relating to
the collection of information from Visitors. You must post a Privacy
Policy and that Privacy Policy must provide notice of Your use of
cookies that are used to collect data. You must disclose the use of
Google Analytics, and how it collects and processes data. (...)
Sure, you can trick your way around the requirement, but that doesn't mean the problem goes away. You can find a lot of information around the web about how to write a privacy policy for apps and more, the advice I'd give depends on a lot of factors.
How to get your privacy policy done:
Proper disclosure to start this section: I work at iubenda where we create solutions for problems like yours, our software generates privacy policies based on user input.
I've posted about privacy policies for the Play Store on iubenda's company blog a while ago, this might help you out and give you the right ideas.
iubenda also helps with your problem of not having a site, the privacy policy is generated and hosted on our site, you can just copy-paste the link into the app and the app store.
You might be able to click the "Not submitting a privacy policy URL at this time" check box at the "Store Listing" page:
Screenshot from Google Play Store Store Listing page
But even if you don't collect personal data, you're still required by Google Analytics Terms of Service to have the Privacy Policy agreement:
Screenshot from Google Analytics Terms of Service
However, it's important to keep in mind that if you use third party tools like Google Analytics you may also be required by those parties to have the Privacy Policy.
But Google Play Store requires you to have the policy before the app is public. Here's a quote from the Google Play Developer Distribution Agreement:
You agree that if you use the Store to distribute Products, you will
protect the privacy and legal rights of users. If the users provide
you with, or your Product accesses or uses, user names, passwords, or
other login information or personal information, you must make the
users aware that the information will be available to your Product,
and you must provide a legally adequate privacy notice and protection
for those users.
There are many websites to make a privacy policy like this and this. You can create the privacy policy there and then copy the text. Then, you can host a file on GitHub and then set this text in the file
My recently uploaded version of an existing app on Google Play wasn't published since it didn't meet certain privacy policy criteria . Now, I've updated the privacy policy on my website; however how do I re-submit the app so that the new version goes live?
With millions of emails sent by Google warning developers you are definitely not alone. Before resubmitting, update your privacy policy correctly, you do want to make sure you submit it with the necessary changes.
You say you've updated your privacy policy on your site, however Google requires the privacy policy to be there compliant in the Google Play store as well. That's likely where you need to resubmit.
To add it to the Store Listing:
Log into your Google Play Developer Console
Next, select All Applications and select the application whose privacy policy you'd like to edit.
After that, select Store Listing.
Then, scroll to the section marked Privacy Policy and enter the URL where you have the privacy policy hosted online.
Lastly, be sure to click Save or update.
More information about how to write your privacy policy for the Play Store
The best way to comply is to have a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:
who you are (identity and contact details),
what precise categories of personal data the app wants to collect and process,
why the data processing is necessary (for what precise purposes),
whether data will be disclosed to third parties (not just a generic but a specific description to whom the data will be disclosed),
what rights users have, in terms of withdrawal of consent and deletion of data.
With that said, if you do decide to create your own policy, here are some tips:
Outline which dangerous/sensitive permissions you request
Outline any other user data you collect, for instance advertisement services!
Describe what purpose they serve and use them only for that purpose
Information about the site/app owner.
The kind of data being collected and how it is collected.
The purpose of the data collection (i.e. analytics, email marketing).
Any third parties that have access to the information and through which means (widgets and integrations).
The rights of users regarding their data (i.e. the ability to request to see the data, to rectify, erase, or block).
The process for notifying users and visitors regarding material changes to the privacy policy.
Effective date of the privacy policy.
(p.s I work on a tool called iubenda that helps with the generation of a privacy policy - link)
Before I add the Flurry library into my .APK, I'd like to know how are they able to provide a free analytic service?
They see all the data I ship back from my app. but how do they monetize that? What does an app developer give up or give away by using someone else's analytics SDK?
Peter
As with many/most "freemium" solutions, they are providing the analytics at the cost of data privacy. While they do clearly state that they don't want you sending PII, they are saying that they have the right to use the information you send, in return for the right to use the analytics solution.
Per their terms of service (TOS): http://www.flurry.com/about-us/legal/tos.html
Privacy and Information Collection
As a condition of your access to the Analytics Service, you agree that Flurry has the right, for any purpose, to retain, use, and publish in an aggregate manner, subject to the terms of its Privacy Policy located here (or such other URL that Flurry may provide from time to time), information collected in your use of the Analytics Service, including without limitation, User Data. Flurry will not disclose to any third parties any User Data collected by the Analytics Service from your applications in a manner that contains or reveals any personally identifiable information or is specifically attributable to you, your applications or your customers. You will not (and will not allow any third party to) use the Analytics Service to track or collect personally identifiable information of end users, nor will you (or will you allow any third party to) associate any data gathered from your application(s) with any personally identifying information from any source as part of your use (or such third parties' use) of the Analytics Service. You agree that you have and will abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from end users of your applications. You must post a privacy policy and that policy must provide notice of your use of a tracking pixel, agent or any other visitor identification technology that collects anonymous data about end users of your applications.
Also, on their legal page look at the disclosure section: http://www.flurry.com/about-us/legal/privacy.html
How We Disclose or Share Information with Others
Except as described in this policy, Flurry does not rent, sell, or share personally identifiable information collected on the Sites or through the Flurry Services with other people or nonaffiliated companies unless we have your consent, or under the following circumstances:
* with third party vendors, consultants and other service providers who work for us and need access to your information to do that work;
* to comply with laws or to respond to lawful requests and legal process;
* to protect the rights and property of Flurry our agents, customers, users, and others including to enforce our agreements, policies and terms of use;
* in an emergency to protect the personal safety of Flurry, its customers, or any person;
* in connection with or during negotiation of any merger, sale of company assets, financing or acquisition of all or a portion of our business to another company.
We may also share aggregated or anonymized information in a form that does not directly identify you or your End Users with any third parties.
For some organizations giving up rights to your data is acceptable in return for the ability to do analysis. If that is something that your company is not ok with you may want to research other analytic options available. Many traditional web analytics vendors and some non-free mobile analytic vendors (such as Localytics) provide more strict data privacy policies.