App Rejected for Data Collection: Disclosure and Compliance Guide
Data collection disclosures have become one of the most technically challenging compliance areas. Your app might collect data through third-party SDKs you did not even realize were tracking users. Here is how to audit your data practices and get your disclosures right.
Why Data Collection Rejections Happen
Both Apple and Google now require detailed disclosure of all data your app collects, including data collected by third-party SDKs. The most common mistake: developers accurately disclose their own data collection but forget about analytics SDKs, ad networks, crash reporters, and social login frameworks that also collect data. Apple and Google's automated systems can detect SDK data collection and flag mismatches.
Auditing Your Data Collection
To get this right, audit every dependency in your app: check all third-party SDKs (Firebase, Amplitude, Facebook SDK, AdMob, etc.) for their data collection practices, review your own API calls for data sent to your servers, check for device identifiers being collected (IDFA, Android Advertising ID), and verify location, contacts, photos, and other sensitive data access matches your disclosures.
Getting Disclosures Right
Apple's Privacy Nutrition Labels and Google's Data Safety Section both require you to declare: data types collected, purposes for collection, whether data is linked to user identity, whether data is shared with third parties, and whether data is used for tracking. NoReject AI scans your binary to detect SDK usage and compares it against your declared disclosures.
Frequently Asked Questions
Do I need to disclose data collected by third-party SDKs?
Yes. Both Apple and Google require you to disclose all data collection, including data collected by third-party SDKs integrated into your app. You are responsible for your dependencies.
How do I find out what data my SDKs collect?
Check each SDK's privacy documentation. Apple also requires SDKs to provide privacy manifests. NoReject AI can scan your binary to detect known SDKs and their typical data collection patterns.
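One way to automate the dependency audit described under "Auditing Your Data Collection" is to read the privacy manifests mentioned above and compare them with what you declared. The sketch below is an added example, not NoReject AI's scanner or code from Apple: it walks a built app bundle for `PrivacyInfo.xcprivacy` files and reports every collected data type, linkage, tracking use, or purpose that a manifest states but your label does not. The bundle layout, the `ExampleAds.framework` SDK, and the `declared` mapping (your own transcription of the store label) are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

P = "NSPrivacyCollectedDataType"  # common prefix of the manifest keys and values used here

def collected_types(path):
    """Map each data type in one manifest to (linked, tracking, purposes)."""
    with open(path, "rb") as fh:
        entries = plistlib.load(fh).get(P + "s", [])
    return {e[P]: (bool(e.get(P + "Linked")), bool(e.get(P + "Tracking")),
                   set(e.get(P + "Purposes", []))) for e in entries}

def audit(bundle_root, declared):
    """List (source, data_type, problem) where a manifest exceeds the declared label."""
    findings = []
    for path in sorted(Path(bundle_root).rglob("PrivacyInfo.xcprivacy")):
        source = path.parent.name  # the .app or .framework directory holding the manifest
        for dtype, (linked, tracking, purposes) in sorted(collected_types(path).items()):
            if dtype not in declared:
                findings.append((source, dtype, "not declared"))
                continue
            d_linked, d_tracking, d_purposes = declared[dtype]
            if linked and not d_linked:
                findings.append((source, dtype, "declared as not linked"))
            if tracking and not d_tracking:
                findings.append((source, dtype, "declared as not tracking"))
            if purposes - d_purposes:
                findings.append((source, dtype, "undeclared purpose"))
    return findings

def write_manifest(directory, entries):
    """Write a constructed manifest; entries are (type, linked, tracking, purposes)."""
    directory.mkdir(parents=True, exist_ok=True)
    body = {P + "s": [{P: P + t, P + "Linked": ln, P + "Tracking": tr,
                       P + "Purposes": [P + "Purpose" + p for p in ps]}
                      for t, ln, tr, ps in entries]}
    with open(directory / "PrivacyInfo.xcprivacy", "wb") as fh:
        plistlib.dump(body, fh)

def demo():
    """Audit a constructed bundle holding one hypothetical SDK against a constructed label."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Sample.app"
        write_manifest(app, [("CrashData", False, False, ["AppFunctionality"])])
        write_manifest(app / "Frameworks" / "ExampleAds.framework",
                       [("DeviceID", True, True, ["ThirdPartyAdvertising"]),
                        ("CrashData", False, False, ["Analytics"])])
        declared = {P + "CrashData": (False, False, {P + "PurposeAppFunctionality"})}
        return audit(app, declared)
```

Calling `demo()` returns two findings for the sample SDK: an undeclared device identifier and an analytics purpose missing from the crash-data declaration. A manifest is the SDK vendor's own statement, so an SDK that ships no manifest produces no findings here and still has to be checked against its documentation.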
What is the difference between collected and shared data?
Collected data is data your app or its SDKs gather from the device. Shared data is data sent to third parties. Both must be disclosed, but the distinction affects how you fill out Apple's privacy labels and Google's Data Safety section.