7 – How to provide your iOS app’s privacy manifest

Context

At WWDC23, Apple introduced privacy manifests, a new tool to help developers identify the privacy practices of their app’s dependencies. A privacy manifest should include:

  • Required Reasons APIs. The use of APIs considered by Apple as “privacy APIs”.
  • Privacy Nutrition Labels. The privacy data used by your app.
  • Tracking Domains. Apple defines tracking as “the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes.”

Situm SDK uses some of these Privacy Nutrition Labels (privacy data) and Required Reason APIs but not Tracking Domains.

Starting on May 1st 2024 developers will need to declare approved reasons for using a set of APIs in their app’s Privacy Manifest. Before May 1st 2024 we will publish an SDK version that will already include this data in its privacy manifest. If you don’t plan to upgrade or if you don’t want to wait for this new release, you will have to add the following information in your app.

Situm SDK doesn’t use any of the privacy data for analytics purposes. However, if your app uses data provided by Situm for this purpose, you will have to add this information to your app’s privacy manifest. You can find detailed information about the privacy data used by Situm here.

Situm SDK doesn’t link data to the user. However, if within your app you associate our anonymized user ID with private user information, such as the user’s email or phone number, you will have to add this information to your app’s privacy manifest.

Information to include in your app Privacy Manifest

Required Reason APIs used by Situm SDK

As of April 25th, 2024, there appears to be a bug in App Store Connect that affects SDKs distributed as static frameworks that declare required reasons in privacy manifests. As a result of this bug, you may receive an email from Apple when you try to publish your app. In this email, Apple warns you that there are three issues with your app of the type ITMS-91053: Missing API declaration, for the three Required Reason APIs used by Situm. To solve this issue, add to your app’s privacy manifest the NSPrivacyAccessedAPITypes shown in Adding the Privacy Manifest info for Situm SDK.

Situm SDK uses some of the Required Reason APIs. You can find the list of the Required Reason APIs and the reasons you should provide here.

The APIs used by Situm and the reasons are the following:

| Required reason APIs | Reasons |
|---|---|
| File Timestamp APIs | C617.1 |
| System Boot Time APIs | 35F9.1 |
| User Default APIs | CA92.1 |

Privacy Nutrition Labels (privacy data) used by Situm SDK

Situm SDK requires some user data that is marked as private by Apple. You can find more information about privacy data and the reason to use it here.

The Privacy Nutrition Labels (privacy data) used by Situm and their purposes are shown in the following table as Situm Purposes. However, if your app uses Situm SDK for analytics purposes, you will have to include the following data types with analytics purposes in your app’s privacy manifest.

| Collected Data Type | Situm Purposes | App Optional Purposes |
|---|---|---|
| Precise Location | App Functionality | Analytics (e.g. if you use location-based heatmaps) |
| Device ID | App Functionality | Analytics (e.g. if you retrieve trajectories for each user) |
| Product Interaction | App Functionality | Analytics (e.g. if you retrieve MapViewer usage reports, such as knowing the most clicked POIs) |
| Search History | App Functionality | Analytics (e.g. if you retrieve MapViewer usage reports related to the most searched POIs) |
| Performance Data | App Functionality | None |
| Other diagnostic data | App Functionality | None |

How to compose your app’s Privacy Manifest to include Required Reasons APIs and Privacy Nutrition Labels

Apple provides a guide to adding your app’s privacy manifest file here. We replicated that guide by adding some images to facilitate its understanding.

  • Open your app with Xcode
  • Go to File>New>File
  • Go to Resource and choose App Privacy
  • Check your app in the target list
  • Click Create.
  • Add the proper info to the file as explained in the next section

Adding the Privacy Manifest info for Situm SDK

If you use Situm SDK, your Privacy Manifest should look like this. Note that you might need to include other info if required by your app or other libraries you use.

If you prefer to copy & paste the code of the Privacy Manifest, it should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>NSPrivacyCollectedDataTypes</key>
	<array>
		<dict>
			<key>NSPrivacyCollectedDataType</key>
			<string>NSPrivacyCollectedDataTypePreciseLocation</string>
			<key>NSPrivacyCollectedDataTypeLinked</key>
			<false/>
			<key>NSPrivacyCollectedDataTypeTracking</key>
			<false/>
			<key>NSPrivacyCollectedDataTypePurposes</key>
			<array>
				<string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyCollectedDataType</key>
			<string>NSPrivacyCollectedDataTypeDeviceID</string>
			<key>NSPrivacyCollectedDataTypeLinked</key>
			<false/>
			<key>NSPrivacyCollectedDataTypeTracking</key>
			<false/>
			<key>NSPrivacyCollectedDataTypePurposes</key>
			<array>
				<string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyCollectedDataType</key>
			<string>NSPrivacyCollectedDataTypeProductInteraction</string>
			<key>NSPrivacyCollectedDataTypeLinked</key>
			<false/>
			<key>NSPrivacyCollectedDataTypeTracking</key>
			<false/>
			<key>NSPrivacyCollectedDataTypePurposes</key>
			<array>
				<string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyCollectedDataType</key>
			<string>NSPrivacyCollectedDataTypeSearchHistory</string>
			<key>NSPrivacyCollectedDataTypeLinked</key>
			<false/>
			<key>NSPrivacyCollectedDataTypeTracking</key>
			<false/>
			<key>NSPrivacyCollectedDataTypePurposes</key>
			<array>
				<string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyCollectedDataType</key>
			<string>NSPrivacyCollectedDataTypePerformanceData</string>
			<key>NSPrivacyCollectedDataTypeLinked</key>
			<false/>
			<key>NSPrivacyCollectedDataTypeTracking</key>
			<false/>
			<key>NSPrivacyCollectedDataTypePurposes</key>
			<array>
				<string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyCollectedDataType</key>
			<string>NSPrivacyCollectedDataTypeOtherDiagnosticData</string>
			<key>NSPrivacyCollectedDataTypeLinked</key>
			<false/>
			<key>NSPrivacyCollectedDataTypeTracking</key>
			<false/>
			<key>NSPrivacyCollectedDataTypePurposes</key>
			<array>
				<string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
			</array>
		</dict>
	</array>
	<key>NSPrivacyAccessedAPITypes</key>
	<array>
		<dict>
			<key>NSPrivacyAccessedAPIType</key>
			<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
			<key>NSPrivacyAccessedAPITypeReasons</key>
			<array>
				<string>C617.1</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyAccessedAPIType</key>
			<string>NSPrivacyAccessedAPICategorySystemBootTime</string>
			<key>NSPrivacyAccessedAPITypeReasons</key>
			<array>
				<string>35F9.1</string>
			</array>
		</dict>
		<dict>
			<key>NSPrivacyAccessedAPIType</key>
			<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
			<key>NSPrivacyAccessedAPITypeReasons</key>
			<array>
				<string>CA92.1</string>
			</array>
		</dict>
	</array>
</dict>
</plist>
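
The following is an added example, not Situm's or Apple's code: a Python check, suitable for a CI step, that a privacy manifest (Apple's `PrivacyInfo.xcprivacy` file) declares the three Required Reason API categories and reason codes listed on this page, which is what ITMS-91053 reports as missing. The function name, the constructed sample manifest and the prefix heuristic for data type identifiers are assumptions made for this example.

```python
import plistlib

# Required Reason API categories and reason codes this page lists for Situm SDK.
SITUM_REQUIRED_REASONS = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": {"C617.1"},
    "NSPrivacyAccessedAPICategorySystemBootTime": {"35F9.1"},
    "NSPrivacyAccessedAPICategoryUserDefaults": {"CA92.1"},
}
# Heuristic (assumption): Apple-defined data type identifiers share this prefix.
DATA_TYPE_PREFIX = "NSPrivacyCollectedDataType"

def audit_manifest(plist_bytes):
    """Return a list of findings; an empty list means the manifest passes."""
    manifest = plistlib.loads(plist_bytes)
    findings, declared = [], {}
    # Merge reasons per category in case a category is declared more than once.
    for entry in manifest.get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType")
        declared.setdefault(category, set()).update(entry.get("NSPrivacyAccessedAPITypeReasons", []))
    for category, reasons in sorted(SITUM_REQUIRED_REASONS.items()):
        if category not in declared:
            findings.append(f"missing API declaration: {category}")
        elif not reasons <= declared[category]:
            missing = ", ".join(sorted(reasons - declared[category]))
            findings.append(f"{category}: missing reason {missing}")
    # A display name pasted in place of an identifier is easy to overlook.
    for entry in manifest.get("NSPrivacyCollectedDataTypes", []):
        data_type = entry.get("NSPrivacyCollectedDataType", "")
        if not data_type.startswith(DATA_TYPE_PREFIX):
            findings.append(f"data type lacks {DATA_TYPE_PREFIX} prefix: {data_type!r}")
        if not entry.get("NSPrivacyCollectedDataTypePurposes"):
            findings.append(f"{data_type}: no purposes declared")
    return findings

# Constructed sample: no UserDefaults entry, empty reasons, display-name data type.
SAMPLE_INCOMPLETE = plistlib.dumps({
    "NSPrivacyAccessedAPITypes": [
        {"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryFileTimestamp",
         "NSPrivacyAccessedAPITypeReasons": ["C617.1"]},
        {"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategorySystemBootTime",
         "NSPrivacyAccessedAPITypeReasons": []},
    ],
    "NSPrivacyCollectedDataTypes": [
        {"NSPrivacyCollectedDataType": "Precise Location",
         "NSPrivacyCollectedDataTypePurposes": ["NSPrivacyCollectedDataTypePurposeAppFunctionality"]},
    ],
})

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE_INCOMPLETE)))
```

To check a real manifest, pass the file's bytes to `audit_manifest` and fail the build when the returned list is not empty.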
