App Store Privacy Labels: What Every React Native Developer Needs to Know
Apple's App Store privacy nutrition labels — the "Data used to track you" and "Data linked to you" sections on every App Store listing — are often filled out inaccurately. Not because developers are dishonest, but because most developers fill them out based on their own code without auditing their third-party SDKs. Every SDK you include in your app brings its data practices into your label.
This guide walks through every category, what it means for React Native apps with common SDKs, and how to audit your app correctly.
The Privacy Label Categories Explained
Apple divides data collection into 14 categories:
Tracking data (requires ATT permission):
- Cross-app tracking uses IDFA, GAID, or any persistent identifier to link a user's behavior across apps you don't own.
Non-tracking data linked to identity (no ATT required, but must be disclosed):
| Category | What counts | Common SDK offenders |
|---|---|---|
| Contact Info | Name, email, phone, address | Firebase (Google Account) |
| Health & Fitness | Heart rate, steps, health data | Apple Health SDKs |
| Financial Info | Payment info, credit scores | Payment SDKs |
| Location | Precise or coarse GPS | Maps SDKs, analytics |
| Sensitive Info | Race, religion, sexual orientation | Survey/form SDKs |
| Contacts | Address book data | Social SDKs |
| User Content | Emails, messages, photos | Chat/upload SDKs |
| Browsing History | URLs browsed in a web view | In-app browser SDKs |
| Search History | Search terms | Search SDKs |
| Identifiers | Device ID, User ID, advertising ID | Most analytics SDKs |
| Usage Data | App interactions, crash data | Crash reporters, analytics |
| Diagnostics | Crash logs, performance data | Crash reporters |
What Common React Native SDKs Collect
Firebase Crashlytics
- Diagnostics — Crash logs ✓
- Identifiers — Firebase Installation ID (FID) — linked to user if you call setUserId()
- Usage Data — Device info (device model, OS version)
Apple treats Firebase Analytics and Crashlytics separately. If you only use Crashlytics, your label is simpler. If you use Firebase Analytics, it adds significant categories including Usage Data linked to identity.
Sentry
- Diagnostics — Crash logs ✓
- Identifiers — Session ID, optional User ID
- Usage Data — Session replay, if enabled. This is significant: video-style replay captures screen content, which must be disclosed as User Content.
BugsPulse
- Diagnostics — Crash logs ✓
- Usage Data — App interactions (taps, navigation) — not linked to user identity (random session ID)
- No identifiers linked to real user identity
The difference: BugsPulse's event-based replay avoids the User Content category because no screen content is captured. Video-based replay (Sentry, Instabug, FullStory) requires disclosing User Content.
How to Audit Your App Correctly
Step 1: List every SDK in your app. Check your package.json (the JavaScript packages), Podfile.lock (the native pods they pull in), and your Gradle dependencies. Don't miss transitive dependencies: a single React Native package can bring several native SDKs with it.
Step 2: For each SDK, find its privacy documentation. Most reputable SDKs publish an "App Store privacy details" or "Privacy manifest" page. Apple now requires privacy manifests (PrivacyInfo.xcprivacy) from third-party SDKs — check if yours have been updated.
Step 3: Use a network proxy to observe actual behavior. Run a proxy (Charles Proxy, Proxyman) against a debug build, with the proxy's root certificate trusted on the test device so TLS traffic is readable, and watch all outbound connections. Document what data each SDK sends.
Step 4: Fill out the label based on observed behavior, not vendor claims. If a vendor says their SDK is "privacy-safe" but you observe it sending device IDFA in network traffic, the network traffic is ground truth.
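As an added example (not code from the original post), the script below reads a HAR file of the kind Charles Proxy and Proxyman export, flags request fields in query strings, headers and JSON bodies that carry identifiers, and then reports any identifier value that more than one host received, since a value shared between vendors is exactly what the "linked" and "tracking" columns have to disclose. The HAR, hostnames, identifier values and the list of field names are all constructed for this example.

```python
"""Scan a proxy capture (HAR export from Charles Proxy or Proxyman) for the
identifiers your SDKs actually send. Added example; SAMPLE_HAR is constructed."""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Field names SDKs commonly use for identifiers (constructed list, not exhaustive).
ID_KEYS = {"idfa", "idfv", "gaid", "advertisingid", "advertising_id",
           "device_id", "deviceid", "user_id", "userid", "uid", "email"}
# IDFA/IDFV/installation-ID style values are UUIDs; an all-zero IDFA means ATT was denied.
UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
ZERO_UUID = "00000000-0000-0000-0000-000000000000"

IDFV = "11111111-2222-3333-4444-555555555555"   # constructed value
IDFA = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # constructed value

def _entry(method, url, body=None, headers=()):
    """Build a minimal HAR request entry (only the fields the scanner reads)."""
    req = {"method": method, "url": url,
           "headers": [{"name": k, "value": v} for k, v in headers]}
    if body is not None:
        req["postData"] = {"mimeType": "application/json", "text": json.dumps(body)}
    return {"request": req}

# Constructed capture: a crash reporter, an ad network, an analytics SDK and your own API.
SAMPLE_HAR = {"log": {"entries": [
    _entry("POST", "https://crash.sdk-vendor.example/v1/report",
           {"idfv": IDFV, "user_id": "u-42", "device": {"model": "iPhone15,2"},
            "crash": {"type": "EXC_BAD_ACCESS"}}),
    _entry("GET", f"https://track.ad-network.example/event?idfa={IDFA}&ev=app_open"),
    _entry("POST", "https://collect.analytics-vendor.example/batch",
           {"events": [{"name": "screen_view", "device_id": IDFA}]}),
    _entry("GET", f"https://track.ad-network.example/event?idfa={ZERO_UUID}&ev=app_open"),
    _entry("GET", "https://api.yourbackend.example/v1/feed",
           headers=[("Authorization", "Bearer t0k3n")]),
]}}

def _flatten(obj, prefix=""):
    """Yield (dotted.key, value) pairs from nested JSON; list items keep the parent key."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for v in obj:
            yield from _flatten(v, prefix)
    else:
        yield prefix.rstrip("."), str(obj)

def _fields(entry):
    """Yield (location, key, value) for query parameters, headers and body fields."""
    req = entry["request"]
    for k, v in parse_qsl(urlsplit(req["url"]).query):
        yield "query", k, v
    for h in req.get("headers", []):
        yield "header", h["name"], h["value"]
    post = req.get("postData", {})
    text = post.get("text", "")
    if "json" in post.get("mimeType", ""):
        try:
            parsed = json.loads(text)
        except ValueError:
            parsed = None
        if parsed is not None:
            for k, v in _flatten(parsed):
                yield "body", k, v
            return
    if text:
        yield "body", "", text

def scan_har(har):
    """Return (by_host, id_hosts): suspicious fields per host, and each identifier
    value mapped to the set of hosts that received it."""
    by_host = defaultdict(lambda: defaultdict(set))
    id_hosts = defaultdict(set)
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        for loc, key, val in _fields(entry):
            values = {m.lower() for m in UUID_RE.findall(val)}
            if key.rsplit(".", 1)[-1].lower() in ID_KEYS:
                values.add(val.lower())   # the field name alone is evidence the SDK sends an ID
            if values:
                by_host[host][f"{loc}:{key}"].add(val)
                for v in values - {ZERO_UUID}:   # a zeroed IDFA identifies nobody
                    id_hosts[v].add(host)
    return by_host, id_hosts

def shared_identifiers(id_hosts):
    """Identifiers that more than one host received: these let vendors correlate
    the same user, which the 'linked' and 'tracking' columns must disclose."""
    return {v: hosts for v, hosts in id_hosts.items() if len(hosts) > 1}

if __name__ == "__main__":
    by_host, id_hosts = scan_har(SAMPLE_HAR)
    for host, fields in sorted(by_host.items()):
        for field, vals in sorted(fields.items()):
            print(f"{host}  {field} = {sorted(vals)}")
    for v, hosts in shared_identifiers(id_hosts).items():
        print(f"shared identifier {v} seen at {sorted(hosts)}")
```

To use it on a real capture, replace SAMPLE_HAR with `json.load(open("capture.har"))`; the report then gives you, per host, the fields to write down in Step 3 and the cross-host identifiers that decide the "linked" answer in Step 4.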
Common Label Mistakes
Underreporting SDK data collection. Developers fill out labels based on their own code and forget Firebase, Mixpanel, or advertising SDKs that collect additional data categories.
Marking device ID as "not linked to identity." If your crash reporter uses a persistent device ID and you also call setUserId() anywhere in your app, that device ID becomes linked to identity.
Forgetting web views. If your app has a web view that loads pages with tracking pixels or analytics scripts, that data collection must be disclosed even though it's happening in the web view.
Not updating the label when adding new SDKs. Every time you add a new third-party SDK, re-audit the label.
Apple's Privacy Manifests (Required Since Spring 2024)
Apple now requires third-party SDKs that access certain APIs (User Defaults, File timestamp, System boot time, Disk space, Active keyboard list) to include a PrivacyInfo.xcprivacy manifest. If you're using older SDK versions that predate this requirement, you may receive App Store submission warnings.
Update all SDKs to versions that include the manifest. Check each SDK's release notes for "PrivacyInfo" or "privacy manifest" mentions.
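To tie Step 2 of the audit to the manifest requirement, here is an added example (not the post's code and not any vendor's) that finds every PrivacyInfo.xcprivacy under a Pods directory, merges the declared data types into the linked/tracking/purpose rows that App Store Connect asks for, applies the post's rule that calling setUserId() makes a persistent device ID linked to identity, lists the required-reason API declarations, and flags installed pods that ship no manifest at all. The pods CrashKit, AdsKit and MapsKit, their manifests and the Podfile.lock excerpt are constructed; the manifest key names are Apple's.

```python
"""Merge the PrivacyInfo.xcprivacy manifests shipped by an app's pods into the
rows App Store Connect asks for, and flag pods with no manifest at all.
Added example; the pods, manifests and Podfile.lock excerpt are constructed."""
import plistlib
import re
import tempfile
from pathlib import Path

DEVICE_ID = "NSPrivacyCollectedDataTypeDeviceID"
CRASH_DATA = "NSPrivacyCollectedDataTypeCrashData"
BOOT_TIME = "NSPrivacyAccessedAPICategorySystemBootTime"

def _dt(kind, linked, tracking, *purposes):
    """One NSPrivacyCollectedDataTypes entry, using Apple's manifest keys."""
    return {"NSPrivacyCollectedDataType": kind,
            "NSPrivacyCollectedDataTypeLinked": linked,
            "NSPrivacyCollectedDataTypeTracking": tracking,
            "NSPrivacyCollectedDataTypePurposes": list(purposes)}

# Constructed manifests for two hypothetical pods; not any vendor's real declaration.
MANIFESTS_BY_POD = {
    "CrashKit": {
        "NSPrivacyTracking": False,
        "NSPrivacyCollectedDataTypes": [
            _dt(CRASH_DATA, False, False, "NSPrivacyCollectedDataTypePurposeAppFunctionality"),
            _dt(DEVICE_ID, False, False, "NSPrivacyCollectedDataTypePurposeAnalytics")],
        "NSPrivacyAccessedAPITypes": [
            {"NSPrivacyAccessedAPIType": BOOT_TIME, "NSPrivacyAccessedAPITypeReasons": ["35F9.1"]}]},
    "AdsKit": {
        "NSPrivacyTracking": True,
        "NSPrivacyCollectedDataTypes": [
            _dt(DEVICE_ID, True, True, "NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising")]},
}

# Constructed Podfile.lock excerpt: MapsKit is installed but ships no manifest.
PODFILE_LOCK = """PODS:
  - AdsKit (3.1.0)
  - CrashKit (2.0.1):
    - CrashKit/Core (= 2.0.1)
  - CrashKit/Core (2.0.1)
  - MapsKit (5.4.0)

DEPENDENCIES:
  - AdsKit
"""

def write_fixture(root):
    """Write the constructed manifests as real plist files under root/Pods/<pod>/."""
    for pod, manifest in MANIFESTS_BY_POD.items():
        path = Path(root, "Pods", pod, "PrivacyInfo.xcprivacy")
        path.parent.mkdir(parents=True, exist_ok=True)
        with open(path, "wb") as f:
            plistlib.dump(manifest, f)
    return root

def load_manifests(root):
    """Every PrivacyInfo.xcprivacy below root, keyed by the directory (pod) that ships it."""
    found = {}
    for path in Path(root).rglob("PrivacyInfo.xcprivacy"):
        with open(path, "rb") as f:
            found[path.parent.name] = plistlib.load(f)
    return found

def installed_pods(podfile_lock):
    """Top-level pod names from the PODS: section; subspecs collapse onto their root pod."""
    section = podfile_lock.split("DEPENDENCIES:")[0]
    return {m.group(1) for m in re.finditer(r"^  - ([^/ (]+)", section, re.M)}

def collect_label(manifests, sets_user_id=False):
    """One row per declared data type: linked/tracking are true if any pod says so,
    purposes and sources are unioned, because the label must reflect the strictest case."""
    rows = {}
    for pod, manifest in manifests.items():
        for d in manifest.get("NSPrivacyCollectedDataTypes", []):
            row = rows.setdefault(d["NSPrivacyCollectedDataType"], {
                "linked": False, "tracking": False, "purposes": set(), "sources": set()})
            row["linked"] = row["linked"] or bool(d.get("NSPrivacyCollectedDataTypeLinked"))
            row["tracking"] = row["tracking"] or bool(d.get("NSPrivacyCollectedDataTypeTracking"))
            row["purposes"].update(d.get("NSPrivacyCollectedDataTypePurposes", []))
            row["sources"].add(pod)
    # The post's rule: a persistent device ID plus your own setUserId() call makes that
    # device ID linked to identity, whatever the SDK's manifest declares on its own.
    if sets_user_id and DEVICE_ID in rows:
        rows[DEVICE_ID]["linked"] = True
    return rows

def required_reason_apis(manifests):
    """{API category: {pod: reason codes}} for the APIs Apple requires a declared reason for."""
    apis = {}
    for pod, manifest in manifests.items():
        for a in manifest.get("NSPrivacyAccessedAPITypes", []):
            apis.setdefault(a["NSPrivacyAccessedAPIType"], {})[pod] = a.get(
                "NSPrivacyAccessedAPITypeReasons", [])
    return apis

def demo(sets_user_id=False):
    """Round-trip the fixture through real plist files, then audit what was read back."""
    manifests = load_manifests(write_fixture(tempfile.mkdtemp()))
    return {"manifests": manifests,
            "label": collect_label(manifests, sets_user_id),
            "missing": installed_pods(PODFILE_LOCK) - set(manifests),
            "apis": required_reason_apis(manifests)}

if __name__ == "__main__":
    print(demo())
```

Against a real project, point `load_manifests` at `ios/Pods` (and `node_modules`, since some React Native packages vendor their native SDK there) and pass the real Podfile.lock to `installed_pods`; a pod in the "missing" set needs a version bump or a manual entry in your label, and the merged rows answer the "collected", "linked" and "tracking" questions in App Store Connect directly.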
Submitting the Label
In App Store Connect, go to your app → App Privacy → Data Types. For each category you collect, you'll specify:
1. Whether it's collected
2. Whether it's linked to the user's identity
3. Whether it's used for tracking
4. What purpose it serves
Be accurate. Apple has rejected apps for inaccurate privacy labels, and inaccurate labels can violate consumer protection laws in some jurisdictions.