App Store Submission Skill

Triggers: app store, app store connect, privacy declaration, data tracking, app submission, iOS submission, app review

Context

This skill activates when working on App Store Connect submissions, particularly privacy declarations and data collection forms.

Key Learnings from Past Sessions

Privacy Declarations

1. AI Apps and Third-Party Content: If your app uses AI (like Claude/OpenAI), it DOES "contain, show, or access third-party content" since AI responses are generated by external services.

2. Data Tracking Definition: Tracking specifically refers to:

   • Linking user data with third-party data for targeted advertising
   • Sharing data with data brokers
   • Sharing IDs with ad networks for retargeting

   NOT tracking:

   • Data linked solely on the user's device
   • Data used for first-party analytics only
   • Fraud prevention or security purposes

3. Data Linking to Identity: Data is considered "linked to identity" unless you:

   • Strip direct identifiers before collection
   • Manipulate data to prevent re-linkage
   • Use aggregation techniques

Common Gotchas

1. UI Changes: App Store Connect's layout changes frequently. Don't assume sections exist based on documentation - verify against actual screenshots.

2. In-App Purchases Location: The In-App Purchases section may not appear on the main app page - it could be under different navigation paths depending on your app's configuration.

3. Data Collection Categories: Select ALL applicable data types your app collects. Common ones for apps with auth:

   • Name (if users have profiles)
   • Email Address (if used for login)
   • User ID (if you track logged-in users)
   • Crash Data (if using crash reporting)

Privacy Labels Workflow

1. First Question: Does your app collect data?

   • If app has ANY user accounts, analytics, or crash reporting: Yes

2. Data Types Selection: For each type, you'll answer:

   • Is it linked to user identity?
   • Is it used for tracking purposes?

3. For Apps with User Auth:

   • Name: Usually linked, not for tracking
   • Email: Linked if used for login, not tracking unless shared with ad networks
   • User ID: Linked by definition, not tracking unless shared externally

4. For Apps using AI:

   • User Content: May be collected (prompts/inputs)
   • Consider what you send to AI APIs

Best Practices

1. Be Conservative: When in doubt, disclose more rather than less
2. Document Decisions: Keep records of why you answered each question
3. Review Third-Party SDKs: Each SDK may collect additional data
4. Update Regularly: Review privacy labels when adding new features or SDKs

Example Answers for Common App Types

App with Firebase Auth + AI Features

• Collects data: Yes
• Email Address: Yes, linked to identity, not for tracking
• Name: Yes (if displayed), linked to identity, not for tracking
• User ID: Yes, linked to identity, not for tracking
• User Content: Yes (AI prompts), linked to identity, not for tracking
• Crash Data: Yes (if using Crashlytics), linked to identity, not for tracking
• Third-party content: Yes (AI responses)

App with Analytics Only

• Collects data: Yes
• Device ID: Yes, not linked (if using anonymized analytics)
• Usage Data: Yes, not linked, not for tracking
• Crash Data: Yes, not linked, not for tracking

References

• Apple Privacy Labels
• App Store Review Guidelines