When you submit an app to Apple, your public App Store product page is part of what reviewers and users see. Two privacy elements live there: the privacy nutrition label ("App Privacy" — the data-collection summary you fill out in App Store Connect) and the privacy policy link Apple expects every app to carry. A missing or broken privacy policy reference is one of the most avoidable reasons a launch stalls in review under Apple App Review Guideline 5.1.2.
LaunchTrust passively inspects your own published App Store listing and reports whether a privacy-policy reference is present. It does not grade your app or claim approval — it surfaces a signal you can act on before you hit submit.
What LaunchTrust checks
This detector (appstore_listing) works in two steps, using only public Apple endpoints:
- It calls Apple's public iTunes Lookup API with your app's bundle ID to confirm the app exists on the App Store and to read its product-page URL.
- It fetches that public listing page (on
apps.apple.com) and looks, case-insensitively, for the phrase "privacy policy" in the page content.
The signal it returns:
- Detected — your App Store listing was found and a privacy-policy reference is present on the public product page. This is the signal you want (the detector's polarity is positive: presence is good).
- Not detected — the app was found and its public page was read, but no privacy-policy reference appeared. This is flagged at medium severity with a prompt to verify the privacy-policy URL in App Store Connect.
- Unable to determine — the scan could not reach a conclusion. This happens when there is no bundle ID on file, the iTunes lookup fails, no App Store app matches the bundle ID (it may be Android-only or unpublished), or the listing page could not be read. LaunchTrust deliberately returns "unable" rather than guessing, so you never see a false "not detected."
One important boundary: the privacy nutrition label itself (the structured App Privacy data-types card) is not exposed in the public Lookup API. So this check confirms a privacy-policy reference on your listing — a reasonable, machine-readable proxy that your privacy setup is wired up — rather than asserting that your nutrition label is complete or accurate. Treat a "detected" result as "the privacy plumbing is visible," not as a review of the label's contents.
Why it matters
Apple App Review Guideline 5.1.2 (Data Use and Sharing) is explicit that apps handling user data must have a privacy policy and must follow it. Separately, App Store Connect requires you to complete the App Privacy questionnaire — the input that produces your nutrition label — before a build can be submitted. Reviewers can and do reject submissions when the public-facing privacy policy is missing, a placeholder, or points to a dead URL.
For an indie developer shipping fast, the failure mode is mundane: you set a privacy-policy URL once, the hosting moves, the link rots, and a routine update gets bounced. A pre-submission signal that the live listing actually shows a privacy policy reference closes that gap before it costs you a review cycle.
A concrete example
A typical "not detected" case: your App Store Connect entry has a privacy-policy URL field filled in months ago, but the page has since moved:
Privacy Policy URL: https://example.com/privacy (404 — page moved to /legal/privacy)The build still ships, but the public product page no longer surfaces a working privacy-policy reference. LaunchTrust reads the live page, finds no "privacy policy" reference, and returns not detected (medium) with the note to verify the URL in App Store Connect. The remediation is a one-field fix — but only if you catch it before review does.
How to address it
- Open App Store Connect and go to your app's App Information page. Confirm the Privacy Policy URL field is populated and points to a live, public page (open it in a private browser tab to be sure it loads without a login).
- Complete the App Privacy questionnaire under App Privacy, declaring every data type you (and your SDKs) collect. This is what generates the nutrition label users see.
- Make the privacy policy reachable on your marketing site too, so the same URL resolves for users coming from outside the store. See the related privacy policy detector for site-side checks.
- Re-publish or submit, then wait for the listing to refresh and re-scan to confirm the reference now appears.
- Add a recurring check to your release routine so a moved or expired policy URL is caught on the next cycle rather than at review.
Check this in 30 seconds
Run a free LaunchTrust scan against your app's bundle ID. It confirms your App Store listing via Apple's public Lookup API and tells you whether a privacy-policy reference is visible on the live page — detected, not detected, or unable. No login, no SDK, no access to your App Store Connect account required.
FAQ
Does this confirm my App Store privacy setup is correct or guarantee approval? No. LaunchTrust surfaces a signal — whether a privacy-policy reference is visible on your public listing — and nothing more. It is not legal advice, not a certification, and not a guarantee that your app passes App Review. Use it to spot a missing or broken reference early; the policy's content and your App Privacy answers are still your responsibility.
Does it read my privacy nutrition label directly? No. The structured nutrition label (App Privacy data types) is not available in Apple's public Lookup API, so this detector checks for a privacy-policy reference on the public product page as a proxy. Verify the label itself inside App Store Connect.
Why did I get "unable to determine"? The most common reasons are: no bundle ID on file, the app isn't published on the App Store yet (or is Android-only), the iTunes lookup returned an error, or the listing page could not be read. "Unable" means inconclusive — it is never a hidden "not detected."
It says "not detected" but I have a privacy policy — what now? The detector reads the live public page, so a not-detected result usually means the privacy-policy URL in App Store Connect is missing, points to a dead or login-gated page, or hasn't propagated yet. Re-check the URL field, open it anonymously, and re-scan after the listing refreshes.
Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.