LaunchTrust
Log inStart trial

Detector registry

Privacy Policy Detection for App and Store Submissions

Detect whether your site links a privacy policy before submitting. See what stores and GDPR expect, and how to fix a missing-policy signal.

Updated 2026-06-19app store privacy policy requirementSignals, not a verdict
Run free scanStart trial

A missing or unlinked privacy policy is one of the most common, most avoidable reasons an app submission or a store listing gets bounced back. Apple, Google, and most data-protection regimes expect a reachable privacy policy, and reviewers (human or automated) often look for it before they look at anything else. If you are a solo developer or a store owner racing to ship, this is the kind of detail that quietly stalls a launch.

LaunchTrust passively scans your own public page and reports whether a privacy-policy signal is present. It does not judge whether your policy is correct, complete, or legally sufficient — it only tells you whether the signal a reviewer would expect to find is actually there.

What LaunchTrust checks

This detector (privacy_policy) fetches your page and inspects the returned HTML for evidence that a privacy policy is reachable. It runs against web surfaces and reports one of three outcomes:

  • Detected (link found): The page contains an anchor (<a href=...>) whose URL includes a privacy-related token — for example privacy, datenschutz, gizlilik, privacidad, or confidentialit. This is the strongest signal, because it means a clickable path to a policy actually exists in the markup.
  • Detected (wording found): No qualifying link was found, but the page text contains recognizable privacy-policy phrasing — such as "privacy policy", "privacy notice", "datenschutz", "política de privacidad", or "politique de confidentialité". This is a weaker, lower-confidence signal: the words are present, but the scanner could not confirm a working link.
  • Not detected: Neither a privacy-related link nor recognizable privacy wording was found on the fetched page. This is flagged at high severity because stores and GDPR generally expect a privacy policy to be discoverable.

This is a positive signal: the thing you want is for it to be present. "Detected" means the expected element was found; "not detected" means it was absent on the page that was scanned. Because the check reads only the single fetched page's HTML, a policy that lives on another page without a link from the scanned surface may read as "not detected" even if it exists elsewhere — that is an "unable to confirm from here" situation, not proof that you have no policy. Always verify where a policy is actually required for your product.

Why it matters

A reachable privacy policy maps to several real obligations:

  • Apple App Review Guideline 5.1.2 expects apps that handle user data to have an accessible privacy policy, and App Store Connect has a dedicated privacy policy URL field. A broken or missing link is a frequent rejection trigger.
  • Google Play requires a privacy policy link in the Play Console and on the store listing where your app collects personal or sensitive data, and it ties into the Data safety section you must complete.
  • GDPR centers on transparency: where you process personal data of people in the EU, you are generally expected to provide clear, accessible information about what you collect and why. A linked privacy notice is the common way that information is surfaced.

These are commonly expected practices, not a guarantee that any particular policy satisfies the law. The point of the detector is narrow and useful: confirm the signal exists before a reviewer goes looking for it.

A concrete example

When the detector finds a link, the underlying markup typically looks like this:

<a href="/legal/privacy">Privacy Policy</a>

The URL token (privacy) is what trips the "detected (link found)" path. The same is true for localized routes such as /datenschutz or /gizlilik. If your footer instead reads only the words "Privacy Policy" as plain text with no link, you would land in the weaker "wording found" bucket — visible to a human, but not a confirmed, clickable path.

How to address it

  1. Publish a real privacy policy page at a stable URL (for example /privacy or /legal/privacy) that describes what data you collect, how you use it, retention, third parties, and how users can contact you or request deletion.
  2. Link to it from your scanned surface — typically the global footer — using a normal anchor so the URL contains a recognizable token like privacy. Avoid burying it behind JavaScript that only renders after interaction; the scanner reads the fetched HTML.
  3. Add the URL to both stores. Paste the policy link into the App Store Connect privacy policy field and the Google Play Console listing, and keep it consistent with the one on your site.
  4. Check that the link actually resolves (no 404, no redirect loop, correct domain) before you submit. A present-but-broken link still fails review.
  5. Re-scan after changes to confirm the signal flips to "detected (link found)" rather than the weaker wording-only state.

Check this in 30 seconds

Run your homepage through the free LaunchTrust scanner. It fetches the page and tells you immediately whether a privacy-policy link or wording is detected, so you can fix a missing link before a reviewer ever sees your submission. Pair it with the related terms of service and contact / imprint checks to cover the legal-pages cluster reviewers scan for.

FAQ

Does running this check confirm my app meets store requirements? No — it surfaces a signal, not a verdict. The detector only reports whether a privacy-policy link or wording was found on the page it fetched. It does not read your policy, judge its contents, or confirm that it satisfies GDPR, Apple, or Google. It is a compliance aid, not legal advice or certification.

My policy is on a separate page but the scan says "not detected." Why? The detector reads only the single page it fetched. If that page does not link to your policy with a recognizable URL, the scanner cannot confirm it from there. Add a footer link to the policy and re-scan — that is the difference between "unable to confirm here" and an actual missing policy.

Is "wording found" good enough for store submission? It is a weaker signal. Reviewers and stores generally expect a working link, and the App Store and Play Console both require an actual policy URL. Treat "wording found" as a prompt to add a proper, clickable link rather than as a pass.

Do I need a privacy policy if my app collects almost no data? Often yes. Both major stores expect a privacy policy where any personal or device data is handled, and many privacy regimes expect transparency regardless of volume. Frame your policy around what you actually collect — see the GDPR checklist for indie apps, the App Store privacy check, and the Google Play Data safety check.

Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.