privacy-policy

# Privacy Policy & Legal Document Generator

Generate ready-to-use privacy policies, terms of service, and EULAs tailored to your app's data practices, third-party services, and target markets.

> **Disclaimer:** This skill generates template legal documents based on common indie app scenarios. Consult a qualified lawyer for apps handling sensitive data (health, financial, children's data), apps with complex data sharing arrangements, or apps operating in highly regulated industries. These templates are a strong starting point -- not a substitute for legal counsel.

## When This Skill Activates

Use this skill when the user:
- Needs a privacy policy for their app
- Needs terms of service or EULA
- Apple requires a privacy policy for App Store submission
- Is adding analytics, ads, or crash reporting and needs to update their privacy policy
- Asks about data collection disclosure or privacy compliance
- Mentions GDPR, CCPA, DPDP, or COPPA requirements for their app
- Wants to know what to declare in Apple's Privacy Nutrition Labels

## Pre-Generation Checks

Before generating documents, gather context from the project.

### 1. Look for Existing Legal Documents

```
Glob: **/privacy*.md, **/privacy*.html, **/privacy*.txt
Glob: **/terms*.md, **/terms*.html, **/terms*.txt
Glob: **/eula*.md, **/eula*.html, **/eula*.txt
Glob: **/legal/**
```

If existing documents found, ask user whether to replace or update them.

### 2. Check for Third-Party SDK Usage

```
Grep: "Firebase" or "GoogleAnalytics" or "Crashlytics"
Grep: "Mixpanel" or "Amplitude" or "PostHog"
Grep: "AdMob" or "AppLovin" or "UnityAds"
Grep: "FacebookSDK" or "GoogleSignIn" or "SignInWithApple"
Grep: "Sentry" or "Bugsnag" or "DataDog"
Grep: "RevenueCat" or "Adapty" or "Qonversion"
Grep: "TelemetryDeck" or "Plausible" or "CountlySDK"
```

Note detected SDKs to auto-populate data collection sections.

### 3. Detect Data Collection Patterns in Code

```
Grep: "UserDefaults" -- Local preferences storage
Grep: "CoreData" or "SwiftData" or "NSPersistentContainer" -- Local database
Grep: "CloudKit" or "CKContainer" -- Cloud sync
Grep: "URLSession" or "Alamofire" -- Network calls
Grep: "HealthKit" or "HKHealthStore" -- Health data
Grep: "CLLocationManager" or "CoreLocation" -- Location data
Grep: "AVCaptureSession" or "PHPhotoLibrary" -- Camera/photos
Grep: "Contacts" or "CNContactStore" -- Contacts access
Grep: "ATTrackingManager" -- App Tracking Transparency
Grep: "ASAuthorizationAppleIDProvider" -- Sign in with Apple
```

### 4. Check Info.plist for Permission Usage Descriptions

```
Grep: "NSCameraUsageDescription" or "NSPhotoLibraryUsageDescription"
Grep: "NSLocationWhenInUseUsageDescription" or "NSLocationAlwaysUsageDescription"
Grep: "NSHealthShareUsageDescription" or "NSHealthUpdateUsageDescription"
Grep: "NSContactsUsageDescription" or "NSMicrophoneUsageDescription"
Grep: "NSUserTrackingUsageDescription"
```

## Configuration Questions

Ask the user via AskUserQuestion:

### 1. What documents do you need?

- Privacy Policy only
- Terms of Service only
- EULA only
- All three (recommended for App Store apps)

### 2. What data does your app collect?

- No user data (fully offline, no accounts)
- Anonymous analytics only (usage events, crash data)
- Account with email (sign-in required)
- Account with personal info (name, email, profile, preferences)
- Health or financial data (triggers additional compliance sections)

### 3. What third-party services does your app use?

- None
- Analytics only (e.g., TelemetryDeck, Firebase Analytics)
- Analytics + crash reporting (e.g., Sentry, Crashlytics)
- Advertising (e.g., AdMob, AppLovin)
- Social login (e.g., Sign in with Apple, Google Sign-In)
- Multiple of the above (list them)

### 4. Does your app target or allow children under 13?

- No
- Yes (triggers COPPA section and stricter data practices)

### 5. Where will you host these documents?

- GitHub Pages (free, Markdown to HTML)
- In-app (Settings screen with WKWebView or Text view)
- Personal/company website
- All of the above (recommended -- Apple requires a publicly accessible URL)

## Generation Process

### Step 1: Select Template Sections

Read `templates.md` for the document templates.

Based on configuration answers, include or exclude sections:

| Answer | Sections Added |
|--------|---------------|
| No user data | Minimal privacy policy (no collection, no sharing) |
| Anonymous analytics | Analytics disclosure, third-party services list |
| Account with email | Account data, authentication, data retention |
| Personal info | Full data collection, user rights, data portability |
| Health/financial | Sensitive data handling, enhanced security, additional consent |
| Children under 13 | COPPA section, parental consent, limited data collection |

### Step 2: Fill in App-Specific Details

Replace template placeholders with detected or user-provided values:
- `[APP_NAME]` -- App display name
- `[DEVELOPER_NAME]` -- Developer or company name
- `[CONTACT_EMAIL]` -- Privacy contact email
- `[EFFECTIVE_DATE]` -- Document effective date
- `[WEBSITE_URL]` -- Developer website or privacy page URL

### Step 3: Add Region-Specific Sections

Include sections based on target markets:

**GDPR (European Union users):**
- Data controller identification
- Lawful basis for processing (consent, legitimate interest, contract)
- Data subject rights (access, rectification, erasure, portability, objection)
- Data Protection Officer contact (if applicable)
- Data retention periods
- Right to lodge complaint with supervisory authority

**CCPA (California users):**
- Categories of personal information collected
- Business purposes for collection
- "Do Not Sell or Share My Personal Information" notice
- Right to know, delete, and opt-out
- Non-discrimination for exercising rights
- Financial incentive disclosure (if applicable)

**DPDP (India users):**
- Data fiduciary identification
- Purpose of data processing
- Consent mechanism
- Data principal rights (access, correction, erasure, grievance redressal)
- Data retention limitations
- Processing of children's data (under 18)

**COPPA (children under 13):**
- Parental consent requirement
- Limited data collection (only what is strictly necessary)
- No behavioral advertising to children
- Parental rights (review, delete, refuse further collection)
- Safe harbor program compliance (if applicable)

### Step 4: Generate Apple Privacy Nutrition Label Mapping

Based on detected data practices, generate a mapping for App Store Connect:

```
Apple Privacy Nutrition Label Mapping
=====================================

Data Types to Declare:
- [ ] Contact Info: Email Address -- Used for: App Functionality, Account
- [ ] Identifiers: User ID -- Used for: App Functionality
- [ ] Usage Data: Product Interaction -- Used for: Analytics
- [ ] Diagnostics: Crash Data -- Used for: App Functionality
- [ ] Diagnostics: Performance Data -- Used for: Analytics

Data Linked to User: [List items linked to user identity]
Data Used to Track: [List items used for cross-app tracking, if any]

Tracking: [Yes/No -- triggers ATT requirement if Yes]
```

### Step 5: Output Documents

Generate documents in Markdown format. Place files based on user's hosting preference:

- **GitHub Pages**: `docs/privacy-policy.md`, `docs/terms-of-service.md`, `docs/eula.md`
- **In-app**: `Resources/Legal/privacy-policy.md`, etc.
- **Website**: Output to clipboard/file for manual upload
- **All**: Generate in `docs/` with guidance for in-app integration

## Apple-Required Privacy Disclosures

### App Store Connect Privacy Questions

When submitting to the App Store, Apple asks about data practices. Map generated privacy policy to these questions:

| Apple Question | Where to Find Answer |
|---------------|---------------------|
| Do you or your third-party partners collect data? | "Information We Collect" section |
| Data types collected | Privacy Nutrition Label mapping (Step 4) |
| Is data linked to user identity? | "How We Use Information" section |
| Is data used for tracking? | "Third-Party Services" section |

### Privacy Nutrition Labels

Declare these data types based on your app's practices:

| If Your App... | Declare These Types |
|----------------|-------------------|
| Has user accounts | Contact Info, Identifiers |
| Uses analytics | Usage Data (Product Interaction) |
| Has crash reporting | Diagnostics (Crash Data, Performance Data) |
| Shows ads | Identifiers (Device ID), Usage Data |
| Uses location | Location (Precise or Coarse) |
| Accesses photos | Photos or Videos |
| Accesses health data | Health & Fitness |
| Uses Sign in with Apple | Contact Info (Email), Identifiers (User ID) |

### When ATT (App Tracking Transparency) Is Required

ATT is required when your app:
- Accesses the IDFA (Identifier for Advertisers)
- Links user data with third-party data for advertising
- Shares user data with data brokers

ATT is NOT required for:
- First-party analytics that stays on your server
- Crash reporting
- Fraud detection
- Attribution that does not use IDFA (e.g., SKAdNetwork)

## Hosting Guidance

### GitHub Pages (Free, Recommended for Indie Devs)

1. Create `docs/` folder in your repo
2. Add privacy-policy.md, terms-of-service.md, eula.md
3. Enable GitHub Pages in repo Settings > Pages > Source: `/docs`
4. Your URL: `https://yourusername.github.io/yourapp/privacy-policy`

### In-App Display

```swift
// Option 1: WKWebView for hosted HTML
import WebKit

struct LegalDocumentView: UIViewRepresentable {
    let url: URL

    func makeUIView(context: Context) -> WKWebView { WKWebView() }
    func updateUIView(_ webView: WKWebView, context: Context) {
        webView.load(URLRequest(url: url))
    }
}

// Option 2: Bundled Markdown rendered as Text
struct PrivacyPolicyView: View {
    var body: some View {
        ScrollView {
            Text(LocalizedStringKey(privacyPolicyMarkdown))
                .padding()
                .textSelection(.enabled)
        }
        .navigationTitle("Privacy Policy")
    }
}
```

### Apple Requirements for Privacy Policy URL

- Must be publicly accessible (not behind login or in-app only)
- Must be a working URL at all times (Apple checks during review)
- Required in App Store Connect under "App Privacy"
- Must also be accessible from within the app (Settings or About screen)

## Output Format

After generation, provide:

### Files Created

```
docs/
 ├── privacy-policy.md     # Privacy policy with region-specific sections
 ├── terms-of-service.md   # Terms of service (if requested)
 └── eula.md               # End-user license agreement (if requested)
```

### Apple Privacy Nutrition Label Checklist

Provide a checklist the user can follow in App Store Connect.

### Integration Checklist

- [ ] Host documents at a publicly accessible URL
- [ ] Add privacy policy URL to App Store Connect
- [ ] Add legal links to app Settings or About screen
- [ ] Complete Privacy Nutrition Labels in App Store Connect
- [ ] If using ATT, add `NSUserTrackingUsageDescription` to Info.plist
- [ ] Test that privacy policy URL loads correctly
- [ ] Set a calendar reminder to review documents annually

## References

- **templates.md** -- Full legal document templates with placeholders
- Related: `generators/consent-flow` -- GDPR/CCPA consent UI generation
- Related: `generators/account-deletion` -- Account deletion flow (App Store requirement)
- Related: `generators/permission-priming` -- Pre-permission UI for ATT
- Related: `monetization/` -- Subscription terms and pricing disclosures
- Apple App Review Guidelines Section 5.1 (Privacy)
- Apple App Store Connect Privacy Details documentation