Set up App Store privacy nutrition labels (data collection declarations) for an app. Use when the user needs to declare what data their app collects, how it's used, and whether it's linked to the user. Handles both "no data collected" and full data collection declarations.
Use this skill to configure App Store privacy nutrition labels for an app. This is the "App Privacy" section in App Store Connect where you declare what data your app collects, what purposes it's used for, and how it's protected.
- (`asc web auth login`, or call `asc_web_auth` MCP tool)
- (`ASC_APP_ID` or `--app`)

Each privacy declaration is a tuple of three dimensions:
Grouped by type:
| Grouping | Categories |
|---|---|
| CONTACT_INFO | NAME, EMAIL_ADDRESS, PHONE_NUMBER, PHYSICAL_ADDRESS, OTHER_CONTACT_INFO |
| HEALTH_AND_FITNESS | HEALTH, FITNESS |
| FINANCIAL_INFO | PAYMENT_INFORMATION, CREDIT_AND_FRAUD, OTHER_FINANCIAL_INFO |
| LOCATION | PRECISE_LOCATION, COARSE_LOCATION |
| SENSITIVE_INFO | SENSITIVE_INFO |
| CONTACTS | CONTACTS |
| USER_CONTENT | EMAILS_OR_TEXT_MESSAGES, PHOTOS_OR_VIDEOS, AUDIO, GAMEPLAY_CONTENT, CUSTOMER_SUPPORT, OTHER_USER_CONTENT |
| BROWSING_HISTORY | BROWSING_HISTORY |
| SEARCH_HISTORY | SEARCH_HISTORY |
| IDENTIFIERS | USER_ID, DEVICE_ID |
| PURCHASES | PURCHASE_HISTORY |
| USAGE_DATA | PRODUCT_INTERACTION, ADVERTISING_DATA, OTHER_USAGE_DATA |
| DIAGNOSTICS | CRASH_DATA, PERFORMANCE_DATA, OTHER_DIAGNOSTIC_DATA |
| OTHER_DATA | OTHER_DATA_TYPES |

| Purpose ID | Meaning |
|---|---|
| APP_FUNCTIONALITY | Required for the app to work |
| ANALYTICS | Used for analytics |
| PRODUCT_PERSONALIZATION | Used to personalize the product |
| DEVELOPERS_ADVERTISING | Used for developer's advertising |
| THIRD_PARTY_ADVERTISING | Used for third-party advertising |
| OTHER_PURPOSES | Other purposes |

| Protection ID | Meaning |
|---|---|
| DATA_NOT_COLLECTED | App does not collect this data (mutually exclusive with others) |
| DATA_LINKED_TO_YOU | Collected and linked to user identity |
| DATA_NOT_LINKED_TO_YOU | Collected but not linked to identity |
| DATA_USED_TO_TRACK_YOU | Used for tracking (no purpose needed) |

Before proceeding, understand the app's data practices. Ask:
If the user is unsure, analyze the app's source code to determine data collection practices (look for analytics SDKs, location APIs, user accounts, etc.).
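A first pass over the source tree can be scripted. The sketch below is an added example, not part of the `asc` tooling: it flags lines that reference well-known Apple or Firebase APIs and maps each hit to candidate category IDs from the table above. The indicator-to-category mapping is an assumption to adapt per project, and every hit is a question to put to the user rather than a declaration.

```python
import re

# Assumed mapping (not from the page or the asc tool): API names whose presence
# suggests that a category from the table above may apply.
INDICATORS = {
    r"\bCLLocationManager\b": ["PRECISE_LOCATION", "COARSE_LOCATION"],
    r"\bHKHealthStore\b": ["HEALTH", "FITNESS"],
    r"\bCNContactStore\b": ["CONTACTS"],
    r"\bPHPhotoLibrary\b": ["PHOTOS_OR_VIDEOS"],
    r"\bASIdentifierManager\b": ["DEVICE_ID"],
    r"\bASAuthorizationAppleIDProvider\b": ["USER_ID", "NAME", "EMAIL_ADDRESS"],
    r"^\s*import\s+FirebaseAnalytics\b": ["PRODUCT_INTERACTION"],
    r"^\s*import\s+FirebaseCrashlytics\b": ["CRASH_DATA"],
}

def scan(files):
    """files: {path: source text}. Return {category: [(path, line_no, match)]}."""
    findings = {}
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("//"):
                continue  # ignore commented-out code
            for pattern, categories in INDICATORS.items():
                match = re.search(pattern, line)
                if match:
                    for category in categories:
                        hit = (path, line_no, match.group().strip())
                        findings.setdefault(category, []).append(hit)
    return findings

# Constructed sample sources (not from a real app).
SAMPLE = {
    "App/LocationService.swift": "import CoreLocation\nlet manager = CLLocationManager()\n",
    "App/AppDelegate.swift": "import FirebaseCrashlytics\n// let store = HKHealthStore()\n",
}

if __name__ == "__main__":
    for category, hits in sorted(scan(SAMPLE).items()):
        print(category, hits)
```
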
If the app collects no data:
```bash
# Create the declaration file
cat > /tmp/privacy.json << 'EOF'
{
  "schemaVersion": 1,
  "dataUsages": []
}
EOF

# Apply (this sets DATA_NOT_COLLECTED)
asc web privacy apply --app "APP_ID" --file /tmp/privacy.json --allow-deletes --confirm

# Publish
asc web privacy publish --app "APP_ID" --confirm
```
Create a declaration file listing all collected data types with their purposes and protections:
```bash
cat > /tmp/privacy.json << 'EOF'
{
  "schemaVersion": 1,
  "dataUsages": [
    {
      "category": "EMAIL_ADDRESS",
      "purposes": ["APP_FUNCTIONALITY"],
      "dataProtections": ["DATA_LINKED_TO_YOU"]
    },
    {
      "category": "NAME",
      "purposes": ["APP_FUNCTIONALITY"],
      "dataProtections": ["DATA_LINKED_TO_YOU"]
    },
    {
      "category": "CRASH_DATA",
      "purposes": ["ANALYTICS"],
      "dataProtections": ["DATA_NOT_LINKED_TO_YOU"]
    }
  ]
}
EOF
```
Each entry in `dataUsages` specifies:

- `category`: one category ID from the table above
- `purposes`: array of purpose IDs (what the data is used for)
- `dataProtections`: array of protection IDs (how it's handled)

Each combination of (category, purpose, protection) becomes a separate tuple in the API. For tracking data, use `DATA_USED_TO_TRACK_YOU` as the protection (no purpose needed for tracking entries).
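The expansion into tuples can be checked locally before the file goes anywhere near App Store Connect. The following is an added example, not the `asc` tool's own code: it validates a parsed declaration against the ID tables on this page and returns the tuples it would produce. Treating any `schemaVersion` other than 1, and `DATA_NOT_COLLECTED` inside an entry, as errors is this checker's assumption.

```python
import json, sys

# IDs copied from the category, purpose and protection tables on this page.
CATEGORIES = set("""NAME EMAIL_ADDRESS PHONE_NUMBER PHYSICAL_ADDRESS OTHER_CONTACT_INFO
HEALTH FITNESS PAYMENT_INFORMATION CREDIT_AND_FRAUD OTHER_FINANCIAL_INFO PRECISE_LOCATION
COARSE_LOCATION SENSITIVE_INFO CONTACTS EMAILS_OR_TEXT_MESSAGES PHOTOS_OR_VIDEOS AUDIO
GAMEPLAY_CONTENT CUSTOMER_SUPPORT OTHER_USER_CONTENT BROWSING_HISTORY SEARCH_HISTORY
USER_ID DEVICE_ID PURCHASE_HISTORY PRODUCT_INTERACTION ADVERTISING_DATA OTHER_USAGE_DATA
CRASH_DATA PERFORMANCE_DATA OTHER_DIAGNOSTIC_DATA OTHER_DATA_TYPES""".split())
PURPOSES = set("""APP_FUNCTIONALITY ANALYTICS PRODUCT_PERSONALIZATION
DEVELOPERS_ADVERTISING THIRD_PARTY_ADVERTISING OTHER_PURPOSES""".split())
LINKAGE = {"DATA_LINKED_TO_YOU", "DATA_NOT_LINKED_TO_YOU"}
TRACKING = "DATA_USED_TO_TRACK_YOU"

def expand(declaration):
    """Return (tuples, errors); each tuple is (category, purpose, protection)."""
    tuples, errors = set(), []
    if declaration.get("schemaVersion") != 1:
        errors.append("schemaVersion must be 1")
    for i, usage in enumerate(declaration.get("dataUsages", [])):
        cat = usage.get("category")
        purposes = usage.get("purposes", [])
        protections = usage.get("dataProtections", [])
        if cat not in CATEGORIES:
            errors.append(f"entry {i}: unknown category {cat!r}")
        errors += [f"entry {i}: unknown purpose {p!r}" for p in purposes if p not in PURPOSES]
        if not protections:
            errors.append(f"entry {i}: no dataProtections")
        for prot in protections:
            if prot == TRACKING:
                tuples.add((cat, None, prot))  # tracking entries carry no purpose
            elif prot in LINKAGE:
                if not purposes:
                    errors.append(f"entry {i}: {prot} needs at least one purpose")
                tuples.update((cat, p, prot) for p in purposes)
            else:  # unknown ID, or DATA_NOT_COLLECTED (declared via an empty dataUsages)
                errors.append(f"entry {i}: {prot!r} is not valid in an entry")
    return sorted(tuples, key=lambda t: (str(t[0]), t[1] or "", t[2])), errors

# Constructed sample: a valid entry, a tracking entry, and two mistakes in the third.
SAMPLE = {"schemaVersion": 1, "dataUsages": [
    {"category": "CRASH_DATA", "purposes": ["ANALYTICS"], "dataProtections": ["DATA_NOT_LINKED_TO_YOU"]},
    {"category": "DEVICE_ID", "purposes": [], "dataProtections": ["DATA_USED_TO_TRACK_YOU"]},
    {"category": "EMAIL", "purposes": ["APP_FUNCTIONALITY"], "dataProtections": ["DATA_NOT_COLLECTED"]},
]}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(*expand(doc), sep="\n")
```

Run it with the path to the declaration file as the only argument; with no argument it checks the constructed sample.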
```bash
asc web privacy plan --app "APP_ID" --file /tmp/privacy.json --pretty
```

This shows a diff of what will be created, updated, or deleted. Review with the user before applying.

```bash
asc web privacy apply --app "APP_ID" --file /tmp/privacy.json --allow-deletes --confirm
```

- `--allow-deletes` removes remote entries not in the local file
- `--confirm` confirms destructive operations

```bash
asc web privacy publish --app "APP_ID" --confirm
```

This makes the declarations live. Must be done after apply.

```bash
asc web privacy pull --app "APP_ID" --pretty
```
```json
{
  "schemaVersion": 1,
  "dataUsages": [
    {
      "category": "CRASH_DATA",
      "purposes": ["ANALYTICS"],
      "dataProtections": ["DATA_NOT_LINKED_TO_YOU"]
    }
  ]
}
```
```json
{
  "schemaVersion": 1,
  "dataUsages": [
    {
      "category": "NAME",
      "purposes": ["APP_FUNCTIONALITY"],
      "dataProtections": ["DATA_LINKED_TO_YOU"]
    },
    {
      "category": "EMAIL_ADDRESS",
      "purposes": ["APP_FUNCTIONALITY"],
      "dataProtections": ["DATA_LINKED_TO_YOU"]
    },
    {
      "category": "USER_ID",
      "purposes": ["APP_FUNCTIONALITY"],
      "dataProtections": ["DATA_LINKED_TO_YOU"]
    },
    {
      "category": "PRODUCT_INTERACTION",
      "purposes": ["ANALYTICS"],
      "dataProtections": ["DATA_LINKED_TO_YOU"]
    },
    {
      "category": "CRASH_DATA",
      "purposes": ["ANALYTICS"],
      "dataProtections": ["DATA_NOT_LINKED_TO_YOU"]
    }
  ]
}
```
```json
{
  "schemaVersion": 1,
  "dataUsages": [
    {
      "category": "HEALTH",
      "purposes": ["APP_FUNCTIONALITY"],
      "dataProtections": ["DATA_LINKED_TO_YOU"]
    },
    {
      "category": "FITNESS",
      "purposes": ["APP_FUNCTIONALITY"],
      "dataProtections": ["DATA_LINKED_TO_YOU"]
    },
    {
      "category": "PRECISE_LOCATION",
      "purposes": ["APP_FUNCTIONALITY"],
      "dataProtections": ["DATA_LINKED_TO_YOU"]
    }
  ]
}
```
If `asc web privacy` commands fail with 401 or session errors, authenticate via the Blitz MCP tool:

1. Call the `asc_web_auth` MCP tool to open the Apple ID login window
2. Or ask the user to run in their terminal:

```bash
asc web auth login --apple-id "EMAIL"
```
- `DATA_NOT_COLLECTED` (empty `dataUsages` array) is mutually exclusive: cannot coexist with collected data entries
- `purpose` and one `dataProtection`
- `DATA_USED_TO_TRACK_YOU` entries are stored without a purpose (tracking is category-wide)
- `publish` step is required after `apply`: changes are not live until published
- `plan` to preview changes before `apply`: show the diff to the user
- `publish` after successful `apply`
- `pull` to verify the final state
- `asc web` commands handle auth internally
- `asc_web_auth` MCP tool or ask user to run `asc web auth login`
- (`schemaVersion: 1`) is the canonical format used by `asc web privacy`
- `asc web privacy catalog` to get the full list of available tokens if needed