# Guideline 5.1.1 - Privacy: HealthKit Without Required Descriptions

**Guideline:** 5.1.1 · **Store:** Apple App Store · **Risk:** high · **Difficulty:** medium

Canonical URL: https://appstorereject.com/rejections/apple/5/guideline-511-privacy-healthkit-without-required-descriptions

## Description

Your app has the HealthKit entitlement but is missing required Info.plist usage descriptions. Health data apps receive extra scrutiny during Apple review.

## Resolution steps

1. **Add both required usage descriptions** — In Info.plist, add:
   - `NSHealthShareUsageDescription` — why you need to READ health data. Example: "Chain reads your heart rate and workout data to show real-time stats during rides."
   - `NSHealthUpdateUsageDescription` — why you need to WRITE health data. Example: "Chain saves your cycling workouts to Apple Health so they appear in your Activity rings."

2. **Request only the data types you need** — In your `HKHealthStore.requestAuthorization` call, only include the specific `HKObjectType`s your app uses. Don't request all types. Apple compares what you request against what your app actually does.

3. **Add HealthKit to required device capabilities** — If your app requires HealthKit to function, add `healthkit` to `UIRequiredDeviceCapabilities` in Info.plist. If HealthKit is optional, omit this.

4. **Handle authorization denial gracefully** — Users can deny individual health data types. Your app must work (possibly with reduced functionality) when specific types are denied. Never crash or show error dialogs.

5. **Complete the App Privacy section** — In App Store Connect, declare health data under "Health & Fitness" in the App Privacy section. Specify whether data is linked to the user's identity and what it's used for.

**Prevention:**
- Add usage descriptions at the same time you add the HealthKit entitlement
- Request the minimum set of HKObjectTypes needed
- Test with all health permissions denied to verify graceful degradation

---
*Machine-readable source: https://api.appstorereject.com/api/rejections/detail?slug=guideline-511-privacy-healthkit-without-required-descriptions*