# Guideline 5.4 - Legal: VPN App Without Data Usage Declaration

**Guideline:** 5.4 · **Store:** Apple App Store · **Risk:** medium · **Difficulty:** medium · **Typical turnaround:** 2-8 hours

Canonical URL: https://appstorereject.com/rejections/apple/5/guideline-54-legal-vpn-app-without-data-usage-declaration

## Description

Apple is rejecting your VPN app because it does not clearly declare what user data the VPN collects, how it is used, and how long it is retained. Guideline 5.4 requires VPN apps to include a clear, specific data usage declaration both within the app and in the privacy policy, because VPN services by nature have access to sensitive user traffic. This rejection differs from the individual-developer or NEVPNManager rejections under the same guideline — here, the organization and technical requirements may be met, but the data transparency is insufficient. Apple wants users to make informed decisions about which VPN to trust with their traffic. The declaration must go beyond a generic 'we collect some data' privacy policy. Apple expects VPN apps to specifically address: whether browsing activity or DNS queries are logged, whether connection timestamps and IP addresses are recorded, whether bandwidth usage data is stored, how long any collected data is retained, whether any data is shared with third parties or law enforcement, and what happens to data when the account is deleted.

## Common variations

- VPN app lacks clear data usage declaration
- Privacy policy does not address VPN-specific data collection
- VPN app does not disclose logging practices
- Insufficient transparency about VPN data handling
- VPN app missing data retention and deletion policy

## Example rejection email

```
Guideline 5.4 - Legal - VPN Apps

Your VPN app does not include an adequate declaration of what user data is collected and how it is used.

Specifically, your app's privacy policy and in-app disclosures do not clearly address:
- Whether browsing activity or connection logs are collected.
- How long user data is retained.
- Whether data is shared with any third parties.

Next Steps:
Please update your app and privacy policy to clearly declare:
1. Exactly what user data your VPN service collects (browsing logs, connection timestamps, IP addresses, bandwidth data).
2. How collected data is used.
3. How long data is retained.
4. Whether data is shared with third parties, including in response to law enforcement requests.
5. What happens to user data when the account is deleted.
```

## Resolution steps

## Quick Assessment
- **Risk level:** Medium
- **Resolution path:** Fix & Resubmit
- **Typical turnaround:** 2-8 hours

## The Fix

01. **Create a VPN-specific data section** — In your privacy policy, add a dedicated section titled 'VPN Data Practices' or similar that addresses each required disclosure point.

02. **Declare logging practices** — Explicitly state whether your VPN logs: browsing activity, DNS queries, connection timestamps, source IP addresses, destination IP addresses, or bandwidth usage. If you have a no-logs policy, state it clearly and specifically.

03. **State data retention periods** — For any data collected, state how long it is retained (e.g., '30 days,' 'until account deletion,' 'never stored').

04. **Address third-party sharing** — Declare whether any VPN data is shared with third parties, including in response to law enforcement, legal processes, or government requests.

05. **Add in-app disclosure** — Beyond the privacy policy, add a clear data practices summary within the app itself — in the settings, about screen, or during onboarding.

06. **Update App Privacy labels** — Ensure your App Privacy nutrition labels in App Store Connect accurately reflect the VPN's data practices.

## Prevention
- Write VPN-specific privacy disclosures before first submission
- Review competitor VPN apps' privacy policies for industry-standard disclosures
- Keep privacy policy and in-app disclosures synchronized with actual practices
- Update disclosures whenever server infrastructure or logging practices change

## Appeal guidance

Appeal if your privacy policy and in-app disclosures already contain the required information but the reviewer missed it. Provide specific excerpts showing where each required declaration appears. Otherwise, update and resubmit.

## Before / after examples

**Before:** VPN app's privacy policy contains a single generic paragraph: 'We may collect certain data to provide our services. We take privacy seriously.'
**After:** Privacy policy includes a 'VPN Data Practices' section stating: 'We do not log browsing activity, DNS queries, or destination IP addresses. We retain connection timestamps and bandwidth usage for 24 hours for abuse prevention. No VPN data is shared with third parties. Upon account deletion, all data is purged within 7 days.'
**Why it works:** VPN privacy policies must be specific about exactly what traffic data is and isn't logged. Generic statements are insufficient.

## Common questions

**Can you appeal a 5.4 rejection?**

Appeal if your privacy policy and in-app disclosures already contain the required information but the reviewer missed it. Provide specific excerpts showing where each required declaration appears. Otherwise, update and resubmit.

**How long does this typically take to fix?**

Typical turnaround is 2-8 hours (difficulty: medium). After resubmission, most re-reviews complete within 24-48 hours.

---
*Machine-readable source: https://api.appstorereject.com/api/rejections/detail?slug=guideline-54-legal-vpn-app-without-data-usage-declaration*