Guideline 5.1.1

Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest

Medium RiskMedium DifficultyTypical Fix: 2-4 hours0 Reports
Also known as:Privacy manifest missing API category declarationReason code not approved for API categoryNSPrivacyAccessedAPITypes incompleteThird-party SDK uses API not declared in manifestManifest declares wrong reason code for API usageNSPrivacyCollectedDataTypes does not cover all collected data

Our Take

Your app includes a PrivacyInfo.xcprivacy file but it does not declare all Required Reason APIs that your app or its embedded SDKs actually use. Apple's automated scan detects API usage in the binary that has no corresponding entry in NSPrivacyAccessedAPITypes, or the declared reason codes do not match approved reasons for the detected API category. This also covers cases where NSPrivacyCollectedDataTypes is present but incomplete — for example, the app collects precise location data but the manifest only declares coarse location.

Resolution Guide

01

**Generate a privacy report** — In Xcode 15+, archive your app and select "Generate Privacy Report." This produces a PDF listing every Required Reason API detected in your binary and each embedded framework, compared against the declared manifests.


02

**Identify gaps** — The report highlights API categories referenced in code but missing from the manifest. Common gaps:

  • `NSPrivacyAccessedAPICategoryDiskSpace` — triggered by `FileManager` disk space queries or third-party analytics SDKs
  • - `NSPrivacyAccessedAPICategorySystemBootTime` — triggered by `ProcessInfo.systemUptime` or crash reporters

    - `NSPrivacyAccessedAPICategoryFileTimestamp` — triggered by `stat()`, `NSFileModificationDate`, or caching libraries

    03

    **Add missing declarations** — For each missing API category, add an entry to `NSPrivacyAccessedAPITypes` in your `PrivacyInfo.xcprivacy` with:

  • The correct `NSPrivacyAccessedAPIType` category string
  • - One or more approved `NSPrivacyAccessedAPITypeReasons` codes from Apple's documentation

    04

    **Choose the right reason codes** — Apple publishes approved reasons for each API category. Using a reason code that does not match your actual usage will trigger a rejection. Common codes:

  • UserDefaults: `CA92.1` (app functionality)
  • - File timestamp: `C617.1` (inside app container), `DDA9.1` (display to user)

    - Disk space: `E174.1` (app functionality), `85F4.1` (display to user)

    - System boot time: `35F9.1` (measure elapsed time)

    05

    **Audit third-party SDKs** — Run `grep -r NSPrivacyAccessedAPIType` in your Pods/SPM directories. If an SDK's manifest is missing entries, update the SDK or add declarations to your app-level manifest.


    06

    **Verify collected data types** — Cross-reference `NSPrivacyCollectedDataTypes` with your actual data collection. Include analytics events, crash data, device identifiers, and any data collected by SDKs.


    07

    **Re-archive and verify** — Generate the privacy report again. Confirm zero warnings before resubmitting.


    Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.1.1 - Data Collection and Storage: Incomplete
    ITMS-91053: Missing API declaration - Your app's code in the "YourApp" target references one or more APIs that require reasons, including the following API categories: NSPrivacyAccessedAPICategoryDiskSpace. However, your app's privacy manifest does not include this API category or does not provide an approved reason for its use. Update your privacy manifest to include all required API declarations with approved reasons.

    Consider Appealing

    If the detected API usage comes from a system framework you do not directly call, explain the indirect dependency chain (e.g., UIKit internally calls stat()). Apple sometimes accepts this if the reason code is valid. For SDK-originated gaps, provide evidence that you have raised the issue with the vendor.

    Generate Appeal

    Before & After

    Before — Rejected

    PrivacyInfo.xcprivacy declares UserDefaults only:

    <key>NSPrivacyAccessedAPITypes</key>

    <array>

    <dict>

    <key>NSPrivacyAccessedAPIType</key>

    <string>NSPrivacyAccessedAPICategoryUserDefaults</string>

    <key>NSPrivacyAccessedAPITypeReasons</key>

    <array><string>CA92.1</string></array>

    </dict>

    </array>


    But the app also calls FileManager.attributesOfItem (file timestamps) and ProcessInfo.systemUptime (boot time).

    After — Approved

    PrivacyInfo.xcprivacy updated with all three API categories:

    <key>NSPrivacyAccessedAPITypes</key>

    <array>

    <dict>

    <key>NSPrivacyAccessedAPIType</key>

    <string>NSPrivacyAccessedAPICategoryUserDefaults</string>

    <key>NSPrivacyAccessedAPITypeReasons</key>

    <array><string>CA92.1</string></array>

    </dict>

    <dict>

    <key>NSPrivacyAccessedAPIType</key>

    <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>

    <key>NSPrivacyAccessedAPITypeReasons</key>

    <array><string>C617.1</string></array>

    </dict>

    <dict>

    <key>NSPrivacyAccessedAPIType</key>

    <string>NSPrivacyAccessedAPICategorySystemBootTime</string>

    <key>NSPrivacyAccessedAPITypeReasons</key>

    <array><string>35F9.1</string></array>

    </dict>

    </array>

    What changed: Every Required Reason API detected in the binary must have a matching declaration with an approved reason code

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections