Guideline 5.1.1
Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
Our Take
Your app includes a PrivacyInfo.xcprivacy file but it does not declare all Required Reason APIs that your app or its embedded SDKs actually use. Apple's automated scan detects API usage in the binary that has no corresponding entry in NSPrivacyAccessedAPITypes, or the declared reason codes do not match approved reasons for the detected API category. This also covers cases where NSPrivacyCollectedDataTypes is present but incomplete — for example, the app collects precise location data but the manifest only declares coarse location.
Resolution Guide
**Generate a privacy report** — In Xcode 15+, archive your app and select "Generate Privacy Report." This produces a PDF listing every Required Reason API detected in your binary and each embedded framework, compared against the declared manifests.
**Identify gaps** — The report highlights API categories referenced in code but missing from the manifest. Common gaps:
- `NSPrivacyAccessedAPICategorySystemBootTime` — triggered by `ProcessInfo.systemUptime` or crash reporters
- `NSPrivacyAccessedAPICategoryFileTimestamp` — triggered by `stat()`, `NSFileModificationDate`, or caching libraries
**Add missing declarations** — For each missing API category, add an entry to `NSPrivacyAccessedAPITypes` in your `PrivacyInfo.xcprivacy` with:
- One or more approved `NSPrivacyAccessedAPITypeReasons` codes from Apple's documentation
**Choose the right reason codes** — Apple publishes approved reasons for each API category. Using a reason code that does not match your actual usage will trigger a rejection. Common codes:
- File timestamp: `C617.1` (inside app container), `DDA9.1` (display to user)
- Disk space: `E174.1` (app functionality), `85F4.1` (display to user)
- System boot time: `35F9.1` (measure elapsed time)
**Audit third-party SDKs** — Run `grep -r NSPrivacyAccessedAPIType` in your Pods/SPM directories. If an SDK's manifest is missing entries, update the SDK or add declarations to your app-level manifest.
**Verify collected data types** — Cross-reference `NSPrivacyCollectedDataTypes` with your actual data collection. Include analytics events, crash data, device identifiers, and any data collected by SDKs.
**Re-archive and verify** — Generate the privacy report again. Confirm zero warnings before resubmitting.
Example Rejection Email
Consider Appealing
If the detected API usage comes from a system framework you do not directly call, explain the indirect dependency chain (e.g., UIKit internally calls stat()). Apple sometimes accepts this if the reason code is valid. For SDK-originated gaps, provide evidence that you have raised the issue with the vendor.
Before & After
PrivacyInfo.xcprivacy declares UserDefaults only:
<key>NSPrivacyAccessedAPITypes</key>
<array>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array><string>CA92.1</string></array>
</dict>
</array>
But the app also calls FileManager.attributesOfItem (file timestamps) and ProcessInfo.systemUptime (boot time).
PrivacyInfo.xcprivacy updated with all three API categories:
<key>NSPrivacyAccessedAPITypes</key>
<array>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryUserDefaults</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array><string>CA92.1</string></array>
</dict>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array><string>C617.1</string></array>
</dict>
<dict>
<key>NSPrivacyAccessedAPIType</key>
<string>NSPrivacyAccessedAPICategorySystemBootTime</string>
<key>NSPrivacyAccessedAPITypeReasons</key>
<array><string>35F9.1</string></array>
</dict>
</array>
What changed: Every Required Reason API detected in the binary must have a matching declaration with an approved reason code
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
- Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy
- Guideline 5.1.1 - Privacy: ATT Framework Without Tracking Usage Description