Guideline 5.1.2

Guideline 5.1.2(vi) - Privacy: Using HealthKit Data for Advertising

High RiskHardTypical Fix: 1-3 days0 Reports
Also known as:HealthKit data used for advertising or marketingHealth data shared with third-party ad SDKsHealthKit data used for data mining or user profilingHealth research data shared for non-health purposesCareKit data accessible to analytics or marketing services

Our Take

Apple is rejecting your app because it uses data collected through HealthKit, CareKit, MovementDisorderAPI, or health-related clinical research APIs for advertising, marketing, or data mining purposes. Guideline 5.1.2(vi) strictly prohibits using health data to serve ads, sell to advertisers or data brokers, or build marketing profiles. This is one of Apple's hardest lines — health data must only be used to provide health-related services directly to the user. There is no consent mechanism that makes advertising use acceptable. Even if the user explicitly agrees to share their health data for marketing, Apple will still reject the app. The rejection typically occurs when: (1) an ad SDK has access to HealthKit data (even indirectly through shared analytics), (2) the app shares health metrics with a third-party service that uses data for advertising, or (3) the app's privacy policy indicates health data may be used for marketing purposes. Apple reviewers scrutinize health apps closely, and any intersection between health data flows and advertising data flows will trigger this rejection.

Resolution Guide

01

**Isolate HealthKit data** — Ensure HealthKit data is stored in a completely separate data store from analytics/advertising data. No shared databases, no shared APIs, no shared user identifiers between health and ad systems.


02

**Remove ad SDK access to health data** — Audit your ad and analytics SDKs. Ensure they cannot access any HealthKit data, directly or through shared user profiles or event streams.


03

**Separate analytics streams** — If you track health feature usage for analytics, use a health-specific analytics pipeline that does not feed into advertising systems.


04

**Update privacy policy** — Explicitly state that health data is not used for advertising, marketing, or data mining. Remove any language suggesting health data may be shared for non-health purposes.


05

**Review data sharing agreements** — If your backend shares data with any third party, ensure health data is excluded from all non-health data sharing agreements.

Prevention

  • Architect health data flows as completely separate from advertising/analytics from day one
  • Never pass HealthKit data through general-purpose analytics events
  • Audit data flows before every submission to ensure isolation is maintained
  • Consider using on-device-only processing for health data when possible
  • Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.1.2 - Guideline 5.1.2(vi) - Privacy: Using Hea
    Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing Your app uses data collected through HealthKit for advertising or marketing purposes. Specifically, health data obtained from HealthKit is accessible to or shared with third-party advertising or analytics SDKs in your app. Data collected through HealthKit, CareKit, or health research APIs may not be used for advertising, data mining, or to build user profiles for marketing. Next Steps: Please update your app to ensure that HealthKit data is: 1. Used only to provide health or fitness services directly to the user. 2. Not shared with or accessible to advertising or marketing SDKs. 3. Not used for data mining or to build marketing profiles. 4. Stored securely and only shared with user consent for health-related purposes.

    Consider Appealing

    Appeal only if health data is genuinely isolated from all advertising SDKs and the reviewer made an error. Provide a detailed data flow diagram showing complete separation between HealthKit data and advertising infrastructure. Otherwise, refactor and resubmit.

    Generate Appeal

    Before & After

    Before — Rejected

    Fitness app sends HealthKit step count and heart rate data as custom events to Firebase Analytics, which feeds into Google Ads for targeted advertising

    After — Approved

    HealthKit data is processed entirely on-device; only aggregated, non-identifying fitness summaries are stored server-side in a dedicated health database; Firebase Analytics tracks only non-health UI events; ad targeting uses no health signals

    What changed: Health data and advertising data must have completely separate pipelines with no intersection points.

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections