Guideline 5.1.2
Guideline 5.1.2(vi) - Privacy: Using HealthKit Data for Advertising
Our Take
Apple is rejecting your app because it uses data collected through HealthKit, CareKit, MovementDisorderAPI, or health-related clinical research APIs for advertising, marketing, or data mining purposes. Guideline 5.1.2(vi) strictly prohibits using health data to serve ads, sell to advertisers or data brokers, or build marketing profiles. This is one of Apple's hardest lines — health data must only be used to provide health-related services directly to the user. There is no consent mechanism that makes advertising use acceptable. Even if the user explicitly agrees to share their health data for marketing, Apple will still reject the app. The rejection typically occurs when: (1) an ad SDK has access to HealthKit data (even indirectly through shared analytics), (2) the app shares health metrics with a third-party service that uses data for advertising, or (3) the app's privacy policy indicates health data may be used for marketing purposes. Apple reviewers scrutinize health apps closely, and any intersection between health data flows and advertising data flows will trigger this rejection.
Resolution Guide
**Isolate HealthKit data** — Ensure HealthKit data is stored in a completely separate data store from analytics/advertising data. No shared databases, no shared APIs, no shared user identifiers between health and ad systems.
**Remove ad SDK access to health data** — Audit your ad and analytics SDKs. Ensure they cannot access any HealthKit data, directly or through shared user profiles or event streams.
**Separate analytics streams** — If you track health feature usage for analytics, use a health-specific analytics pipeline that does not feed into advertising systems.
**Update privacy policy** — Explicitly state that health data is not used for advertising, marketing, or data mining. Remove any language suggesting health data may be shared for non-health purposes.
**Review data sharing agreements** — If your backend shares data with any third party, ensure health data is excluded from all non-health data sharing agreements.
Prevention
Example Rejection Email
Consider Appealing
Appeal only if health data is genuinely isolated from all advertising SDKs and the reviewer made an error. Provide a detailed data flow diagram showing complete separation between HealthKit data and advertising infrastructure. Otherwise, refactor and resubmit.
Before & After
Fitness app sends HealthKit step count and heart rate data as custom events to Firebase Analytics, which feeds into Google Ads for targeted advertising
HealthKit data is processed entirely on-device; only aggregated, non-identifying fitness summaries are stored server-side in a dedicated health database; Firebase Analytics tracks only non-health UI events; ad targeting uses no health signals
What changed: Health data and advertising data must have completely separate pipelines with no intersection points.
Community Solutions · 0
Sign in to share your solution.
More Guideline 5 (Legal) rejections
- Guideline 5 - Legal: Remove Watermark Feature
- Guideline 5.1.1 - Data Collection and Storage: Incomplete Privacy Manifest
- Guideline 5.1.1 - Data Collection and Storage: Missing Purpose Strings
- Guideline 5.1.1 - Data Collection and Storage: Privacy Manifest Missing
- Guideline 5.1.1 - Data Collection and Storage: Privacy Nutrition Label Mismatch
- Guideline 5.1.1 - Data Collection and Storage: Privacy Policy