Guideline 5.4

Guideline 5.4 - Legal: VPN App Without Data Usage Declaration

Medium RiskMedium DifficultyTypical Fix: 2-8 hours0 Reports
Also known as:VPN app lacks clear data usage declarationPrivacy policy does not address VPN-specific data collectionVPN app does not disclose logging practicesInsufficient transparency about VPN data handlingVPN app missing data retention and deletion policy

Our Take

Apple is rejecting your VPN app because it does not clearly declare what user data the VPN collects, how it is used, and how long it is retained. Guideline 5.4 requires VPN apps to include a clear, specific data usage declaration both within the app and in the privacy policy, because VPN services by nature have access to sensitive user traffic. This rejection differs from the individual-developer or NEVPNManager rejections under the same guideline — here, the organization and technical requirements may be met, but the data transparency is insufficient. Apple wants users to make informed decisions about which VPN to trust with their traffic. The declaration must go beyond a generic 'we collect some data' privacy policy. Apple expects VPN apps to specifically address: whether browsing activity or DNS queries are logged, whether connection timestamps and IP addresses are recorded, whether bandwidth usage data is stored, how long any collected data is retained, whether any data is shared with third parties or law enforcement, and what happens to data when the account is deleted.

Resolution Guide

01

**Create a VPN-specific data section** — In your privacy policy, add a dedicated section titled 'VPN Data Practices' or similar that addresses each required disclosure point.


02

**Declare logging practices** — Explicitly state whether your VPN logs: browsing activity, DNS queries, connection timestamps, source IP addresses, destination IP addresses, or bandwidth usage. If you have a no-logs policy, state it clearly and specifically.


03

**State data retention periods** — For any data collected, state how long it is retained (e.g., '30 days,' 'until account deletion,' 'never stored').


04

**Address third-party sharing** — Declare whether any VPN data is shared with third parties, including in response to law enforcement, legal processes, or government requests.


05

**Add in-app disclosure** — Beyond the privacy policy, add a clear data practices summary within the app itself — in the settings, about screen, or during onboarding.


06

**Update App Privacy labels** — Ensure your App Privacy nutrition labels in App Store Connect accurately reflect the VPN's data practices.

Prevention

  • Write VPN-specific privacy disclosures before first submission
  • Review competitor VPN apps' privacy policies for industry-standard disclosures
  • Keep privacy policy and in-app disclosures synchronized with actual practices
  • Update disclosures whenever server infrastructure or logging practices change
  • Example Rejection Email

    From:Apple App Review Team
    Subject:Guideline 5.4 - Legal: VPN App Without Data Usage Declar
    Guideline 5.4 - Legal - VPN Apps Your VPN app does not include an adequate declaration of what user data is collected and how it is used. Specifically, your app's privacy policy and in-app disclosures do not clearly address: - Whether browsing activity or connection logs are collected. - How long user data is retained. - Whether data is shared with any third parties. Next Steps: Please update your app and privacy policy to clearly declare: 1. Exactly what user data your VPN service collects (browsing logs, connection timestamps, IP addresses, bandwidth data). 2. How collected data is used. 3. How long data is retained. 4. Whether data is shared with third parties, including in response to law enforcement requests. 5. What happens to user data when the account is deleted.

    Consider Appealing

    Appeal if your privacy policy and in-app disclosures already contain the required information but the reviewer missed it. Provide specific excerpts showing where each required declaration appears. Otherwise, update and resubmit.

    Generate Appeal

    Before & After

    Before — Rejected

    VPN app's privacy policy contains a single generic paragraph: 'We may collect certain data to provide our services. We take privacy seriously.'

    After — Approved

    Privacy policy includes a 'VPN Data Practices' section stating: 'We do not log browsing activity, DNS queries, or destination IP addresses. We retain connection timestamps and bandwidth usage for 24 hours for abuse prevention. No VPN data is shared with third parties. Upon account deletion, all data is purged within 7 days.'

    What changed: VPN privacy policies must be specific about exactly what traffic data is and isn't logged. Generic statements are insufficient.

    Community Solutions · 0

    Sign in to share your solution.

    More Guideline 5 (Legal) rejections

    View all Guideline 5 rejections