What Is a Privacy Manifest?
A privacy manifest is a file called PrivacyInfo.xcprivacy that you include in your app's Xcode project. It declares what data your app collects, why it accesses certain APIs, and what tracking domains it contacts. Apple introduced this requirement in 2024, and as of 2026, it is strictly enforced for all app submissions.
The privacy manifest works alongside the privacy labels you declare in App Store Connect, but it lives inside your app binary and can be verified by Apple's automated tools during review.
Why Apple Requires It
The privacy manifest solves a problem that privacy labels alone could not: verification. With labels, developers self-report their data practices. With privacy manifests, Apple can cross-reference what you declare against what your app actually does.
Key goals:
- Transparency - Users and Apple can see exactly why your app uses sensitive APIs
- Accountability - Developers must justify each API usage with a valid reason
- SDK oversight - Third-party SDKs must include their own privacy manifests
- Automated enforcement - Apple can reject apps that use APIs without declared reasons
Required Reason APIs
Apple maintains a list of APIs that require a declared reason for use. These APIs provide access to device signals that could potentially be used for fingerprinting:
Categories of Required Reason APIs
| API Category | Example APIs | Common Valid Reasons |
|---|---|---|
| File timestamp | NSFileCreationDate, NSFileModificationDate | Display file info to user |
| System boot time | systemUptime, mach_absolute_time | Calculate elapsed time |
| Disk space | volumeAvailableCapacity | Check storage before download |
| User defaults | UserDefaults (shared containers) | App group data sharing |
| Active keyboard | activeInputModes | Language detection |
For each API you use, you must select from Apple's predefined list of acceptable reasons. You cannot create custom reasons.
Creating Your Privacy Manifest
Step 1: Add the File
In Xcode:
- Select your app target
- File > New > File
- Choose "App Privacy" under Resource
- Name it PrivacyInfo.xcprivacy
Step 2: Declare Data Collection
In the manifest file, declare:
- NSPrivacyTracking - Boolean indicating whether your app uses data for tracking
- NSPrivacyTrackingDomains - List of domains used for tracking (empty array if no tracking)
- NSPrivacyCollectedDataTypes - Array of data types your app collects, with purposes
- NSPrivacyAccessedAPITypes - Array of required reason APIs your app uses, with declared reasons
Step 3: Include SDK Manifests
Every third-party SDK in your app should include its own privacy manifest. Major SDKs have been required to provide manifests since spring 2024.
If an SDK does not include a privacy manifest:
- Check for an updated version that does
- Contact the SDK developer
- Consider switching to an alternative SDK
- As a last resort, declare the SDK's data practices in your own manifest
Third-Party SDK Signatures
Starting in 2024, Apple also requires that commonly used third-party SDKs are signed with a developer certificate. This prevents supply chain attacks where a malicious SDK could be substituted.
Affected SDKs include popular frameworks like Firebase, Facebook SDK, Google Analytics, and many others. Apple maintains a list of SDKs that require signatures.
If you integrate an unsigned version of a listed SDK, your app submission will be rejected.
Common Issues
Missing Required Reason API Declarations
This is the most common rejection reason related to privacy manifests. Your app (or one of your SDKs) uses a required reason API but does not declare it in the manifest.
Fix: Audit your code and all SDK dependencies for required reason API usage. Use Xcode's build logs to identify which APIs need declarations.
Manifest/Label Mismatch
Your privacy manifest declares different data practices than your App Store Connect privacy labels.
Fix: Keep both in sync. When you update one, update the other.
Outdated SDK Without Manifest
A third-party SDK in your project does not include a privacy manifest.
Fix: Update to the latest version. If no manifest is available, evaluate replacing the SDK.
Verification Checklist
Before submitting your app:
- PrivacyInfo.xcprivacy exists in your main app target
- All required reason API usages are declared with valid reasons
- Tracking domains are listed if NSPrivacyTracking is true
- Collected data types match your App Store Connect privacy labels
- All third-party SDKs include their own privacy manifests
- All listed third-party SDKs are properly signed
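The checklist items that can be verified from the manifest file alone lend themselves to a pre-submission lint step. The Python below is an added example, not Apple's tooling or code from the original page; the function name `lint_manifest` and the sample manifest are constructed for illustration, and it assumes all four keys from Step 2 must be present. It does not validate reason codes against Apple's approved list.

```python
import plistlib

# The four top-level keys from Step 2 and the plist type each must have.
TOP_LEVEL_KEYS = {
    "NSPrivacyTracking": bool,
    "NSPrivacyTrackingDomains": list,
    "NSPrivacyCollectedDataTypes": list,
    "NSPrivacyAccessedAPITypes": list,
}

def lint_manifest(data: bytes) -> list:
    """Return findings for one PrivacyInfo.xcprivacy; empty list = checks pass."""
    try:
        manifest = plistlib.loads(data)
    except Exception as exc:  # malformed XML or unrecognised plist format
        return [f"not a valid property list: {exc}"]
    if not isinstance(manifest, dict):
        return ["top-level object is not a dictionary"]
    findings = []
    for key, kind in TOP_LEVEL_KEYS.items():
        if not isinstance(manifest.get(key), kind):
            findings.append(f"{key}: missing or not a {kind.__name__}")
    # Checklist: tracking domains are listed if NSPrivacyTracking is true.
    if manifest.get("NSPrivacyTracking") is True and not manifest.get("NSPrivacyTrackingDomains"):
        findings.append("NSPrivacyTracking is true but no tracking domains are listed")
    # Checklist: every required reason API entry carries at least one reason.
    apis = manifest.get("NSPrivacyAccessedAPITypes")
    for entry in apis if isinstance(apis, list) else []:
        entry = entry if isinstance(entry, dict) else {}
        reasons = entry.get("NSPrivacyAccessedAPITypeReasons")
        if not (isinstance(reasons, list) and reasons):
            name = entry.get("NSPrivacyAccessedAPIType", "<unnamed>")
            findings.append(f"{name}: no declared reason")
    return findings

# Constructed sample (not a real app): tracking on with no domains, one empty reasons array.
SAMPLE = plistlib.dumps({
    "NSPrivacyTracking": True, "NSPrivacyTrackingDomains": [],
    "NSPrivacyCollectedDataTypes": [],
    "NSPrivacyAccessedAPITypes": [
        {"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryUserDefaults",
         "NSPrivacyAccessedAPITypeReasons": ["CA92.1"]},
        {"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryDiskSpace",
         "NSPrivacyAccessedAPITypeReasons": []},
    ],
})

if __name__ == "__main__":
    print("\n".join(lint_manifest(SAMPLE)))
```

Run the same check over each bundled SDK's manifest as well as the app's own, since a missing declaration in either one leads to the same rejection.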