Mobile and App Store Privacy
UpdatedWe’re dedicated to safeguarding your users’ privacy while empowering you with the flexibility to handle data as you need to. Apple and Google both require developers to provide information about their privacy practices in the App Store and Google Play Store. Here’s what you need to know about our mobile SDK privacy practices.
Take immediate action before May 1, 2024
Beginning May 1, 2024, Apple’s App store requires SDKs to include a privacy manifest describing the data they collect and use. This includes Customer.io’s SDKs!
To ensure that your app meets Apple’s requirements, you must update the Customer.io SDK to a version that includes the privacy manifest. If you don’t, your app may be rejected from the App Store. Update to the following versions (or later):
- iOS: ≥ 3.1.0 or ≥ 2.13.0
- React Native: ≥ 3.6.0
- Flutter: requires iOS ≥ 2.13.0. Follow our update instructions to update the iOS native package in Flutter.
- Expo: requires React Native ≥ 3.6.0. Install the latest React Native SDK and run
expo prebuild --clean
.
You must add Expo privacy declarations manually
Apple has a known issue parsing PrivacyInfo
files for Expo. You’ll need to copy the reasons included in our iOS library’s node_modules/customerio-reactnative/ios/PrivacyInfo.xcprivacy
file to your app’s PrivacyInfo.xcprivacy file or the configuration in the app.json.
What data does Customer.io SDKs collect?
Our SDKs collect user IDs and product metrics to enable app functionality, analytics, and message personalization.
You can pass other data to our SDKs, but we don’t collect that information automatically. If you pass email addresses, phone numbers, or other personal information to our SDKs, you need to declare that data in your app’s privacy settings or in the respective Google Play and Apple App Store privacy declarations.
Why doesn’t Customer.io declare email as a collected data type?
Our SDKs don’t automatically collect your users’ email addresses. Your application collects email addresses and passes them to our SDKs. If you use email addresses, you you should declare that you collect email addresses in your apps’ privacy settings.
Is the data Customer.io collects linked to users?
It’s common practice to link data with users’ personal identities to enhance engagement through targeted communications. If you, like most of our customers, link data to users, you need to declare that you collect and link data (userId and product metrics) to users when you submit your app to Apple.
Our SDKs’ privacy manifests don’t declare that data is linked to users because there are some use cases where you might not connect the data to a user.
Apple’s App Store and privacy requirements
Apple requires developers to provide information about their privacy practices in the App Store. This includes a privacy manifest that describes the data collected by your app and how it’s used.
Our SDKs (the versions listed above or later) include a privacy manifest declaring the data directly collected by Customer.io. You can see the complete manifest in each individual module in our iOS SDK. But, in summary, Customer.io only directly collects a unique user and links product metrics to your users when you identify them.
You can collect additional information, like email addresses, phone numbers, usernames, etc, and pass it to our SDKs. You’ll need to declare the kinds of data you collect in accordance with Apple’s standards in both your app’s own privacy manifest and when you answer Data privacy questions about your app in the App Store.
Google Play Store and privacy requirements
Google requires privacy disclosures for your app and updates. You’ll answer some questions about data safety in the Google Play Console’s App Privacy tab. Google has an article to help you complete your disclosures.
When you use our SDKs, you’ll need to disclose how you collect and use data with Customer.io. As explained above, we only collect user IDs and product metrics. You’ll need to declare additional data you collect, like email addresses, phone numbers, and so on.