How to Create a Privacy Manifest for Your iOS App or SDK
Table of Contents
- Introduction
- What is a Privacy Manifest?
- Creating a Privacy Manifest in Xcode
- Configuring the Privacy Manifest
- Additional Considerations
- Conclusion

Introduction
As privacy becomes an increasingly important concern for users, Apple is tightening its grip on how apps and third-party SDKs handle sensitive data and APIs. Starting May 1, 2024, Apple will require all iOS, iPadOS, tvOS, visionOS, and watchOS apps and SDKs submitted to the App Store to include a privacy manifest file, describing their use of certain privacy-sensitive APIs and the reasons for accessing them.
This new requirement aims to prevent misuse of these APIs for fingerprinting or tracking users without their consent, even if the user has granted permissions to the app. Failure to comply with this mandate will result in your app or SDK being rejected from the App Store.
In this blog post, we’ll walk you through the process of creating a privacy manifest for your iOS app or third-party SDK, ensuring that you meet Apple’s upcoming requirements.
What is a Privacy Manifest?
A privacy manifest is a property list file (with the extension .xcprivacy) that contains information about your app’s or SDK’s data collection practices and the reasons for using specific privacy-sensitive APIs. This file must be included in your app’s or SDK’s bundle and added to your target’s resources in Xcode.
Creating a Privacy Manifest in Xcode
Follow these steps to create a privacy manifest in Xcode:
- Go to File > New > File.
- Under the Resource section, select “App Privacy File” as the file type.
- Click Next, and ensure that your app’s or SDK’s target is checked in the Targets list.
- Click Create.
By default, the file will be named PrivacyInfo.xcprivacy, which is the required name for bundled privacy manifests.

Configuring the Privacy Manifest
After creating the privacy manifest file, you need to add the following top-level keys to the dictionary:
NSPrivacyTracking
A boolean indicating whether your app or SDK uses data for tracking as defined under the App Tracking Transparency framework.
NSPrivacyTrackingDomains
An array of strings listing the internet domains your app or SDK connects to for tracking purposes.
NSPrivacyCollectedDataTypes
An array of dictionaries describing the data types your app or SDK collects.
NSPrivacyAccessedAPITypes
An array of dictionaries describing the privacy-sensitive API types your app or SDK accesses and the reasons for accessing them.
The NSPrivacyAccessedAPITypes array is where you’ll list the specific API categories and the approved reasons for using them, as outlined by Apple.
For each category of required reason APIs that your app or SDK uses, you’ll need to add a dictionary to the NSPrivacyAccessedAPITypes array. Each dictionary should contain the following keys:
- NSPrivacyAccessedAPIType: A string identifying the category of required reason APIs your app or SDK uses. The value must be one of the approved categories listed by Apple.
- NSPrivacyAccessedAPITypeReasons: An array of strings identifying the approved reasons for using the APIs. The values must be the approved reasons associated with the accessed API type, as listed by Apple.
Apple provides a list of API categories and approved reasons that can be included in the privacy manifest. Your app or SDK can only use these APIs for the stated approved reasons, and these reasons must be consistent with your app’s functionality as presented to users.
Additional Considerations
- If you distribute your third-party SDK as a static library, use the support for static frameworks in Xcode 15 or later to bundle resources, including the privacy manifest file.
- If your app uses a third-party SDK that utilizes privacy-sensitive APIs, the SDK itself must include a privacy manifest describing its API usage.
- Your privacy manifest should accurately reflect your app’s or SDK’s functionality and data usage practices. Providing misleading information or using the APIs for purposes other than the declared reasons may result in your app or SDK being rejected or removed from the App Store.
Conclusion
By following these steps and adhering to Apple’s guidelines, you can ensure that your iOS app or third-party SDK meets the upcoming privacy manifest requirements, providing transparency to users and maintaining a strong commitment to privacy.
Stay tuned for more updates and best practices as we approach the May 1, 2024 deadline.


