SEC 01 Apple App Store (iOS) — 2026 Latest Requirements
1.1 Privacy Labels
- Privacy label information must be filled in accurately in the App Store backend. "Data Linked to User" must be checked strictly, because data such as IDFA and purchase records are linked to the user profile. Data linkage must not be concealed.
- Data collection scope, purpose, and third-party sharing must be accurately described and must be consistent with this privacy policy. Submitting false information will result in app review rejection or removal.
1.2 ATT Mandatory Enforcement (2026 Upgrade Requirements)
- Before `device_id` (IDFA) is read, `requestTrackingAuthorization` must be called so that the system popup requests the user's authorization. The authorization text must clearly state the purpose of the authorization (for example, targeted ad delivery); users must not be misled.
- If the user denies authorization, `allow_tracking = false` must be passed to every third-party SDK. IDFA must not be read or used without authorization, and the ATT framework restrictions must not be circumvented by any other means.
- Adapted to the latest iOS 18 requirements: the ATT authorization popup may be displayed only once. Users must not be repeatedly prompted. After the user refuses, no further authorization requests may be made. Users may only be guided to enable authorization through the device system settings.
- User device identifiers must not be obtained through non-ATT channels, and other device parameters (such as MAC address) must not be used as substitutes for IDFA to circumvent privacy policy requirements.
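The gating logic described in 1.2, as an added Swift example (this is not code from the original page or from any SDK vendor). It reads IDFA only when ATT reports `.authorized`, propagates `allowTracking = false` (the page's `allow_tracking` flag) to every integrated SDK through a hypothetical `TrackingConsentSink` adapter protocol, requests the system popup at most once, and offers the device Settings page as the only recovery path after a denial. It assumes `NSUserTrackingUsageDescription` is set in Info.plist (required for the popup to appear) and uses a hypothetical UserDefaults key `att.prompted`.

```swift
import AppTrackingTransparency
import AdSupport
import UIKit

/// Consent outcome handed to every integrated third-party SDK.
/// `allowTracking` mirrors the `allow_tracking` flag required by the policy text.
struct TrackingConsent {
    let allowTracking: Bool
    /// Nil unless the user explicitly authorized tracking; IDFA is never read otherwise.
    let idfa: String?
}

/// Hypothetical adapter protocol: each SDK wrapper in the app conforms to it, so a
/// denial is propagated uniformly instead of through ad hoc per-SDK calls.
protocol TrackingConsentSink {
    func apply(_ consent: TrackingConsent)
}

@available(iOS 14, *)
final class ATTConsentGate {
    private let sinks: [TrackingConsentSink]
    /// App-side guard (hypothetical key) so the system prompt is requested at most once
    /// per install, in addition to the system's own one-time behaviour.
    private let promptedKey = "att.prompted"

    init(sinks: [TrackingConsentSink]) { self.sinks = sinks }

    /// Builds the consent object from an ATT status. IDFA is read only on `.authorized`;
    /// the all-zero identifier is treated defensively as "no identifier".
    private func consent(for status: ATTrackingManager.AuthorizationStatus) -> TrackingConsent {
        guard status == .authorized else {
            return TrackingConsent(allowTracking: false, idfa: nil)
        }
        let idfa = ASIdentifierManager.shared().advertisingIdentifier.uuidString
        let isZero = idfa == "00000000-0000-0000-0000-000000000000"
        return TrackingConsent(allowTracking: !isZero, idfa: isZero ? nil : idfa)
    }

    /// Hands the same consent object to every SDK adapter.
    private func distribute(_ consent: TrackingConsent) {
        sinks.forEach { $0.apply(consent) }
    }

    /// Call once, after the app's own explanation screen has been shown.
    /// Only `.notDetermined` warrants the system dialog; `.denied`, `.restricted` and
    /// `.authorized` are final and must never trigger a re-prompt.
    func resolveConsent(completion: @escaping (TrackingConsent) -> Void) {
        let current = ATTrackingManager.trackingAuthorizationStatus
        let alreadyPrompted = UserDefaults.standard.bool(forKey: promptedKey)

        guard current == .notDetermined, !alreadyPrompted else {
            let resolved = consent(for: current)
            distribute(resolved)
            completion(resolved)
            return
        }

        UserDefaults.standard.set(true, forKey: promptedKey)
        ATTrackingManager.requestTrackingAuthorization { [weak self] status in
            guard let self = self else { return }
            let resolved = self.consent(for: status)
            // The completion handler may arrive off the main thread; SDK calls and UI
            // updates are serialized onto main.
            DispatchQueue.main.async {
                self.distribute(resolved)
                completion(resolved)
            }
        }
    }

    /// The only permitted recovery path after a denial: send the user to Settings.
    /// Invoke from an explicit user action (e.g. a "Manage tracking" row), never automatically.
    func openSystemSettings() {
        guard let url = URL(string: UIApplication.openSettingsURLString) else { return }
        UIApplication.shared.open(url)
    }
}
```

Each SDK adapter's `apply(_:)` is where the vendor-specific opt-out call goes; because the gate never exposes an IDFA when `allowTracking` is false, an adapter cannot accidentally forward one. Wiring `resolveConsent` to run before any SDK initialization, rather than in parallel with it, is what keeps the IDFA from being read before the user has answered.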
1.3 Other Technical Compliance Requirements
- Hidden functions or illegal code must not be included in the app, and App Store review rules must not be circumvented (for example, through hidden payment entry points or false feature descriptions).
- Per the latest iOS 18 system privacy requirements: access to sensitive data (such as photos and contacts) requires explicit, case-by-case user authorization. Default or forced authorization is prohibited.
- Prices and subscription periods of in-app purchases must be clearly marked. Purchase-inducing traps must not be set up, and users must not be misled into paying.
- If the app contains AI-generated content, it must be clearly marked on the App Store detail page to comply with Apple's AI compliance requirements.
SEC 02 Google Play (Android) — 2026 Latest Requirements
2.1 Data Safety Form
- The data safety form must be filled in accurately in the Google Play backend. It must declare that data in transit is encrypted (HTTPS is mandatory) and that data at rest is encrypted with AES-256.
- Data collection scope, purpose, and third-party sharing must be filled in accurately. Data processing behavior must not be concealed. Submitting false information will result in app review rejection or removal.
2.2 SDK Transparency (2026 Upgrade Requirements)
- Google requires developers to bear full responsibility for the behavior of integrated third-party SDKs. All integrated SDK versions must support the latest Android 14+ Privacy Sandbox. Outdated SDKs (which may contain privacy vulnerabilities) must not be used.
- The complete list of integrated third-party SDKs must be disclosed in the Google Play backend. SDK name, purpose, and data collection scope must be specified clearly to ensure the SDK's data processing is compliant. If an SDK engages in illegal data collection, that SDK must be removed immediately and the issue rectified.
- Adapted to the latest Android 15 requirements: integrated SDKs must not request permissions unrelated to app functionality, must not collect user personal information without authorization, and must not interfere with the normal operation of the device.
- If the app supports the Android 15 Private Space feature, the logic must be adjusted according to the app type. Medical apps must clearly inform users not to install in Private Space to avoid affecting core function operation. Launcher apps must declare related permissions to adapt to Private Space app display requirements.
2.3 Other Technical Compliance Requirements
- Per the latest Android 15 privacy protection measures, the app must support one-time password (OTP) hiding: sensitive content is hidden during screen sharing, and the app's own sensitive fields can be marked manually so that they are protected, safeguarding user privacy and security.
- Malicious code or advertising plug-ins must not be included in the app. Forced ad pushes and inducing users to click ads are prohibited. Ad display must comply with Google Play advertising policies.
- Apps must support 64-bit architecture. 32-bit-only versions are not allowed, ensuring compatibility with the latest Android devices.
- If the app contains subscription services, the subscription management entry must be clearly marked within the app. Users must be able to cancel their subscription at any time, complying with Google Play subscription policies.
SEC 03 2026 Data Residency Compliance
With the rise of global data sovereignty awareness in 2026, more countries and regions have introduced stricter data localization requirements. We must strictly follow the following rules to avoid violations:
- If the app has a significant user base in a specific country / region (specific thresholds subject to local regulations), such as China, India, Saudi Arabia, Brazil, the European Union, or Canada, user data in that jurisdiction must be stored on compliant servers within that country / region and must not be transmitted abroad without authorization.
- Cross-border data transfers must strictly comply with local regulatory requirements, such as the adequacy decisions under GDPR, the security assessment / standard contract requirements under China's Provisions on Promoting and Regulating Cross-border Data Flows, or the cross-border transfer approval requirements under India's DPDP Act. User data must not be transferred abroad without approval.
- In light of the global data sovereignty disputes noted in the 2026 U.S. Trade Report, trade compliance risks arising from cross-border data transfers must be avoided. If the app targets U.S. users, the CLOUD Act requirements must be followed, including cooperation with data access requests from U.S. regulatory authorities (if any).
- Data storage locations must be periodically reviewed to ensure compliance with local regulatory changes. For countries with new data localization requirements in 2026, such as Canada, Japan, Bolivia, or Colombia, data storage strategies must be adjusted in time to avoid violations.
- A data residency compliance ledger must be established to record where user data is stored and how it is transferred. Periodic compliance self-inspections must be carried out, and we must cooperate with inspections by local regulatory authorities.
SEC 04 Interaction Design Recommendations (Supplementary, Improving Compliance)
4.1 Double Confirmation Mechanism
- Before a user makes a large-amount IAP purchase (recommended ≥ USD 50 / EUR 50), an in-app secondary confirmation popup must be added. The purchase amount, product name, and payment method must be stated clearly. The user must manually click "Confirm Purchase" before proceeding to the payment page, to prevent accidental purchases.
- For auto-renewing subscriptions, after the user clicks the "Subscribe" button a confirmation popup must be displayed. The subscription period, price, and renewal rules must be stated clearly, to prevent accidental subscriptions.
4.2 Easy Accessibility of Privacy Policy (Mandatory Requirement)
The privacy policy link must exist in the following three locations simultaneously to ensure users can view it at any time, in compliance with global regulatory requirements:
- App store detail page (App Store / Google Play description page, in a prominent position)
- App launch splash screen (or login page). Users may click the link to view the full privacy policy. The splash screen must provide "Agree" and "Decline" buttons. If the user declines, the app may not be used
- App "Settings" or "About" menu. The link must be placed in a prominent position. Clicking it allows the user to directly view the privacy policy, supporting user access at any time
4.3 Other Interaction Compliance Recommendations
- Permission requests: When requesting user permissions (such as camera, photo album, location), the purpose of the permission must be stated clearly. Default or forced authorization is prohibited. Users may withdraw authorization at any time in the app's settings or in the device system settings.
- Ad interaction: Rewarded video ads must clearly mark "Watch the full ad to receive reward" and provide a "Skip Ad" button (available after 5 seconds of ad playback). Users must not be forced to watch ads.
- Complaint & feedback: Convenient complaint and feedback channels must be set up in the app, including privacy complaints, advertising complaints, and UGC content complaints. The handling time limit must be clearly defined (no more than 7 business days), and users must be informed of the handling result.
- Transparency display: Ad delivery rules, algorithm recommendation logic, and data processing workflows (simplified version) must be displayed prominently in the app, complying with DSA transparency requirements and protecting users' right to know.
- Screen sharing reminder: Adapted to the latest Android 15 requirements. During screen sharing, casting, or recording, an eye-catching reminder label must be displayed in the status bar, reminding the user that they are currently in screen sharing mode. The user may click the label to quickly stop sharing.
SEC 05 Compliance Risk Control & Periodic Review
5.1 Compliance Risk Control Measures
- Establish a compliance review mechanism: Before app development and release, a comprehensive compliance review of app code, privacy policy, service agreement, and interaction design must be performed to ensure compliance with App Store and Google Play policies and with global regional regulatory requirements, and to avoid violations.
- Regularly update compliance knowledge: Special personnel must be assigned to monitor the latest changes in global privacy regulations and app store policies (such as U.S. state privacy laws, EU DSA updates, and Android 15 / iOS 18 system policy changes). App and agreement content must be adjusted in time.
- Third-party partner management: Regularly check the compliance of third-party ad platforms, SDK providers, and payment processors. Sign compliance agreements and clarify data processing responsibilities. If a third party has illegal behavior, cooperation must be terminated immediately.
- User request handling: A handling mechanism for user data-related requests (access, correction, deletion, complaint) must be established to ensure response and processing within the specified time limit. Handling records must be retained for review by users and regulatory authorities.
- Security protection: Strengthen app data security protection. Adopt encrypted storage, transmission encryption, and access control to prevent data leakage, tampering, and loss. Periodic security testing and risk assessment must be carried out.
- Staff training: Regularly conduct compliance training for R&D, operations, customer service, and other related employees, covering privacy regulations, app store policies, and anti-fraud rules. Employee compliance awareness must be improved to avoid violations caused by improper operation.
5.2 Periodic Review Requirements
Due to the continuously changing global legal environment (especially U.S. state privacy laws and EU DSA implementation rules), and continuous updates of app store policies and technical standards, it is recommended to conduct a routine review of this agreement and our compliance posture every 6 months. The specific review content includes:
- Agreement terms: Check whether the agreement terms comply with the latest regulations and app store policies, and whether they need to be supplemented or modified (e.g., adding regional compliance terms, updating anti-fraud penalty rules)
- App compliance: Check whether the app code, SDK version, and interaction design comply with the latest technical compliance requirements (such as Android 15 / iOS 18 adaptation, ATT framework execution)
- Data processing: Check whether the data collection, storage, transmission, and sharing processes are compliant, whether data residency complies with local requirements, and whether third-party data sharing is controllable
- Anti-fraud mechanism: Check whether the advertising and in-app purchase anti-fraud rules are complete, and whether penalty measures need to be updated according to the latest fraud methods
- User requests: Check the handling of user data-related requests, whether there is a situation where response or processing is not timely or improper, and optimize the handling process
COMPLIANCE CONTACT
For compliance questions, regulatory inquiries, or to report a potential violation, contact: compliance@webgridsoftprime.com. For privacy-related requests, contact privacy@webgridsoftprime.com. We respond to all compliance inquiries within 5 business days and acknowledge receipt within 48 hours.