Generate a compliant Mobile App Privacy Policy for Australian iOS and Android apps. Covers the Privacy Act 1988 (Cth), all 13 Australian Privacy Principles, device permissions disclosure, push notifications, in-app purchases, analytics SDKs, children's data protection, App Tracking Transparency (iOS), Google Play Data Safety compliance, and the OAIC complaint process. Tailored for both Apple App Store and Google Play requirements.
What Is a Mobile App Privacy Policy (Australia)?
An Australian Mobile App Privacy Policy is a legally required document that explains how your mobile application collects, uses, stores, discloses, and protects personal information from Australian users, in compliance with the Privacy Act 1988 (Cth), the 13 Australian Privacy Principles (APPs), the Apple App Store Review Guidelines, and the Google Play Developer Program Policies. Unlike a standard website privacy policy, a mobile app privacy policy must address a range of additional issues specific to mobile environments: device permissions (location, camera, microphone, contacts), push notifications, in-app purchases, third-party analytics and tracking SDKs, App Tracking Transparency on iOS, and the Google Play Data Safety section.
The Privacy Act 1988 (Cth) — administered by the Office of the Australian Information Commissioner (OAIC) — imposes legally binding obligations on APP entities through the 13 Australian Privacy Principles. APP 1 requires every APP entity to have a clearly expressed and up-to-date Privacy Policy that is freely available to the public. For mobile apps, this means the Privacy Policy must be accessible within the app and through the app’s listing page in the App Store and Google Play.
Australia’s privacy law is technology-neutral: the same obligations that apply to personal information collected through a website apply equally to personal information collected through a mobile app. However, mobile apps typically collect a broader range of personal information than websites — including precise GPS location, biometric data (Face ID, fingerprints), device health data, and behavioural data — and therefore require more detailed privacy disclosures.
The global regulatory environment is also relevant. If your app is distributed in the European Union, you must also comply with the General Data Protection Regulation (GDPR). If your app is distributed in California, the California Consumer Privacy Act (CCPA) may apply. This Australian Mobile App Privacy Policy template is specifically tailored for compliance with Australian law and app store requirements.
When Do You Need a Mobile App Privacy Policy (Australia)?
A Mobile App Privacy Policy is required whenever you publish a mobile application on the Apple App Store or Google Play that collects any personal information from users — regardless of your company's size, location, or annual turnover. Both Apple and Google enforce this requirement at the point of app review, meaning apps submitted without a Privacy Policy (or with a Privacy Policy that does not match the app's actual data practices) will be rejected.
You need an Australian Mobile App Privacy Policy if: you are an Australian developer publishing an app on the Apple App Store or Google Play, regardless of whether your target audience is Australian or global; your app is published outside Australia but available to Australian users and collects their personal information; your app integrates any third-party SDK that collects user data, including analytics tools (Firebase, Mixpanel, Amplitude), advertising networks (Meta Audience Network, AdMob), crash reporting tools (Crashlytics), or social login providers (Sign in with Apple, Google Sign-In).
The scope of what triggers the need for a privacy policy is broad. Essentially, any app feature that involves one of the following will trigger the need for a comprehensive Mobile App Privacy Policy: creating a user account or profile; collecting contact details (name, email, phone); requesting device permissions (location, camera, microphone, contacts, health data); sending push notifications; displaying personalised advertisements; processing in-app purchases; or using analytics to track user behaviour within the app.
Apps in the Kids Category on the Apple App Store and apps participating in Google Play’s Families Program have additional and more stringent privacy requirements, including restrictions on data collection, advertising, and analytics SDKs. Apps targeting children require enhanced privacy policies that specifically address parental consent and children’s data protections.
What to Include in Your Mobile App Privacy Policy (Australia)
A compliant Australian Mobile App Privacy Policy must address several key elements that go beyond a standard website privacy policy.
Device permissions disclosure is a fundamental requirement. For every device capability your app requests access to — including location (precise and approximate), camera, microphone, contacts, calendar, photo library, health data, Bluetooth, and Face ID — the Privacy Policy must explain what data is accessed, how it is used, and with whom it may be shared. Apple requires a usage description string for each permission in the app’s Info.plist file, which appears in the system permission prompt shown to users. Google Play requires disclosure of all permissions in the app’s Data Safety form.
Third-party SDK disclosure is increasingly scrutinised by both Apple and Google and by regulators including the OAIC. Every analytics, advertising, crash reporting, social login, or attribution SDK integrated into the app may independently collect personal information from users. Your Privacy Policy must disclose all such SDKs, identify the third-party provider, and explain what data each SDK collects and for what purpose. Each SDK provider’s own privacy policy should be referenced.
App Tracking Transparency (ATT) compliance on iOS requires apps that track users across other apps and websites to disclose this practice and obtain explicit user consent through Apple’s standardised permission prompt before accessing the IDFA. Your Privacy Policy must explain what tracking means in the context of your app and how users can opt out.
Google Play Data Safety compliance requires an accurate and complete Data Safety form in the Play Store listing, which must be consistent with your Privacy Policy. The Data Safety section covers data collection, data sharing, security practices, and compliance with the Families Policy for children’s apps.
Account deletion functionality is now required by the Apple App Store for all apps that support account creation. Your Privacy Policy should explain how users can request deletion of their account and associated personal data, and the timeframe within which deletion requests will be actioned.
The APP 8 cross-border disclosure requirements are particularly relevant for mobile apps, which typically use overseas cloud infrastructure (AWS, Google Cloud, Azure), analytics platforms hosted in the United States or Europe, and global payment processors. Your Privacy Policy must disclose the countries where personal information may be sent and the steps taken to ensure overseas recipients comply with the APPs.