Privacy Policy for In-app Payments

Last updated on 19 September 2019
If you have a mobile app with in-app purchase options, you'll need to have a Privacy Policy for your app.

There are two main reasons for this:

  • Privacy laws
  • App store requirements

Financial information is protected by privacy laws around the world, so if your app collects or uses this information, you're legally required to have a Privacy Policy.

When you distribute your app through an app store, you'll have to agree to the store's Terms and Conditions agreement. In this agreement, you'll likely be required to have a Privacy Policy.

You'll also likely have to use the app store's in-app payment functions for all in-app payment processing, billing and purchases that you allow your users to do.

Let's take a look at these requirements and how you can update your Privacy Policy to reflect them.


What is a Privacy Policy?

A Privacy Policy is a legal agreement that lets your users know all of the various types of personal information you collect, store, use, share, sell and disseminate.

Privacy laws in the US and abroad require companies to disclose to users when they're collecting personally identifiable information from them. This is accomplished by providing a publicly-available Privacy Policy.

Why is a Privacy Policy Required for Mobile In-app Purchases?

As mentioned earlier, there are two main reasons for this. First, let's look at the laws that require this.

Privacy Policy Required by Law

Privacy is a global concern, which means a number of countries have laws in place to protect the privacy of their citizens.

In the US, the National Conference of State Legislatures (NCSL) has created a resource guide to privacy laws in all 50 states and the US territories. The guide explains state laws for online privacy policies, including for mobile apps.

In 2013, the state of California was the first state to enact a specific privacy law. The California Online Privacy Protection Act of 2003 (CalOPPA) affects operators of commercial websites and online services around the world that collect personally identifiable information about Californians.

CalOPPA requires websites and mobile apps to conspicuously post a privacy policy and to comply with it.

In the EU, there's the General Data Protection Regulation, or GDPR.

The GDPR extends to all companies collecting personal data from anyone located in the EU, regardless of whether the processing of the information takes place in the EU or not, or whether the company is an EU-based company.

One of its key requirements is an easy-to-read, easily-accessible Privacy Policy that lets users know what personal information you collect or process. Note that there are some specific requirements for what you must disclose in your Privacy Policy, so if users in the EU download your app, make sure you become familiar with the GDPR.

Because in-app purchases require the collection of personal and private data, privacy laws require you to inform your users of what you are collecting by providing a Privacy Policy.

Privacy Policy Required by App Stores

In-app payments are typically processed by app stores and not by individual apps themselves. App stores explicitly require apps that collect personal information from app users to have a Privacy Policy.

Because your mobile app is distributed on an app store and that app allows in-app purchases to be made, your app is essentially allowing the app store to collect personal information through your app. In essence, that's why the app store requires you to have a Privacy Policy.

Here's how Apple's App Store Review Guidelines inform developers that any app that collects user data must have a Privacy Policy:

Apple App Store Review Guidelines: Privacy - Data Collection and Storage clause

Google's guidelines are similar and state that "if your app handles personal or sensitive user data", including "financial and payment information", you must post a Privacy Policy:

Google Developer Policy Center: Privacy, Security and Deception Section - Personal and Sensitive Information clause with requirement for Privacy Policy

Google's Developer Policy includes a Payments section that requires apps with in-app payments to use the Google Play payment system:

Google Play Store Developer Policy: Payments section

As you can see, when your app offers in-app payments, the app store you distribute it on is likely going to:

  • Require you to have a Privacy Policy in place, and
  • Require you to use their in-app payment processing functionality

Examples of In-App Payments Clauses in Privacy Policies

Let's take a look at a few examples of apps that offer different in-app payment features and functionalities, and how this is addressed in the related Privacy Policies.

In-app payments are very common in mobile games, whether you're spending real money on virtual game currency to advance your gameplay, unlocking new levels or unlocking an ad-free version of a game.

Gardenscapes is a popular game from Playrix. While the game itself is free to download and play, it offers a variety of paid features to enhance gameplay:

Gardenscapes mobile app game: Screenshot of purchase option

When a user clicks "Buy Now" the App Store platform will open to confirm the purchase:

Gardenscapes mobile app game: Screenshot of App Store purchase confirmation

Even though the app itself never physically collects payment information like a credit card number from its users, it still should address payment information in its Privacy Policy, which it does.

The Privacy Policy is accessible from the app itself, in the About section:

Gardenscapes mobile app game: About section with Privacy Policy and Terms of Use links

The Privacy Policy discloses that no information is shared with any third parties, except with verified and secure e-commerce payment providers.

The clause goes on to say that the app itself cannot access the credit card information, and that the e-commerce provider handles and secures the personal information:

Playrix mobile Privacy Policy: Personal Information clause

The third party referenced here is the app store.

More information about payments is included in a different clause in the Playrix Privacy Policy, as well.

The Information Collection and Use clause lets users know that credit card or bank information may be collected, but it isn't stored:

Playrix mobile Privacy Policy: Information Collection and Use clause

Spotify offers both a free and paid premium service with its music streaming app:

Spotify mobile app: Premium subscribe page

The Spotify Privacy Policy has a Payment data clause where users are told that credit card, debit card and other financial data may be collected and stored by Spotify and/or the payment processors with which Spotify works.

This clause also mentions that payment processors may provide Spotify with some limited information about users. This information includes unique tokens that enable users to make purchases using the information the payment processor has stored, the credit card type, expiration date and limited digits of the card number.

Spotify mobile Privacy Policy: Payment data clause

Audible's mobile app allows users to purchase and download books. Because Audible is an Amazon company, you can purchase books for the app through both Audible and Amazon.

Audible mobile app: Discover page screenshot

Because Amazon owns Audible, the Amazon Privacy Notice will apply here. When you navigate to the Privacy Notice from within the Audible app, the Amazon Privacy Notice opens from within the app:

Audible mobile app: Amazon Privacy Notice - Does Amazon.com Share the Information It Receives clause

The Privacy Notice lets users know that Amazon/Audible employs companies to perform functions on its behalf, including the processing of credit card payments. These third parties will have access to personal information needed to perform such functions.

This lets users know that a third party will receive credit card information for in-app payments.

The Lyft mobile app lets users pay through the app for rides they receive from Lyft drivers. From within the app, you can see the price for the ride as well as the last 4 digits of the credit card information you have on file for payment:

Lyft mobile app: Set destination page screenshot

This may make it seem like your credit card information must be stored and handled by Lyft. However, when you check out the Lyft Privacy Policy you learn otherwise.

In its Payment Method clause, users are told that when credit cards and payment information are added to a Lyft account, a third party handles that payment and receives the payment information.

Lyft does not have access to full credit card information like the third party does:

Lyft mobile Privacy Policy: Information You Provide to Us clause with Payment Method

While your mobile app may not actually store or collect financial information from users, if you're offering in-app purchases you're allowing a third party to collect and use this information.

That's why you will need a Privacy Policy for your app when you allow in-app payment or purchase options.

Important Points

If your app offers in-app payments:

  • Read the Terms and Conditions and Developer Agreements for the app stores you distribute your app on. It's very likely that they'll require you to:
    • Have a Privacy Policy
    • Use their payment processing system
  • Have a Privacy Policy that discloses to users:
    • That your app collects or may collect financial information for purchases,
    • Whether or not your app/business stores this information when collected,
    • That you share this information with third parties for payment processing