This Technical Compliance Guide combines the latest 2026 policies of the Apple App Store and Google Play with the global regional regulatory requirements of each market. It defines technical execution standards, ensuring full compliance during the development, launch, and operation of all Apps, avoiding risks such as App removal or penalties due to technical violations. This guide is adapted to the latest system version requirements of Android 15 and iOS 18.
1. Apple App Store (iOS) — 2026 Latest Requirements
1.1 Privacy Labels
We must accurately fill in the privacy label information in the App Store backend and strictly check "Data Linked to You" (data linked to the user), because data such as IDFA and purchase records will be linked to the user profile. We must not conceal the data linkage relationship. At the same time, we must accurately fill in the scope, purpose, and third-party sharing of data collection, ensuring consistency with this Privacy Policy. Submitting false information will result in the App being rejected or removed from the App Store.
1.2 ATT Mandatory Enforcement (2026 Upgrade Requirements)
- Before obtaining the device_id (IDFA), we must first call the requestTrackingAuthorization interface to display a pop-up requesting the user's authorisation. The authorisation copy must clearly inform the user of the purpose of the authorisation (e.g. for precise ad targeting) and must not mislead the user.
- If the user refuses authorisation, allow_tracking = false must be passed to all third-party SDKs. We must not obtain or use the IDFA without authorisation, nor circumvent the ATT framework restrictions through other means.
- Adapted to the latest iOS 18 requirements, the ATT authorisation pop-up may be displayed only once. The user must not be harassed with multiple pop-ups. If the user refuses authorisation, no further requests for authorisation may be made. The user can only be guided to enable authorisation through the device system settings.
- We must not obtain user device identifiers through non-ATT channels, nor use other device parameters (such as MAC address) as an IDFA substitute to circumvent the privacy policy requirements.
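The ATT gate described in 1.2, as an added illustration that is not code from this guide or from nixbyteflowcore: the IDFA is read only when the status is authorised, the prompt is requested only while the status is still undetermined, every SDK receives the allow/deny result, and the only re-enable path after a refusal is the system Settings screen. The AdSDK protocol and its configure(allowTracking:idfa:) method are assumptions standing in for whatever third-party SDKs are integrated.

```swift
import AppTrackingTransparency
import AdSupport
import UIKit

/// Assumed facade for an integrated third-party ad SDK (not a real library).
/// Every SDK must receive the ATT outcome before it is initialised.
protocol AdSDK {
    func configure(allowTracking: Bool, idfa: String?)
}

enum TrackingGate {
    /// Reads the IDFA only when ATT status is .authorized; otherwise returns nil.
    /// The system returns an all-zero IDFA when not authorised, so we never read it.
    static func idfaIfAuthorised() -> String? {
        guard ATTrackingManager.trackingAuthorizationStatus == .authorized else { return nil }
        return ASIdentifierManager.shared().advertisingIdentifier.uuidString
    }

    /// Requests ATT only when the status is .notDetermined (first launch, app active).
    /// On any other status the prompt has already been shown once and must not be
    /// requested again; the stored decision is applied directly.
    /// `onResult` is called on the main thread with the final allow/deny decision.
    static func resolveTracking(sdks: [AdSDK], onResult: @escaping (Bool) -> Void) {
        let apply: (ATTrackingManager.AuthorizationStatus) -> Void = { status in
            let allowed = (status == .authorized)
            // On refusal, allow_tracking = false goes to every SDK and no IDFA is passed.
            let idfa = allowed ? idfaIfAuthorised() : nil
            sdks.forEach { $0.configure(allowTracking: allowed, idfa: idfa) }
            DispatchQueue.main.async { onResult(allowed) }
        }
        switch ATTrackingManager.trackingAuthorizationStatus {
        case .notDetermined:
            // Single prompt; its copy comes from NSUserTrackingUsageDescription in Info.plist.
            ATTrackingManager.requestTrackingAuthorization(completionHandler: apply)
        default:
            apply(ATTrackingManager.trackingAuthorizationStatus)
        }
    }

    /// After a refusal, the only compliant way to re-enable tracking is the system Settings.
    static func openSystemSettings() {
        guard let url = URL(string: UIApplication.openSettingsURLString) else { return }
        UIApplication.shared.open(url)
    }
}
```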
1.3 Other Technical Compliance Requirements
- Apps must not contain hidden features or non-compliant code, and must not circumvent the App Store review rules (e.g. hiding payment entry points, false feature descriptions).
- Adapted to the latest iOS 18 privacy requirements, access to sensitive data (e.g. photos, contacts) requires per-use authorisation from the user. Default authorisation or forced authorisation is not permitted.
- In-app purchase items must clearly state the price and subscription period. Inducement-based purchase traps must not be set, and the user must not be misled into paying.
- If the App includes AI-generated content, it must be clearly marked on the App Store detail page, in compliance with Apple's AI compliance requirements.
- Apps distributed in the EU must use the In-App Purchase system for all digital goods and services, and must not direct users to alternative payment methods, in compliance with the Digital Markets Act (DMA).
- All submitted binaries must be built with the latest iOS 18 SDK and must declare the minimum supported iOS version in App Store Connect.
2. Google Play (Android) — 2026 Latest Requirements
2.1 Data Safety Form
We must accurately fill in the Data Safety Form in the Google Play backend, explicitly declaring that the data in transit is protected by encryption (HTTPS protocol must be used) and that the data at rest is protected by AES-256 encryption. We must accurately fill in the scope, purpose, and third-party sharing of data collection, and must not conceal data processing behaviour. Submitting false information will result in the App being rejected or removed.
2.2 SDK Transparency (2026 Upgrade Requirements)
- Google requires developers to bear full responsibility for the behaviour of the third-party SDKs they integrate. We must ensure that all integrated SDK versions support the latest Android 14+ Privacy Sandbox. Outdated SDKs (which may contain privacy or security vulnerabilities) must not be used.
- We must publicly disclose in the Google Play backend a list of all integrated third-party SDKs, clearly stating the SDK name, purpose, and data collection scope, ensuring that the SDK's data processing behaviour is compliant. If an SDK has non-compliant data collection behaviour, the SDK must be removed immediately and the App must be rectified.
- Adapted to the latest Android 15 requirements, the integrated SDK must not request permissions unrelated to the App's functionality, must not collect user personal information without authorisation, and must not interfere with the normal operation of the device.
- If the App supports the Android 15 Private Space feature, the logic must be adjusted based on the App's type. Medical Apps must clearly inform users not to install them in Private Space to avoid affecting the operation of core functions. Launcher Apps must declare the relevant permissions and adapt to the display requirements of Private Space Apps.
2.3 Other Technical Compliance Requirements
- The App must be adapted to the latest Android 15 privacy protection measures, including the OTP (one-time password) hiding feature: during screen sharing, sensitive content is hidden, and sensitive App fields can be manually marked as sensitive to protect user privacy.
- Apps must not contain malicious code or ad plug-ins, must not force push ads, and must not induce users to click ads. Ad display must comply with the Google Play ad policy.
- Apps must support 64-bit architecture, and must not provide only 32-bit versions, ensuring compatibility with the latest Android devices.
- If the App includes subscription services, the subscription management entry must be clearly marked in the App, and users must be able to cancel the subscription at any time, in compliance with the Google Play subscription policy.
- All submitted APKs / AABs must target the latest API level (Android 15, API 35) and must declare all sensitive permissions in the manifest with a clear justification.
3. 2026 Data Residency Compliance
With the rising global awareness of data sovereignty in 2026, more countries and regions have introduced stricter data localisation requirements. We must strictly follow the rules below to avoid violations:
- If the App has a large user base in a specific country / region (e.g. China, India, Saudi Arabia, Brazil, the EU, Canada; the specific threshold is subject to local regulations), the local user data must be stored on compliant servers within that country / region, and must not be transferred abroad without authorisation.
- Cross-border data transfers must strictly follow local regulatory requirements, such as the GDPR adequacy decision of the EU, the security assessment / standard contract requirements of China's "Provisions on Promoting and Regulating the Cross-Border Flow of Data," and the cross-border transfer approval requirements of India's DPDP Act. User data must not be transferred abroad without approval.
- With respect to the global data sovereignty disputes mentioned in the 2026 U.S. Trade Report, attention must be paid to avoiding trade compliance risks triggered by cross-border data transfers. If the App is targeted at U.S. users, it must follow the requirements of the CLOUD Act and cooperate with U.S. regulatory authorities' data access requests (where applicable).
- Data storage locations must be reviewed regularly to ensure compliance with local regulatory changes, such as Canada, Japan, Bolivia, Colombia, and other countries that have introduced new data localisation requirements in 2026. Data storage strategies must be adjusted in a timely manner to avoid violations.
- A data residency compliance ledger must be established to record user data storage locations and transfer situations. Regular compliance self-checks must be carried out, and we must cooperate with inspections by local regulatory authorities.
4. Interaction Design Recommendations (UX Compliance)
4.1 Double Confirmation Mechanism
- Before the user makes a large-value IAP purchase (recommended single amount ≥ USD / EUR 50), an in-app secondary confirmation pop-up must be added, clearly informing the user of the purchase amount, product name, and payment method. The user must manually click "Confirm Purchase" before the App jumps to the payment page, to avoid mistaken operations.
- For auto-renewing subscriptions, after the user clicks the "Subscribe" button, a confirmation pop-up must appear again, clearly informing the user of the subscription period, price, and renewal rules, to avoid mistaken subscription by the user.
4.2 Easy Accessibility of the Privacy Policy (Mandatory Requirement)
The link to the Privacy Policy must exist in all three of the following locations simultaneously, ensuring that users can view it at any time and meeting global compliance requirements:
- App Store detail page (in a prominent position on the App Store / Google Play description page)
- App launch splash screen (or login page). The user can click the link to view the full Privacy Policy. The splash screen must be set with "Agree" and "Refuse" buttons. If the user refuses, the App must not be used.
- In-app "Settings" or "About" menu. The link must be placed in a prominent position, and the user can directly view the Privacy Policy by clicking it, supporting user access at any time.
4.3 Other Interaction Compliance Recommendations
- Permission Requests: When requesting the user to grant permissions (e.g. camera, photo album, location), the purpose of the permission must be clearly stated. Default authorisation or forced authorisation is not permitted. The user can withdraw the authorisation at any time in the App or in the device system settings.
- Ad Interaction: Rewarded video ads must be clearly marked with "Watch the full ad to earn a reward," and a "Skip Ad" button must be provided (the ad can be skipped after 5 seconds of playback). Users must not be forced to watch ads.
- Complaint Feedback: Convenient complaint feedback channels must be set in the App, including privacy complaints, ad complaints, and UGC content complaints. The processing time limit must be clearly stated (no more than 7 working days), and the processing result must be fed back to the user.
- Transparency Display: In a prominent position in the App, ad delivery rules, algorithm recommendation logic, and data processing flow (simplified version) must be displayed, meeting the DSA transparency requirements and ensuring the user's right to know.
- Screen Sharing Indicator: The App must be adapted to the latest Android 15 requirements. During screen sharing, screen casting, or screen recording, a prominent notification tag must be displayed in the status bar to remind the user that the screen is currently being shared. The user can click the tag to quickly stop sharing.
- Ad Frequency Capping: Cap interstitial frequency at one per minute per session, rewarded video at one per three minutes per session, and ensure that banners do not refresh more than once per 30 seconds.
5. Compliance Risk Controls
- Establish a compliance review mechanism: Before App development and launch, conduct a comprehensive compliance review of the App code, Privacy Policy, Service Agreement, and interaction design, ensuring compliance with App Store, Google Play policies, and global regional regulatory requirements, avoiding violations.
- Update compliance knowledge regularly: Designate dedicated personnel to monitor the latest changes in global privacy regulations and app store policies (such as U.S. state privacy laws, EU DSA updates, and Android 15 / iOS 18 system policy changes), and adjust the App and agreement content in a timely manner.
- Third-party partner management: Regularly review the compliance of third-party ad platforms, SDK providers, and payment processors, sign compliance agreements, clarify data processing responsibilities, and immediately terminate cooperation if a third party engages in non-compliant behaviour.
- User request handling: Establish a processing mechanism for user data-related requests (access, rectification, deletion, complaints), ensuring response and handling within the prescribed time limit, retaining processing records, and accepting supervision by users and regulatory authorities.
- Security: Strengthen App data security, adopt encrypted storage, transmission encryption, access control, and other technologies to prevent data leakage, tampering, and loss. Conduct regular data security testing and risk assessments.
- Employee training: Regularly conduct compliance training for R&D, operations, customer service, and other related employees, popularise privacy regulations, app store policies, and anti-fraud rules, enhance employee compliance awareness, and avoid violations caused by improper operation.
- Incident response plan: Maintain a documented incident response plan with a 72-hour breach notification commitment to EU / UK regulators and affected users where required.
6. Periodic Review Requirements
As the global legal environment (especially U.S. state privacy laws and EU DSA implementation rules) is constantly changing, and app store policies and technical standards are constantly being updated, it is recommended to conduct a routine review of this Agreement and the App's compliance every 6 months. The specific review contents include:
- Agreement Clauses: Check whether the agreement clauses comply with the latest regulations and app store policies, and whether new regional compliance clauses need to be added or modified (e.g. new regional compliance clauses, updated anti-fraud penalty rules).
- App Compliance: Check whether the App code, SDK versions, and interaction design comply with the latest technical compliance requirements (e.g. Android 15 / iOS 18 adaptation, ATT framework execution).
- Data Processing: Check whether the data collection, storage, transmission, and sharing processes are compliant, whether the data residency meets local requirements, and whether the third-party data sharing is controllable.
- Anti-Fraud Mechanism: Check whether the ad and IAP anti-fraud rules are sound, and whether the penalty measures need to be updated based on the latest fraud methods.
- User Requests: Check the handling of user data-related requests to see if there is any failure to respond in a timely manner or improper handling, and optimise the handling process.
7. Contact Channels
If you have any questions, feedback, or complaints, please contact us through the following channels:
- General Support: support@nixbyteflowcore.com
- Privacy & Data Protection Officer: privacy@nixbyteflowcore.com
- Compliance & Legal: legal@nixbyteflowcore.com
- EU Statutory Representative: euro-rep@nixbyteflowcore.com
- UK Statutory Representative: uk-rep@nixbyteflowcore.com
- Postal Address: Compliance Team, nixbyteflowcore, Warwick Software Industry Park, United Kingdom
— End of Technical Compliance Guide —
nixbyteflowcore · Version 4.3 · 18 June 2026