Flutter App Store Privacy Checklist: Apple Privacy Manifests and Google Play Data Safety

Full Stack Developer
Last updated on June 22, 2026

Flutter apps are cross-platform, but privacy review is still native. Your pubspec.yaml dependencies can pull in iOS pods, Android libraries, analytics SDKs, crash reporters, payment SDKs, Firebase packages, and permission handlers that affect App Store and Google Play disclosures.

Flutter privacy release checklist for App Store and Google Play

This checklist is written for Flutter teams preparing a real release. It is not legal advice. It is the engineering work you should finish before legal review, store submission, or client handoff.

Start with pubspec.yaml

The first privacy artifact in a Flutter app is the dependency list.

Audit:

  • Firebase packages;
  • analytics packages;
  • crash reporting packages;
  • attribution or ads packages;
  • payment packages;
  • social login packages;
  • location, contacts, camera, microphone, and photo packages;
  • webview and browser packages;
  • storage and file picker packages.

For each package, record:

  • what user data it can access;
  • whether it sends data to a third party;
  • whether it adds native iOS or Android permissions;
  • whether it includes its own privacy documentation;
  • whether the version is current enough for store requirements.

Flutter makes dependency reuse easy. Store privacy review makes dependency ownership unavoidable.

iOS: Privacy Manifests and Required Reason APIs

Apple's privacy manifest system requires teams to understand what the app and included SDKs collect or access. Apple also requires approved reasons for certain API categories when they are used.

For Flutter apps, check:

  • ios/Runner/PrivacyInfo.xcprivacy if your app needs its own manifest;
  • privacy manifests included by third-party SDKs;
  • CocoaPods pulled in by Flutter plugins;
  • required reason APIs used by packages;
  • App Store Connect upload warnings;
  • native permissions in Info.plist.

Do not assume a pure Dart package and a native Flutter plugin have the same privacy impact. Native plugins can bring iOS SDK behavior that never appears in your Dart code.
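One way to turn the manifest checks above into a repeatable step, shown as an added example that is not code from this article or from any SDK. The sample manifest and the expected-category set are constructed; in practice the bytes would come from `ios/Runner/PrivacyInfo.xcprivacy` or a pod's manifest, and the expected set from your own dependency audit.

```python
import plistlib

# Constructed sample manifest for illustration; not taken from a real app or SDK.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><true/>
  <key>NSPrivacyTrackingDomains</key><array/>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>CA92.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array/>
    </dict>
  </array>
</dict></plist>"""

# Hypothetical audit output: required reason API categories the team
# believes the app and its plugins actually use.
SAMPLE_EXPECTED = {"NSPrivacyAccessedAPICategoryUserDefaults",
                   "NSPrivacyAccessedAPICategorySystemBootTime"}

def audit_privacy_manifest(data, expected_categories):
    """Return (finding, subject) tuples for items that need review."""
    manifest = plistlib.loads(data)
    findings = []
    # Tracking is declared but no tracking domains are listed.
    if manifest.get("NSPrivacyTracking") and not manifest.get("NSPrivacyTrackingDomains"):
        findings.append(("tracking-without-domains", "NSPrivacyTrackingDomains"))
    declared = set()
    for entry in manifest.get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType", "<missing>")
        declared.add(category)
        # A category listed without any approved reason code.
        if not entry.get("NSPrivacyAccessedAPITypeReasons"):
            findings.append(("no-reason", category))
    # Categories the audit says are in use but the manifest never declares.
    for category in sorted(set(expected_categories) - declared):
        findings.append(("undeclared", category))
    return findings

if __name__ == "__main__":
    for finding in audit_privacy_manifest(SAMPLE_MANIFEST, SAMPLE_EXPECTED):
        print(finding)
```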

Android: Permissions and Data Safety

Google Play's Data safety section asks developers to explain data collection, sharing, and security practices. For Flutter apps, those answers should match both Dart code and native Android behavior.

Review:

  • android/app/src/main/AndroidManifest.xml;
  • permissions added by dependencies;
  • Firebase or analytics data collection;
  • crash reports and diagnostics;
  • location, media, contacts, and device identifiers;
  • account deletion or data deletion flows;
  • encryption in transit;
  • data shared with service providers.

If your Play Data safety form says the app does not collect a data category, make sure no plugin or SDK collects it in release builds.
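The check described above can be run against the merged manifest of a release build, which includes permissions contributed by plugins and SDKs. The following is an added example, not code from this article: the manifest text and the permission inventory are constructed, and how you obtain the merged manifest from your build output is left as an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed merged manifest for illustration; a real one comes from the
# release build output, after dependency manifests have been merged in.
SAMPLE_MERGED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <application/>
</manifest>"""

# Hypothetical inventory: permission -> the data flow row that justifies it.
SAMPLE_INVENTORY = {
    "android.permission.INTERNET": "Custom backend APIs",
    "android.permission.CAMERA": "Profile photo",
}

def diff_permissions(manifest_xml, inventory):
    """Compare permissions in the merged manifest with the team's inventory."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    documented = set(inventory)
    return {
        # In the build but not explained anywhere: likely added by a dependency.
        "undocumented": sorted(requested - documented),
        # Explained in the inventory but no longer requested by the build.
        "stale": sorted(documented - requested),
    }

if __name__ == "__main__":
    report = diff_permissions(SAMPLE_MERGED_MANIFEST, SAMPLE_INVENTORY)
    for kind, names in report.items():
        for name in names:
            print(f"{kind}: {name}")
```

Failing the release pipeline when `undocumented` is non-empty keeps the Data safety answers tied to what the build actually requests.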

Build a Data Flow Inventory

A useful privacy inventory has one row per data flow:

| Feature | Data | SDK or service | Purpose | Required? |
| --- | --- | --- | --- | --- |
| Sign up | Email, name | Firebase Auth | Account creation | Yes |
| Profile photo | Image | Firebase Storage | User profile | Optional |
| Crash report | Device and diagnostics | Crash reporting SDK | Stability | Yes |
| Push notifications | Push token | FCM | User re-engagement | Optional |

This makes store forms easier because you answer from the implementation, not memory.

Instaflutter Release Context

Instaflutter templates give teams a structured Flutter codebase, but privacy answers still depend on the final app configuration.

Review privacy impact after adding:

  • Firebase modules;
  • social login;
  • push notifications;
  • in-app purchases;
  • maps or location;
  • media upload;
  • analytics;
  • ads;
  • custom backend APIs.

Useful internal docs:

Release Checklist

Before submission:

  • Audit pubspec.yaml dependencies.
  • Audit iOS pods and Android Gradle dependencies.
  • Review iOS Info.plist permissions.
  • Review Android manifest permissions.
  • Confirm privacy manifests for SDKs that require them.
  • Add app-level PrivacyInfo.xcprivacy if needed.
  • Complete App Store privacy labels from the final build.
  • Complete Google Play Data safety from the final build.
  • Verify privacy policy URL.
  • Verify account deletion and data deletion paths.
  • Confirm analytics and crash logs do not include sensitive content.
  • Run release builds before answering store forms.

Common Flutter Mistakes

Avoid:

  • answering privacy forms before plugins are finalized;
  • ignoring transitive native SDKs;
  • leaving unused permissions in native config;
  • assuming debug behavior matches release behavior;
  • collecting raw chat messages or user content in analytics events;
  • copying privacy answers from another app template;
  • treating App Store Connect warnings as launch-day cleanup.

Useful Official References

Final Thoughts

Flutter helps teams ship faster across platforms. It does not make privacy review platform-agnostic.

Treat dependency review, native permissions, privacy manifests, and Play Data safety as release artifacts. If you keep them current throughout development, store submission becomes a predictable checklist instead of a last-minute risk.
