App Privacy Policy

General Guidance

As a reminder, your privacy policy and in-product privacy notifications must be:

  • Linked on your app homepage and prominently displayed in your app interface so that users can easily find this information
  • Kept current, with users notified if you change how your app uses Google user data
  • Hosted on a verified domain you own
  • Clearly linked to your application and/or organization. Do not submit a template, example, or sample privacy policy. 

In addition, your privacy policy must comprehensively disclose how your app accesses, uses, stores, or shares Google user data.

Important! Not meeting these requirements can slow down the verification process. Please make sure your homepage has met the above criteria before including it in your submission.

Examples of Common Issues

Need further guidance on your privacy policy submission? Navigate to the relevant finding for targeted remediation instructions.

Your privacy policy is improperly formatted

Your privacy policy must be: 

  • Available to users in an HTML plain or rich text format
  • In the body of a dedicated privacy policy web page
  • Hosted on a domain that you own

Our systems are unable to process embedded PDFs, documents, or other file formats in web components (for example, iframes).

Update the configuration on your OAuth consent screen with an updated URL to your privacy policy:

  1. Go to the OAuth consent screen page for your project. You can find it by updating the following URL with your project ID: https://console.cloud.google.com/apis/credentials/consent?project=[PROJECT_ID]

  2. Update the required privacy policy URL field with a link to a responsive privacy policy.

  3. Once the URL is updated, click Prepare for verification at the bottom of the last page.

  4. On the Prepare for verification screen, confirm that the information is correct, then click Submit for verification on the final page.

Helpful tip! This is also a great opportunity to make sure your privacy policy and data handling practices meet all other requirements. Doing so will help expedite the remainder of the verification process.

The provided privacy policy URL is unresponsive

Your privacy policy must be easy to access, easy to understand, and relevant to the app you have submitted for verification.

Update the configuration on your OAuth consent screen with an accessible URL to your privacy policy:

  1. Go to the OAuth consent screen page for your project. You can find it by updating the following URL with your project ID: https://console.cloud.google.com/apis/credentials/consent?project=[PROJECT_ID]

  2. Update the required privacy policy URL field with a link to a responsive privacy policy.

  3. Once the URL is updated, click Prepare for verification at the bottom of the last page.

  4. On the Prepare for verification screen, confirm that the information is correct, then click Submit for verification on the final page.

Helpful tip! This is also a great opportunity to make sure your privacy policy and data handling practices meet all other requirements. Doing so will help expedite the remainder of the verification process.

Your privacy policy does not appear to be associated with your application/brand

This issue indicates that your privacy policy is not sufficiently associated with your application/brand. Your privacy policy must be hosted on a domain that meets one of the criteria below. Please proceed with the best option for your project:

Option 1: Host the privacy policy for your app on the same domain as your app homepage

  1. Update where your privacy policy is hosted such that the domain for your privacy policy matches the domain for your app home page

  2. Go to the OAuth consent screen page for your project. You can find it by updating the following URL with your project ID: https://console.cloud.google.com/apis/credentials/consent?project=[PROJECT_ID]

  3. Update the required privacy policy URL field with a link to the updated privacy policy URL.

  4. Once all issues have been remediated, click "Submit for verification" on the final page.

Option 2: Host your privacy policy on a domain verified under your ownership.

  1. Follow these instructions to verify the submitted privacy policy domain belongs to you.

  2. Respond to the email you received to confirm that ownership has been verified.

If you have an alternative privacy policy domain that is registered to you, you can resubmit for verification with the verified domain. 

Option 3: Host the privacy policy for your app on a domain that belongs to your organization or parent organization.

We understand that some applications adhere to the privacy policy belonging to a parent organization. In these situations, it may not be hosted on the same domain as your application homepage. If this is the case, we ask that the submitted privacy policy explicitly mentions one of the following:

  1. The name of the application
  2. The name of the developer
  3. The name of the organization responsible for development 

If the submitted privacy policy meets these criteria:

There is no need to update your OAuth consent screen configuration. Instead, reply to the email you received confirming that the privacy policy belongs to your parent organization.

If the submitted privacy policy is missing this information:

Your privacy policy must meet one of the following criteria. Please proceed with the best option for your application. 

Option 3a: Update the originally submitted privacy policy 

Work with your parent organization to update the privacy policy with the criteria listed above. Once updated, reply to the email you received confirming that the privacy policy belongs to your parent organization, and the language now explicitly names your application, developer, or organization name. 

Option 3b: Submit a new privacy policy

  1. Go to the OAuth consent screen page for your project. You can find it by updating the following URL with your project ID: https://console.cloud.google.com/apis/credentials/consent?project=[PROJECT_ID]

  2. Update the required privacy policy URL field with a link to a policy that meets one of the following criteria:

    1. Hosted on the same domain as your homepage

    2. Hosted on a domain verified under your ownership

    3. A parent organization's policy that explicitly references your application, developer, or organization by name

  3. Once the URL is updated, click Prepare for verification at the bottom of the last page.

  4. On the Prepare for verification screen, confirm that the information is correct, then click Submit for verification on the final page.

Helpful tip! This is also a great opportunity to make sure your privacy policy and data handling practices meet all other requirements. Doing so will help expedite the remainder of the verification process.  

The privacy policy URL you gave us is the same as your homepage URL

Please update the configuration on your OAuth consent screen to include a link to your privacy policy that is different from the link to your homepage. Once the configuration is updated, click “Submit for Verification.”

Your privacy policy does not state what Google user data is collected by your application

Please update your privacy policy to include disclaimers around what Google user data is collected by your application. Examples include: 

  • “The data we collected about you is what you have provided to us, including your name, cell phone number, address, etc”

  • “We may collect, or process on behalf of our customers, the following categories of personal data when you use or interact with our products and services.”

If the URL to your privacy policy changes as a result, please update your consent screen configuration in the Cloud Console. Otherwise, directly respond to the email you received to notify the OAuth Verification team that the updates have been completed. 

Your privacy policy does not state how your application uses Google user data

Please update your privacy policy to include disclaimers around how Google user data is used by your application. Examples include: 

  • "We will use your data to provide you with the services you requested, such as email notification and newsletter, etc."

  • "We will not sell your data to third parties, but we may share it with our partners who help us provide our services."

If the URL to your privacy policy changes as a result, please update your consent screen configuration in the Cloud Console. Otherwise, directly respond to the email you received to notify the OAuth Verification team that the updates have been completed. 

Your privacy policy does not state with whom you share, transfer, or disclose Google user data

Please update your privacy policy to include disclaimers around how you share, transfer, or disclose Google user data. Examples include: 

  • “We do not transfer or disclose your information to third parties for purposes other than the ones provided” 

If the URL to your privacy policy changes as a result, please update your consent screen configuration in the Cloud Console. Otherwise, directly respond to the email you received to notify the OAuth Verification team that the updates have been completed. 

Your privacy policy does not specify any data protection mechanisms for sensitive data

Please update your privacy policy to include information about how you protect Google user data. Examples include: 

  • “Security procedures are in place to protect the confidentiality of your data”

  • “We use encryption to protect your information”

If the URL to your privacy policy changes as a result, please update your consent screen configuration in the Cloud Console. Otherwise, directly respond to the email you received to notify the OAuth Verification team that the updates have been completed. 

Your privacy policy indicates that it sells Google user data to third-parties

Our policy does not allow for the sale of Google user data to third-parties. Please change your data handling process to prohibit the sale of Google user data, and update your privacy policy to reflect these changes.

If the URL to your privacy policy changes as a result, please update your consent screen configuration in the Cloud Console. Otherwise, directly respond to the email you received to notify the OAuth Verification team that the updates have been completed.

Your privacy policy does not include any disclosures about data retention or deletion

Please update your privacy policy to include disclaimers around data retention and deletion to inform users about any actions you take on their behalf. Examples include:

  • “We store your personal information for a period of time that is consistent with our business purposes.”
  • “We will retain your personal information for the length of time needed to fulfill the purposes outlined in this privacy policy unless a longer retention period is required or permitted by law.”
  • “When the data retention period expires for a given type of data, we will delete or destroy it.”
  • “You may request for your data to be deleted by...”

If the URL to your privacy policy changes as a result, please update your consent screen configuration in the Cloud Console with the new URL. Otherwise, directly respond to the email you received to notify the OAuth Verification team that the updates have been completed.

Your privacy policy indicates that it uses Google user data for reasons other than providing or improving your application's functionality

Our policy requires that you limit your use of data to providing or improving user-facing features. All other uses of Google user data are prohibited, including any of the following reasons:

  • Targeted advertising
  • Selling to data brokers
  • Providing to information resellers
  • Determining credit-worthiness
  • Lending purposes
  • User advertisements
  • Personalized advertisements
  • Retargeted advertisements
  • Interest-based advertisements
  • Creating databases
  • Training AI models

Please change your data handling process to prohibit such use of Google user data, and update your privacy policy to reflect these changes. If the URL to your privacy policy changes as a result, please update your consent screen configuration in the Cloud Console. Otherwise, directly respond to the email you received to notify the OAuth Verification team that the updates have been completed.

Your privacy policy indicates that it transfers Google user data to third parties for reasons other than providing or improving your application’s functionality

Our policy does not allow for the transfer of data to third-parties for any of the following reasons: 

  • Targeted advertising

  • Selling to data brokers

  • Providing to information resellers

  • Determining credit-worthiness

  • Lending purposes

  • User advertisements

  • Personalized advertisements

  • Retargeted advertisements

  • Interest-based advertisements

Please change your data handling process to prohibit such use of Google user data, and update your privacy policy to reflect these changes.

If the URL to your privacy policy changes as a result, please update your consent screen configuration in the Cloud Console. Otherwise, directly respond to the email you received to notify the OAuth Verification team that the updates have been completed.
