Privacy and Security Policy

This page describes the Amazon Appstore policy for privacy and security. The examples in this section describe specific app scenarios that violate the Amazon Appstore Content Policies and will be rejected by the Appstore. These lists are not exhaustive, and the examples may change over time as new scenarios arise.

User Data

As detailed in the Amazon Developer Services Agreement, if your app (or any third-party plug-in or service provider your app uses) collects personal data from end users, your app must adhere to the requirements below. Personal data includes personally identifiable information, financial and payment information, authentication information, contacts, phonebook, SMS and call-related data, microphone and camera sensor data, location data, and sensitive device or usage data.

  • Only collect and use the data required to support and improve the features and services your app provides (e.g., the features described on the app's detail page).

  • Display a legally adequate privacy policy within the app and on the app detail page. The privacy policy, together with any in-app disclosures, must comprehensively disclose what personal data your app collects, how it is used, and the types of parties with whom it is shared.

  • Obtain the applicable consent from users to collect, use, or share such data, and only use or share the data in the way end users have consented to.

  • Ensure that your collection and use of that data complies with your privacy policy and all applicable laws, including, if applicable, COPPA (see Child-targeted App (COPPA) Policy) and privacy and data protection laws.

  • If end users would not expect their personal data to be required to support and improve the features and services your app provides, the app's disclosure and consent for such data collection, use and sharing must be more prominent. Your app must disclose what data is collected and how it is used; that disclosure must be part of the normal operation of the app (not behind a menu, policy, or terms of service) and must not be bundled with disclosures unrelated to personal data collection. Your app must present a clear consent dialog and obtain consent through an affirmative user action (e.g., a tap or click; navigating away or letting an auto-expiring message disappear does not count) before it begins collecting such data.

  • Handle personal data securely, e.g., transmitting it over HTTPS.

Prior to submitting an app that collects personal data from end users, you are required to supply a privacy policy that will be displayed to end users on your app's product detail page.

Permissions

Request permissions in your app only when these permissions are required to implement the features and services your app currently provides. Any data about or from end users that you receive through permissions requests must only be used for the purposes disclosed to and permitted by the user, and as permitted by our Policies and applicable law.

On devices that support runtime permissions (Android N and Fire OS 6 devices and above), you must request permissions in context, at the time the app actually requires them, rather than all at once at first launch.
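The two requirements above (an in-flow disclosure with consent by affirmative action, and a runtime permission requested only when the feature is used) fit together in one screen. The Android activity below is an added example written for this page; it is not code from Amazon or from the Appstore SDK, and the package, class, layout and view IDs are hypothetical. It shows a receipt-scanning screen that requests nothing at launch: when the user taps "Scan receipt", it first shows a dialog stating what the camera data is for and where it goes, and only after the user taps "Allow camera" does it ask the OS for the CAMERA permission via the androidx Activity Result API.

```java
// Added example (not from the Amazon Appstore policy page or any Amazon SDK).
// Shows (1) a prominent, in-flow disclosure with consent by an explicit tap and
// (2) a runtime permission requested in context, when the feature is invoked.
// Package, class, layout and view IDs are hypothetical.
package com.example.receipts; // hypothetical package

import android.Manifest;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.widget.Button;
import android.widget.Toast;

import androidx.activity.result.ActivityResultLauncher;
import androidx.activity.result.contract.ActivityResultContracts;
import androidx.appcompat.app.AlertDialog;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.content.ContextCompat;

public class ScanReceiptActivity extends AppCompatActivity {

    // Registered in a field initializer, i.e. before the activity is STARTED,
    // as the Activity Result API requires.
    private final ActivityResultLauncher<String> cameraPermissionLauncher =
            registerForActivityResult(new ActivityResultContracts.RequestPermission(), granted -> {
                if (granted) {
                    startCameraCapture();
                } else {
                    // Denied: the feature stays unavailable; do not loop back into the prompt.
                    Toast.makeText(this, "Camera access is needed to scan receipts.",
                            Toast.LENGTH_LONG).show();
                }
            });

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_scan_receipt); // hypothetical layout

        Button scanButton = findViewById(R.id.scan_button); // hypothetical view ID
        // Nothing is requested at launch; the flow starts only when the user uses the feature.
        scanButton.setOnClickListener(v -> showDisclosureThenRequest());
    }

    // Step 1: in-flow disclosure of what is collected, why, and where it goes.
    // Consent is an explicit tap on the positive button; the dialog never auto-dismisses,
    // and cancelling or pressing back is treated as "no consent".
    private void showDisclosureThenRequest() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED) {
            // Already granted via this same flow on an earlier use.
            startCameraCapture();
            return;
        }
        new AlertDialog.Builder(this)
                .setTitle("Camera access")
                .setMessage("To scan a receipt, this app uses your camera to capture an image of it. "
                        + "The image is sent over HTTPS to our receipt service and is not shared "
                        + "with anyone else.")
                .setPositiveButton("Allow camera", (dialog, which) ->
                        // Step 2: only now, in context, ask the OS for the permission.
                        cameraPermissionLauncher.launch(Manifest.permission.CAMERA))
                .setNegativeButton("Not now", (dialog, which) -> dialog.dismiss())
                .setCancelable(true)
                .show();
    }

    private void startCameraCapture() {
        // Hypothetical: launch the capture UI. Reached only after both the user's
        // consent and the OS grant.
        Toast.makeText(this, "Starting camera...", Toast.LENGTH_SHORT).show();
    }
}
```

The dialog text is the app's own disclosure, so it must match what the privacy policy on the detail page says; if the app later starts using the captured data for something else, the dialog, not just the policy, has to change. For the "transmit over HTTPS" requirement, the network security configuration file (`cleartextTrafficPermitted="false"` in `<base-config>`) makes the platform reject plain-HTTP connections app-wide, which is a simpler guarantee than auditing every client call.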

Deceptive and Malicious Behavior and User Privacy

Your app must not engage in malicious or deceptive behavior and must not violate the privacy of your users:

  • Your app cannot engage in network or device abuse, including throttling a user's network.
  • Your app cannot contain or reference malicious hacking content, such as phishing or Trojans, or contain cracking content, in the app or its metadata. This includes but is not limited to rooting a device, circumventing Amazon's or any developer's digital rights management (DRM) software, and illegal torrents, emulators, and downloaders.
  • Your app cannot claim to contain anti-virus features unless your app actually includes this functionality.
  • Apps representing financial institutions must have adequate user security in place. Banking apps must be submitted by or on behalf of the financial institution represented by the app.
  • Apps cannot misuse customer personally identifiable information or sensitive personal information, such as by transferring users' personal data to third-party ad networks or other third-party service providers without those users' consent.
  • Apps that include or describe malicious tracking or stalking, or that secretly collect data or device usage information, such as surveillance or spyware apps, are prohibited. Apps with tracking and reporting features that are clearly marketed and exclusively designed for family monitoring or enterprise management are permitted, provided that they do not mislead users about such functionality, show users a persistent notification about it and a unique icon that clearly identifies the app, and do not provide the ability to activate or access functionality that violates these policies, such as linking to a non-compliant APK outside the Appstore.

Examples of Privacy and Security Violations

The following are a few examples of apps that violate Amazon's privacy and security policies:

  • An app that collects a user's personal information without applicable consent, uses the information in a way that the user didn't consent to, or sells that information to another party without the user's consent.
  • An app that accesses a user's contacts, but doesn't need contacts to provide the app's services.
  • An app that accesses a user's personal information to support a feature that is not yet available.
  • An app that mimics an app for a particular bank but is not the official app for that bank.

Third-Party Programs

Developers that offer apps on Amazon devices sometimes integrate external programs or services into their apps. For example, apps that include advertising may integrate with third-party ad services. Within 30 days of Amazon’s request, developers must disclose to Amazon which external programs or services are integrated into their apps. For privacy and security reasons, Amazon may request that developers remove such third-party programs or services. In the event Amazon makes such a request, developers must comply within 6 months.


Last updated: Jun 07, 2023