    How to use PrivacyInfo.xcprivacy in React Native

    A 2026 view of a PrivacyInfo.xcprivacy manifest in a React Native iOS target declaring required reason APIs, collected data types, and tracking domains

    The privacy manifest is the file that finally makes Apple's data declarations machine-checkable, and React Native apps need one as much as native ones do. PrivacyInfo.xcprivacy declares the data your app collects, the tracking it does, and the reasons it calls a handful of APIs Apple treats as sensitive. Since early 2025 it is effectively required when your app or an SDK it uses touches those APIs. The wrinkle for React Native is that much of the obligation comes from your dependencies, not your own code. Here is what the file contains and how to add it.

    Short answer

    A privacy manifest is a file named PrivacyInfo.xcprivacy that you add to your iOS app target to declare collected data, tracking, and the reasons your app uses certain "required reason" APIs. Per Apple's privacy manifest documentation, since February 12, 2025 a new app or an update that adds a privacy-impacting SDK must include the manifest from that SDK, and your app must declare approved reasons for required reason APIs like UserDefaults. In a bare React Native or Expo app you create the file in Xcode and add it to the target, or in managed Expo you configure it in app.json. You must also gather the required reasons from your third-party libraries.

    What you should know

    • It is a real file in your target: PrivacyInfo.xcprivacy lives in the iOS app bundle.
    • It declares three things: collected data, tracking, and required reason API usage.
    • Required reason APIs need reasons: UserDefaults, file timestamp, boot time, disk space, keyboard.
    • 2025 enforcement: adding a privacy-impacting SDK requires its manifest.
    • Dependencies drive it: much of the obligation comes from your libraries, not your code.

    What is a privacy manifest, and when is it required?

    It is a property list that tells Apple, in a structured form, how your app handles privacy. The manifest declares the data types your app collects and links them to purposes, whether the app does tracking and which domains it contacts for that, and the approved reasons your code calls APIs that can be misused for fingerprinting. As of February 12, 2025, Apple requires that when a new app includes a privacy-impacting SDK, or an update adds one, that SDK ships its own privacy manifest, and apps must declare reasons for the required reason APIs they use. So the manifest is not optional for most modern apps, because nearly all use at least one SDK or API in scope.

    What the manifest declares

    The file has a few well-defined sections. The table summarizes them.

    | Manifest section | What it declares |
    | --- | --- |
    | NSPrivacyAccessedAPITypes | Required reason APIs you call, each with an approved reason code |
    | NSPrivacyCollectedDataTypes | Data types your app collects and the purposes for each |
    | NSPrivacyTracking | Whether the app uses data for tracking |
    | NSPrivacyTrackingDomains | Domains the app contacts that are used for tracking |

    The required reason APIs are the ones to know, since they trip up otherwise compliant apps: accessing UserDefaults, file timestamps, system boot time, available disk space, and the active keyboard list each need a declared reason. The collected-data and tracking sections must line up with your App Privacy answers in App Store Connect, so the manifest and the nutrition label tell the same story.

    How to add it to a React Native app

    The path depends on whether you use bare React Native or managed Expo. In a bare React Native or bare Expo project, create the file in Xcode with File, New, App Privacy File, name it PrivacyInfo.xcprivacy, add it to your app target, and fill in the API reasons and data types using Xcode's editor. In managed Expo, you do not edit Xcode directly; instead you configure the manifest in app.json under the iOS privacy manifests key, and Expo generates the file at build time. Either way, the core React Native framework contributes reasons for some APIs it uses, but you remain responsible for your app's own usage and for aggregating what your dependencies require.

    What to watch out for

    The first trap is forgetting third-party libraries, since a single dependency that touches UserDefaults or another required reason API adds an obligation; check each library's ios directory in node_modules for its own PrivacyInfo.xcprivacy and fold the required reasons into your manifest. The second is a manifest that disagrees with your App Privacy label, which invites a privacy enforcement issue, so keep the collected-data section aligned with App Store Connect. The third is assuming you call none of the required reason APIs when a dependency does it for you. A pre-submission scan such as PTKD.com (https://ptkd.com) reads the compiled IPA against OWASP MASVS and surfaces the SDKs and API usage in your build, which helps you see what your dependencies actually touch so your manifest covers it. Writing the declarations themselves is work you do in the project.
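
    The aggregation step described above, combined with the app.json route from the managed Expo section, as an added example that is not from the original page or from Expo's tooling: a Node script that collects the required reason entries from every PrivacyInfo.xcprivacy under node_modules and prints them in app.json form. It assumes XML (not binary) plists and that the Expo key is expo.ios.privacyManifests; the sample manifest and its reason code are constructed for illustration.

```javascript
// Added example, not from the original page. Assumes XML plists and Expo's
// expo.ios.privacyManifests key; SAMPLE is a constructed dependency manifest.
const fs = require("fs");
const path = require("path");
const SAMPLE = `<plist version="1.0"><dict><key>NSPrivacyAccessedAPITypes</key><array>
<dict><key>NSPrivacyAccessedAPIType</key><string>NSPrivacyAccessedAPICategoryUserDefaults</string>
<key>NSPrivacyAccessedAPITypeReasons</key><array><string>CA92.1</string></array></dict>
</array></dict></plist>`;

// Recursively collect PrivacyInfo.xcprivacy paths; symlinked directories are not followed.
function findManifests(dir, out = []) {
  if (!fs.existsSync(dir)) return out;
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) findManifests(full, out);
    else if (entry.name === "PrivacyInfo.xcprivacy") out.push(full);
  }
  return out;
}

// Minimal extractor: API entries are flat dicts, so each </dict>-delimited chunk holds at most one.
function parseAccessedApiTypes(xml) {
  const entries = [];
  for (const chunk of xml.split("</dict>")) {
    const type = /<key>NSPrivacyAccessedAPIType<\/key>\s*<string>([^<]+)<\/string>/.exec(chunk);
    if (!type) continue;
    const list = /<key>NSPrivacyAccessedAPITypeReasons<\/key>\s*<array>([\s\S]*?)<\/array>/.exec(chunk);
    const codes = list ? [...list[1].matchAll(/<string>([^<]+)<\/string>/g)].map((m) => m[1].trim()) : [];
    entries.push({ type: type[1].trim(), reasons: codes });
  }
  return entries;
}

// Union reason codes per API category; categories with no reason go to missingReasons.
function mergeManifests(xmlDocs) {
  const byType = new Map();
  for (const { type, reasons } of xmlDocs.flatMap((doc) => parseAccessedApiTypes(doc)))
    byType.set(type, new Set([...(byType.get(type) || []), ...reasons]));
  const merged = [...byType].sort(([a], [b]) => (a < b ? -1 : 1));
  const apiTypes = merged.filter(([, r]) => r.size > 0).map(([type, r]) => ({
    NSPrivacyAccessedAPIType: type, NSPrivacyAccessedAPITypeReasons: [...r].sort() }));
  return { missingReasons: merged.filter(([, r]) => r.size === 0).map(([t]) => t),
    fragment: { expo: { ios: { privacyManifests: { NSPrivacyAccessedAPITypes: apiTypes } } } } };
}

// Usage: node merge-privacy.js <project-root>; with no argument the constructed sample is used.
const root = process.argv[2];
const docs = root ? findManifests(path.join(root, "node_modules")).map((f) => fs.readFileSync(f, "utf8")) : [SAMPLE];
console.log(JSON.stringify(mergeManifests(docs), null, 2));
```

    Treat the output as a checklist to review against each library rather than a file to paste unchanged; categories listed under missingReasons need a reason chosen by hand.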

    What to take away

    • PrivacyInfo.xcprivacy is a file you add to your iOS app target that declares collected data, tracking, and required reason API usage.
    • Since February 12, 2025, adding a privacy-impacting SDK requires its manifest, and required reason APIs like UserDefaults need declared reasons.
    • In bare React Native or Expo you create the file in Xcode; in managed Expo you configure it in app.json and Expo generates it.
    • Aggregate the required reasons from your dependencies, keep the manifest aligned with your App Privacy label, and use a pre-submission scan such as PTKD.com to see what SDKs your build actually uses.

    Frequently asked questions

    What is PrivacyInfo.xcprivacy in React Native?
    It is a privacy manifest file you add to your iOS app target that declares, in a structured property list, the data your app collects, whether it tracks users and which domains it uses for tracking, and the approved reasons it calls required reason APIs. React Native apps need it just like native ones, and the core framework contributes some reasons, but you are responsible for your own usage and for what your dependencies require.

    When is a privacy manifest required?
    Since February 12, 2025, a new app that includes a privacy-impacting SDK, or an update that adds one, must include that SDK's privacy manifest, and apps must declare approved reasons for the required reason APIs they use. Because nearly every modern app uses at least one SDK or required reason API, the manifest is effectively required for most apps rather than optional. Missing or inaccurate declarations can lead to a privacy enforcement issue.

    How do I add a privacy manifest in Expo?
    It depends on whether you use bare or managed Expo. In a bare project you create PrivacyInfo.xcprivacy in Xcode with File, New, App Privacy File, add it to the app target, and fill in the reasons and data types. In managed Expo you do not touch Xcode directly; you configure the manifest in app.json under the iOS privacy manifests key, and Expo generates the file at build time from that configuration.

    What are required reason APIs?
    They are APIs Apple considers capable of fingerprinting, which you must declare an approved reason for using. The current set includes accessing UserDefaults, file timestamps, system boot time, available disk space, and the active keyboard list. Each needs a reason code in the NSPrivacyAccessedAPITypes section of the manifest. The catch is that a dependency may call one of these for you, so you can owe a declaration even if your own code does not call it directly.

    Do I need to handle third-party libraries?
    Yes. Much of the obligation in a React Native app comes from dependencies, since a library that touches a required reason API or collects data adds to what you must declare. Check each library's ios directory in node_modules for its own PrivacyInfo.xcprivacy and fold the required reasons into your app's manifest. A scan of your build helps confirm which SDKs and APIs are actually present so your manifest covers them.
