All posts
App StorePlay Storemobile compliance

Mobile App Store Compliance in 2026: India, US, EU — What’s Changed and What to Do

Dr Ishit Karoli
January 20, 2026
2 min read· 6 sections

Mobile App Store Compliance in 2026: India, US, EU — What’s Changed and What to Do

App store rejections jumped sharply through 2025, especially for non-US developers. Apple’s privacy manifests, Google’s data safety questionnaire, the EU’s DSA requirements, and India’s DPDP Act all landed in roughly the same window. Most rejections we see now are policy issues, not technical ones — and they’re largely preventable.

Apple’s privacy manifest, in plain English

Every third-party SDK now has to declare why it accesses required-reason APIs (file timestamps, system boot time, disk space, etc.). Your app’s privacy manifest aggregates these. If a major SDK in your bundle is missing a manifest, Apple now blocks the upload. The fix is updating SDKs to versions that ship manifests — most major ones (Firebase, Sentry, Branch, OneSignal) shipped manifest-compliant versions through 2024.

Google Play data safety: the questionnaire that bites

Google’s data safety section requires you to declare every type of data your app collects, how it’s used, whether it’s shared, and how the user can request deletion. This is read by reviewers, not just stored. Mismatches between your declared data practices and what the app actually does are the leading rejection reason on Play in 2026.

India DPDP Act: the new normal

India’s Digital Personal Data Protection Act is now enforced. Apps must:

  • Show a clear consent flow for personal data collection (not buried in T&Cs).
  • Provide a way to withdraw consent and request deletion.
  • Identify a Data Protection Officer for apps over a threshold of users.
  • Notify breaches to the Data Protection Board within stipulated timelines.

Most apps targeting India failed at least one of these in early audits. Get this right at submission, not after.

EU Digital Services Act

If you’re distributing in the EU and your app has user-generated content or recommender systems, the DSA brings transparency, illegal-content reporting, and recommender-control obligations. Even mid-sized apps now need basic compliance posture here.

The submission checklist we run

  • Privacy manifest generated and validated (Apple).
  • Data safety form completed and matched against actual app behaviour (Google).
  • Privacy policy and T&Cs reviewed for each target market.
  • Consent flows tested with reviewer-style adversarial paths.
  • Account-deletion flow shipped and easy to find.
  • Region-specific store listing and screenshots reviewed.

How we ship this at Velura Labs

Every Mobile App Development engagement includes the store-submission compliance pass — privacy manifests, data-safety questionnaire, regional consent flows. Read our Flutter vs React Native guide for the stack-side considerations. Talk to us if a recent submission was rejected and you need a clean re-submission.

⌖ How Velura Labs delivers this

Related services.

Service
AI Strategy & Roadmap
See details Service
AI Lead Generation
See details Service
Document Processing
See details

Keep reading.

All posts

Headless Commerce + AI: A 2026 Playbook for Indian D2C Brands

Headless Shopify plus AI personalisation is the highest-leverage replatform we ship for D2C brands. Here is what works and what does not.

The Unit Economics of AI Voice Agents: When Per-Call Pricing Beats Headcount

AI voice agents work financially when the unit economics work. Here is the model we use to decide if your call centre is a candidate.

Now booking Q3 2026

Let's build the
next chapter of your business.

Quick chat on WhatsApp. We'll map your highest-leverage AI bet, show you a reference architecture, and price the first slice.

80+
shipped projects
12
industries
ISO 9001:2015
certified
98.4%
CSAT