Using a Single Sign On (SSO) concept without violating Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage

Hi all

We have recently had an issue with using a single sign on login concept in a submission which was flagged under Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage and we are wondering what the development best practices were in this circumstance.

The reason being was because if the user did not already have an account, we provided a button which then loaded the 3rd parties registration form in a web frame. However the system we are using requires the users address and phone number for various reasons, although our app does not use that data at all - therefore we were told we are breaking the guidelines.

Our app is not collecting, or storing any of this information (or even has visibility to it), and it is all covered in both ours, and the third parties privacy policies, however it seems that we are still violating the clause.

My question to other developers and Apple support - is how is this dealt with in other apps that use larger SSO systems such as iCloud, Google and Facebook?

If you use one of those for login, they require various fields, and personal data, which is then may not be used within apps themselves, however they seem not to violate the same policy, or at least may not have been flagged to do so.

Our system is in context of holiday park bookings and this is an outline of the two processes that may happen:

User already has account

  • User books holiday on holiday parks booking system (The SSO Controller)
  • This process includes the registration process so user will have email and password
  • Before, or during the users holiday they download our app, and use this same username and password to add their booking information to our app

User does not already have an account

  • User books holiday in person, or over the phone
  • They do not have a web account - but want to still download and use our app
  • If they wish to login with their booking they need to then create an account on the booking system (SSO) - which for CRM and payment reasons, requires the users address and phone numbers
  • Our app provides a button to load the registration in a web frame, and once the user is registered can then login to the app

This second circumstance is the issue we are having, and for now have had to remove this to comply. Only people who originally booked their holiday online now being able to login with their booking.

There are potentially other avenues we can explore with the booking system, but before we roadmap more development time for these, I was hoping the community, or Apple themselves could point us towards best practices, or documentation for this, and how others have dealt with it

Using a Single Sign On (SSO) concept without violating Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage
 
 
Q