AboutPatientsPractitionersHealthcare FacilitiesWeva Hub
Get Started
Explore
HomeAbout UsWeva Hub
Weva For
PatientsPractitionersHealthcare Facilities
Get Started

User Data

Updated:
December 30, 2024

You must be transparent in how you handle user data (for example, information collected from or about a user, including device information). That means disclosing the access, collection, use, handling, and sharing of user data from your app, and limiting the use of the data to the policy compliant purposes disclosed. Please be aware that any handling of personal and sensitive user data is also subject to additional requirements in the "Personal and Sensitive User Data" section below. The Weva App Store requirements are in addition to any requirements prescribed by applicable privacy and data protection laws.

If you include third party code (for example, an SDK -Software Development Kit) in your app, you must ensure that the third party code used in your app, and that third party’s practices with respect to user data from your app, are compliant with the Weva App Store Developer Program policies, which include use and disclosure requirements. For example, you must ensure that your SDK providers do not sell personal and sensitive user data from your app. This requirement applies regardless of whether user data is transferred after being sent to a server, or by embedding third-party code in your app.0

Personal and Sensitive User Data

Personal and sensitive user data includes, but isn't limited to, personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS and call-related data, health data, inventory of other apps on the device, microphone, camera, and other sensitive device or usage data. If your app handles personal and sensitive user data, then you must:

  • Limit the access, collection, use and sharing of personal and sensitive user data acquired through the app to app and service functionality and policy-conforming purposes reasonably expected by the user:
    • Apps that extend usage of personal and sensitive user data for serving advertising must comply with the Weva App Store’s Ads policy.
  • You may also transfer data as necessary to service providers or for legal reasons such as to comply with a valid governmental request, applicable law, or as part of a merger or acquisition with legally adequate notice to users.
  • Handle all personal and sensitive user data securely, including transmitting it using modern cryptography (for example, over HTTPS).
  • Not sell personal and sensitive user data.
    • "Sale" means the exchange or transfer of personal and sensitive user data to a third party for monetary consideration.
      • User-initiated transfer of personal and sensitive user data (for example, when the user is using a feature of the app to transfer a file to a third party, or when the user chooses to use a dedicated purpose research study app), is not regarded as sale.

Prominent Disclosure & Consent Requirement

In cases where your app’s access, collection, use, or sharing of personal and sensitive user data may not be within the reasonable expectation of the user of the product or feature in question (for example, if data collection occurs in the background when the user is not engaging with your app), you must meet the following requirements:

Prominent disclosure: You must provide an in-app disclosure of your data access, collection, use, and sharing. The in-app disclosure:

  • Must be within the app itself, not only in the app description or on a website;
  • Must be displayed in the normal usage of the app and not require the user to navigate into a menu or settings;
  • Must describe the data being accessed or collected;
  • Must explain how the data will be used and/or shared;
  • Cannot only be placed in a privacy policy or terms of service; and
  • Cannot be included with other disclosures unrelated to personal and sensitive user data collection.

Consent and runtime permissions: Requests for in-app user consent and runtime permission requests must be immediately preceded by an in-app disclosure that meets the requirement of this policy. The app's request for consent:

  • Must present the consent dialog clearly and unambiguously;
  • Must require affirmative user action (for example, tap to accept, tick a check-box);
  • Must not interpret navigation away from the disclosure (including tapping away or pressing the back or home button) as consent;
  • Must not use auto-dismissing or expiring messages as a means of obtaining user consent; and
  • Must be granted by the user before your app can begin to collect or access the personal and sensitive user data.

Apps that rely on other legal bases to process personal and sensitive user data without consent, such as a legitimate interest under the EU GDPR, must comply with all applicable legal requirements and provide appropriate disclosures to the users, including in-app disclosures as required under this policy.

To meet policy requirements, it’s recommended that you reference the following example format for Prominent Disclosure when it’s required:

  • “[This app] collects/transmits/syncs/stores [type of data] to enable ["feature"], [in what scenario]."
  • Example: “XXY app collects location data to enable fitness tracking even when the app is closed or not in use and is also used to support advertising.”
  • Example: “XXX app collects read and write call log data to enable contact organization even when the app is not in use.”

If your app integrates third party code (for example, an SDK) that is designed to collect personal and sensitive user data by default, you must, within 2 weeks of receipt of a request from the Weva App Store (or, if the Weva App Store’s request provides for a longer time period, within that time period), provide sufficient evidence demonstrating that your app meets the Prominent Disclosure and Consent requirements of this policy, including with regard to the data access, collection, use, or sharing via the third party code.

For more information on the Prominent Disclosure and Consent requirement.

Restrictions for Personal and Sensitive Data Access

In addition to the requirements above, the table below describes requirements for specific activities.

Data Safety Section

All developers must complete a clear and accurate Data safety section for every app detailing collection, use, and sharing of user data. The developer is responsible for the accuracy of the label and keeping this information up-to-date. Where relevant, the section must be consistent with the disclosures made in the app’s privacy policy.

Privacy Policy

All apps must post a privacy policy link in the designated field within the Weva App Store, and a privacy policy link or text within the app itself. The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app accesses, collects, uses, and shares user data, not limited by the data disclosed in the Data safety section. This must include:

  • Developer information and a privacy point of contact or a mechanism to submit inquiries.
  • Disclosing the types of personal and sensitive user data your app accesses, collects, uses, and shares; and any parties with which any personal or sensitive user data is shared.
  • Secure data handling procedures for personal and sensitive user data.
  • The developer’s data retention and deletion policy.
  • Clear labelling as a privacy policy (for example, listed as “privacy policy” in title).

The entity (for example, developer, company) named in the app’s in the Weva App store listing must appear in the privacy policy or the app must be named in the privacy policy. Apps that do not access any personal and sensitive user data must still submit a privacy policy.

Please make sure your privacy policy is available on an active, publicly accessible and non-geofenced URL (no PDFs) and is non-editable.

Account Deletion Requirement

If your app allows users to create an account from within your app, then it must also allow users to request for their account to be deleted. Users must have a readily discoverable option to initiate app account deletion from within your app and outside of your app (for example, by visiting your website). A link to this web resource must be entered in the designated URL form field within the Weva App Store.

When you delete an app account based on a user’s request, you must also delete the user data associated with that app account. Temporary account deactivation or disabling the app account does not qualify as account deletion. If you need to retain certain data for legitimate reasons such as security, fraud prevention, or regulatory compliance, you must clearly inform users about your data retention practices (for example, within your privacy policy).

Weva FAQsPrivacy PolicyTerms & ConditionsDocuments & Policies
Weva Practitioner HubWeva Corporate Hub
Practitioner
Policies
App Developer
Policies
© Weva 2025