App Store & Play Store submission.

• Image bytes never leave the device. Detection runs locally via NudeNet 320n over ONNX Runtime.
• After each scan the SDK POSTs a small telemetry event to antinude.site/api/v1/scan with the API key as a Bearer token. The body contains the verdict, the top detection (class name + score), all retained per-class detections (class name + score, no bbox), inference latency, and the on-device model version.
• The SDK does not access the contact list, location, advertising identifier, photo library outside of bytes you pass in, or any tracking signal.
• You can pass reportToServer: false at construction to suppress telemetry entirely — scans then run fully offline.

Use this list when filling out review questionnaires — every answer below derives from it.

2.1 Privacy “Nutrition” questionnaire

For the data the SDK contributes, answer as follows (selections in App Store Connect → App Privacy):

• Do you or your third-party partners collect data from this app? Yes.
• Data types collected by AntiNude SDK:
  • Diagnostics → Performance Data and Other Diagnostic Data — purpose: App Functionality, Analytics. Not linked to user. Not used for tracking.
  • Usage Data → Product Interaction — purpose: App Functionality, Analytics. Not linked to user. Not used for tracking.
  • Identifiers → none (the SDK does not send a device identifier or IDFA).
  • User Content → none (image bytes never leave the device).
• Tracking: No. The SDK does not link data to third-party data for advertising and does not share with a data broker.

2.2 Privacy Manifest (PrivacyInfo.xcprivacy)

The SDK does not ship its own PrivacyInfo.xcprivacy in v0.3 — you are responsible for covering the SDK’s telemetry endpoint (https://antinude.site/api/v1/scan) in your app’s top-level manifest. Minimum suggested content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- AntiNude SDK itself reads no tracked categories;
       the entries below cover the data your APP sends to AntiNude. -->
  <key>NSPrivacyTracking</key>
  <false/>
  <key>NSPrivacyCollectedDataTypes</key>
  <array>
    <dict>
      <key>NSPrivacyCollectedDataType</key>
      <string>NSPrivacyCollectedDataTypeCrashData</string>
      <key>NSPrivacyCollectedDataTypeLinked</key>
      <false/>
      <key>NSPrivacyCollectedDataTypeTracking</key>
      <false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array>
        <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
      </array>
    </dict>
    <dict>
      <key>NSPrivacyCollectedDataType</key>
      <string>NSPrivacyCollectedDataTypeProductInteraction</string>
      <key>NSPrivacyCollectedDataTypeLinked</key>
      <false/>
      <key>NSPrivacyCollectedDataTypeTracking</key>
      <false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array>
        <string>NSPrivacyCollectedDataTypePurposeAnalytics</string>
        <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
      </array>
    </dict>
  </array>
  <key>NSPrivacyAccessedAPITypes</key>
  <array/>
</dict>
</plist>

2.3 Age rating questionnaire

The presence of NSFW moderation does not require a 17+ rating, but if your app allows user-generated imagery you typically need to answer:

• Unrestricted Web Access: answer per your app — unrelated to the SDK.
• User-generated content: Yes, if applicable. Apple expects you to describe the moderation pipeline; AntiNude is part of that answer.

“User-uploaded images are scanned on-device by the AntiNude SDK before display. Images classified as containing nudity are blocked from the public feed and queued for human review. Our intake flow restricts uploads from contexts that may include minors.”

2.4 Export Compliance

The SDK uses standard cryptography (TLS via the OS, SHA-256 via Apple’s CryptoKit) and qualifies for the mass-market exemption under EAR §740.17(b)(1). Set ITSAppUsesNonExemptEncryption to false in your Info.plist unless your app uses non-exempt crypto elsewhere.

3.1 Data safety form

Declare the AntiNude SDK’s contributions as follows:

• Does your app collect or share any of the required user data types? Yes.
• App activity → App interactions: Collected, not shared. Processed ephemerally? No. Required or optional? Required. Purpose: App functionality, Analytics.
• App info and performance → Diagnostics: Collected, not shared. Purpose: App functionality, Analytics.
• Device or other IDs: Not collected by the SDK (we use a project-scoped API key, not a device identifier).
• Photos and videos: Not collected by the SDK. Image bytes never leave the device.
• Encryption in transit: Yes — TLS 1.2+.
• Users can request data deletion: Yes — via your in-app flow (forward to privacy@antinude.io).

3.2 Sensitive Content / CSAM policy

Play’s Inappropriate Content and Child Endangerment policies require you to describe your moderation pipeline if the app permits user-generated imagery. Suggested wording for the Play Console “Policy declarations” section:

“All user-uploaded imagery is classified on-device by the AntiNude SDK before being displayed to other users. Content classified as containing nudity is blocked and routed to human review. Our intake flow restricts uploads from contexts that may include minors; suspected CSAM is reported to NCMEC as required by law.”

3.3 Target API and 16 KB pages

The Android AAR targets API 34 and is built with 16 KB-page-aligned native libraries (required for Play submissions from November 1, 2025). No additional configuration is required on your side.

You must reference AntiNude as a subprocessor in your own privacy policy. Two ready-to-paste blocks below — adapt to your tone and language.

4.1 Short version (one paragraph)

“We use the AntiNude SDK to detect nudity in images on your device before they are uploaded or displayed. Image bytes do not leave your device. AntiNude receives a small telemetry event (verdict, per-class detection scores, inference latency, and your request IP address) so that the service can be billed and abuse can be detected. See AntiNude’s Privacy Policy for details.”

4.2 Long version (with legal basis)

“Content safety classification. To protect our users and comply with applicable law, we embed the AntiNude SDK (provided by AntiNude) in our application. The SDK performs nudity detection locally on the device. Image bytes are not transmitted to AntiNude. After each scan, the SDK sends a fixed-shape telemetry event to AntiNude that contains the verdict (safe / unsafe), the per-class detection scores produced by the on-device model, inference latency, the on-device model version, and the request IP address. The lawful basis for this processing is our legitimate interest in detecting and preventing abuse and in maintaining the integrity of the service (GDPR art. 6(1)(f)) and, where required, your consent (GDPR art. 6(1)(a)). AntiNude acts as our processor under a Data Processing Addendum and is subject to the restrictions described in its Privacy Policy. You can also configure the SDK with reportToServer: false to suppress telemetry entirely.”

§3 of our Terms of Service prohibits running the SDK on images depicting identifiable minors outside of a legitimate child-safety, parental-control, or law-enforcement context. The SDK itself does not perform age estimation — it identifies adult nudity using NudeNet’s body-part detector. If your product’s user flow may include images of minors (UGC, camera-roll scanning, social features), you are responsible for gating uploads before calling scanImage.

Practical gating options

• Restrict the upload feature to age-verified accounts (KYC at signup or via a third-party verification provider).
• Run a separate, age-aware classifier of your own choosing as a pre-pass — there are several open-source and commercial options. AntiNude does not recommend a specific one.
• For CSAM detection specifically, pair AntiNude with PhotoDNA, Thorn Safer, or an equivalent service. Follow your jurisdictional reporting obligations (e.g. NCMEC in the US).

“What third-party SDKs does your app contain and what do they collect?”

“The AntiNude SDK (antinude.io) detects nudity in images on-device using the NudeNet 320n model via ONNX Runtime. It collects telemetry limited to the verdict, per-class detection scores, inference latency, model version, SDK version, and the request IP. It does not collect device identifiers, location, contacts, advertising IDs, image bytes, or bounding-box coordinates. Open-source components and their licenses are listed at antinude.io/licenses.”

“Where is data processed and stored?”

“Image classification runs on the user’s device. The telemetry event is sent to AntiNude infrastructure in the United States or the European Union depending on the customer’s region selection. See antinude.io/privacy §7 for transfer mechanisms.”

“How can a user request deletion of their data?”

“Users can request deletion through the in-app account screen. Requests are forwarded to privacy@antinude.io and fulfilled within 30 days, per AntiNude’s data-subject-rights process.”

• Privacy Manifest (iOS) committed to repo and signed in TestFlight build.
• Data Safety form (Play) updated and saved as draft before upload.
• Privacy policy on your website references AntiNude as a subprocessor.
• Your own gating in place if the upload flow may include images of minors (see §5) — the SDK itself does not perform age estimation.
• NOTICES.txt from the SDK bundle included in your “Open-source licenses” screen (NudeNet upstream attribution is required).
• Support contact in App Store / Play listing reachable; in-app data-deletion flow tested end-to-end.