If you use User Defaults or collect user data, you need to fill out a manifest. Everything you specify will appear on the application page.

If the framework has a manifest, it doesn't need to be duplicated into your manifest. When you archive a project, all manifests are merged into one.

Press ⌘+N and select App Privacy-file.

Each target has its own Manifest, so be careful to checkmark the right target. If the Manifest is the same for all targets, you can specify several targets at once.

The Manifest is a plist-file with the .xcprivacy extension.

The manifest contains three fields. The first is about tracking — you fill it out when you collect mail or name. The second one for system API, for example, User Defaults. The third one for IDFA.

Let's break down each field in more detail.

The Privacy Nutrition Label Types field describes what data collect about the user. Anything specify in the manifest will be visible in the App Privacy field on the application page:

Collected Data Type — is the type of data collect about the user. For example, contacts or payment information. All types are on the official website, you cannot add your own. Add a line from Data type to the plist-file.

For each data type, create a new Item. The fields below must be specified for each data type:

Linked to User — if you collect data related to the user's identity, put YES.

Used for Tracking — if the data is used for tracking, put YES.

Collection Purposes — here specify the reasons why are collecting the data. For example, analytics, advertising or authentication. Choose from the available list of reasons, you can't list your own.

There is Privacy Accessed API Types field for APIs. You recive email with error descriptions exactly about this field. Here we specify which API we are using and reason for it.

These are the system APIs that need to be specified in the Manifest:

• developer.apple.com

  File Timestamp

  Get the time when the file was created or modified

• developer.apple.com

  System Boot Time

  Information about application startup and OS runtime

• developer.apple.com

  Disk Space

  Available storage space on the device

• developer.apple.com

  Active Keyboard

  Access to the list of active keypads

• developer.apple.com

  User Defaults

  If used User Defaults

For each API by link you get a list of availalbe reasons. You can't specify your own reasons.

If you are using IDFA, add the Privacy Tracking Enabled field and set YES. Add the Privacy Tracking Domains field as well, here you need to specify all domains that work in IDFA.

To get which domains are used for IDFA, open the Product → Profile profiler. Now select Network in the window:

In the upper left corner, click Start Recording. Select the Points of Interest tab, this will list all the domains. The Start Message column shows the domain and indicates that it has not been added to the Manifest.

The profile sometimes fails. If Points of Interest doesn't show anything or disappears altogether, here's the second way. Select your application tab, and can see all domains in the sessions.

Now you will have to check each domain to see if it participates in IDFA. You will have to do it yourself.

If the framework developer has not added a Manifest, you must fill in the Manifest themselves.

If there is a Manifest in the framework, and it is complete, there is no need to duplicate to your manifest. All Manifests are merged into one when we collect the archive.

If there are errors in the Manifest, the developer will have to complete the Manifest himself within the project. For example, Firebase Crashlytics uses the domain firebase-settings.crashlytics.com. They didn't specify this in their manifest:

We found it with the help of a profiler. In this case add the domain to your Manifest, this will override the problem field in the Firebase Manifest.

Framework Manifests make mistakes — be sure to double-check.

Only errors about the system API will come to the mail:

To quickly find the keys, type NS in the search. These are the ones that are missing from your Manifest. Even if you don't use this API, it can be used by frameworks that you have added to your project.

Here are the NS keys, and links to the key and the reason on Apple's website:

1. NSPrivacyAccessedAPICategoryFileTimestamp
2. NSPrivacyAccessedAPICategorySystemBootTime
3. NSPrivacyAccessedAPICategoryDiskSpace
4. NSPrivacyAccessedAPICategoryActiveKeyboards
5. NSPrivacyAccessedAPICategoryUserDefaults

Collect the archive Product -> Archive. Right-click on the archive, select Generate Privacy Report.

In the export PDF-file. All manifests merged into the final one:

All fields with .app extension are from your Manifest. Other fields are third-party frameworks in your project.