Data & Privacy
This page answers the privacy, security, and operational questions most teams ask when evaluating the Zeta iOS SDK for production use.
This page is for developers and compliance teams evaluating or auditing the SDK's data practices before shipping to production.
On this page
- Privacy manifest (
PrivacyInfo.xcprivacy) - App Tracking Transparency (ATT)
- Data subject rights (GDPR / CCPA)
- Offline behavior and event queueing
- Error handling surface
- Secrets handling
- Privacy references
Privacy manifest (PrivacyInfo.xcprivacy)
PrivacyInfo.xcprivacy)Apple requires third-party SDKs to ship a PrivacyInfo.xcprivacy manifest. The Zeta iOS SDK ships one. The manifest declares which required-reason APIs the SDK uses, what categories of data it collects, and which tracking domains it contacts.
| Module | Ships manifest? | Required-reason APIs | Tracking domains |
|---|---|---|---|
ZetaCore | Yes | NSPrivacyAccessedAPICategoryUserDefaults — reasons CA92.1, 1C8F.1 | None (NSPrivacyTrackingDomains empty; NSPrivacyTracking = false) |
ZetaNotificationService | Yes | NSPrivacyAccessedAPICategoryUserDefaults — reason 1C8F.1 | None (NSPrivacyTrackingDomains empty; NSPrivacyTracking = false) |
Reason-code reference (from Apple's required-reason API docs for UserDefaults):
- 1C8F.1 — read/write information that is only accessible to the app itself.
- CA92.1 — read/write information accessible to the same app group (used by ZetaCore for host-app ↔ notification-service-extension sharing).
Collected data categories. Declared in the manifests today (all entries are Linked = true, Tracking = false; purposes are Analytics, AppFunctionality, ProductPersonalization):
ZetaCore
| Data type (Apple key) | Used for Tracking | Linked to User |
|---|---|---|
| NSPrivacyCollectedDataTypeProductInteraction | No | Yes |
| NSPrivacyCollectedDataTypeDeviceID | No | Yes |
| NSPrivacyCollectedDataTypeUserID | No | Yes |
ZetaNotificationService
| Data type (Apple key) | Used for Tracking | Linked to User |
|---|---|---|
| NSPrivacyCollectedDataTypeProductInteraction | No | Yes |
App Tracking Transparency (ATT)
- The SDK does not prompt the user for ATT. Prompting the user for the ATT permission is your app's responsibility.
- The SDK accepts IDFA and IDFV values via
updateIDFA(_:)andupdateIDFV(_:)onZTUserManagable. - Expected behavior when ATT is denied or not determined: App is responsible to pass IDFA only if ATT permission is accepted.
See Contact Management / Passing IDFA, IDFV, and push tokens.
Data subject rights (GDPR / CCPA)
The SDK exposes opt-in / opt-out as the primary mechanism for stopping data collection. See Getting Started / Tracking opt-in and opt-out.
- Calling
ZetaClient.shared.optOutFromTracking()or initializing withoptIn: falseimmediately stops the SDK from sending any further data to the backend and clears any locally cached data. - Calling
ZetaClient.shared.user?.clear()clears the identity session on device.
For server-side profile deletion or data export requests, contact your Zeta account team.
Offline behavior and event queueing
The iOS SDK queues events locally when the device is offline and delivers them to ZMP when connectivity returns.
- Queue cap: There is no explicit cap on queued events.
- Event removal: An event is removed from the queue when sync succeeds, when the server returns a non-retryable error (4xx other than 401), or when the event expires.
- Retry behavior: There is no in-flight retry per request. Retries happen at the batch level, triggered by the same schedule that drives normal sync.
Error handling surface
| Feature | API style | Error surface |
|---|---|---|
| App Inbox | async throws (Swift) / completion-handler with NSError (Obj-C) | Errors are surfaced to the caller; wrap in do / catch. |
| User, Event, Push, In-App | Non-throwing | The SDK logs failures via ZTLogger. Call ZTLogger.setLogLevel(.error) (default in debug) or lower to surface them. |
Secrets handling
clientSecret is passed into ZTConfig at initialization time or set later via ZetaClient.shared.setClientSecret(_:). Store it securely — load it from Keychain, remote configuration, or build-time injection. Do not hardcode it in your source code or commit it to version control.
See the security callout in Overview / Quickstart.
Privacy references
- iOS Privacy Nutrition Label — Apple privacy label guidance for ZMP.
- iOS Data Collection — what the Zeta iOS SDK collects.
See also
- Getting Started / Tracking opt-in and opt-out
- Versioning & Support
- GDPR/CCPA Overview — regulatory compliance from a business perspective.
- Platform support -- feature availability by platform and SDK version.