Do I need to disclose Apple ResearchKit in my privacy policy?

Yes. Any app or service using Apple ResearchKit to collect health data for research purposes must disclose this in your privacy policy, as it involves collection of special category health data. This is required under GDPR Article 9, CCPA health provisions, and HIPAA if applicable. You must explain the research purpose, data uses, participant rights, and any institutional review board (IRB) oversight.

What specific data does Apple ResearchKit collect?

Apple ResearchKit collects survey and questionnaire responses, active task performance metrics (such as memory or fitness tests), motion and sensor data from the device (accelerometer, gyroscope), digitally signed consent forms, and optionally integrates with HealthKit to access existing health records like heart rate or medication data. The specific datasets depend on the individual research study design.

Does Apple ResearchKit require a cookie consent banner?

No. Apple ResearchKit does not use cookies, so a cookie consent banner is not required for this technology. However, you must still provide clear informed consent for the health data collection itself, typically through in-app consent flows and privacy disclosures specific to the research study.

Who processes ResearchKit data and where is it stored?

Apple ResearchKit is self-hosted, meaning data is not transferred to third-party processors by the framework itself. However, the app developer or research institution controls where data is stored and processed. You must disclose your specific data storage location, security measures, and whether data may be transferred internationally, as this affects GDPR and CCPA compliance.

Health & Fitness

Privacy policy clauses for Apple ResearchKit

Apple ResearchKit is a framework that enables developers to create medical research and clinical study applications on iOS devices. It collects health data, survey responses, and device sensor information from study participants to support medical research, typically requiring informed consent and institutional oversight.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Apple ResearchKit collects

Your privacy policy must disclose each of the following data types when you use Apple ResearchKit.

Survey and questionnaire responses

Active task performance data

Motion and sensor data from device

Consent form signatures

Health records (when paired with HealthKit)

When does Apple ResearchKit trigger privacy obligations?

Installation and First Data Collection

Apple ResearchKit triggers privacy obligations the moment you integrate the framework and begin collecting survey responses, active task data, or sensor readings—even in a pilot or beta study. ResearchKit does not require third-party processors, but this does *not* exempt you from compliance.

Regulated Data Category

Common compliance pitfalls

Pitfall 1: Forgetting to Disclose Active Task and Sensor Data

ResearchKit's active tasks (gait, memory tests, voice) and sensor integrations generate behavioral and biometric data *beyond* survey responses. Developers often mention "surveys" in privacy policies but omit motion data, microphone access, or camera usage.

Why it happens: ResearchKit abstracts these data streams; they are not explicitly instantiated in app code the way HealthKit calls are. Developers assume users understand "research data" generically.

Consequence: GDPR non-compliance (incomplete Article 13 disclosures), CCPA/CPRA violations (failure to list "motion sensor" or "voice" as collected data), and loss of informed consent—invalidating the study legally and ethically.

Pitfall 2: Storing ResearchKit Data Without Encryption or Access Controls

Many indie founders self-host ResearchKit data (which is permitted) but do not implement TLS in transit or AES-256 encryption at rest, nor do they audit database access.

Why it happens: ResearchKit does not enforce storage; the burden falls entirely on the app operator. Developers prioritize feature velocity and assume a small user base means low risk.

Consequence: HIPAA breach (45 CFR § 164.404 requires breach notification and OCR investigation), GDPR Article 32 violation (inadequate security measures), state health privacy fines (e.g., Massachusetts 201 CMR 17.00 requires encryption), and potential civil liability if user data is compromised.

Pitfall 3: Missing or Vague Data Retention and Deletion Policies

ResearchKit apps often do not specify how long survey responses, consent signatures, and sensor data will be retained, or whether users can request deletion.

Why it happens: Research studies traditionally keep data indefinitely for secondary analysis. GDPR and CPRA introduce rights (Article 17, CPRA § 1798.105) that conflict with this practice.

Consequence: GDPR "right to erasure" violations, CPRA violation of the "right to delete," IRB protocol violations if retention terms change post-launch, and regulatory investigations (DPAs will flag absence of deletion policies as a red flag).

Privacy policy clauses for Apple ResearchKit

What data Apple ResearchKit collects

When does Apple ResearchKit trigger privacy obligations?

Installation and First Data Collection

Regulated Data Category

IRB and Informed Consent

First Concrete Step

Common compliance pitfalls

Pitfall 1: Forgetting to Disclose Active Task and Sensor Data

Pitfall 2: Storing ResearchKit Data Without Encryption or Access Controls

Pitfall 3: Missing or Vague Data Retention and Deletion Policies

Legal note

Sample privacy policy clause

What regulators look for

DPA Audit Priorities for ResearchKit

Relevant Enforcement Precedent

Frequently asked questions

Do I need to disclose Apple ResearchKit in my privacy policy?

What specific data does Apple ResearchKit collect?

Does Apple ResearchKit require a cookie consent banner?

Who processes ResearchKit data and where is it stored?

Don't ship without Bandit.