Must React Native Contacts be disclosed in a privacy policy?

Yes. React Native Contacts accesses sensitive personally identifiable information (contact names, phone numbers, and email addresses), which qualifies as PII under GDPR and CCPA. Any app using React Native Contacts must explicitly disclose this access in its privacy policy and obtain prior informed consent from users before the library requests permission to read contacts.

What specific data does React Native Contacts collect?

React Native Contacts collects contact names, phone numbers, and email addresses from the user's device contact list. The library does not collect location data, browsing history, or other device identifiers. Collection occurs only when a user explicitly grants permission and interacts with a feature requesting contact access.

Does React Native Contacts require a cookie consent banner?

No. React Native Contacts does not use cookies or web-based tracking technologies. However, since it accesses sensitive PII, you must still obtain explicit user consent through your app's native permission request system before the library can read contacts. This is handled at the operating system level, not through cookie consent tools.

Who processes data collected by React Native Contacts and where is it transferred?

React Native Contacts is a self-hosted, open-source library with no third-party data processors. Data remains on the user's device and is not automatically transferred to external servers. Any data sharing occurs only if your app's backend explicitly sends contact information—the responsibility for that transfer and compliance lies entirely with your application.

Social & Communication

Privacy policy clauses for React Native Contacts

React Native Contacts is a JavaScript library that enables mobile applications built with React Native to access a device's native contact list. Developers integrate it to allow users to select or import contacts directly within their apps, streamlining communication and social features without manual data entry.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data React Native Contacts collects

Your privacy policy must disclose each of the following data types when you use React Native Contacts.

Contact names

Phone numbers

Email addresses

When does React Native Contacts trigger privacy obligations?

Installation and First Run

React Native Contacts triggers privacy obligations the moment it is integrated into your mobile application and requests permission to access the device's contact list. Unlike web SDKs that load silently, React Native Contacts requires explicit user-facing permission prompts on both iOS and Android—this is your compliance trigger point.

Data Flow and Applicability

The library accesses three categories of sensitive personally identifiable information (PII): contact names, phone numbers, and email addresses. These are not anonymized or aggregated; they are raw personal data stored on the user's device. Under GDPR Article 4(1), this constitutes personal data. Under CCPA Section 1798.100, phone numbers and email addresses are explicitly listed as personal information requiring disclosure.

GDPR applies if: You operate in the EU, have EU users, or your app is distributed via the EU App Store. Contact data is processed when React Native Contacts reads the device's contact list—this is a processing activity under GDPR Article 4(2).

Common compliance pitfalls

Pitfall 1: Confusing OS Permission Prompts with Legal Consent

The mistake: Developers assume the native iOS/Android permission dialog ("Allow [App] to access your contacts?") satisfies GDPR Article 7 consent or CCPA opt-in requirements.

Why it happens with React Native Contacts: The OS-level prompt is granular and user-facing, creating a false sense of compliance. However, these prompts do not disclose *why* contact data is being collected, *how long* it is retained, *who* has access to it, or *what rights* users have. GDPR Article 13 and CCPA Section 1798.100 require this information *before* collection.

Consequence: Regulators (particularly EU DPAs) treat OS prompts as technical controls, not legal consent. Enforcement actions against apps using React Native Contacts have resulted in fines for "unclear consent mechanisms." Users can claim they were not properly informed. Your app may be delisted from app stores for inadequate privacy disclosures.

Pitfall 2: No Data Retention or Deletion Policy

The mistake: Developers integrate React Native Contacts, read contacts into the app database, and retain them indefinitely without a documented retention schedule or user deletion mechanism.

Why it happens with React Native Contacts: The library fetches data once; the burden of *managing* that data after collection falls on your app. Many teams forget this boundary and treat contact data as a free resource to query repeatedly.

Consequence: GDPR Article 5(1)(e) (storage limitation) and CCPA Section 1798.105 (deletion rights) are violated. Users cannot exercise their right to erasure. DPAs flag indefinite retention as a breach; CCPA enforcement can result in statutory damages of $100–$750 per user.

Pitfall 3: Missing or Outdated Data Processing Agreements (DPA)

The mistake: If you process contacts on behalf of another entity (e.g., a B2B contact management platform), you fail to sign a Data Processing Agreement (DPA) as required by GDPR Article 28.

Why it happens with React Native Contacts: React Native Contacts is self-hosted, so developers may believe no third-party processor is involved and skip DPA documentation. However, if your backend infrastructure (cloud hosting, analytics, logging) processes contact data, a DPA is required between you and that processor. Updating your privacy policy is not a substitute.

Consequence: GDPR Article 28 violations carry fines up to €10 million or 2% of global annual turnover. A DPA audit will immediately flag the absence of written processor agreements.

Privacy policy clauses for React Native Contacts

What data React Native Contacts collects

When does React Native Contacts trigger privacy obligations?

Installation and First Run

Data Flow and Applicability

First Concrete Step

Common compliance pitfalls

Pitfall 1: Confusing OS Permission Prompts with Legal Consent

Pitfall 2: No Data Retention or Deletion Policy

Pitfall 3: Missing or Outdated Data Processing Agreements (DPA)

Legal note

Sample privacy policy clause

What regulators look for

Primary Audit Focus: Consent and Transparency

CCPA-Specific Priority

First Flag in an Audit

Frequently asked questions

Must React Native Contacts be disclosed in a privacy policy?

What specific data does React Native Contacts collect?

Does React Native Contacts require a cookie consent banner?

Who processes data collected by React Native Contacts and where is it transferred?

Don't ship without Bandit.