Hi!
After over a year published in the App Store and with all 5-star ratings, my free, ad-free and open source app has been rejected this week during a routine bugfix update (literally a 1-line change in the code).
The reviewer claims my app breaks this rule:
(ix) Apps that provide services in highly regulated fields (such as banking and financial services, healthcare, gambling, legal cannabis use, and air travel) or that require sensitive user information should be submitted by a legal entity that provides the services, and not by an individual developer. Apps that facilitate the legal sale of cannabis must be geo-restricted to the corresponding legal jurisdiction.
All my app does is use an open, public and free API offered by an investment firm in my country that allows their customers to access their account data programatically. This allows them to integrate things like their account balance or history in spreadsheets, websites, widgets, etc. For instance, people are already using Scriptable to create homescreen widgets that show their live balance in the homescreen.
You just log in to the official firm's website, generate a personal token, and then input that token in whichever app/spreadsheet you want in order to make the corresponding HTTP requests.
Now, my app does NOT collect any data whatsoever. When you open it, the app fetches your account data from these GET (read-only) endpoints and shows it to you with a nice presentation, including pleasant interactive charts that users really like. But the data only lives in memory, and as soon as you exit the app, it's all gone. No account creation, no data collection, no data storage, nothing. Zero. It's like sending a Postman request, but having the response plotted in nice charts for you. That's all.
The ONLY thing that can (optionally) be stored locally in your device is your access token, so you don't have to copy and paste it every time you open the app. And it is securely encrypted in your iPhone and protected biometrically. That's it.
The reviewer claims that, because my app presents sensitive financial information to the user, it must be published directly through the official company account of the investment firm, not by me.
But isn't that what hundreds of popular banking/brokerage aggregators do? They just use read-only, open APIs to consolidate all your positions across banks/broker accounts, then present it to you in a single place. I understand these apps are not breaking any rules, right? So how is my app different? Am I missing something?
To add to this, the investment firm is well aware of the existence of my app, and they not only approve of it, but are highly supportive and have encouraged me to continue improving it, as it shows the kind of things that are possible with their API. They've repeatedly helped me solve technical doubts whenever I've had any issues. So this is really a win-win for everyone and there's zero conflicts here.
Do you think the reviewer is right? Or is he misinterpreting the policy?
My impression is that the policy is aimed at apps that COLLECT sensitive data, not those who just PRESENT it to the user. But even though I've tried to explain this to him, he won't budge.
What options do I have?
Just to be clear, my app doesn't offer "financial services" of any kind on top of this. It simply shows you the same information you can see in the raw JSON that the API returns, or in the official app/website, but in a nicer format. It's clean, aseptic, unadulterated data, without any commercial business behind it. No offering or soliciting of any other products, just a pure and clean presentation of the data.
Any advice would be greatly appreciated, as I'd like to get a second opinion before sending a FOURTH reply to the reviewer. I'd hate having to make my app an Android exclusive because of a simple policy misinterpretation :(