We got rejected three times before BauGPT Mobile went live.
Not for bad UX. Not for crashes. For policy violations we didn't even know existed.
Here's what we learned — so you don't waste 6 weeks finding it out the hard way.
Rejection #1: Guideline 3.1.1 (In-App Purchase)
Our first build was almost exactly what we wanted. Clean UI, fast AI responses, solid onboarding. Apple reviewed it in 48 hours and rejected it.
The reason: "Your app allows users to access premium features via a subscription that isn't purchased through Apple's in-app purchase system."
We had a Stripe subscription flow. The user paid on our website, got a subscription token, and logged in on mobile with full access. Completely normal for B2B SaaS.
Not according to Apple.
Guideline 3.1.1 says: if users can unlock features inside your app, Apple wants its 30% cut. There are exceptions, but they're narrow. "Reader apps" (Netflix, Spotify) can link to their website to subscribe. B2B "multi-platform services" have a carve-out if the app doesn't let you sign up at all.
We thought we qualified for the B2B exception. Apple disagreed.
What we did: Removed the "Subscribe" CTA from the mobile app entirely. Users who want a subscription get directed to baugpt.com to sign up. The app itself only accepts login credentials. It can't initiate a purchase of any kind.
Took 3 days to implement. Got through on re-review.
Rejection #2: Guideline 5.1.1 (Data Collection & Privacy)
This one was sneaky.
The privacy guidelines require your app to only collect data "necessary for the app to function." Our app collected device model, OS version, and app version for our analytics. Standard stuff.
Apple's reviewer flagged our privacy manifest. We had declared the data under the "App Analytics" purpose, but our backend was also using it to debug crashes. Apple wanted a more specific declaration.
The real issue wasn't what we collected — it was what we said about it. Our privacy policy and manifest were slightly out of sync.
Fix: Updated both the privacy manifest (PrivacyInfo.xcprivacy) and our privacy policy to match exactly. Listed every API we call that touches device data. Added specific purpose strings for each data type.
Not exciting work. But Apple is serious about this now. Reviewers have been checking manifests carefully since the April 2024 requirements kicked in. If you haven't audited yours recently, do it before you submit.
Rejection #3: Guideline 5.1.1 (Again, Different Reason)
Third submission. New issue.
We use an AI model that processes user-submitted text: construction questions, site descriptions, occasionally photos of building plans. Apple's reviewer asked: "Where does this data go? Who can access it? How long is it retained?"
Our privacy policy said "we process data to provide our service." Too vague.
We had to rewrite the AI data section of our privacy policy to be specific:
- What data the AI processes
- Whether it's retained for training (ours isn't)
- What third-party AI APIs we use (OpenAI)
- User rights to delete their data
We also had to add a data deletion flow in the app itself. Apple wants users to be able to request data deletion without emailing support.
Fix: Added a "Delete My Data" option in Settings → Account. Added the implementation note in our privacy policy. Took 2 days.
Got approved on the fourth submission.
What I'd Tell Myself at Submission #1
Read the guidelines. Actually read them.
Not the summaries. The actual text. Especially 3.1.1 and 5.1.1. They're long, but every clause is there for a reason. We skipped this step and paid for it.
File your privacy manifest early.
The PrivacyInfo.xcprivacy file is mandatory now and it's not auto-generated by Xcode. You have to write it yourself. Start by listing every SDK you use and looking up whether each one requires reason strings. Firebase, Amplitude, and Sentry all need entries.
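The manifest-versus-policy drift from rejection #2 and the manifest audit suggested here, as an added example that is not BauGPT's own code: a small Python check that loads a PrivacyInfo.xcprivacy and compares the data types and purposes it declares against an inventory of what the privacy policy states, in both directions. The sample manifest and the policy inventory are constructed for illustration; the NSPrivacy* identifiers are Apple's manifest keys.

```python
import plistlib

# Constructed sample PrivacyInfo.xcprivacy: diagnostic data declared only under
# the Analytics purpose, while the backend also uses it for crash debugging.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyCollectedDataTypes</key>
  <array>
    <dict>
      <key>NSPrivacyCollectedDataType</key>
      <string>NSPrivacyCollectedDataTypeOtherDiagnosticData</string>
      <key>NSPrivacyCollectedDataTypeLinked</key><false/>
      <key>NSPrivacyCollectedDataTypeTracking</key><false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array><string>NSPrivacyCollectedDataTypePurposeAnalytics</string></array>
    </dict>
  </array>
</dict></plist>
"""

# Constructed inventory of what the published privacy policy states we collect
# and why, keyed by Apple's manifest data-type and purpose identifiers.
POLICY_INVENTORY = {
    "NSPrivacyCollectedDataTypeOtherDiagnosticData": {
        "NSPrivacyCollectedDataTypePurposeAnalytics",
        "NSPrivacyCollectedDataTypePurposeAppFunctionality",  # crash debugging
    },
    "NSPrivacyCollectedDataTypeCrashData": {"NSPrivacyCollectedDataTypePurposeAppFunctionality"},
}


def manifest_purposes(manifest_bytes):
    """Map each data type the manifest declares to the set of purposes it lists."""
    plist = plistlib.loads(manifest_bytes)
    return {entry["NSPrivacyCollectedDataType"]: set(entry.get("NSPrivacyCollectedDataTypePurposes", []))
            for entry in plist.get("NSPrivacyCollectedDataTypes", [])}


def find_drift(manifest_bytes, policy):
    """List every data-type/purpose pair that is in the policy but not the manifest, or vice versa."""
    declared = manifest_purposes(manifest_bytes)
    problems = []
    for dtype, purposes in policy.items():  # policy says it, manifest does not
        for purpose in sorted(purposes - declared.get(dtype, set())):
            problems.append(f"{dtype}: policy purpose {purpose} missing from manifest")
    for dtype, purposes in declared.items():  # manifest says it, policy does not
        for purpose in sorted(purposes - policy.get(dtype, set())):
            problems.append(f"{dtype}: manifest purpose {purpose} not covered by policy")
    return problems
```

On the sample input find_drift reports two gaps: the AppFunctionality purpose the policy states for diagnostic data but the manifest omits, and a crash-data type the policy mentions that the manifest never declares.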
Build the data deletion flow before submitting.
Don't wait for a rejection to build this. It's not hard to implement and Apple will ask for it if your app touches any personal data. Build it in sprint one, not sprint ten.
Expect 48-hour review cycles, minimum.
Each rejection resets the clock. Our three rejections cost us 12+ days just in review time, not counting the fixes. If you're racing a launch deadline, pad it.
Use the Resolution Center.
When you get rejected, you can reply in App Store Connect's Resolution Center before resubmitting. We used this on rejection #2 to ask for clarification on what Apple wanted. The reviewer replied with a clear answer. Saved us from a fourth cycle.
Three rejections and 6 weeks later, BauGPT Mobile is live on the App Store.
The irony is none of the rejections were for anything wrong with the app itself. The AI works. The UX is solid. Apple's review process cares about policies, not product.
Learn the policies first. Build the product second. Or at minimum, build them in parallel.