Understanding Google Play's VpnService policy

The VpnService is a base class for applications to extend and build their own VPN solutions. If your app requires VpnService, you need to submit the declaration form, now available in Play Console, by 31 August 2023 to avoid further enforcement.

This article provides an overview of the policy, its prominent disclosure and consent requirements, and a preview of associated declaration questions. It is not a substitute for the policy itself. Read the policy in its entirety to ensure that you understand and comply with its contents. All apps that use the VpnService must complete the declaration form to avoid violating the policy, resulting in potential enforcement actions.

Using the VpnService

Only apps that use the VpnService and have VPN as their core functionality can create a secure device-level tunnel to a remote server. Exceptions include apps that require a remote server for core functionality, such as:

  • Parental control and enterprise management apps
  • App usage tracking
  • Device security apps (for example, anti-virus, mobile device management, firewall)
  • Network-related tools (for example, remote access)
  • Web browsing apps
  • Operator apps that require the use of VPN functionality to provide telephony or connectivity services

The VpnService cannot be used to:

  • Collect personal and sensitive user data without prominent disclosure and consent.
  • Redirect or manipulate user traffic from other apps on a device for monetisation purposes (for example, redirecting ad traffic through a country different from that of the user).

Apps that use the VpnService must:

Prominent disclosure and consent requirements

Apps eligible for the use of the VpnService must meet the prominent disclosure and consent requirements described in Google Play’s User data policy if they access or collect any personal and sensitive user data. Those apps must include a prominent disclosure that:

  • Must be within the app itself and cannot only be in the app description or on a website;
  • Must be displayed in the normal usage of the app and not require the user to navigate through a menu or settings;
  • Must describe the data being accessed or collected through the VpnService API;
  • Must explain how the data will be used and/or shared;
  • Must require affirmative user action for consent (for example, tap to accept, or tick a tick box);
  • Cannot only be placed in a privacy policy or Terms of Service;
  • Cannot be included with other disclosures pertaining to personal or sensitive data collection. This should be a separate disclosure indicating why the app requires the VpnService API and any potential use cases.
Important: If you change how your app uses this API, you must submit the form again with updated and accurate information. Deceptive and non-declared uses of these APIs may result in a suspension of your app and/or termination of your developer account.

VPN service declaration

Starting from 1 November 2022, apps that are using VpnService will be able to submit a new policy declaration in Play Console. This is subject to Google Play’s approval.

Here’s a preview of the declaration questions:

1. Is providing a VPN the core functionality of your application?

  • Yes
  • No

[If you answered No to 1.]

2. Which permitted functionality does your app provide? Select all that apply.

  • App usage tracking
  • Operator app requiring VPN functionality to provide telephony or connectivity services
  • Device security (including anti-virus and firewall)
  • Enterprise management apps
  • Network-related tools (including remote access)
  • Parental control
  • Browsers
  • None of the above

Note: Selecting a category that does not match the core purpose of your app may lead to a rejection. Being in one of these categories is not sufficient. Your application must also:

  • Document your use of VpnService in your Google Play listing
  • Encrypt the data from the device to the VPN tunnel endpoint

[If you answered None of the above to 2.]

2 (a).

You declared that your app’s core purpose is not on the list of permitted functionalities. Apps using VpnService outside of the permitted functionalities will be rejected. If you think that you need to use VpnService, explain in detail how your app’s functionality meets the criteria.

Otherwise, remove all VPN services from all active artifacts across all release tracks to meet Google Play policy.

3. To help us review your app, provide a link to a short video (90 seconds or shorter). The video must show your app being opened and your VPN being used. If it isn’t obvious how the VPN service is being used, provide a voice-over or captions to help explain. Enter a YouTube or cloud storage URL to an MP4, or other common video file format.

4. (a). What data does your VPN service collect or share? Select all that apply. Learn more.

  • Yes
  • No

[If you answered Yes to 4. (a).]

4. (b). What data do you collect or share using the VpnService?

  • Location
    • Approximate location
    • Precise location
  • Personal info
    • Name
    • Email address
    • Personal identifiers
    • Address
    • Phone number
    • Race and ethnicity
    • Political or religious beliefs
    • Sexual orientation or gender identity
    • Other personal info
  • Financial info
    • Credit card, debit card or bank account number
    • Purchase history
    • Credit info
    • Other financial info
  • Health and fitness
    • Health information
    • Fitness information
  • Messages
    • Emails
    • SMS or MMS messages
    • Other in-app messages
  • Photos or videos
    • Photos
    • Videos
  • Audio files
    • Voice or sound recordings
    • Music files
    • Other audio files
  • Files and docs
    • Files and docs
  • Calendar
    • Calendar events
  • Contacts
    • Contacts
  • App activity
    • Page views and taps in app
    • In-app search history
    • Installed apps
    • Other user-generated content
    • Other actions
  • Web browsing
    • Web browsing history
  • App info and performance
    • Crash logs
    • Diagnostics
    • Other app performance data
  • Device or other identifiers
    • Device or other identifiers

5. To help us review your app, provide a link to a short video (90 seconds or shorter). The video must show the prominent disclosure shown to users in your app. The prominent disclosure in your app must explain why your app requires use of the VpnService, and how it's used. If you collect and/or share any personal or sensitive user data using the VpnService, you must declare this to the users, and explain its intended purpose. Enter a YouTube or cloud storage URL to an MP4, or other common video file format.

Guidance for video showcasing your app’s prominent disclosure

The video that you provide as part of the declaration must include the following:

  • The opening of your app on the device.
  • The user flows to get to the prominent disclosure and consent screen for VpnService.
    • Make sure that the video includes the full disclosure. If it requires scrolling, make sure that you slowly scroll so that all text is visible in the video.
  • The user flow when the user consents, including granting your app VpnService.
  • The user flow when the user does not consent, including the process when the user triggers the prominent disclosure and consent screen again.


5. (a). Does your application redirect or manipulate user traffic from other apps on a device for monetisation purposes?

  • Yes
  • No

[if you answered Yes to 5. (a).]

5. (b). Your app does not meet the allowed categories for use of VpnService. If you believe that your monetisation use case meets the category for use in alignment with policy, please explain.

Note: Any manipulation of ads that can impact monetisation will result in rejection.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
3174118637851453039
true
Search Help Centre
true
true
true
true
true
92637
false
false