App Store & Play Store submission

• Image bytes never leave the device. Classification runs locally via an embedded ONNX model.
• The SDK sends a fixed-shape telemetry event per scan: API key id, SDK version, verdict + scores, image dimensions and file size, inference latency, OS / device class, a SHA-256 hash of the image bytes, and the truncated request IP (/24 or /48).
• The hash is one-way; AntiNude cannot reconstruct the image from it.
• The SDK does not access the contact list, location, advertising identifier, or any tracking signal.

Use this list when filling out review questionnaires — every answer below derives from it.

2.1 Privacy “Nutrition” questionnaire

For the data the SDK contributes, answer as follows (selections in App Store Connect → App Privacy):

• Do you or your third-party partners collect data from this app? Yes.
• Data types collected by AntiNude SDK:
  • Diagnostics → Performance Data and Other Diagnostic Data — purpose: App Functionality, Analytics. Not linked to user. Not used for tracking.
  • Usage Data → Product Interaction — purpose: App Functionality, Analytics. Not linked to user. Not used for tracking.
  • Identifiers → none (the SDK does not send a device identifier or IDFA).
  • User Content → none (image bytes never leave the device in the default integration).
• Tracking: No. The SDK does not link data to third-party data for advertising and does not share with a data broker.

If you enabled the Hosted Cloud API, additionally declare User Content → Photos or Videos with purpose “App Functionality”, “Not linked”, “Not used for tracking”.

2.2 Privacy Manifest (PrivacyInfo.xcprivacy)

The AntiNude SDK ships its own PrivacyInfo.xcprivacy covering the SDK’s own collection. Your app still needs a top-level manifest. Minimum suggested content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- AntiNude SDK itself reads no tracked categories;
       the entries below cover the data your APP sends to AntiNude. -->
  <key>NSPrivacyTracking</key>
  <false/>
  <key>NSPrivacyCollectedDataTypes</key>
  <array>
    <dict>
      <key>NSPrivacyCollectedDataType</key>
      <string>NSPrivacyCollectedDataTypeCrashData</string>
      <key>NSPrivacyCollectedDataTypeLinked</key>
      <false/>
      <key>NSPrivacyCollectedDataTypeTracking</key>
      <false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array>
        <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
      </array>
    </dict>
    <dict>
      <key>NSPrivacyCollectedDataType</key>
      <string>NSPrivacyCollectedDataTypeProductInteraction</string>
      <key>NSPrivacyCollectedDataTypeLinked</key>
      <false/>
      <key>NSPrivacyCollectedDataTypeTracking</key>
      <false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array>
        <string>NSPrivacyCollectedDataTypePurposeAnalytics</string>
        <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string>
      </array>
    </dict>
  </array>
  <key>NSPrivacyAccessedAPITypes</key>
  <array/>
</dict>
</plist>

2.3 Age rating questionnaire

The presence of NSFW moderation does not require a 17+ rating, but if your app allows user-generated imagery you typically need to answer:

• Unrestricted Web Access: answer per your app — unrelated to the SDK.
• User-generated content: Yes, if applicable. Apple expects you to describe the moderation pipeline; AntiNude is part of that answer.

“User-uploaded images are scanned on-device by the AntiNude SDK before display. Images classified as unsafe are blocked from the public feed and queued for human review. The SDK’s built-in age pre-filter aborts processing for images estimated to depict minors and the event is reported to our trust & safety team.”

2.4 Export Compliance

The SDK uses standard cryptography (TLS via the OS, SHA-256 via Apple’s CryptoKit) and qualifies for the mass-market exemption under EAR §740.17(b)(1). Set ITSAppUsesNonExemptEncryption to falsein your Info.plist unless your app uses non-exempt crypto elsewhere.

3.1 Data safety form

Declare the AntiNude SDK’s contributions as follows:

• Does your app collect or share any of the required user data types? Yes.
• App activity → App interactions: Collected, not shared. Processed ephemerally? No. Required or optional? Required. Purpose: App functionality, Analytics.
• App info and performance → Diagnostics: Collected, not shared. Purpose: App functionality, Analytics.
• Device or other IDs: Not collected by the SDK (we use a project-scoped API key, not a device identifier).
• Photos and videos: Not collected by the SDK in default mode. Mark as collected only if you enabled the Hosted Cloud API.
• Encryption in transit: Yes — TLS 1.2+.
• Users can request data deletion: Yes — via your in-app flow (forward to privacy@antinude.io).

3.2 Sensitive Content / CSAM policy

Play’s Inappropriate Content and Child Endangerment policies require you to describe your moderation pipeline if the app permits user-generated imagery. Suggested wording for the Play Console “Policy declarations” section:

“All user-uploaded imagery is classified on-device by the AntiNude SDK before being displayed to other users. Content classified as sexual, sexual-violence, or gore is blocked and routed to human review. Images estimated by the SDK’s age pre-filter to depict minors are blocked before NSFW classification and the event is escalated to our trust & safety team for follow-up, including reporting to NCMEC where applicable.”

3.3 Target API and 16 KB pages

The Android AAR targets API 34 and is built with 16 KB-page-aligned native libraries (required for Play submissions from November 1, 2025). No additional configuration is required on your side.

You must reference AntiNude as a subprocessor in your own privacy policy. Two ready-to-paste blocks below — adapt to your tone and language.

4.1 Short version (one paragraph)

“We use the AntiNude SDK to classify images for unsafe content on your device before they are uploaded or displayed. Image bytes do not leave your device. AntiNude receives a small telemetry event (verdict, image dimensions, a one-way hash of the image, OS version, and a truncated IP address) so that the service can be billed and abuse can be detected. See AntiNude’s Privacy Policy for details.”

4.2 Long version (with legal basis)

“Content safety classification. To protect our users and comply with applicable law, we embed the AntiNude SDK (provided by AntiNude, Inc.) in our application. The SDK performs NSFW image classification locally on the device. Image bytes are not transmitted to AntiNude. After each scan, the SDK sends a fixed-shape telemetry event to AntiNude that contains the verdict and category scores, the image dimensions and file size, inference latency, a SHA-256 hash of the image (which cannot be reversed into the image), the operating system and device class, and the request IP address truncated to a /24 (IPv4) or /48 (IPv6) prefix. The lawful basis for this processing is our legitimate interest in detecting and preventing abuse and in maintaining the integrity of the service (GDPR art. 6(1)(f)) and, where required, your consent (GDPR art. 6(1)(a)). AntiNude acts as our processor under a Data Processing Addendum and is subject to the restrictions described in its Privacy Policy.”

4.3 Hosted Cloud API addendum (only if enabled)

“If you upload images through features marked with a cloud icon, the image bytes are transmitted over TLS to AntiNude’s Hosted Cloud API for classification, processed in volatile memory, and deleted immediately after the response is returned. AntiNude does not retain the image and does not use it to train its models.”

§3 of our Terms of Service requires you to enable the SDK’s age pre-filter (or an equivalent control) whenever your app’s user flow may include images of minors. The pre-filter performs an on-device age-estimation pass before NSFW classification and aborts processing for images estimated to depict a minor. The default value is .on; only set it to .off if you operate exclusively in an adults-only authenticated context (e.g. ID-verified 18+ platforms).

5.1 iOS (Swift)

import AntiNude

let scanner = Scanner(key: "ak_live_…")
scanner.threshold = .strict
scanner.agePreFilter = .on   // .on | .off | .strict

let result = try await scanner.scan(uiImage)
switch result.verdict {
case .blockedMinor:
    // Image was estimated to depict a minor; classification was aborted.
    // Do NOT log, upload, or further process this image.
    break
case .safe, .unsafe:
    handle(result)
}

5.2 Android (Kotlin)

import com.antinude.Scanner
import com.antinude.AgePreFilter

val scanner = Scanner(
    key = "ak_live_…",
    agePreFilter = AgePreFilter.ON, // ON | OFF | STRICT
)

when (val r = scanner.scan(bitmap)) {
    is Verdict.BlockedMinor -> {
        // Estimated minor — do not log, upload, or further process.
    }
    is Verdict.Safe, is Verdict.Unsafe -> handle(r)
}

What happens when the pre-filter triggers

• NSFW classification is not performed; verdict is blockedMinor.
• No image bytes, hash, or telemetry are sent to AntiNude for that scan — the event is dropped on-device.
• Your app should treat the image as unprocessable: do not store, upload, share, or display it. Show the user a neutral “this image can’t be processed” message and offer an in-app appeal path if appropriate.
• If your app independently classifies the image as CSAM (e.g. via PhotoDNA), follow your jurisdictional reporting obligations. AntiNude’s NCMEC workflow described in Privacy §6 applies only when AntiNude itself classifies the image, which the pre-filter prevents.

“What third-party SDKs does your app contain and what do they collect?”

“The AntiNude SDK (antinude.io) classifies images for unsafe content on-device. It collects telemetry limited to verdict, category scores, image dimensions, a one-way SHA-256 hash, inference latency, OS / device class, SDK version, and a truncated request IP. It does not collect identifiers, location, contacts, advertising IDs, or image bytes. Open-source components and their licenses are listed at antinude.io/licenses.”

“Where is data processed and stored?”

“Image classification runs on the user’s device. The telemetry event is sent to AntiNude infrastructure in the United States or the European Union depending on the customer’s region selection. See antinude.io/privacy §7 for transfer mechanisms.”

“How can a user request deletion of their data?”

“Users can request deletion through the in-app account screen. Requests are forwarded to privacy@antinude.io and fulfilled within 30 days, per AntiNude’s data-subject-rights process.”

• Privacy Manifest (iOS) committed to repo and signed in TestFlight build.
• Data Safety form (Play) updated and saved as draft before upload.
• Privacy policy on your website references AntiNude as a subprocessor.
• Age pre-filter set to .on or .strict in production builds; .off only with documented justification.
• NOTICES.txt from the SDK bundle included in your “Open-source licenses” screen.
• Support contact in App Store / Play listing reachable; in-app data-deletion flow tested end-to-end.
• If using the Hosted Cloud API: declare image upload in both stores and update your privacy policy with §4.3.