Is encrypting PII on the server mandatory for App Store compliance?

I’m building an iOS app that collects user PII (emails, names) and stores it in my backend database. I already use HTTPS for data transfer, but I’m unsure if Apple requires server-side encryption for stored data.

For example:

If a user’s email is stored in plain text on my server (but transmitted securely via HTTPS), will this violate App Store guidelines?

Does Apple explicitly mandate encryption-at-rest for PII, or is it just a recommendation?

Are there exceptions for non-sensitive data like usernames?

I checked App Store Review Guidelines §5.1.1, which says "data must be stored securely," but it’s unclear if this requires encryption.

Context:

The app targets U.S. users (no GDPR/CCPA concerns).

No financial/health data is involved.

Is plain-text server storage of emails/names acceptable, or will this risk rejection? Thanks for any clarity!
