Data usage and AI usage disclosures for public Marketplace apps

As part of preparing to submit your public app for approval from Sitecore, you must prepare a data usage disclosure that describes how your app collects, stores, and processes data. If your app uses AI or machine learning in any capacity, you must also prepare an AI usage disclosure that describes how your app uses artificial intelligence and complies with relevant regulations.

You enter the disclosures on the Overview tab when finishing app configuration. After publishing your app, the disclosures appear in the public Marketplace. The disclosures help users understand how your app handles their data and build trust in your app.

Data usage disclosure

Your data usage disclosure must describe how your app handles data throughout the data lifecycle, from collection to deletion. The disclosure should address the following for each type of data your app collects:

  • Data type - the type of data stored, such as personal information, usage analytics, device metadata, access logs, or configuration data.

  • Data source - where the data comes from, such as user input, user device, the Marketplace SDK, or Sitecore.

  • Purpose - why your app collects this data and how it uses the data.

  • Retention period - how long the data is retained, such as until account deletion, 90 days, 12 months, or as long as the app is installed.

  • Storage region - where the data is stored geographically, including specific cloud providers and regions when relevant.

  • Access scope - who can access the data, such as app admins, analytics team, or support team.

  • Data protection - how the data is protected throughout its lifecycle, including encryption methods for data in transit and at rest.

  • Regulatory rights - how users can exercise Data Subject Access Requests (DSAR) and other regulatory rights, such as GDPR and CCPA.

  • Data deletion - when and how the data is deleted.

AI usage disclosure

If your app uses AI or machine learning in any capacity, you must turn on the AI usage disclosure switch on the Overview tab when finishing app configuration and include the following AI usage details in the data usage disclosure:

  • Features - state which AI or machine learning features are available. Explain how AI is used, for example, for automated decisions, content generation, or analytics.

  • Data and security - disclose the data sources used for AI training, as well as model security measures and bias mitigation strategies.

  • Regulations - confirm compliance with relevant regulations, such as the EU AI Act, GDPR, and the CCPA.

  • Human oversight - provide transparency about automated decision-making and the role of human oversight.

Best practices for secure data handling

Follow these best practices to handle data securely:

  • Only collect data that is essential for your app's features.

  • Set clear retention periods and delete data when it's no longer required.

  • Allow users to request data deletion at any time.

  • Use strong encryption for data in transit and at rest.

  • Regularly review and update your security protocols.

  • Specify geographic storage regions to meet cross-border privacy regulations.

  • Clearly state compliance with relevant regulations such as GDPR and CCPA.

  • Provide a simple process for Data Subject Access Requests (DSAR), including how users can request to view, export, or delete their data.
