Synthrek research
Privacy explainers for indie launches.
Practical notes for founders who need their product stack, app-store forms, and policy language to agree with each other. Educational only, never legal advice.
Google Play Data Safety form for solo devs: a row-by-row example
An example walkthrough of Google Play's Data safety section for an indie app that uses Stripe, Supabase, PostHog, and Resend — with the categories Google's documentation defines and cautious wording where the docs leave room for judgement.
What disclosures Stripe, PostHog, Supabase, and OpenAI typically require in your privacy policy (with example wording)
A vendor-by-vendor walk-through of which data Stripe, PostHog, Supabase, and OpenAI handle, the processor entries each vendor's own docs ask you to include, and example wording you can adapt for your own privacy policy.
GDPR processor list for tiny apps: who you have to name, where, and why
What GDPR Articles 13 and 14 actually require when you disclose processors in your privacy policy, with an example processor list for an indie app and cautious wording where the regulation leaves judgement to the controller.
Privacy policy templates that get apps rejected from the App Store (and what to do instead)
Patterns we see repeatedly in App Store privacy rejections — fields that are blank in the App Privacy Details form, inconsistent disclosures between the policy and the form, and SDK manifests that aren't ratified — with cautious wording on how to recover.
Cookie banner vs no cookie banner: when an indie app actually needs one in 2026
A decision-tree walkthrough of when an indie SaaS that uses PostHog, Stripe, Supabase, or Google Analytics typically needs a cookie consent banner, with cautious wording where local guidance varies.
CCPA 'Do Not Sell or Share' for SaaS that uses ad-tech retargeting — when it applies to indie apps
What CCPA / CPRA's right to opt out of sale or sharing means for a small SaaS that runs Meta retargeting, Google Ads, or affiliate tracking — with cautious wording on when the link is required.
OpenAI vs Anthropic API in a privacy policy: how each provider handles user content as of 2026
A side-by-side of OpenAI's and Anthropic's API privacy postures — training opt-out defaults, retention windows, regional availability, DPAs — with example processor entries for each.