ATT system prompt
No IDFA access or code-level evidence of advertising, ad measurement, data-broker sharing, or cross-company identity joins.
Probably not for the analytics implementation in this repo. Apple’s ATT prompt is for advertising-related cross-company tracking or access to IDFA—not for product analytics in general.
Codebase review + Apple policy research. This is a technical assessment, not legal advice.
The common failure mode is treating Apple’s ATT prompt, the App Store privacy label, and ordinary privacy consent as one requirement. Apple treats them separately.
No IDFA access or code-level evidence of advertising, ad measurement, data-broker sharing, or cross-company identity joins.
Product-interaction events are sent off-device and linked to the authenticated user ID. “Linked to You” is separate from “Used to Track You.”
The repo’s own release gate says legal/compliance sign-off, age and region rules, DPA status, withdrawal controls, and replay proof are unresolved.
Apple defines tracking around what happens across companies and why: targeted advertising, advertising measurement, or data broker sharing.
Feature usage, funnels, reliability, or audience measurement can be account-linked and still fall outside ATT.
ATT applies when app data is linked with other companies’ data for targeted advertising or ad measurement, shared with a data broker, or when IDFA is accessed.
The strongest evidence is not the word “analytics.” It is the actual data path: which identifiers exist, where data goes, which properties survive the relay, and which uses are enabled.
The iOS target contains no NSUserTrackingUsageDescription, AppTrackingTransparency, AdSupport, IDFA, or IDFV reference, and the app target has no Swift package dependency that could hide one.
mobile/ios/Poe-iOS/Poe-iOS.xcodeproj/project.pbxproj · mobile/ios/Poe-iOS/Poe-iOS/Info.plistPOSTHOG_ENABLED and POSTHOG_REPLAY_ENABLED are false in the deployed configuration. An empty project key also makes the relay a no-op.
projects/poe-tiles/wrangler.toml:421–437The browser posts to /__posthog/* on Poe’s origin. The server forwards only allowlisted paths and events, removes client headers and query strings, and replaces client identity with the authenticated Poe user ID.
packages/poe-tiles-api/src/api/posthog-relay/index.ts:260–278, 525–619, 747–782The integration uses memory persistence, disables geo-IP, sends $ip: null, and removes URL, referrer, browser, OS, screen, device, email, phone, username, and display-name properties.
docs/posthog-analytics.md §1.6–1.9 · packages/analytics-client/src/analytics-mode.tsPostHog distinct_id is the authenticated session userId. Events describe product actions such as page views, app opens, invites, phone verification, first moves, and remix taps.
docs/posthog-analytics.md Status · §1.13 · §3Production and preview replay eligibility returns false until consent, age, and region gating exists. The release checklist still blocks production enablement on privacy and payload proofs.
projects/poe-tiles/src/backend/posthog-replay-eligibility.ts:10–18 · docs/posthog-release-checklist.mdRun every native SDK, webview script, SSO provider, attribution tool, and analytics vendor through these questions. One “yes” in the first three boxes changes the answer.
Yes → request ATT before access.
For ads or ad measurement? Yes → ATT.
Yes → ATT, subject to narrow exceptions.
No ATT prompt. Continue the privacy-label and consent review.
Apple holds the app responsible for code and vendors it includes. A same-origin relay and stripped device context are strong controls, but they do not replace a contractual answer about downstream use.
Before enablement, confirm the signed DPA and contract prohibit reuse of Poe event data for cross-customer advertising, ad measurement, audience building, or data-broker purposes.
The repo’s broader privacy page says Poe may collect advertising IDs and share hashed emails with advertising partners. No such implementation was found here, but adding it to this iOS app or its functional webview would require a fresh ATT analysis.
Replay is currently fail-closed in preview and production. Do not treat an ATT “no” as permission to turn replay on; close the repo’s masking, age, region, consent, retention, and access gates.
The repo already has strong technical controls. The remaining work is to align contracts, declarations, consent, and runtime evidence with those controls.
Document “no ATT” with the exact conditions: no IDFA, no ads/ad measurement join, no data-broker sharing, and PostHog acting only as Poe’s analytics processor.
Confirm DPA execution, data-use restrictions, subprocessors, retention, deletion, and whether any optional warehouse or export integration could join other-company data for advertising.
Likely disclose Usage Data / Product Interaction for Analytics, linked to the user. Also review the APNs token as Device ID linked to the user for App Functionality. Mark “Used for Tracking” as no only after the vendor and advertising-use checks are closed.
Resolve age and jurisdiction rules, add an understandable way to withdraw ordinary analytics consent where required, and keep replay independently gated.
Declare the native UserDefaults required reason, inspect Xcode’s privacy report and embedded SDK manifests, then inspect live traffic with analytics enabled. Test a denied ATT state to prove no tracking-domain or advertising-ID path is attempted.
Add NSUserTrackingUsageDescription, request permission before any tracking or IDFA access, and write a brief, specific purpose string. Ask in context. Do not gate app functionality, incentivize consent, mimic the system alert, or steer users toward Allow.
Apple’s definitions and the codebase are the primary evidence. Policy can change; re-run this review before a materially different analytics, advertising, identity, SSO, or attribution launch.