- Only data shared directly with the app developer or contracted parties needs to be reported.
- Some categories that aren't vague are way too broad.

Mastodon reporting an empty list here is in fact very obviously wrong. When you log in to mastodon.social from the Mastodon app, you are sharing contact info (email address), identifiers, as well as usage data.

So at the very least you should conclude Threads is doing a better job of informing its users re: privacy than Mastodon gGmbH is.

Overall the App Store privacy labels are a terrible implementation of a potentially good idea. There is no way for a user to figure out how accurately a developer filled that info, and there's no baseline of quality because nobody on the Apple side reviews or enforces this.

Large companies are in fact more prone to over-declaring here because that has ~ no cost except for pissing off privacy loonies (which you can never satisfy anyway) while covering your ass legally.

Disclaimer for this post: I worked for ~2 years as a privacy reviewer for infra services at Google. This is what I would minimally declare for the Mastodon app, from my reading of Apple's policy:

- Contact Info (email address, obviously)
- Location (coarse location, Mastodon stores IP addresses in logs)
- Contacts (your follows/followers)
- User Content (your toots)
- Search History
- Identifiers (handle)
- Usage Data (logs, anti-abuse)

Not far from Threads' list...

@delroth I don’t think that Mastodon (gGmbH) collects these data if you use your own or a third party server.

What server to use is up to the user.

That’s the difference: you can use the Mastodon App without sending data to Mastodon gGmbH but you cannot use the Threads app without sending data to developer of the Threads app.