Invalid reason on xcprivacy report file: Privacy Accessed API Types USERDEFAULT

[jesus-mg-ios]

• I have updated Purchases SDK to the latest version
• I have read the Contribution Guidelines
• I have searched the Community
• I have read docs.revenuecat.com
• I have searched for existing Github issues

Describe the bug
The reason exposed is

CA92.1
Declare this reason to access user defaults to read and write information that is only accessible to the app itself.
This reason does not permit reading information that was written by other apps or the system, or writing information that can be accessed by other apps.

Instead of:

1C8F.1
Declare this reason to access user defaults to read and write information that is only accessible to the apps, app extensions, and App Clips that are members of the same App Group as the app itself.
This reason does not permit reading information that was written by apps, app extensions, or App Clips outside the same App Group or by the system. This reason also does not permit writing information that can be accessed by apps, app extensions, or App Clips outside the same App Group.

Revenuecat uses user default app group to communicate extensions and apps.
https://www.revenuecat.com/docs/getting-started/configuring-sdk/ios-app-extensions

1. Environment
   1. Platform:
   2. SDK version:
   3. StoreKit version:
      • StoreKit 1
      • StoreKit 2 (enabled with usesStoreKit2IfAvailable(true))
   4. OS version:
   5. Xcode version:
   6. Device and/or simulator:
      • Device
      • Simulator
   7. Environment:
      • Sandbox
      • TestFight
      • Production
   8. How widespread is the issue. Percentage of devices affected.
2. Debug logs that reproduce the issue. Complete logs with Purchases.logLevel = .verbose will help us debug this issue.

Logs here

3. Steps to reproduce, with a description of expected vs. actual behavior

Please fill in

4. Other information (e.g. stacktraces, related issues, suggestions how to fix, links for us to have context, eg. stackoverflow, etc.)

5. Additional context
   Add any other context about the problem here.

[RCGitBot]

👀 We've just linked this issue to our internal tracker and notified the team. Thank you for reporting, we're checking this out!

[jesus-mg-ios]

Also it's rare that the purchase history is not linked to the user. Is it right?

[aboedo]

@jesus-mg-ios the currenty privacy report is based on default usage of the SDK, so your mileage may vary depending on how you use the SDK.

Sadly there isn't a way for us to know beforehand how exactly your app will use our SDK, so the privacy report assumes a minimal implementation.

For example, if you rely solely on RevenueCat's Anonymous IDs, those are not tied to a user in any traceable way, which is why the purchase data isn't linked to a user. If you use logIn, logOut, or pass in an appUserID when configuring, however, then you would need to check "purchase history linked to the user".

Similarly, for App Groups, a default implementation would use UserDefaults without App Groups, so the relevant reason would be CA92.1 unless you actually configure using UserDefaults for App Groups.

You can find out more here:
https://www.revenuecat.com/docs/platform-resources/apple-platform-resources/apple-app-privacy