Comment by klibertp
For the record: I don't disagree with anything above.
My question was more about whether you need a lawyer to know you need a privacy policy... It was tangential, admittedly; sorry about that.
To make the direction of the tangent clearer (and please ignore it if it distracts from the main discussion too much): I'm in the EU, and I know that I'd need to read GDPR[1] before letting people see such an app. I haven't read it - I quite possibly would give up at Act 4 and decide I do need a lawyer. But my first instinct would be to go read the Regulation itself.
[1] Actually, RODO (official translation): https://gdpr.pl/baza-wiedzy/akty-prawne/interaktywny-tekst-g...
A side effect of my career is that I have been in compliance adjacent roles for 20 years or so, and as a result I have read most of the related regulations. I still defer to a lawyer for actual opinions, but have frequently had to explain the technical implications of regulations to lawyers.
The bottom line is that the regulation is not a technical specification, it is a legal document, and parsing a legal document requires both the ability to read the regulation, and also to reason by applying the jurisprudence that is specific to the jurisdiction for the regualtion. Essentially, interpreting the law and translating it into requirements requires the ability to both outline the technical requirements and understand what is required to make the implementation legally defensible.
A good example of this is data deletion under GDPR. The expectation of the law is that when you get a deletion request, you will delete the data. In practice, deleting data is hard, unless you build your backup mechanisms to allow deletion of individual fields. With that in mind, companies meet this requirement by implementing a deletion scheme for production systems, and a mechanism such that datasets marked for deletion are logged, and when a restore from backup is performed, the restoration process references those deletion logs to ensure that deleted records are not restored. This, technically speaking, does not result in proper deletion of the data, but it has passed audits under data deletion regulations (Disclaimer: this is based on public documents detailing data deletion requirements, not my work directly. Consult your lawyer, I am not a lawyer, and I am not on your compliance or security team and this is not a recommendation).