[floatingatoll]

It sounds like you’d like to work at Apple and help them improve their guidelines process. They don’t offer what-if examples, and they note that it’s by design that the guidelines are not detailed to the level you’re asking, so that they have the flexibility to make judgment calls and prevent rules-lawyering problems that crop up with the more detailed approach you seek.

1. Auth tenant. Common sense says that if the auth provider is operated by you, it’s your problem to handle deletions appropriately, either by removing their account or by warning the user that you’re only deleting the specific site account and providing a link to delete the SSO account at your website or whatever. If you do not operate the identity provider, such as Facebook, then you need do nothing about it at deletion time. Apple would likely approve any of those paths without comment, but to defend against rules lawyering and loophole seeking, there’s no way to be perfectly certain until it’s approved.

2. Banking or healthcare app. If you can sign up in-app, you’ll need to let people close/delete in-app, except where prohibited by contract or law. For corporate healthcare, you would pop a dialog that says “This account can only be closed through your employer”, which would be absolutely sufficient. Ditto for a banking account with non-zero balances or a safety deposit box or whatever. It seems likely Apple will not have cause to enforce the deletion clause against brick and mortar banks, since they all have help/faqs on how to close accounts already. App-only banks will be held to the more strict standard of having some way to initiate deletion, being app-only, though of course they’ll retain financial audit records as required by law.

3. Deleted means that all information not essential to compliance with financial and other auditing laws has been removed from your systems. Exceptions are understood to exist for recording that someone requested deletion, but you can’t use those records for marketing or training AI or any other purpose beyond managing your deletions. If you can’t explain in plain simple English how you handle deletions, they’re likely to reject your submission until you can.

All of this is obvious. It isn’t comfortable to consider that you’re at the mercy of human beings to evaluate your compliance — human beings that see a thousand scams a minute trying to hack loopholes in the guidelines. But that’s how it is today.

[oauea]

The sad truth is you're at the whims of some random app store reviewer and it depends completely on their mood of the day. It's honestly insane and impossible to work with. One day everything is fine, the next they have a list of issues that you are forced to spend dozens of developer hours on, just so apple will grace you with the permission to push an unrelated localization fix.

[floatingatoll]

Correct, you are at the whims of Apple when you attempt to publish to their app store.

[oauea]

Some random app store reviewer fella. Not sure if you've ever been on the phone with them, but it does not inspire confidence at all.