Thanks a lot for your response.
I don't think that's the point. In fact, your app accesses potentially sensitive user information. I think that's the problem.
It does access it, because the company offers a free and open API to encourage third parties to do that.
But keep in mind this rule is under section 5.1.1: Data Collection and Storage. My app does not collect or store anything, at all. It's merely accessing the data from a GET endpoint, showing it to the user, and discarding it. I don't even have an account or login system, or even any kind of telemetry. The user just looks at their account data through my app, with their token, then it's gone. Much like a web browser.
Are we sure this rule doesn't apply only to apps that actually collect and/or store data?
Reading the AppStore rule, the app should be submitted by the "official firm". It cannot be by an individual developer or by a company that is not a banking or financial service company.
Then how do financial aggregators do it? Or regular portfolio tracking apps? That's what I'm not getting. They also access an open endpoint provided by some third party broker or bank. And they show the data to the user, even though they're not the broker or the bank.
Don't get me wrong, I'm not trying to vent or argue. I've already come to terms with the fact that I'll probably have to remove the app. I'm just genuinely trying to understand why, or if there's anything I can do. I'm really struggling to see the difference between my app and the myriad of popular, approved apps that aggregate (personal) financial data from different banks or brokers, without being those banks or brokers.
Do you really think this policy also applies to apps that don't collect or store any data at all?
Thanks again for your support!