Every plugin submitted to the Dify Marketplace must be transparent about how it handles user data. This page tells you what to declare and how to write the policy reviewers expect. The whole submission boils down to one question:
Does your plugin collect or transmit any user personal data, either directly or through a third-party service it calls?
If yes, list the data types and link a privacy policy. If no, say so explicitly.
“Personal data” means any information that identifies a specific individual on its own or when combined with other data: anything that could locate, contact, or target a unique person.
Identify the data your plugin handles
Walk through the three categories below. Anything you collect, store, log, or send to a third party must be declared.
Direct identifiers
- Full name, first name, last name
- Email address
- Phone number
- Home address or other physical address
- Government IDs (passport, driver’s license, Social Security number, etc.)
Indirect identifiers
- Device identifiers (IMEI, MAC address, device ID)
- IP address
- Location data (GPS coordinates, city, region)
- Online identifiers (cookies, advertising IDs)
- Usernames, profile pictures
- Biometric data (fingerprints, facial recognition)
- Browsing history, purchase history
- Health or financial information
Combinable data
Data that becomes identifying when joined with other data:
- Age, gender
- Occupation
- Interests
Third-party services count too
Your plugin is responsible for what the services it calls collect. If your plugin uses Slack, you must reference Slack’s privacy policy and disclose what Slack receives. Before submitting, read the privacy policy of every third-party API the plugin touches and make sure your declaration covers it.
Write the privacy policy
Your policy, either a PRIVACY.md in the plugin repository or a hosted URL, must cover:
- What is collected (from the categories above).
- How it is used.
- Where it goes, including any third parties and links to their policies.
Declare it in the manifest
The privacy URL goes in the plugin manifest. See General Specifications for the exact field.
Common questions
What counts as 'collect and use' personal data?
Any of: collecting, transmitting, storing, logging, sharing, or analyzing user data. Concrete examples:
- Forms that gather personally identifiable information
- Login or third-party-auth flows
- Capturing user input that may contain PII
- Analytics that track user behavior or usage patterns
- Storing messages, chat logs, or email addresses
- Accessing connected social-media profiles
- Collecting health or fitness data
- Storing search queries or browsing behavior
- Processing financial information (bank details, credit scores, transactions)
What if my plugin collects nothing?
Say so explicitly in the privacy policy. Reviewers still expect a PRIVACY.md file or hosted URL; it just needs to state that no user data is collected, stored, or transmitted, including by any third-party services the plugin calls.
My plugin handles sensitive data: what changes?
Plugins that touch health, finance, biometrics, or children’s data get extra review. Be explicit about each data type, the legal basis for collecting it, retention period, and how users can request deletion.
Related resources
- Publishing Overview
- Plugin Development Guidelines
- Publish to Dify Marketplace
- General Specifications