App Review Guidelines

Every app submitted to the Mercentia Marketplace goes through a thorough review. This guide explains what we check and how to pass on the first try.

Review Process Overview

  1. Automated Scan — Static analysis, dependency audit, security scan
  2. Permission Audit — Verify each requested scope is justified
  3. Privacy Review — Privacy policy, DPA, data handling practices
  4. Manual Testing — Install, use, and uninstall on a test store
  5. Accessibility Audit — WCAG 2.2 AA automated + manual checks
  6. Performance Testing — Response times, load impact, error rates
  7. Compliance Check — Certifications, audit reports, documentation
  8. Decision — Approved, approved with conditions, or rejected with feedback

Review Timelines

  Tier        Initial Review     Re-submission
  Community   14 business days   5 business days
  Partner     7 business days    3 business days
  Elite       3 business days    1 business day

What We Check

1. Functionality

  • App does what it claims in the listing description
  • Core features work correctly without errors
  • Install flow completes smoothly (OAuth, permissions, onboarding)
  • Uninstall cleanly removes all modifications, webhooks, scripts, and injected content
  • App handles edge cases (empty store, large catalog, missing data)

2. Security

  • OAuth 2.0 + PKCE implemented correctly
  • Webhook signatures verified before processing
  • No client-side exposure of API keys, tokens, or secrets
  • HTTPS enforced for all endpoints
  • Input validation on all user-facing forms
  • No known vulnerabilities in dependencies (CVE scan)
  • OWASP Top 10 compliance
  • Data encrypted at rest and in transit

3. Privacy & Data

  • Privacy policy is published, accessible, and accurate
  • Data Processing Agreement (DPA) signed if accessing customer data
  • Only collects data necessary for app functionality
  • Data retention policy documented
  • Right to erasure implemented (responds to deletion requests)
  • No selling or sharing of merchant/customer data with third parties
  • Compliant with GDPR, CCPA/CPRA, and applicable local regulations

4. Performance

  • P95 API response time under 500ms
  • No blocking impact on merchant's storefront load time
  • Graceful degradation — your app's failure must not crash the store
  • Proper rate limit compliance (no aggressive retry loops)
  • Efficient API usage (batch where possible, avoid unnecessary calls)

5. User Experience

  • Clear onboarding — user understands the app within 60 seconds
  • Meaningful error messages with actionable guidance
  • Loading states for async operations
  • Confirmation dialogs for destructive actions
  • No dark patterns (difficult cancellation, pre-checked upsells, misleading copy)
  • Responsive design (works 320px to 4K)
  • Consistent with Mercentia UI patterns

6. Accessibility (WCAG 2.2 AA)

  • Keyboard navigation works for all interactive elements
  • ARIA labels on custom components
  • Colour contrast minimum 4.5:1 (normal text), 3:1 (large text)
  • Focus indicators visible
  • Screen reader compatible
  • Touch targets minimum 44x44px
  • Respects prefers-reduced-motion

7. Listing Quality

  • App name is clear, professional, and not misleading
  • Tagline accurately describes the app in one sentence
  • Description is detailed, well-written, and honest
  • Screenshots are current and reflect actual app UI
  • Pricing is transparent — no hidden fees or bait-and-switch
  • Category and subcategory are accurate

Common Rejection Reasons

  Reason                                    How to Fix
  Uninstall leaves residual data/scripts    Implement clean uninstall that removes all store modifications
  Missing or inadequate privacy policy      Publish a comprehensive policy covering all data you collect
  Excessive permissions                     Only request scopes your app actually uses
  Client-side secret exposure               Move all API keys and secrets to server-side code
  No PKCE in OAuth flow                     Implement S256 code challenge/verifier
  Webhook signatures not verified           Add HMAC-SHA256 verification before processing
  Slow response times (>500ms P95)          Optimise queries, add caching, reduce payload sizes
  Accessibility failures                    Run axe-core audit and fix critical violations
  Misleading screenshots                    Use current screenshots that match the live app
  No error handling                         Add user-friendly error messages and retry logic
  Dark patterns detected                    Remove deceptive UI (e.g. difficult cancellation flows)
  Missing DPA for customer data access      Sign the Mercentia DPA before re-submitting

Tips for First-Try Approval

  1. Test uninstall thoroughly — this is the #1 rejection reason
  2. Provide test credentials — pre-configured demo accelerates review
  3. Run an accessibility audit — use axe-core or Lighthouse before submitting
  4. Keep permissions minimal — each scope must be justified
  5. Write an honest description — don't oversell features you're still building
  6. Include a demo video — 2-3 minute walkthrough of core functionality
  7. Read the full compliance requirements before starting

After Approval

  • Your app goes live on the marketplace immediately
  • Quarterly automated re-scans check for new vulnerabilities
  • Annual compliance documentation renewal required
  • Maintain a minimum 3.0 average rating (apps below 2.5 for 90+ days may be suspended)
  • Updates to permissions, pricing, or core functionality trigger a re-review
  • Mercentia reserves the right to emergency-delist apps for critical security issues