I think part of the disconnect is communicating what the app actually does vs. what the terms permit it to do in the future.
It sounds like you've put genuine thought into this, and your privacy policy is very readable, but it suffers from the generic "WTFPL" clauses.
For example, you clearly specify who the third-parties are and what data is shared, which again is commendable. But it's combined with "we may use your data for [any] other purposes", "we may sell and may have sold [extremely personal PII]", and so on.
Are you doing this? Doesn't seem like it. Could you? Apparently, and that's part of the concern.
It sounds like you've put genuine thought into this, and your privacy policy is very readable, but it suffers from the generic "WTFPL" clauses.
For example, you clearly specify who the third-parties are and what data is shared, which again is commendable. But it's combined with "we may use your data for [any] other purposes", "we may sell and may have sold [extremely personal PII]", and so on.
Are you doing this? Doesn't seem like it. Could you? Apparently, and that's part of the concern.