🤖 AI Summary
To address inaccurate privacy notice authoring and weak cross-role coordination in mobile app development, this paper introduces Privacy Bills of Materials (PriBOM), a structured, privacy-engineering-oriented "bill of materials" for an app's privacy practices. PriBOM coordinates the roles on a development team to capture privacy information, documents it in a transparency-centric form, and supports the creation of specific privacy notices (policies or labels) with traceability and trackability back to the practices they describe. A pre-fill of PriBOM is produced with static analysis and privacy notice analysis techniques, giving the team a starting point rather than a blank document. In a human evaluation with 150 diverse participants, PriBOM was perceived as useful, and the authors position it as a way to provide privacy support in DevOps for mobile apps.
📝 Abstract
Privacy regulations mandate that developers must provide authentic and comprehensive privacy notices, e.g., privacy policies or labels, to inform users of their apps' privacy practices. However, due to a lack of knowledge of privacy requirements, developers often struggle to create accurate privacy notices, especially for sophisticated mobile apps with complex features and in crowded development teams. To address these challenges, we introduce Privacy Bills of Materials (PriBOM), a systematic software engineering approach that leverages different development team roles to better capture and coordinate mobile app privacy information. PriBOM facilitates transparency-centric privacy documentation and specific privacy notice creation, enabling traceability and trackability of privacy practices. We present a pre-fill of PriBOM based on static analysis and privacy notice analysis techniques. We demonstrate the perceived usefulness of PriBOM through a human evaluation with 150 diverse participants. Our findings suggest that PriBOM could serve as a significant solution for providing privacy support in DevOps for mobile apps.
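To make the traceability idea concrete, the following is an added sketch and is not PriBOM's schema, the paper's tooling, or the authors' code. It assumes a bill-of-materials record that ties each data category to the implementation artifact that justifies it and to whether the current notice discloses it; the permission-to-category mapping, the `BomEntry` shape, the `owner` field and the manifest excerpt are all constructed for illustration.

```python
"""Hypothetical bill-of-materials style cross-check between implementation
artifacts and a privacy notice. Added illustration only: the record shape,
the permission-to-category mapping and the sample manifest are assumptions,
not PriBOM's actual design.
"""
import re
from dataclasses import dataclass

# Constructed AndroidManifest.xml excerpt; not taken from any real app.
MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Assumed mapping from an Android permission to the data category a notice
# would have to disclose if the permission is requested.
PERMISSION_TO_CATEGORY = {
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.CAMERA": "Photos and videos",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.RECORD_AUDIO": "Audio",
}


@dataclass
class BomEntry:
    category: str            # data category the app is able to access
    evidence: list[str]      # implementation artifacts that justify the entry
    disclosed: bool          # whether the current notice mentions the category
    owner: str = "unassigned"  # assumed: team role expected to confirm the entry


def permissions_from_manifest(xml: str) -> list[str]:
    """Extract requested android.permission.* names from a manifest string."""
    return re.findall(r'android:name="(android\.permission\.[A-Z_]+)"', xml)


def prefill_bom(manifest_xml: str, notice_categories: set[str]) -> list[BomEntry]:
    """Pre-fill one entry per data category implied by the manifest, with
    traceable evidence and a flag showing whether the notice already covers it."""
    entries: dict[str, BomEntry] = {}
    for perm in permissions_from_manifest(manifest_xml):
        category = PERMISSION_TO_CATEGORY.get(perm)
        if category is None:
            continue  # e.g. INTERNET: implies no personal-data category by itself
        entry = entries.setdefault(
            category, BomEntry(category, [], category in notice_categories)
        )
        entry.evidence.append(f"AndroidManifest.xml: uses-permission {perm}")
    return sorted(entries.values(), key=lambda e: e.category)


def undisclosed(entries: list[BomEntry]) -> list[str]:
    """Categories the code can reach but the notice does not disclose."""
    return [e.category for e in entries if not e.disclosed]


if __name__ == "__main__":
    # Constructed notice: the developer disclosed location but forgot the camera.
    current_notice = {"Location"}
    bom = prefill_bom(MANIFEST, current_notice)
    for entry in bom:
        print(entry)
    print("Undisclosed categories:", undisclosed(bom))
```

Each entry carries the artifact that produced it, so a reviewer can trace a line in the notice back to the manifest permission, and a gap report (here, the undisclosed camera access) becomes a concrete task for the responsible role instead of a guess by whoever writes the policy.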