An explanation of GDPR, CCPA, and other privacy policies at Expo. Last updated: 2/7/2020.
To try and remove some of the fog that surrounds privacy policies, and help you contextualize intimidating walls of legal text, we've provided a brief explanation of what data we collect, and why. For a more detailed explanation, see our privacy policy.
In general, there are two ways Expo handles data. In technical terms, Expo is sometimes a data controller and sometimes a data processor. When a developer uses Expo as a tool and service, we are a controller of their data since we're directly providing services to them. After the developer uses Expo's services to create an app and distributes it to their users (end-users), we become a data processor because we process end-user data on behalf of the developer. Below is an explanation of how we treat data in both cases and the implications of both.
When you create an account on Expo or use our tools and services, we collect data including your name, email, and, if you enable paid services, your billing information. In addition, we also collect tracking information about how you use Expo CLI, our documentation site (https://docs.expo.dev), and our website (https://expo.dev). This data helps us make decisions about our products and services, in addition to allowing us to deliver satisfactory user experiences.
In all scenarios regarding our users' data, Expo is GDPR-, CCPA-, and Privacy Shield-compliant.
When developers create apps with Expo, their users (end-users) ultimately use their apps and websites. When end-users use apps built by Expo, we collect very little end-user data. The data we may collect includes the end-user's push token, which we use for push notifications, but this is only collected if you specifically opt in to push notifications and collect the user's ExpoPushToken.
For example, when an app uses the EAS Update feature, the end-user's app will often request new app updates over HTTPS when the app is opened on the end-user's device. If there is a new update available, we will push the new update to that end-user. These requests do not contain identifying information such as unique device identifiers. The request contains non-identifying information needed to correctly process the update request, including the end-user's operating system, the developer's project ID, and a random token used to determine if an installation of the app has requested an update.
Another example is when a developer uses Expo to send push notifications. We do store end-user push tokens to make it possible to send notifications; however, the most sensitive part of sending notifications is the notification's content itself. We process that data to send it to end-users, but it is never stored, and we only handle that data for as long as it takes to send the notification.
There are some cases where we may disclose user data to others. These include situations when we have consent or when we send data to a service that processes data for us (you can see a list of services we use here).
In all scenarios regarding end-user data, Expo is GDPR-, CCPA-, and Privacy Shield-compliant.
While Expo ensures the proper handling and processing of developer data and end-user data, we cannot guarantee that the developers who build apps with Expo follow data privacy practices themselves. For example, a developer could build an app that collects an end-user's information and shares it publicly in some way. In this case, Expo would not have access to this information; only the developer who created the app would. While it's ultimately up to each individual end-user to evaluate what data they share and what apps or services they trust, we recommend they start by looking for similar policies in their app developer's privacy policy.
As our privacy policies change, we will either email you or put a prominent banner on our website to notify you of any changes.
For more information, please see our privacy policy at https://expo.dev/privacy. If you have questions about how we collect and use data, please send us a message via our contact form.