An explanation of GDPR, CCPA, and other privacy policies at Expo. Last updated: 2/7/2020.
In general, there are two ways Expo handles data. In technical terms, Expo is sometimes a data controller and sometimes a data processor. When a developer uses Expo as a tool and service, we are a controller of their data since we're directly providing services to them. After the developer uses Expo's services to create an app and distributes it to their users (end-users), we become a data processor because we process end-user data on behalf of the developer. Below is an explanation of how we treat data in both cases and the implications of both.
When you create an account on Expo or use our tools and services, we collect data including your name, email, and, if you sign up for the EAS Priority Plan, your billing information. In addition, we also collect tracking information about how you use Expo CLI, our documentation site (https://docs.expo.dev), and our website (https://expo.dev). This data helps us make decisions about our products and services, in addition to allowing us to deliver satisfactory user experiences.
In all scenarios regarding our users' data, Expo is GDPR-, CCPA-, and Privacy Shield-compliant.
When developers create apps with Expo, their users (end-users) ultimately use their apps and websites. When end-users use apps built by Expo, we collect very little end-user data. The data we collect includes the end-user's push token, which we use for push notifications. We collect specifically nothing that identifies end-users using Expo apps.
One example situation is when an app is created with Expo's managed workflow, the end-user's app will often request new app updates over HTTPS when the app is opened on the end-user's device. If there is a new update available, we will push the new update to that end-user. These requests do not contain identifying information such as unique device identifiers.
Another example is when a developer uses Expo to send push notifications. We do store end-user push tokens to make it possible to send notifications, however the most sensitive part of sending notifications is the notification's content itself. We process that data to send it to end-users; however, it is never stored and we only handle that data as long as it takes to send the notification.
There are some cases where we may disclose user data to others. These include situations when we have consent, when we send data to a service that processes data for us (you can see a list of services we use here), or if there's a lawful request by public authorities.
In all scenarios regarding end-user data, Expo is GDPR-, CCPA-, and Privacy Shield-compliant.
As our privacy policies change, we will either email you or put a prominent banner on our website to notify you of any changes.