Apps made with Expo and GDPR compliance

#1

Hi everyone - the Expo team aims to follow the GDPR guidelines and respect the data privacy of developers using Expo and the people using apps made with Expo.

This is an explanation of the data collected by apps made with Expo and their deletion and retention policies, written for developers making apps with Expo. Specifically, this applies to people who download and install a basic Expo app from the App Store or Google Play.

(Of course, if you add more services that collect data, use APIs like Facebook Login or Segment, or generally add code that collects data, Expo neither controls nor processes the data in those cases.)

Data collected by Expo

By default, Expo apps check for newer versions of your published JS. They also may download that JS and other assets like icons required by your app. These are basic HTTPS requests to Expo’s servers (hosted on Google Cloud in the US) and CDN (hosted on AWS worldwide). The HTTPS requests include the device’s IP address, locale, and a user-agent string with some basic device information like the type of device and OS. The request headers to Expo’s servers are logged for 30 days. This helps us with operational duties and general debugging and is not used for other purposes like advertising. We currently don’t log requests to the CDN but we’d treat the data similarly if we did. Also, you can disable checking for JS updates by setting updates.enabled to false in your app.json file before you build your app.

Similarly, when an Expo app registers to get an Expo push token for push notifications or uses the AuthSession API, the app makes a basic HTTPS request to Expo’s servers that is treated the same way. If we were to add more Expo APIs that use Expo’s servers, we’d probably treat those server requests the same way. These services need HTTPS requests to work and you can choose not to invoke them in your app.

The Expo push notification service does not use nor store the contents of push notifications for longer than needed to deliver them to Apple or Google. The response from Apple or Google, which just includes success or error data and not the contents of the notification, is kept for a short amount of time so that developers can learn whether their notifications were delivered to Apple or Google successfully.

In summary, Expo apps use HTTPS to check for JS updates and call other server APIs and we keep basic NGINX logs for a month.

Data collected by other parties

Apps built with Expo send basic metrics to Amplitude such as when an app is initially launched, encounters an error, or successfully launches to understand issues with Expo and how it is being used. The data primarily consists of an event name and a device ID that Amplitude generates. If you send us the “Amplitude ID” of a user whose Amplitude events you would like to delete we will do that for you with their API here. On iOS, a project using ExpoKit can disable these metrics by adding EXAnalyticsDisabled to Info.plist.

We also send crash logs to Fabric’s Crashlytics service for general debugging. Crashlytics says the personal data collected are an installation UUID (different from iOS’s UDID) and crash traces and, “Crash traces and their associated identifiers are kept for 90 days.” This is their page on data privacy.

On Android, Expo apps use Firebase Cloud Messaging for push notifications. Firebase needs to store what they call “Instance IDs” to provide the basic notification service. These Instance IDs are associated with your own Firebase project, not Expo’s. This is their page on data privacy.

Summary

In general, apps made with Expo collect and store little data for the basic operation of the Expo service. We don’t sell it or use it for advertising. The data collected and stored by Expo or with an Expo-owned account on another service are used by Expo for our operation and maintenance of the service. Finally, Expo is open source and also lets you “detach” and modify the code if you have different needs.

closed #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.