Utah Creates LLC currently does not know how to sell user data, or posess the ability to sell user data. However Some of the tools we use to create awesome apps do some behind the scenes data collection on our users. We use
Expo to build our javascript files into .apk and .ipa files to be distributed on app marketplaces. Expo does collect user data, but per the following
link none of the data is sold or used for advertising. We've copy and pasted the content from that expo post below.
Data collected by Expo
By default, Expo apps check for newer versions of your published JS. They also may download that JS and other assets like icons required by your app. These are basic HTTPS requests to Expo’s servers (hosted on Google Cloud in the US) and CDN (hosted on AWS worldwide). The HTTPS requests include the device’s IP address, locale, and a user-agent string with some basic device information like the type of device and OS. The request headers to Expo’s servers are logged for 30 days. This helps us with operational duties and general debugging and is not used for other purposes like advertising. We currently don’t log requests to the CDN but we’d treat the data similarly if we did. Also, you can disable checking for JS updates 14 by setting updates.enabled to false in your app.json file before your build your app.
Similarly, when an Expo app registers to get an Expo push token for push notifications or uses the AuthSession API, the app makes a basic HTTPS request to Expo’s servers that is treated the same way. If we were to add more Expo APIs that use Expo’s servers, we’d probably treat those server requests the same way. These services need HTTPS requests to work and you can choose not to invoke them in your app.
The Expo push notification service does not use nor store the contents of push notifications for longer than needed to deliver them to Apple or Google. The response from Apple or Google, which just includes success or error data and not the contents of the notification, is kept for a short amount of time so that developers can learn whether their notifications were delivered to Apple or Google successfully.
In summary, Expo apps use HTTPS to check for JS updates and call other server APIs and we keep basic NGINX logs for a month.
Data collected by other parties
Apps built with Expo send basic metrics to Amplitude such as when an app is initially launched, encounters an error, or successfully launches to understand issues with Expo and how it is being used. The data primarily consists of an event name and a device ID that Amplitude generates. If you send us the “Amplitude ID” of a user whose Amplitude events you would like to delete we will do that for you with their API here 6. On iOS, a project using ExpoKit can disable these metrics 11 by adding EXAnalyticsDisabled to Info.plist.
We also send crash logs to Fabric’s Crashlytics service for general debugging. Crashlytics says the personal data collected are an installation UUID (different from iOS’s UDID) and crash traces and, “Crash traces and their associated identifiers are kept for 90 days.” This is their page on data privacy. 8
On Android, Expo apps use Firebase Cloud Messaging for push notifications. Firebase needs to store whey they call “Instance IDs” to provide the basic notification service. These Instance IDs are associated with your own Firebase project, not Expo’s. This is their page on data privacy. 6
Summary
In general, apps made with Expo collect and store little data for the basic operation of the Expo service. We don’t sell it or use it for advertising. The data collected and stored by Expo or with an Expo-owned account on another service are used by Expo for our operation and maintenance of the service. Finally, Expo is open source and also lets you “detach” and modify the code if you have different needs.