Must I disclose Expo Notifications in my privacy policy?

Yes. Expo Notifications processes personal data including device push tokens and notification delivery information. Under GDPR, CCPA, and similar regulations, you must transparently disclose all third-party services that collect or process user data. Failure to disclose Expo Notifications exposes you to regulatory violations and user trust issues.

What specific data does Expo Notifications collect?

Expo Notifications collects device push tokens (unique identifiers assigned to each device for receiving notifications) and notification delivery data (information about whether notifications were successfully delivered, opened, or interacted with). These identifiers enable the service to target and track notification performance across your user base.

Do I need a cookie consent banner for Expo Notifications?

No. Expo Notifications does not use cookies. However, you still need explicit user consent or a lawful basis (typically legitimate interest or service necessity) under GDPR and CCPA to collect device tokens and delivery data. Your privacy policy must explain the legal basis for this data collection.

Who processes Expo Notifications data and where?

Expo (650 Industries), a United States-based company, operates and processes Expo Notifications. If your users are in the EU, you must ensure an adequate transfer mechanism such as Standard Contractual Clauses (SCCs) is in place, as the US lacks an adequacy decision under GDPR.

Push Notifications

Privacy policy clauses for Expo Notifications

Expo Notifications is a push notification service that enables Expo-built mobile applications to send real-time messages to users' devices. It collects device identifiers and delivery metadata to route notifications reliably across iOS and Android platforms.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Expo Notifications collects

Your privacy policy must disclose each of the following data types when you use Expo Notifications.

Device push token

Notification delivery data

When does Expo Notifications trigger privacy obligations?

Installation & Device Token Collection

Adding Expo Notifications to your Expo app triggers data protection obligations immediately upon installation. The moment your app requests push notification permissions from users, Expo generates and stores a device push token (a unique identifier for that device) on Expo's servers in the United States. This token is personal data under GDPR Article 4(1) because it identifies or relates to an identifiable natural person.

Which Regulations Apply

GDPR applies if you have users in the EU/EEA, regardless of your company location. You are the controller; Expo is a processor. CCPA applies if you have California users and meet the threshold (e.g., $25M+ revenue, data on 100K+ consumers). Device tokens may qualify as "identifiers" under CCPA Section 1798.100(d). ePrivacy Directive (Article 5(3)) requires prior consent before storing or accessing push notification identifiers on a user's terminal equipment in most EU member states—a higher bar than GDPR.

First Concrete Step

Common compliance pitfalls

Pitfall 1: Missing the DPA or Signing Expo's Non-Compliant Template

The mistake: Many indie founders skip the DPA or assume Expo's standard terms are sufficient. Under GDPR Article 28(3), a processor contract must include specific mandatory clauses (data subject rights assistance, sub-processor management, deletion/return obligations, audit rights). Expo's standard processor terms may not fully address sub-processors (e.g., Apple Push Notification service, Google Firebase Cloud Messaging) or cross-border data transfers.

Why it happens: Friction—DPAs feel legal-heavy, and Expo's docs may not emphasize this requirement for non-EU founders. Consequence: GDPR non-compliance exposure; fines up to €10M or 2% of global annual revenue for processor violations. A regulator audit will immediately request your signed DPA and flag gaps.

Pitfall 2: Conflating Consent Categories—"Functional" vs. "Targeting"

The mistake: Teams treat push notifications as purely "functional" and don't request explicit consent, or they bundle device token collection into a "necessary" category without distinguishing between transactional notifications and behavioral tracking. However, Expo Notifications' notification delivery data (when users open/dismiss notifications) can reveal usage patterns and inform targeting decisions if retained or shared.

Why it happens: Confusion about what "functional" means; assumption that notifications are always user-triggered. Consequence: Under GDPR Article 7 and CCPA opt-in rules, you may lack valid consent for behavioral analytics built on notification engagement. Regulators flag this in audits of consent implementations.

Pitfall 3: Not Updating Privacy Policy After SDK Integration

The mistake: Privacy policy pre-dates Expo Notifications integration and mentions only first-party analytics. Device tokens and Expo's role as a US-based processor are never disclosed. Under GDPR Article 13/14 and CCPA Section 1798.100, you must disclose the categories of data collected, Expo's identity, the lawful basis, and retention periods *before or at time of collection*.

Why it happens: Rapid feature deployment; assuming Expo Notifications are invisible to privacy law because they're a library. Consequence: Unfair trading practices claims (FTC enforcement); GDPR complaints to local DPAs alleging lack of transparency; CCPA civil rights claims. Users cannot give informed consent if Expo's data collection is not disclosed.

Privacy policy clauses for Expo Notifications

What data Expo Notifications collects

When does Expo Notifications trigger privacy obligations?

Installation & Device Token Collection

Which Regulations Apply

First Concrete Step

Where data goes

Common compliance pitfalls

Pitfall 1: Missing the DPA or Signing Expo's Non-Compliant Template

Pitfall 2: Conflating Consent Categories—"Functional" vs. "Targeting"

Pitfall 3: Not Updating Privacy Policy After SDK Integration

Sample privacy policy clause

What regulators look for

GDPR DPAs (EU/EEA)

CCPA Enforcement (California AG)

FTC (US-wide)

Initial Audit Sequence

Frequently asked questions

Must I disclose Expo Notifications in my privacy policy?

What specific data does Expo Notifications collect?

Do I need a cookie consent banner for Expo Notifications?

Who processes Expo Notifications data and where?

Don't ship without Bandit.