Privacy policy
Last updated · 2026-05-21
XPO ("we", "us", "the app") is a mobile companion for Expo Application Services (EAS), with a companion CLI and MCP server. Built by RTH. This policy describes what data we collect, why, and what choices you have.
Data we store
When you sign up to XPO via GitHub, Google, or Apple, we receive the email address, display name, and avatar URL associated with that provider and store them in our database (Supabase). We never see or store your provider password — sign-in is handled by GitHub, Google, or Apple directly.
When you link an Expo account to XPO, we store the Personal Access Token you provide so we can query EAS on your behalf. Tokens are scoped to your XPO account via row-level security and never shared with any third party.
Data we send to third parties
- Supabase hosts authentication, profile, and linked-account data.
- Expo — we make API calls to
api.expo.devusing your linked PAT to fetch build status, logs, and other EAS data. Expo's privacy policy applies to those calls. - RevenueCat handles in-app purchase receipt validation when you buy XPO Pro. They receive your XPO user id and Apple/Google purchase receipt.
We do not run our own analytics, tracking pixels, or advertising SDKs.
Push notifications
If you grant notification permission, the app stores a push token from Apple/Google so we can ping your device when a build finishes. The token is tied to your XPO account and removed if you delete it.
API tokens (CLI / MCP)
If you generate a Personal Access Token for the XPO CLI or MCP server, we store a SHA-256 hash of the token plus the last four characters as a display hint. We never store the raw token — once generated, it's shown to you once and you must save it yourself. You can revoke any token at any time from Settings.
Your rights
- View all data we hold by signing in and visiting Settings.
- Sign out at any time from Settings.
- Permanently delete your XPO account, all linked Expo accounts, and all associated tokens from Settings → Delete XPO account. Deletion is immediate and cannot be undone.
Contact
Questions or concerns: hello@xpo-connect.com
Changes to this policy
If we change this policy materially, we'll update the date above and notify active users via in-app message.