
Fix possible side-loaded trackers (quirk) [CLOSED]

flaque commented on June 5, 2024

Fix possible side-loaded trackers

Comments (3)

Flaque commented on June 5, 2024

Ah, this is known about. You're correct, these come from dependencies.

This app is built on Expo, which includes a whole bunch of libraries for building mobile apps. Included with Expo is the SDK for Segment. Unfortunately there's no easy way to unbundle it. :/

This app does not actually use those libraries and I have no plans to. But it does mean that when deploying to iOS, I'll have to state that I use IDFA, even though the app doesn't.

One of Segment's use cases is to ship data from one place to another. So its SDKs come with support for a whole bunch of destinations including marketing tools like the FB suite, Google Analytics, etc. Which is why I'm guessing they show up in the Exodus Privacy report.

For the moment, I think we're okay to keep it as it is. If Expo gives a non-Segment version, I'll switch to that.


SISheogorath commented on June 5, 2024

So I did some further network analytics today and sadly, those trackers aren't just included by the framework, they are also active:

On every app start there are requests to:

  • settings.crashlytics.com
  • graph.facebook.com
  • exp.host (maybe not a tracker)
  • expo.io (maybe not a tracker)

No matter what, this includes data like the app name. Which means Facebook and Google know that a user installed this application. Given that the app has a medical background in one way or another, it's a bit disturbing to have this known to Facebook and Google.

I agree that this is a build system problem, but either way, you definitely need to mention it in the app's privacy policy (which might still conflict with GDPR as there is no user consent for that) and in the long term it should definitely get fixed by either switching the framework or finding another solution. Of course for now I can only say those things for the Android version, but I don't expect the iOS version to be fundamentally different.

Hope this helps to move things even more towards privacy :)

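Added example (not code from the Quirk project or from either commenter): a small Python script that reproduces the distinction the two comments above draw between trackers that are merely bundled by the framework (visible in the package's class names, which is what a static report like Exodus Privacy's sees) and trackers that are actually contacted on app start (visible only in a network capture). The signature patterns are hypothetical, written in the shape of Exodus-style rules (one regex for code, one for hostnames); the class list and the request log are constructed for the example and are not real Quirk artifacts, only the hostnames repeat what the comment above reports.

```python
"""Bundled vs. active tracker check.

Inputs are constructed for this example:
  - SAMPLE_CLASSES: class names as a dex dump (e.g. `apkanalyzer dex packages`) would list them
  - SAMPLE_REQUESTS: "METHOD URL" lines as an intercepting proxy would log on first launch
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class TrackerSignature:
    name: str
    code_signature: str     # regex matched against fully qualified class names
    network_signature: str  # regex matched against request hostnames


# Hypothetical signature set (assumption: modelled on, not copied from, Exodus rules).
SIGNATURES = (
    TrackerSignature("Crashlytics",
                     r"^com\.crashlytics\.|^io\.fabric\.",
                     r"(^|\.)crashlytics\.com$"),
    TrackerSignature("Facebook SDK",
                     r"^com\.facebook\.(?!react)",  # com.facebook.react is React Native itself
                     r"(^|\.)graph\.facebook\.com$"),
    TrackerSignature("Segment",
                     r"^com\.segment\.analytics\.",
                     r"(^|\.)api\.segment\.io$"),
    TrackerSignature("Google Analytics",
                     r"^com\.google\.android\.gms\.analytics\.",
                     r"(^|\.)google-analytics\.com$"),
)

# Constructed class list, not a real dump of the Quirk APK.
SAMPLE_CLASSES = [
    "com.facebook.react.ReactActivity",
    "com.facebook.FacebookSdk",
    "com.facebook.appevents.AppEventsLogger",
    "com.crashlytics.android.Crashlytics",
    "io.fabric.sdk.android.Fabric",
    "com.segment.analytics.Analytics",
    "host.exp.exponent.MainActivity",
    "expo.modules.updates.UpdatesController",
]

# Constructed first-launch proxy log, not a real capture; paths are placeholders.
SAMPLE_REQUESTS = [
    "GET https://exp.host/manifest",
    "GET https://expo.io/updates",
    "POST https://settings.crashlytics.com/settings",
    "POST https://graph.facebook.com/activities",
]


def bundled_trackers(class_names):
    """Static check: which signatures have code present in the package?"""
    found = {}
    for sig in SIGNATURES:
        pat = re.compile(sig.code_signature)
        hits = sorted(c for c in class_names if pat.search(c))
        if hits:
            found[sig.name] = hits
    return found


def host_of(request_line):
    """Extract the hostname from a 'METHOD URL' log line."""
    _, url = request_line.split(maxsplit=1)
    return urlsplit(url).hostname


def active_trackers(request_lines):
    """Dynamic check: which signatures' endpoints are actually contacted?"""
    hosts = {host_of(line) for line in request_lines}
    found = {}
    for sig in SIGNATURES:
        pat = re.compile(sig.network_signature)
        hits = sorted(h for h in hosts if pat.search(h))
        if hits:
            found[sig.name] = hits
    return found


def unclassified_hosts(request_lines):
    """Hosts contacted that match no signature (to be reviewed by hand)."""
    hosts = {host_of(line) for line in request_lines}
    patterns = [re.compile(sig.network_signature) for sig in SIGNATURES]
    return sorted(h for h in hosts if not any(p.search(h) for p in patterns))


def classify(class_names, request_lines):
    """Combine both checks: bundled-and-contacted, bundled-only, or contacted-only."""
    bundled = bundled_trackers(class_names)
    active = active_trackers(request_lines)
    report = {}
    for name in bundled:
        report[name] = "bundled and contacted on launch" if name in active else "bundled, not contacted"
    for name in active:
        report.setdefault(name, "contacted but no matching code found")
    return report


if __name__ == "__main__":
    for name, status in classify(SAMPLE_CLASSES, SAMPLE_REQUESTS).items():
        print(f"{name}: {status}")
    print("unclassified hosts:", unclassified_hosts(SAMPLE_REQUESTS))
```

The static pass alone would list Segment alongside Crashlytics and the Facebook SDK, which is the picture a signature-based report gives; only the capture shows which of them send anything at launch. Hosts that match no rule (here exp.host and expo.io) are reported separately rather than silently dropped, since "not a known tracker" is not the same as "not a tracker".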

Flaque commented on June 5, 2024

Ah, so: exp.host and expo.io are the updating servers from expo.io, the framework and updating system Quirk uses. My understanding is Expo uses Crashlytics to provide crash reports. Expo also comes prepackaged with access to Facebook's APIs for things like FB login. That said, the FB Graph API isn't being used or set up; there's no API key or account setup afaik.

So this is a problem with the build system; if you're concerned about this, you're welcome to fork the app or go submit an issue on https://github.com/expo/expo.

Which means Facebook and Google know that a user installed this application.

This info is already known, or at least it's known by Google. When you install an app via the Google Play Store, they know you installed it. This info is also known by Expo, since they're delivering the updates to the device.

you definitely need to mention it in the apps privacy policy

It is. See here.

just to clarify

Quirk is not a privacy app.

It's a Cognitive Behavioral Therapy app that does not store your personally identifiable information and does not use identifiable analytics.

Privacy isn't a feature of Quirk, it's just the way I built it. I didn't store your mental health thoughts on a server because the risks of doing so are more dangerous than the value it would provide to the user.

I don't use anonymous analytics to see what buttons you're clicking on or how often you record something because I have no reason to. Quirk is a free, open source app with nothing to sell you. It has no ads or in-app purchases. It has nothing to optimize for.

What I'm saying is that I have no moral objection to first party data collection. (Third-party data buying & selling is pretty scummy.) If for some reason Quirk needed me to do anonymous tracking, I would have no concerns doing that. But it doesn't, so I thankfully don't have to.

Collected user data, especially PII, is like nuclear waste. It's a necessary byproduct of a lot of products, but should be carefully stored and you should work to accrue as little as possible.

