All auth data are located at your computer. No one cannot get your auth data with a general method. Auth data and other contents are directly used by only TheDesk and your instance. They cannot be known by the TheDesk developer. Your VPN server or your provider may know such data. Some dependent libraries may be malwares, post your private data to evil servers. TheDesk developer check them to prevent, but it is not TheDesk developer's charge. All data are passed on the TLS-encrypted route. TheDesk however does not check the server's HTTPS cert.
TheDesk gets some information from the developer. TheDesk is always being connected with the developer's server. Then, the developer's server save log: your IP address and your User Agent to keep it sustainable.
Twemoji(MAX CDN), Google Fonts are also used. You cannot stop using them.
#InstanceTicker are hosted by the developer's server