Privacy Policy

We want you to own and hold your data. YAP is built on the belief that your messages, your relationships, and the way you choose to represent them visually are yours — not ours, not a server's, not a dataset's. This policy exists to explain exactly how we uphold that principle.

YAP ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we collect it, how we use it, and your rights regarding that information.

1. Information We Collect

1.1 Information You Provide

• Account Information: @handle, display name, profile avatar, status, online presence settings, and optional recovery email (encrypted, used only for account recovery). Collected during account registration and when you update your profile.
• Messages: Stored locally on your device and encrypted end-to-end during transit using the Signal Protocol. We cannot access, read, or decrypt message content at any point.
• Contacts & Themes: Stored locally on your device by default. Theme data is only transmitted to our servers if you voluntarily publish it to a future Theme Gallery. Themes shared between contacts travel through the same end-to-end encrypted channel as messages. Unpublished and unshared themes, per-relationship identities, and styling are never accessible to our servers.
• AI Prompts: When you use AI-powered features (theme generation, meme generation, or the AI companion), the prompts and images you submit are sent to third-party AI providers for processing. This data is sent only when you explicitly initiate a generation or send a message to the AI companion.

1.2 Information Collected Automatically

• Technical Information: Randomly generated authentication tokens, encryption keys, push notification tokens, and material necessary to establish calls and transmit messages. We limit this to the minimum required to operate the Services.
• Device Information: Device type, OS version, app version — collected for compatibility and crash reporting only.
• Crash Reports: Anonymous crash logs to identify and fix issues. These contain no personal information or message content.

1.3 Information We Do NOT Collect

• Message content: We cannot read your messages. They are end-to-end encrypted.
• Address book: We do not upload or access your device's contacts.
• Location data: We do not track or request your location.
• Browsing history: We do not monitor your activity outside the App.
• Usage analytics: We do not track which features you use, how often you open the App, or how you interact with it.

2. How We Use Your Information

We use information exclusively to: provide and operate the Services; deliver encrypted messages between users via relay servers; process in-app purchases for AI generation features; send service-related notifications (such as push notifications for incoming messages and calls); identify and fix technical issues via crash reports; and comply with legal obligations.

We do not use your information for advertising, behavioral profiling, user tracking, or any purpose beyond operating the messaging service.

3. Data Storage

3.1 Local-First Architecture

Your messages, contacts, themes, and settings are stored on your device. We cannot access locally stored data. If your device is lost or the App is deleted without a backup, local data cannot be recovered by anyone — including us. You are responsible for maintaining backups.

3.2 Message Relay

Encrypted messages are temporarily held on our relay server until the recipient's device retrieves them. We cannot decrypt these messages. Messages are deleted from our server after delivery confirmation, or after a maximum of 30 days if undelivered.

3.3 Cloud Backup

If enabled, data is encrypted on your device with a key derived from your credentials before upload to your personal cloud storage (iCloud or Google Drive). We never store backup data on our servers and cannot decrypt your backups.

4. Third-Party Services

We use a limited number of third-party services to operate YAP. Each is listed below with the specific data they receive and their role. All third-party service providers are required to handle your data with protections consistent with this Privacy Policy and applicable data protection laws.

4.1 AI Providers

Theme generation: Your text prompt is sent to Anthropic (Claude API). Governed by Anthropic's privacy policy.

Meme generation: Your prompt and uploaded image are sent to either OpenAI (GPT Image API) or Google (Gemini API), depending on which provider you select. Governed by OpenAI's and Google's respective privacy policies.

AI Companion: If you enable the AI companion, your messages to it are sent to a third-party AI model for processing. AI companion conversations are not end-to-end encrypted. If you enable the optional "Chat Access" setting, conversation excerpts from your other chats may be sent to the AI provider for analysis. Chat Access is opt-in and disabled by default.

We send only the specific prompts, settings, and images you submit — not your messages, contacts, or personal information (except when Chat Access is explicitly enabled). AI data is transmitted only when you explicitly initiate a generation or send a message to the companion.

4.2 Firebase (Google)

Used for authentication token management, encrypted message relay (Firebase cannot read message content), encrypted media storage in transit, and push notifications. Governed by Google's privacy policy.

4.3 Agora

Used for voice and video call connectivity. Call streams are encrypted in transit. Governed by Agora's privacy policy.

4.4 Payment Processing

In-app purchases are processed entirely by Apple (App Store) or Google (Play Store). We do not collect, process, or store any payment or credit card information.

5. Data Sharing

We do not sell, rent, or trade your personal information. We do not share data with advertisers or data brokers.

We may share information only: with your explicit consent; to comply with law, subpoena, or legal process; to enforce our Terms of Service or investigate violations; to detect, prevent, or address fraud, security, or technical issues; to protect the rights, property, or safety of YAP, our users, or the public; and with the service providers listed in Section 4, who are required to handle your data consistently with this Privacy Policy.

6. Data Security

We implement industry-standard security measures: end-to-end encryption (Signal Protocol) for all messages; TLS/SSL for all data in transit; encryption-at-rest on relay servers; hardware-backed key storage (iOS Keychain / Android Keystore) for cryptographic keys. No security method is 100% impenetrable, and we cannot guarantee absolute security.

7. Data Retention

• Local data: Remains on your device until you delete it or uninstall the App.
• Relay messages: Deleted from our servers upon delivery confirmation, or after 30 days if undelivered.
• Account information: Deleted from our servers within 90 days of an account deletion request.
• Crash reports: Retained for up to 12 months, then deleted.

8. Your Rights and How to Exercise Them

Depending on your jurisdiction, you may have the right to: access your personal data; correct inaccurate data; delete your account and associated data; export your data; object to processing; restrict processing; and withdraw consent at any time.

How to exercise these rights

• Delete your account: Profile > Account > Delete Account (in-app). This permanently removes your account from our servers within 90 days.
• Withdraw consent / stop data sharing: You can stop using any feature that involves data transmission at any time. Disable the AI companion in settings to immediately stop all data sharing with AI providers. Disable push notifications in your device settings to stop receiving push tokens.
• Request data access, correction, or deletion: Email contact@yap-messenger.com. We will respond within 30 days.
• Export your data: Use the in-app export feature (Profile > Data & Backups).

8.1 Kenya Data Protection Act

If you are in Kenya, your rights under the Data Protection Act, 2019 include the right to be informed of the use of your personal data, the right to access your personal data, the right to object to processing, the right to correction of false or misleading data, and the right to deletion of false or misleading data. We process your data on the basis of consent and contract performance. You may lodge a complaint with the Office of the Data Protection Commissioner.

8.2 GDPR (European Users)

Our legal bases for processing are: consent, contract performance, and legitimate interests (limited to operating the messaging service). If you are in the EEA, you have rights under GDPR including the right to lodge a complaint with your supervisory authority and the right to data portability.

8.3 CCPA (California Users)

You have the right to know what personal information is collected, request deletion, and not be discriminated against for exercising your rights. We do not sell personal information as defined under the CCPA.

9. International Data Transfer

Your encrypted information and metadata may be transferred to countries where we have facilities or service providers, including the United States. We ensure appropriate safeguards for international transfers in accordance with applicable data protection laws, including the Kenya Data Protection Act, 2019 and, where applicable, GDPR.

10. Children's Privacy

The App is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have, we will delete it promptly. The minimum age may be higher in your country.

11. Changes to This Policy

We may update this Policy. Material changes will be notified through the App at least 30 days before taking effect. Continued use of the App after changes take effect constitutes acceptance of the updated Policy.

12. Contact

• Email: contact@yap-messenger.com
• In-App: Profile > Legal

Effective as of the date listed above.