Privacy Policy

What we collect, and why.

Yapp is a voice-first anonymous social app. Anonymity is the whole point — we deliberately collect as little as we can get away with while still running the service. This page lays out exactly what we do collect, who else sees it, and how to make it go away.

Effective: 15 May 2026 Last updated: 4 June 2026 Applies to: Yapp Android app + yapp.co.in
On this page
  1. Who we are
  2. Information we collect
  3. Why we collect it
  4. Who we share it with
  5. How long we keep it
  6. Your rights
  7. Security
  8. Age requirement (18+)
  9. Cross-border data transfer
  10. Changes to this policy
  11. Contact & grievance officer

01Who we are

Yapp is an independent product currently operated by an individual founder based in India. The service is delivered through the Android app (package id io.yapp.app) and the website yapp.co.in. When this policy says "we" or "Yapp", it means that founder acting as the operator of the service. Once a legal entity is registered, this section will be updated.

02Information we collect

We try to keep this list short. It is what it is — running the app needs the items below.

Account information

  • Email address — used as your login, whether you sign up with email and password or with Google. We do not display it to other users. Your handle, avatar emoji, and identity colour are randomly generated; we never ask you for, or show other users, your real name.
  • Password — only if you sign up with email and password. Stored solely as a salted hash by our authentication provider (Supabase). We cannot read it.
  • Google Sign-In (optional) — if you choose to sign in with Google, your device sends us a Google identity token. It contains your email address, a Google account identifier, and the name and profile picture on your Google account. We use the email as your login; we do not show your Google name or photo to other users — your in-app handle, avatar emoji, and colour stay randomly generated.

Voice and post content

  • Audio recordings (yaps and voice posts, up to 30 seconds each) — stored on our media bucket and played back to other users.
  • Automatic transcripts of those recordings — generated by our transcription provider so that listeners can opt to read what's said. Stored alongside the audio.
  • AI-generated context summaries of voice threads — short text generated from the transcripts above to help users decide whether to listen to a conversation.
  • Images and videos you attach to a post.
  • Captions and other text you choose to add to a post.

Activity on the service

  • Likes, dislikes, and replies you make to other users' content.
  • Blocks and reports you submit (used to keep the platform safe and to enforce our terms).
  • Impression, play, and completion counts on posts and yaps you create (so we can show you how your content is doing).

Device and technical information

  • Android version and device model, app version, locale, time zone.
  • IP address, captured by our backend when your device makes a request. Used for spam / abuse prevention and the safety signals below — not for advertising.
  • Crash reports and diagnostic logs when the app misbehaves, so we can fix it.

Permissions you grant on Android

  • Microphone — to record voice notes. The app only records while you are actively holding the record button. We do not listen passively or in the background.
  • Storage / Photos & Media — only when you choose to attach an image or video to a post.
  • Notifications — to alert you when someone replies to your yap, or when a moderation decision affects you. You can turn these off in your device settings at any time.
  • Internet — required for the service to function.

What we do NOT collect

  • Your phone number, contacts, calendar, or location.
  • Advertising identifiers (we don't run ads).
  • Biometrics, fingerprints, or face data.

03Why we collect it

  • To run the service — store and play back your voice notes, deliver replies to the right user, keep your account signed in.
  • To make voice content accessible — auto- generated transcripts let people read what was said, and AI-generated thread summaries help them decide whether to listen.
  • To keep the platform safe — process the reports and blocks you submit, screen uploads for content that violates our Terms, retain enough signal to detect users evading bans.
  • To improve the app — read crash reports, fix bugs, understand what features are actually used.
  • To comply with the law — respond to valid legal requests, defend against fraud and abuse.

We do not use your data for advertising, sell it, share it with brokers, or use it to train large language models outside the scope described in section 4.

04Who we share it with

Yapp uses a small number of trusted infrastructure providers to run. Each one only sees the slice of data needed for its job. We do not share your data with anyone else for marketing or profiling.

Supabase
Auth + database. Stores your account row, posts/yaps, likes, reports, blocks.
Hosted in Mumbai (ap-south-1)
Google Sign-In
Lets you sign in with your Google account. Returns an identity token (your email, a Google account ID, name, and profile picture) that Supabase verifies to log you in.
United States
Amazon Web Services (S3, Lambda)
Media storage + media processing. Stores audio, images, and video.
Hosted in Mumbai (ap-south-1)
Sarvam AI
Speech-to-text. Receives audio bytes to produce a transcript. Sarvam confirms it does not retain audio for training.
India
Google (Gemini API)
Generates short AI summaries of voice threads from the transcript text only. No audio is sent.
United States
Vercel
Hosts this website (yapp.co.in). Sees standard web server logs.
United States
Google Play / Firebase
App distribution + push notifications. Receives device tokens to deliver notifications.
United States
Sentry
Crash + error reporting. Receives stack traces, device model, app version, and current screen when the app crashes or hits an unhandled exception. Does NOT receive your audio, transcripts, posts, email, or real-world identity.
Hosted in European Union
PostHog
Product analytics. Receives anonymous event pings (e.g. "app opened", "post created", "thread opened") with a random session ID — no email, no handle, no audio, no transcript text, no media. Used to understand which features are used so we can prioritise improvements.
Hosted in European Union

We may also disclose information to law enforcement when compelled by a valid legal order in India. We will push back on requests that look overbroad.

05How long we keep it

  • Account row — until you delete your account.
  • Posts, yaps, audio, transcripts, images, video — until you delete them, or until our moderators remove them for breaking the Terms. Soft-deleted items are purged from active storage within 30 days.
  • Backups — encrypted backups of the database are retained for up to 30 days for disaster recovery and then rotated out.
  • Moderation records — reports and moderator actions are retained for 12 months after the related content is removed, so we can defend the decision if questioned.
  • Ban-evasion signals — limited device and IP signals tied to banned accounts are retained for 24 months to prevent ban evasion.
  • Server logs and crash data — up to 90 days.

06Your rights

Under India's Digital Personal Data Protection Act, 2023 (DPDPA), and as a matter of how we'd like to run this app regardless, you have the following rights over your data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix data that's wrong. (Most of what we store is content you've created yourself, which you can edit or delete from inside the app.)
  • Erasure — ask us to delete your account and the data associated with it. See the Account Deletion page for the exact process and what it does and doesn't remove.
  • Portability — request a machine-readable export of your content (audio, transcripts, posts).
  • Withdraw consent — stop using the service and delete your account at any time.
  • Lodge a grievance — see section 11.

We will respond to verified requests within 30 days (often much faster). For account deletion, the standard processing window is documented on the deletion page.

07Security

  • All traffic between the app and our servers uses HTTPS.
  • The media bucket is private — audio, images, and video are only accessible through short-lived signed URLs issued by our backend after an auth check.
  • Passwords are stored as salted hashes by Supabase and are never visible to us.
  • Encrypted backups, restricted admin access, audit logs on moderator actions.

No system is perfectly secure. If a breach affects you, we will notify you and the relevant regulator as required by the DPDPA.

08Age requirement (18+)

Yapp is intended for users 18 years of age and older. Voice content on Yapp can be candid, political, spicy, or generally not suitable for minors. If you are under 18, please do not use the service. If we learn that an account belongs to someone under 18, we will delete it.

Under India's DPDPA, processing a child's personal data without verifiable parental consent is restricted; the 18+ floor is how we comply.

09Cross-border data transfer

Most Yapp data is processed and stored in India — auth, database, and media are all hosted in Mumbai (ap-south-1). A small number of narrow exceptions:

  • Gemini (Google) — United States. Only transcript text and short prompts are sent. No audio, no identity information.
  • Vercel / Firebase / Play / Google Sign-In infrastructure — United States. Standard web hosting, notification delivery, and Google account sign-in.
  • Sentry — European Union. Only crash reports + diagnostic context (stack traces, device model, app version, current screen). Deliberately chosen in the EU rather than US for stronger data-protection guarantees on the bit of telemetry that does leave India.
  • PostHog — European Union. Anonymous product-event pings (which screens get used, which features get tapped). No audio, no transcripts, no identity. Also deliberately EU.

By using Yapp you consent to this limited cross-border transfer for the purposes described above. We do not transfer data to any country the Indian government has notified as restricted under the DPDPA.

10Changes to this policy

We may update this policy as the service evolves. If a change is material — for example, adding a new processor or a new category of data — we'll surface it inside the app and update the "Last updated" date at the top of this page. The change will only take effect once you have had a chance to review it.

11Contact & grievance officer

Grievance Officer

For privacy questions, data requests, or grievances under the DPDPA / India IT Rules 2021, contact the Grievance Officer at:

📧 yappcares@gmail.com

We aim to acknowledge within 24 hours and resolve within 15 days, in line with the IT Rules 2021. Please include your account handle (the @username we generated for you) so we can locate your data.