
Privacy Policy

Effective: March 16, 2026 · Version 2.0 · Contact: privacy@yapperhq.com

This document describes how Yapper Technologies, Inc. collects, uses, stores, and protects your information when you use the Yapper platform.

Data Controller: Yapper Technologies, Inc.
DPO: dpo@yapperhq.com
Address: KwaZulu-Natal, South Africa
Applicable laws: GDPR · CCPA/CPRA · COPPA · UK GDPR · LGPD · PIPEDA · POPIA

Contents

  1. Introduction
  2. Scope and Applicability
  3. Key Definitions
  4. Information We Collect
  5. How We Use Your Information
  6. E2EE Architecture
  7. Children's Privacy & COPPA
  8. User-Generated Content
  9. Live Canvas Features
  10. Data Import & Migration
  11. Data Sharing & Disclosure
  12. Data Retention
  13. Your Rights
  14. International Transfers
  15. Security Measures
  16. Data Breach Response
  17. Cookies
  18. Do Not Track
  19. Third-Party Links
  20. Policy Changes
  21. Contact Us

1. Introduction

Welcome to Yapper! Yapper Technologies, Inc. ("Yapper," "we," "our," or "us") operates a real-time chat platform that lets communities connect through text channels, Voice Yaps (audio messages), Video Clips (video messages), Live Canvas features, custom server-scoped emojis, and more.

This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have over your data. It applies to all users of the Yapper platform, including our website, desktop application, and mobile apps (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

2. Scope and Applicability

This Privacy Policy applies to all individuals who access or use the Yapper Service, regardless of their geographic location. It covers data collected through the Yapper platform, our website, APIs, and any third-party integrations (such as Discord profile import and bot migration tools).

This Policy does not apply to third-party services, websites, or applications that may be linked to or integrated with Yapper. We encourage you to review the privacy policies of any third-party services you interact with.

2.1 Territorial Scope

Yapper is designed to comply with applicable data protection regulations worldwide. The following regulatory frameworks are specifically addressed in this Policy:

  • European Economic Area (EEA) and United Kingdom: General Data Protection Regulation (GDPR) and UK GDPR
  • California, USA: California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA)
  • United States (Children): Children's Online Privacy Protection Act (COPPA)
  • Brazil: Lei Geral de Proteção de Dados (LGPD)
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • South Africa: Protection of Personal Information Act (POPIA)

3. Key Definitions

Personal Data
Any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, IP addresses, device identifiers, and user-generated content metadata.
Processing
Any operation performed on Personal Data, whether automated or manual, including collection, storage, use, disclosure, and deletion.
End-to-End Encryption (E2EE)
A communication system based on the Signal Protocol in which only the communicating users can read the messages. Yapper's servers cannot access plaintext message content.
Voice Yap
An audio message sent by a user within a Yapper server or direct message, encrypted end-to-end using the Signal Protocol.
Video Clip
A short-form video message shared by a user within a Yapper server or direct message, encrypted end-to-end using the Signal Protocol.
Live Canvas
A real-time sidebar feature within Yapper servers that may display music state, polls, and community clips carousels.
Server
A community space within Yapper that contains text channels, voice channels, and other collaborative features.
Metadata
Data about data — such as timestamps, sender/recipient identifiers, message sizes, and channel identifiers — that does not include the plaintext content of communications.

4. Information We Collect

4.1 Information You Provide Directly

4.1.1 Account Registration

When you create a Yapper account, we collect your chosen username, email address, password (stored as a salted Argon2id hash — a memory-hard algorithm resistant to GPU-based attacks), date of birth (for age verification and COPPA compliance), and optional profile information such as display name, avatar image, and biography.

4.1.2 Payment Information

If you subscribe to Yapper Premium or purchase server boosts, your payment is processed by our third-party payment processor (Stripe). We receive a tokenized payment reference, the last four digits of your card, and billing address, but we never store full credit card numbers on our servers.

4.1.3 User-Generated Content

All text messages, Voice Yaps (audio), and Video Clips (video) sent through Yapper are end-to-end encrypted using the Signal Protocol. Plaintext content is only accessible on the sender's and recipient's devices. Yapper's servers store only encrypted ciphertext, which we cannot decrypt.

Custom server-scoped emojis uploaded by server administrators are stored on our content delivery network (CDN) and are associated with the uploading server. Emoji images are not end-to-end encrypted, as they must be accessible to all server members.

4.1.4 Discord Profile Import Data

If you choose to use our Discord profile import tool, we temporarily process your exported Discord data package to migrate your profile information, friend lists, server memberships, and bot configurations. This data is processed in volatile memory and is not persisted on Yapper servers after the import is complete. See Section 10 for details.

4.2 Information Collected Automatically

4.2.1 Device and Connection Information

We collect device type and operating system, browser type and version, IP address (anonymized after 30 days), unique device identifiers, and timezone and language preferences.

4.2.2 Usage Metadata

We collect metadata necessary to deliver and improve the Service, including message timestamps, sender and recipient identifiers (for message routing), channel and server identifiers, message sizes (not content), Voice Yap and Video Clip duration and file sizes, and Live Canvas interaction events. This metadata does not include the plaintext content of any end-to-end encrypted communications.

4.2.3 Cookies and Similar Technologies

Yapper uses strictly necessary cookies for authentication and session management. We use optional analytics cookies (deployed only with your consent where required by law) to understand usage patterns and improve the Service. See Section 17 for full details.

4.3 Information from Third Parties

We may receive limited information from third-party authentication providers (e.g., Google) if you choose to sign in using single sign-on (SSO). This typically includes your name, email address, and profile picture.

5. How We Use Your Information

We process your Personal Data for the following purposes and on the following legal bases:

Purpose | Data Used | Legal Basis (GDPR)
Provide and operate the Service | Account data, metadata, device info | Contractual necessity (Art. 6(1)(b))
Deliver and route E2EE messages, Yaps, and Clips | Encrypted ciphertext, routing metadata | Contractual necessity (Art. 6(1)(b))
Age verification and COPPA compliance | Date of birth, parental consent records | Legal obligation (Art. 6(1)(c))
Enforce parental safety controls | Metadata only (no plaintext) | Legitimate interest / Legal obligation
Process payments | Tokenized payment data | Contractual necessity (Art. 6(1)(b))
Detect fraud and abuse | IP addresses, device fingerprints, behavioral metadata | Legitimate interest (Art. 6(1)(f))
Improve and personalise the Service | Aggregated analytics, usage metadata | Legitimate interest (Art. 6(1)(f))
Respond to legal requests | Data as required by applicable law | Legal obligation (Art. 6(1)(c))
Discord import and bot migration | Imported profile and bot data (transient) | Consent (Art. 6(1)(a))
Marketing communications | Email address, preferences | Consent (Art. 6(1)(a))

6. End-to-End Encryption Architecture

6.1 Signal Protocol Implementation

Yapper employs the Signal Protocol — the industry-leading standard for secure messaging — to provide end-to-end encryption for all user-to-user communications. This includes text messages in channels and direct messages, Voice Yaps, Video Clips, and file attachments shared within encrypted channels.

The Signal Protocol provides forward secrecy and future secrecy through its Double Ratchet Algorithm, meaning that compromise of a single session key does not compromise past or future messages.

6.2 What We Cannot Access

Due to E2EE, Yapper's servers never have access to the plaintext content of your messages, the audio content of your Voice Yaps, the video or audio content of your Video Clips, or file attachments shared in encrypted channels. We store only encrypted ciphertext. We cannot read, listen to, view, or share the content of your communications, even in response to legal requests. In such cases, we can only provide the encrypted ciphertext and associated metadata.

6.3 What We Can Access

To operate the Service, we necessarily have access to routing metadata (who sent a message to which channel/user, and when), message sizes and types, encrypted key material stored on our servers for multi-device synchronization, and server and channel membership information.

6.4 Encryption Key Management

Your private encryption keys are generated on your device and are never transmitted to our servers in plaintext. Public keys are distributed through our servers using the Signal Protocol's key distribution mechanism.

Optional Key Backup: If you choose to enable the key backup feature, an encrypted copy of your keystore is stored on our servers. This backup is protected using a PIN-derived encryption key (derived via PBKDF2). We cannot decrypt this backup — only you can, using your PIN. Without your PIN, the backup is indecipherable to Yapper and to any third party. You may delete your backup at any time from your account settings.

You may verify other users' identity keys through a safety number verification process within the app to confirm there is no man-in-the-middle attack.

7. Children's Privacy and COPPA Compliance

7.1 Age Requirements

Yapper is intended for users aged 13 and older. Users under 13 may only use Yapper with verifiable parental consent, in compliance with COPPA. Users between 13 and 16 in the EEA may require parental consent under GDPR Article 8, depending on their member state's implementation.

7.2 Parental Safety Controls

Yapper provides robust parental safety controls designed to protect children while respecting the privacy of all users. These controls operate exclusively on metadata and do not access, store, or process plaintext message content. Parental controls include:

  • Activity Reports: Parents receive periodic reports showing metadata such as time spent on the platform, number of messages sent/received, servers joined, and active hours. These reports never include message content.
  • Contact Restrictions: Before a child can establish an E2EE session with a new contact, the parent must approve the friend request. Before a child can join a server, the parent must approve the join request. These restrictions are enforced server-side.
  • Screen Time Limits: Parents can set daily usage limits, enforced client-side with server-side session tracking.

7.3 COPPA Compliance Measures

  • We collect date of birth at registration to identify users under 13.
  • For users under 13, we obtain parental consent before the account becomes active. A parent or guardian must create the child account on behalf of the minor and provide explicit consent at the time of creation.
  • Parents can review, modify, or request deletion of their child's Personal Data at any time by contacting coppa@yapperhq.com.
  • We do not condition a child's participation on the collection of more Personal Data than is reasonably necessary.
  • We do not serve targeted advertising to users identified as minors.

7.4 Data Minimization for Minors

For users identified as minors, we apply enhanced data minimization principles. We collect only the minimum Personal Data necessary to provide the Service, we do not share minors' data with third parties except as required by law, and we automatically delete inactive minor accounts after 12 months of inactivity.

8. User-Generated Content

8.1 Encrypted Content

Text messages, Voice Yaps, and Video Clips are encrypted end-to-end and stored as ciphertext on our servers only for the purpose of asynchronous delivery (e.g., when a recipient is offline) and multi-device synchronization. Users may delete their own messages at any time; deletion removes the ciphertext from our servers.

8.2 Non-Encrypted Content

Certain user-generated content is not end-to-end encrypted because it must be accessible to groups of users or the public. This includes:

  • Custom server-scoped emojis (accessible to all server members)
  • Server names, descriptions, and icons (visible to members and in server discovery)
  • Live Canvas content such as poll questions and options
  • Music state metadata (track title, artist, playback position)
  • Community clips carousel thumbnails and titles
  • User profile information (display name, avatar, bio, status)

This non-encrypted content is stored on our servers and CDN infrastructure, protected by encryption at rest (AES-256) and encryption in transit (TLS 1.3).

8.3 Content Moderation

Because Yapper cannot access the plaintext content of E2EE messages, content moderation for encrypted communications relies on user reporting. When a user reports a message, the plaintext is shared with our Trust & Safety team solely for the purpose of investigating the report. Non-encrypted content (such as server names, emojis, and profile information) may be proactively moderated to enforce our Community Guidelines.

9. Live Canvas Features

The Live Canvas sidebar provides dynamic, real-time interactive features within Yapper servers, including music state, polls, and community clips carousels.

9.1 Music State

When a user shares their music listening activity in the Live Canvas, Yapper processes the track title, artist name, and playback position. This information is displayed to other server members in real time. We do not store music state data after the session ends, and we do not share this data with music streaming services or other third parties.

9.2 Polls

Poll questions, options, and aggregated results are stored on our servers for the duration specified by the poll creator. Individual vote records are pseudonymized using hashed user identifiers.

9.3 Community Clips Carousel

Video Clips shared to the community clips carousel are stored as encrypted content with decryption keys distributed to server members. Carousel metadata (titles, thumbnails, view counts) is stored on our servers unencrypted. Clips are automatically archived after 30 days unless pinned by a server administrator.

10. Data Import and Migration

10.1 Discord Profile Import

Yapper offers a Discord profile import tool that allows you to migrate your Discord profile to Yapper. When you use this tool, you provide your Discord data export package (obtained from Discord's settings). Yapper processes this data to import your username, display name, avatar, bio, friend list, server memberships, and account preferences.

10.2 Bot Migration

Server administrators may use our bot migration tool to port Discord bots to the Yapper platform. This process involves importing bot configuration files, command definitions, permission structures, and webhook configurations. Bot tokens from Discord are never stored; new Yapper-native tokens are generated.

10.3 Data Handling During Import

All imported data is processed in isolated, ephemeral containers destroyed after import completion. Imported data is encrypted in transit using TLS 1.3. Temporary import data is purged from all systems within 24 hours of a successful import, or immediately upon import failure. Import activity logs are retained for 30 days for troubleshooting purposes and then permanently deleted.

11. Data Sharing and Disclosure

Yapper does not sell your Personal Data. We share your data only in the following limited circumstances:

11.1 Service Providers

We engage trusted third-party service providers who process data on our behalf under strict Data Processing Agreements. These include:

  • Cloud infrastructure providers (Fly.io for hosting, Neon for database, Cloudflare for CDN and storage)
  • Payment processors (Stripe)
  • Email delivery providers (Resend)
  • Push notification services (Firebase Cloud Messaging)
  • Error monitoring services (Sentry)
  • Customer support platforms (HubSpot)

11.2 Legal Requirements

We may disclose Personal Data if required by law, subpoena, court order, or governmental request. Due to our E2EE architecture, we can only provide encrypted ciphertext and metadata in response to legal requests for message content. We cannot provide plaintext message content because we do not have access to it.

11.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your Personal Data may be transferred as part of the transaction. We will notify you via in-app notification and email at least 30 days before any such transfer, giving you the opportunity to delete your account and data before the transfer occurs.

11.4 With Your Consent

We may share your data with third parties when you have given explicit, informed consent, such as when connecting third-party integrations or participating in joint promotions.

12. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes outlined in this Policy, or as required by law.

Data Category | Retention Period | Deletion Method
Account data | Duration of account + 30 days | Cryptographic erasure
Encrypted messages (ciphertext) | Duration of account or until user-deleted | Deleted on request or account deletion
Routing metadata | 12 months | Automated purge
IP addresses (raw) | 30 days, then anonymized | Anonymization
Payment records | 7 years (legal requirement) | Secure deletion after period
Parental consent records | Duration of minor's account + 3 years | Secure deletion
Import/migration data | 24 hours (transient) | Ephemeral container destruction
Analytics (aggregated) | 24 months | Automated purge
Custom emojis | Duration of server + 30 days | CDN purge
Support tickets | 24 months after resolution | Automated purge
Key backup (encrypted) | Until user deletes backup or account | Cryptographic erasure

13. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your Personal Data:

13.1 Rights Under GDPR (EEA/UK)

  • Right of Access (Art. 15): Request a copy of the Personal Data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate Personal Data.
  • Right to Erasure (Art. 17): Request deletion of your Personal Data ("right to be forgotten").
  • Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format. Yapper supports this via the in-app data export feature (Settings → Privacy & Safety → Download My Data).
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Right Not to Be Subject to Automated Decisions (Art. 22): Object to solely automated decision-making, including profiling.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent (Art. 7(3)).

To exercise these rights, contact our Data Protection Officer at dpo@yapperhq.com. We will respond within 30 days (extendable by 60 days for complex requests). If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

13.2 Rights Under CCPA/CPRA (California)

  • Right to Know: Request disclosure of the categories and specific pieces of Personal Information collected, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete: Request deletion of your Personal Information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate Personal Information.
  • Right to Opt Out of Sale/Sharing: Yapper does not sell or share (as defined by CCPA) your Personal Information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

California residents may exercise these rights by emailing privacy@yapperhq.com or using the "Privacy Settings" panel in the Yapper app.

13.3 Additional Jurisdictional Rights

Users in Brazil (LGPD), Canada (PIPEDA), South Africa (POPIA), and other jurisdictions may have similar rights. Yapper will comply with applicable local laws. Please contact privacy@yapperhq.com to exercise your rights.

14. International Data Transfers

Yapper's primary servers are located in Johannesburg, South Africa (hosted on Fly.io). Supporting infrastructure is operated by Cloudflare (global CDN and storage) and Neon (database, hosted in AWS regions). If you access the Service from outside South Africa or the United States, your data may be transferred to and processed in these locations.

For transfers of Personal Data from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission with our sub-processors, and we apply supplementary technical measures — including end-to-end encryption — that provide an essentially equivalent level of protection for message content.

For users in South Africa, Yapper's primary data processing activities are conducted in compliance with the Protection of Personal Information Act (POPIA). Transfers to other jurisdictions are made only under conditions that ensure an adequate level of protection.

15. Security Measures

15.1 Technical Safeguards

  • End-to-end encryption (Signal Protocol: X3DH + Double Ratchet) for all user communications
  • Sender Keys for group channel encryption
  • Encryption at rest (AES-256) for all stored data
  • Encryption in transit (TLS 1.3) for all network communications
  • Argon2id (memory-hard, GPU-resistant) for all password storage
  • JWT RS256 with short-lived access tokens (15-minute expiry) and HttpOnly refresh cookies
  • CSRF double-submit cookie protection on all state-mutating API endpoints
  • Per-IP and per-user rate limiting to prevent brute-force attacks
  • Immutable audit logging for all administrative access to user data
  • All production secrets stored in encrypted secret management (Fly.io secret store — never committed to source code)

15.2 Organizational Safeguards

  • Principle of least privilege for all team member access
  • Security awareness as part of onboarding for all staff
  • Vendor security assessments and Data Processing Agreements for all sub-processors
  • Responsible disclosure policy and security contact (security@yapperhq.com)

16. Data Breach Response and Incident Management

16.1 Incident Detection and Classification

Yapper monitors production systems for anomalous activity via application-level error tracking (Sentry) and infrastructure monitoring. Incidents are classified by severity from P1 (Critical, affecting E2EE integrity or mass data exposure) through P4 (Informational, no user data impact).

16.2 Response Procedures

Upon detection of a confirmed data breach involving Personal Data, Yapper will execute the following response plan:

  • Containment (0–24 hours): Isolate affected systems, revoke compromised credentials, and deploy patches to prevent further unauthorized access.
  • Assessment (24–48 hours): Determine the scope, nature, and severity of the breach, including which categories of data and how many users are affected.
  • Notification — Regulators (within 72 hours): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible and where the breach is likely to result in a risk to rights and freedoms.
  • Notification — Users (without undue delay): Notify affected users via in-app notification, email, and a public status page announcement.
  • Remediation (ongoing): Implement long-term corrective measures, update security controls, and conduct a post-incident review.

16.3 E2EE Breach Considerations

In the event of a server compromise, the E2EE architecture provides an additional layer of protection. Because we do not possess plaintext message content, a breach of our servers does not expose the content of user communications. However, metadata may be exposed. We would notify affected users of any metadata exposure and provide guidance on re-verifying identity keys using safety numbers.

16.4 Breach Notification Commitments

  • Notifying the relevant supervisory authority within 72 hours of breach discovery as required by GDPR Article 33
  • Notifying affected California residents as required by California Civil Code §1798.82
  • Notifying all affected users within 7 days of breach confirmation regardless of jurisdiction
  • Publishing a detailed post-incident report within 30 days

17. Cookies and Tracking Technologies

Yapper uses the following categories of cookies and similar technologies:

Category | Purpose | Duration | Consent Required
Strictly Necessary | Authentication, session management, security | Session / 30 days | No
Functional | User preferences, language settings | 12 months | Yes (EEA/UK)
Analytics | Aggregated usage statistics | 12 months | Yes
Performance | Error tracking, latency monitoring | Session | No (legitimate interest)

Yapper does not use advertising cookies or trackers. We do not engage in cross-site tracking or serve targeted advertisements.

See our full Cookie Policy for more detail.

18. Do Not Track Signals

Yapper honours "Do Not Track" (DNT) browser signals. When we detect a DNT signal, we disable all non-essential analytics tracking for that session. Additionally, Yapper supports the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing under the CCPA.

19. Third-Party Links and Integrations

The Service may contain links to third-party websites or integrate with third-party services (e.g., music streaming platforms via Live Canvas, bots connecting to external APIs). Yapper is not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before sharing data with them.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via:

  • In-app notification at least 30 days before the changes take effect
  • Email notification to the address associated with your account
  • A prominent banner on our website

Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy. The previous version of this policy (v1.0, effective March 3, 2026) is available upon request at privacy@yapperhq.com.

21. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or your Personal Data, please contact us:

General Privacy Inquiries: privacy@yapperhq.com
Data Protection Officer: dpo@yapperhq.com
COPPA / Children's Privacy: coppa@yapperhq.com
Security Concerns: security@yapperhq.com
Mailing Address: Yapper Technologies, Inc., KwaZulu-Natal, South Africa

© 2026 Yapper Technologies, Inc. All rights reserved.

This Privacy Policy was last updated on March 16, 2026.
