privacy security

Privacy is not a feature of YAP — it is the foundation. This page summarises the key protections in place.

What we collect

Data                 Collected                                How long
Messages             Yes, encrypted                           24 hours
IP address           Hashed only, never raw                   24 hours
Anonymous UUID       Browser-generated, sent with messages    24 hours
Display name         Browser-generated, sent with messages    24 hours
Email address        Never
Account data         Never
Device fingerprint   Never

Encryption

All messages are encrypted with AES-256-GCM before they are written to the database. The server stores only ciphertext. Even with full database access, messages cannot be read without the encryption key.

IP address handling

Your IP address is processed as follows:

  1. Request arrives at the server

  2. IP is immediately hashed: SHA-256(ip + secret_salt)

  3. The original IP is discarded — never written to any log or database

  4. The hash is stored temporarily for rate-limiting only

  5. The hash is deleted after 24 hours

There is no way to reverse a SHA-256 hash back to the original IP. Even we cannot identify you from the stored hash.
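The five steps above, sketched as an added example (not YAP's own code): a rate limiter that keeps only SHA-256(ip + secret_salt) digests and purges them after 24 hours. The class name, the per-window limit and the in-memory dict standing in for the database are assumptions.

```python
import hashlib
import time
from typing import Optional

DAY = 24 * 60 * 60   # retention window stated on the page
LIMIT = 3            # assumed requests allowed per window (not from the page)


def hash_ip(ip: str, secret_salt: bytes) -> str:
    """Step 2: SHA-256(ip + secret_salt). Only this digest is ever kept."""
    return hashlib.sha256(ip.encode("ascii") + secret_salt).hexdigest()


class HashedRateLimiter:
    """Hypothetical limiter storing salted IP hashes and timestamps, never raw IPs."""

    def __init__(self, secret_salt: bytes, limit: int = LIMIT, window: int = DAY):
        self._salt = secret_salt
        self.limit = limit
        self.window = window
        self.store = {}   # ip_hash -> list of request times (stand-in for the DB)

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        key = hash_ip(ip, self._salt)   # step 3: the raw ip is not used past this line
        self.purge(now)
        hits = self.store.setdefault(key, [])   # step 4: hash kept for rate-limiting
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def purge(self, now: float) -> int:
        """Step 5: delete records older than the window; return how many went."""
        removed = 0
        for key in list(self.store):
            fresh = [t for t in self.store[key] if now - t < self.window]
            removed += len(self.store[key]) - len(fresh)
            if fresh:
                self.store[key] = fresh
            else:
                del self.store[key]   # no empty hash entries linger
        return removed
```

The stored digest is only as private as secret_salt: the IPv4 address space is small enough that anyone holding the salt could recompute the hash for every address, so the salt has to stay out of the database and the logs.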

No fingerprinting

YAP does not perform any form of browser fingerprinting:

  • No canvas fingerprinting

  • No WebGL fingerprinting

  • No font enumeration

  • No user agent analysis beyond basic request handling

  • Camera, microphone, and geolocation permissions are explicitly blocked via Permissions-Policy headers

No WebRTC

YAP uses WebSocket only for real-time communication. There are no peer-to-peer connections, no STUN/TURN servers, and no WebRTC. Your real IP address cannot leak through the chat — not even to other participants.

No cookies, no trackers

  • No advertising cookies

  • No analytics scripts (no Google Analytics, no Mixpanel, no similar)

  • No third-party tracking pixels

  • No data sold or shared with any third party

  • GDPR compliant — there is no personal data to request or delete

Security headers

Every response from YAP includes the following HTTP headers:

Header                    Value
Referrer-Policy           no-referrer
X-Content-Type-Options    nosniff
Permissions-Policy        camera=(), microphone=(), geolocation=(), interest-cohort=()
Content-Security-Policy   Strict whitelist per page type

24-hour auto-delete

A scheduled cleanup job runs every hour and permanently deletes:

  • All messages older than 24 hours

  • All IP hashes older than 24 hours

  • All votes and reactions older than 24 hours

  • All session notifications older than 24 hours

This is enforced at the database level — not just hidden from the UI.
