Privacy Policy
Last updated: May 15, 2026
Your WhatsApp chat is read on your own device. The free wrap is fully anonymous and nothing is stored. If you sign in, your wrap is scrambled on your device (end-to-end encrypted)before it’s saved, so all we ever store is a locked version we cannot read, not your wraps, message samples, chat titles, or participant names. The key that unlocks it comes from your passphrase or your face/fingerprint unlock and never leaves your device. We never sell your data. We never use it for advertising. You can delete everything at any time by writing to privacy@yapd.in.
1. Who we are
Yapd (“we,” “our,” or “us”) is a web app that turns a WhatsApp chat export into a swipeable, Spotify Wrapped-style recap. We are operated from India and serve users globally. This Privacy Policy explains what data we collect, how we handle it, who we share it with, and the controls you have over it.
If you have read our Terms of Service you have already met the legal frame. This page is the data side.
2. The on-device guarantee
Yapd is designed so that raw chat messages are never readable by us. When you drop a .zip or .txt onto the uploader, the parsing, statistical analysis, archetype detection, and landmark detection all happen in your browser using JavaScript that runs on your device. For anonymous users nothing is ever sent or stored. Crucially, your raw WhatsApp chat history is never uploaded or saved in plaintext on our database under any circumstance.
For signed-in users who save a wrap to their library, the wrap is end-to-end encrypted in your browser before anything is sent to us. We store:
- A scrambled (encrypted) bundle containing the recap, a sample of messages (up to 3,000 so Encore can run later), the chat title, and participant names. It is locked so tightly that we cannot open it: technically, AES-256-GCM ciphertext for which we do not hold the key and cannot decrypt.
- Non-identifying counts in plaintext (total message count, participant count, relationship type, theme, and a one-way chat fingerprint hash) so your library can list cards before you unlock. These contain no message text and no names.
- Your name, email, and profile image from Google OAuth.
- Wrapped (encrypted) copies of your master key: one per passphrase and one per registered device passkey. Each is itself encrypted by a key we never see.
The master key that decrypts your wraps is derived on your device from your recovery passphrase or your device biometrics (Touch ID / Face ID / Windows Hello via WebAuthn). It is held only in memory for the duration of your browser session and is never transmitted to us. A consequence of real end-to-end encryption: if you lose your passphrase and all enrolled devices, your wraps cannot be recovered, not even by us.
You can delete saved wraps from your library at any time. Deletion is permanent and immediate.
3. What we collect
Anonymous (no account) users
- Chat content: Processed entirely in your browser. Not transmitted, not stored.
- Anonymized recap: The aggregated statistics produced from the chat. These do not contain raw messages, names of recipients, or message text.
- Device identifiers: To enforce the free credit allowance fairly, we store a salted hash of your IP, a salted hash of your browser fingerprint, and a long random cookie token. Raw IPs and fingerprints are never written to disk. The hashes are one-way and cannot be reversed to identify you personally.
- Server logs: Vercel logs include request paths, status codes, response times, and approximate region. These are operational logs used for debugging and abuse prevention.
Signed-in users
- Account profile: Name, email, and profile image returned by Google OAuth.
- Saved wraps: Stored as end-to-end encrypted ciphertext under your user ID, decryptable only on your devices. We cannot read them. (Public Link sharing is temporarily disabled while we rebuild it to be compatible with end-to-end encryption.)
- Encore reports: The long-form AI analysis you have purchased. Stored under your user ID and visible only to you.
- Purchase records: Each paid action (credit packs, Encore unlock) creates a record containing the product code, price paid, currency, and a provider session ID. Card details, UPI IDs, and banking details are handled by the payment provider and never reach our servers.
- Credit balance: Your current credit count and lifetime purchased total.
What we explicitly do not collect
- Phone numbers.
- Raw message contents from anonymous wraps.
- Contact lists, photos, or media files from your phone.
- Location data (beyond approximate region from request IP).
- Analytics events from third-party trackers. We do not use Google Analytics, Meta Pixel, or any cross-site tracking.
4. How we use your data
- To generate, display, and persist your wrap and Encore report.
- To enforce free-tier usage limits and detect obvious abuse patterns.
- To authenticate you and link your purchases to your account.
- To process payments through your chosen payment provider.
- Encore reports are generated and encrypted in your browser. To produce them, your decrypted content streams through a non-logging pass-through proxy directly to the AI provider, and it is never stored, logged, or read by us. The proxy source is auditable at
src/app/api/encore-proxy/route.ts. - To respond when you write in for support.
- We do not sell or rent data, use it for advertising, profile you across other sites, or hand it to data brokers.
5. Public sharing
Saved wraps are private by default and end-to-end encrypted, so we cannot read them. Sharing is strictly opt-in and per-wrap. When you switch on a Public Link for a specific wrap, your browser publishes a separate, unencrypted copy of that wrap’s deck so anyone with the unguessable link can view it without signing in. The UI states this plainly before you enable it. Your private encrypted copy is untouched and remains unreadable by us. Crucially, even when public sharing is enabled, your raw WhatsApp chat history is never uploaded or saved in plaintext on the database—the public copy contains only your high-level visual recap summary and AI reports, preserving your total privacy.
You control the link’s lifetime: never-expire, 7 days, or 30 days. When it expires or you turn it off, the published plaintext copy is deleted and the link stops resolving (visitors then see a generic prompt to make their own wrap). Only enable a public link for a wrap you are comfortable a stranger seeing.
6. Sub-processors
We rely on the following providers to run the service. Each has their own privacy policy and security posture; we only share with them what is strictly necessary to deliver the feature.
- Vercel: web hosting and serverless functions.
- Neon: managed PostgreSQL database (your account profile, saved wraps, purchases).
- Anthropic: AI provider for Encore. Content is streamed from your browser through our non-logging proxy directly to Anthropic, and the result is encrypted on your device before being saved. Our proxy stores nothing: no logs, no database writes. Anthropic maintains SOC 2 Type II, ISO 27001 and ISO 42001 certifications; does not use data submitted via its API to train its models; and offers a HIPAA Business Associate Agreement (with zero-data-retention options) for first-party API use. These terms are Anthropic’s and may change. See the Anthropic Trust Center, Anthropic Privacy Policy, and BAA / HIPAA details for the authoritative, current position.
- Razorpay: payment processing for all users: UPI, Indian and international cards, NetBanking, wallets, and PayPal (served via Razorpay’s hosted checkout).
- Google OAuth: sign-in identity provider.
7. Data retention
- Saved wraps and Encore reports: retained for as long as your account exists, or until you delete them.
- Anonymous wraps: not stored on our servers in the first place.
- Account data: deleted within 14 days of an account deletion request.
- Device quota records: retained for up to 12 months to enforce usage limits.
- Server logs: retained by Vercel for up to 30 days for operational and security purposes.
- Payment records: retained for 7 years to meet tax and accounting requirements.
8. Your rights
Regardless of where you live, you can ask us to:
- Access the data we hold about you.
- Correct anything that is wrong.
- Delete your account and everything tied to it.
- Export your data in a portable format.
- Object to specific uses of your data.
Write to privacy@yapd.in from the email address on your account. We respond within 30 days. Residents of jurisdictions with stronger statutory rights (GDPR, CCPA, India’s DPDP Act, etc.) have those rights in addition to anything stated here.
9. Security
We follow industry-standard practices: encrypted-in-transit connections (HTTPS), encrypted-at-rest databases, salted hashing for device identifiers, scoped OAuth tokens, narrow IAM permissions, and routine dependency patching.
End-to-end encryption of saved wraps
Saved wraps are encrypted in your browser before upload. The specifics:
- Cipher. AES-256-GCM authenticated encryption, with a 96-bit cryptographically random initialisation vector that is unique per ciphertext, and a GCM authentication tag so tampering is detectable.
- Master key. A 256-bit key generated on your device. It encrypts your wraps and is never transmitted to us in any usable form.
- Key wrapping (envelopes). We store only wrapped copies of the master key. A passphrase envelope uses PBKDF2-HMAC-SHA-256 at 600,000 iterations with a 16-byte random salt. A device envelope uses the WebAuthn PRF extension bound to a passkey (Face ID, Touch ID, Windows Hello). Any factor can unwrap the master, which is how cross-device recovery works.
- Key handling. The unwrapped master key exists only in memory for the session. It is never written to localStorage, sessionStorage, IndexedDB, or a cookie. Closing the tab evicts it.
The server stores ciphertext, the random IV, a crypto-version integer, non-identifying counts, your account profile, and a one-way chat fingerprint (a truncated SHA-256 of sorted participant names plus the first-message year-month). It never has access to message text, the chat title, participant names, the Encore report contents, or the key.
This provides strong protection against a database breach, a stolen backup, access by staff or a third party we are compelled to share with, and compromise of our storage infrastructure. As with any service, it does not extend to your own device’s security, a public link you choose to create, or recovery of your wraps if your passphrase and all enrolled devices are lost (in that case we are unable to restore access, as only you hold the key). A full, plain-language walkthrough is in our security blog post.
No system is perfect. If you believe you have found a security issue, please email security@yapd.in.
10. International transfers
Our infrastructure is hosted globally on Vercel and Neon. Data may be processed in regions outside your country of residence. We choose providers that maintain industry-standard data protection commitments.
11. Children
Yapd is not directed at children under 13. We do not knowingly collect personal information from anyone under that age. If you believe a child has uploaded data to Yapd, contact us and we will delete it promptly.
12. Changes to this policy
We update this page when we change how we handle data. Material changes will be highlighted at the top of the page with the new date. Continued use of Yapd after a change counts as acceptance.
13. Contact
For privacy questions, email privacy@yapd.in. For everything else, email support@yapd.in.
