Privacy Policy

Effective date: April 18, 2026 · Last updated: April 18, 2026

This Privacy Policy describes how Yapper Phone handles your personal data. It is written to be read, not to be hidden behind.

1. Who controls your data

The data controller for Yapper Phone is:

SUPER SINCE BIRTH Tmi
Business ID (Y-tunnus): 2461315-1
Aleksis Kiven katu 45 B 21
00520 Helsinki, Finland
janne@yapperphone.app

For any question about your data, including the rights described in Section 9, write to that email. You will receive a response within 30 days.

2. Our approach to your data

Yapper Phone was built to keep your personal life on your phone. Most of what the app generates — your calls, your notes, your contacts, your relationships, your behavioral dashboard, your health data — is stored locally on your device and never transmitted to us or to any third party.

A small amount of data leaves your device, and only when strictly necessary:

  • Your Google account identifier, so your paid subscription follows you across devices and reinstalls
  • Your Stripe payment information, if and when you purchase Yapper Originals or gift a subscription
  • Call-duration negotiation data when both participants of a call use Yapper, so your two devices can agree on a call length
  • Crash reports, so we can fix bugs
  • Pseudonymous technical identifiers inherent to running Firebase SDKs

That is the complete list. We do not collect analytics about how you use the app. We do not sell data. We do not serve advertising. We do not share data with brokers, marketers, or third parties not listed in this policy.

3. Data that stays on your device

The following data is stored only on your device and is never transmitted to us or to any third party:

  • Contacts and contact details, tags, relationship notes
  • Medications, medical conditions, blood type, allergies, and emergency contacts that you record for loved ones
  • Your own medical information — conditions, medications, blood type, allergies — if you choose to enable the ICE lock-screen emergency info feature
  • Call history, call durations, call types, call agendas, and call participants
  • Call notes that you type
  • Your phone number, stored as a SHA-256 hash — the raw number is hashed on your device and the hash never leaves it
  • Behavioral dashboard data, including call patterns, focus usage, and time-signal usage
  • Settings, preferences, language, timer profiles, focus sound preferences, time signal intervals, battery alert thresholds
  • Any file, folder, or note you create within the app

All data in this section is stored exclusively in Yapper Phone's private storage on your device. Firebase Firestore has no access to this data, and neither do we. If something happens to your device, we cannot restore this data. You can delete any of it at any time by uninstalling the app or by using Android's storage access controls.

4. Data that is transmitted

4.1 Google account identifier

When you start a free trial, subscribe, redeem Yapper Originals, or redeem a promo code, you are asked to sign in with Google. A stable identifier for your Google account, along with the associated email, is transmitted from your device to our backend (Firebase Firestore, operated on Google Cloud) and stored there for a single purpose: tracking whether your account has a paid entitlement. This allows your subscription to follow you when you reinstall the app, change devices, or replace your phone.

We do not access your Google Drive, Contacts, Calendar, Photos, or any other Google service. The only scopes requested are profile and email.

Legal basis: performance of a contract (GDPR Art. 6(1)(b)) — processing is necessary to provide the paid service you have purchased.

4.2 Firebase Anonymous Authentication and call-duration negotiation

The app uses Firebase Anonymous Authentication to manage your session. This generates a randomized session identifier that is not tied to your identity and changes when you reinstall the app.

When you call another Yapper user, the call-duration negotiation between your two devices works through Firebase Firestore, governed by security rules that:

  • Match your device and the other party's device using SHA-256 hashed phone numbers
  • Permit only the two parties to a given call to read or write that call's negotiation data
  • Do not expose your identity, your Google account, your contacts, your call content, or any other personal data to Google or to any third party

What passes through Firestore during negotiation is limited to the minimal information the two devices need to agree: the proposed duration, the accepted duration, and the call type. The raw phone numbers are never transmitted — only their hashes.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)) for session security; performance of a contract (GDPR Art. 6(1)(b)) for the call-duration negotiation feature.

4.3 Firebase Firestore writes

Firestore stores only the following records:

  • Entitlement records keyed to your Google account — whether you have an active subscription, Yapper Originals lifetime access, Finnish Type 1 diabetic grant, or promo code entitlement, and the period of validity
  • Gift records, when the gift feature launches — who sent a gift to whom and whether it has been redeemed
  • Subscription state mirrored from Google Play Billing
  • Transient call-duration negotiation data between two Yapper users, keyed to hashed phone numbers (see Section 4.2)

Firestore stores only the records listed above. It has no access to any data on your device — not your contacts, not your call history, not your notes, not your health information, not your behavioral dashboard. The data flow is strictly one direction: your device writes specific minimal records to Firestore for the purposes above. Firestore does not read from your device and cannot reach into it.

Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

4.4 Stripe

If you purchase Yapper Originals (€67 lifetime) or buy Yapper as a gift, your payment information (name, email, card details) is processed by Stripe Payments Europe, Ltd. and Stripe, Inc. We never see your full card number. We receive your email so that we can match your payment to your Google account when you redeem your purchase in the app.

Stripe's privacy policy: https://stripe.com/privacy

Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

4.5 Firebase Crashlytics

When the app crashes, a crash report is sent to Google (Firebase Crashlytics) so we can fix the bug. The report contains:

  • The crash stack trace and error type
  • Device model and operating system version
  • A pseudonymous Firebase installation identifier
  • The app state at the time of the crash — not the content of your calls, notes, contacts, or health data

You can reset the installation identifier by clearing the app's data in Android settings.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — identifying and fixing defects in the software.

4.6 Firebase SDK technical identifiers

Using Firebase SDKs (Anonymous Authentication, Firestore, Crashlytics) inherently involves pseudonymous technical identifiers that Firebase generates to operate those SDKs — including a Firebase Installations identifier. These identifiers are not tied to your name, your phone number, your contacts, your Google account, or the content of your calls. They allow Firebase to distinguish one app instance from another for technical purposes such as crash attribution and session management.

You can reset these identifiers by clearing the app's data in Android settings.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — technical operation of the application.

4.7 Google Play Billing

If you subscribe through the Google Play Store, your payment and subscription management is handled entirely by Google Play Billing. We receive confirmation of your subscription status from Google; we do not process your payment information.

Google Play's privacy policy: https://policies.google.com/privacy

Legal basis: performance of a contract (GDPR Art. 6(1)(b)).

5. What we do not do

  • We do not record your phone calls. The app does not request the RECORD_AUDIO permission. Under the current Android telephony architecture, call recording is not technically possible in Yapper Phone. A visual "record" button on the in-call screen is non-functional and displays a "Future feature" indicator when tapped.
  • We do not collect or transmit voice recordings of any kind.
  • We do not use analytics SDKs to track your behavior within the app. Firebase Analytics is not enabled. Firebase Remote Config is not used.
  • We do not serve advertising.
  • We do not use your data to train machine learning models.
  • We do not share your data with data brokers or marketing partners.
  • We do not transmit your contacts, messages, health data, or any content of your communications.
  • We do not verify your phone number by SMS. Your phone number is never sent off your device in any form other than its SHA-256 hash, and only for the purpose of matching two Yapper users on a call.
  • We do not have any access to the data stored on your device, including any medical or health information you enter.

6. Your control over your health data

If you use Yapper's ICE emergency features, you may choose to enter medical information about yourself — conditions, medications, blood type, allergies, emergency contacts. You may also choose to display some or all of this information on your device's lock screen so that anyone who picks up your phone in an emergency can see it and call your emergency contact.

This is always your choice. Nothing is displayed on the lock screen by default. You activate it. You control what is shown. You turn it off at any time. There is no setting that exposes your medical information without your explicit action.

The same applies to medical information you record for loved ones: it is stored on your device only, visible only to you inside the app, and never transmitted or shared.

7. International transfers

Google (Firebase, Google Sign-In, Google Play Billing, Crashlytics) and Stripe are US-based companies with EU operations. When data is transferred to the United States, it is protected by the EU-U.S. Data Privacy Framework, standard contractual clauses, and the respective providers' supplementary safeguards.

8. Data retention

  • Entitlement records: retained while you have an active or recently expired subscription, Originals lifetime access, or T1D grant. If you have no valid entitlement for more than 24 months and no payment history, we may delete the record.
  • Gift records (when launched): retained for 24 months after redemption or expiry.
  • Call-duration negotiation data: transient — typically deleted within minutes of the call ending.
  • Stripe payment records: retained by Stripe according to their policies, and by us only as required by Finnish tax and accounting law (currently 6 years).
  • Crashlytics data: retained by Google for 90 days by default.
  • Firebase installation identifiers: retained while the app is installed on your device; removed when you uninstall or clear app data.

Data stored on your device is retained until you delete it or uninstall the app.

9. Your rights under GDPR

You have the following rights concerning your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate data.
  • Right to erasure — ask us to delete your data. For entitlement records, erasure may end your paid subscription.
  • Right to restriction — ask us to pause processing of your data.
  • Right to data portability — request your data in a machine-readable format.
  • Right to object — object to processing based on legitimate interest.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time.
  • Right to lodge a complaint — if you believe we have mishandled your data, you have the right to complain to the Finnish supervisory authority, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, www.tietosuoja.fi), or the supervisory authority in your country of residence.

To exercise any of these rights, write to janne@yapperphone.app. You will receive a response within 30 days. You do not need to justify your request.

Since we do not have access to the data stored on your device, requests under these rights apply only to the data listed in Section 4 (entitlement records, Stripe payment records, Crashlytics data, Firebase technical identifiers).

10. Children

Yapper Phone is intended for users aged 13 and older. We do not knowingly process the personal data of children under 13. If you become aware that a child under 13 has provided personal data through Yapper Phone, please contact us so we can delete it.

11. Security

We use standard Android technical measures to protect your data:

  • Encryption in transit (TLS) for all network transfers
  • Android file-based encryption at rest for all app-private data, protected by your device credential
  • Android Keystore-backed encryption for entitlement records, providing an additional layer of tamper resistance
  • HMAC-signed entitlement records
  • Firestore Security Rules that restrict access to authorized parties only
  • Restricted access to backend systems, currently limited to the developer

No security system is perfect. If we learn of a data breach that affects you, we will notify you and the Finnish supervisory authority within the timeframes required by GDPR (72 hours).

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will announce them in the app and update the "Last updated" date above. We will never reduce your rights without your explicit consent.

13. Institute for The Study Of Humanity and Maximized Impact ry

A substantial portion of profits from Yapper Phone is directed to the Institute for The Study Of Humanity and Maximized Impact ry, a registered Finnish research association (Y-tunnus 3564524-7). The Institute is a downstream beneficiary of profits only. It does not receive, process, or access any user personal data. It is not a data controller or data processor under this policy.

14. Contact

SUPER SINCE BIRTH Tmi
Aleksis Kiven katu 45 B 21
00520 Helsinki, Finland
janne@yapperphone.app