Privacy Policy
How we handle your data
Last updated 2026-05-23
[TODO: ...] placeholder below with your legal entity name, contact email, and jurisdiction before launch.yapspace ([TODO: COMPANY_LEGAL_NAME], "we", "us", "our") operates a random video chat service. This policy explains what information we collect, why we collect it, and your rights. By using yapspace you agree to the practices described here and in our Terms of Service.
1. Who this applies to
This policy applies to anyone who visits or uses yapspace. The service is for adults only — see Section 2 of the Terms of Service. We do not knowingly collect data from anyone under 18.
2. What we collect
We deliberately collect as little as we can. Specifically:
- An anonymous account ID. When you first load the site, our authentication provider (Firebase Authentication) issues you a random user ID. It contains no personal information and is not linked to an email or phone number unless you create an admin account.
- Your IP address — but only as a hash. Every connection to our matchmaker server is processed against a list of banned IPs. To do that we compute a one-way
HMAC-SHA256hash of your IP using a secret server pepper. We store the hash, never the raw IP. From that hash we cannot reverse-engineer your IP, but we can compare it against future visits to enforce bans. - Your country.Derived from your IP at connect time using a local MaxMind GeoLite2 database. Used for the country-based matching feature; visible to peers only when you choose the "Countries" interest. We store the two-letter country code with your anonymous user record.
- Choices you make in the lobby.Your nickname, selected camera/microphone IDs, and chosen interest live only in your browser's
localStorage. We never receive them. - Reports you submit. If you report another user, we receive a single video frame captured from their camera at the moment of reporting, the last few text-chat messages exchanged in that session, the category and any free-text reason you provide, and your anonymous user ID. Snapshots are deleted automatically after 30 days; if a moderator confirms or dismisses the report sooner, the snapshot is deleted at that point.
- Acceptance of this policy.When you click "Continue" on the consent dialog we record the policy version, the timestamp, your hashed IP, and your country as proof of acceptance.
- Operational logs. Our hosting providers may record short-lived access logs (HTTP method, path, status, user agent) for security and debugging. These typically expire within 30 days.
What we do NOT collect
- Your video or audio. Calls are peer-to-peer. They never traverse our servers. We have no technical ability to listen in or record them.
- Your text chat (during a call). Messages are sent through a peer-to-peer data channel. The only chat we ever see is the small tail you choose to attach to a report.
- Cookies for tracking or analytics. We do not use third-party analytics, advertising cookies, or fingerprinting. The only cookie we set is the admin-session cookie for the moderation panel — ordinary visitors never receive it.
3. How we use it
- Matchmaking. Your anonymous ID, hashed IP, and country are used to pair you with another user.
- Abuse prevention. Hashed IPs are checked against an internal ban list. If you have been banned (by IP or by anonymous user ID), you cannot connect.
- Moderation. Reports are processed by Google Cloud Vision SafeSearch and Google Cloud Natural Language moderation. Human moderators review uncertain cases. Confirmed reports may result in a strike, a ban, or referral to law enforcement where required by law.
- Service operation and security. Diagnosing failures, blocking abuse, and complying with legal obligations.
4. Who we share it with
We do not sell or rent your data to anyone. We share specific data with the following processors purely so we can operate the service:
- Google Firebase / Google Cloud — anonymous user records, hashed IPs, reports, and snapshots are stored on Google Cloud Firestore and Cloud Storage. Cloud Vision and Cloud Natural Language analyse reports.
- Twilio— used to mint short-lived TURN relay credentials so calls can punch through firewalls. Twilio sees connection metadata (your IP, the peer's IP, bandwidth used) when relaying is required. Twilio does not see the call content beyond what's needed for relay.
- MaxMind — we run their GeoLite2 IP-to-country database locally on our matchmaker. No data is sent to MaxMind from your session.
- Our hosting provider — runs the application servers and may receive operational logs as described in Section 2.
- Law enforcement— we will respond to valid legal process. We will also voluntarily report content involving minors to the National Center for Missing & Exploited Children (NCMEC) and equivalent authorities.
5. How long we keep it
- Anonymous user records (your ID + hashed IP + strikes + ban status) — kept indefinitely so bans remain enforceable. You can request deletion by contacting us; see Section 8.
- Report snapshots — auto-deleted within 30 days, or sooner once a moderator decides the case.
- Report metadata (category, reason, decision) — kept up to 12 months for accountability and pattern detection, then deleted.
- IP ban records — kept until the ban is lifted or the optional expiry timestamp passes (Firestore TTL deletes expired bans automatically).
- Consent records — kept for the lifetime of your anonymous user record so we can prove you agreed to a specific policy version.
6. Where it's stored
Data is stored in [TODO: PRIMARY_DATA_REGION, e.g. "Google Cloud's us-central1 region in the United States"]. If you access yapspace from outside that region your data is transferred there. We rely on standard contractual clauses and other applicable safeguards for international transfers.
7. Security
We use TLS for every network connection, hash IPs server-side before storage, restrict admin access with multi-factor email + password authentication, and lock down direct database writes with Firestore security rules so only our backend can mutate sensitive collections. No system is bulletproof — if you believe you've found a vulnerability, please contact [TODO: SECURITY_EMAIL].
8. Your rights
Depending on where you live (GDPR, UK GDPR, CCPA/CPRA, LGPD, and similar), you may have the right to:
- Confirm whether we hold any data about you and obtain a copy.
- Request correction or deletion of your data.
- Object to certain uses of your data, or restrict them.
- Lodge a complaint with your local data-protection authority.
- For California residents:we do not sell or share personal information for cross-context behavioural advertising. The CCPA "Do Not Sell or Share" right therefore does not apply, but you may still exercise the access and deletion rights above.
To exercise any right, email [TODO: PRIVACY_EMAIL] from a context that lets us match the request to your anonymous record (for example, by including the approximate first-use date and a description of your activity). Because accounts are anonymous we may need additional verification before we can act.
9. Children
yapspace is for people 18 and older. We do not knowingly collect personal information from children. If we learn that we have, we will delete it. Parents and guardians who believe a child has used the service may contact [TODO: PRIVACY_EMAIL].
10. Changes to this policy
When we change this policy materially we bump its version (current: 2026-05-23) and re-prompt every active user the next time they visit. Continued use after re-acceptance constitutes agreement to the new version.
11. Contact
[TODO: COMPANY_LEGAL_NAME]
[TODO: COMPANY_MAILING_ADDRESS]
Email: [TODO: PRIVACY_EMAIL]
See also: Terms of Service (incl. DMCA Policy).