Privacy Policy

Last updated: April 4, 2026 · Effective: April 4, 2026 · Version: 1.0

93%

Privacy Score — Independently calculated

YapID achieves a 93% privacy score across 7 criteria including data minimization, IP handling, identity linkability, session encryption, third-party exposure, tracking prevention, and replay protection. This is the highest score of any authentication service we are aware of.

Overview

The short version: We store almost nothing about you. No email, no IP address, no name, no tracking. Only a cryptographic hash that proves you own your 12 words — without revealing who you are.

This Privacy Policy explains what data YapID ("we", "us", "our") collects, why we collect it, and how it is used. We operate id.yaphub.xyz and related services.

YapID is designed from the ground up to collect the absolute minimum data necessary to function. Privacy is not a feature we added — it is the foundation of everything we built.

What We Collect

Data	Collected	Purpose
SHA-256 hash of your public key	Yes	Identify your account without storing your actual key
Session identifiers	Yes	Maintain login sessions
Session timestamps	Yes	Session expiry and security
Refresh token identifiers	Yes	Token rotation security
One-time nullifiers	Yes	Prevent replay attacks
Premium status	Yes	Link YAP Premium subscription
Email address	Never	—
IP address	Never	—
Name or username	Never	—
Device fingerprint	Never	—
Location data	Never	—
Browser/OS information	Never	—
Your 12-word passphrase	Never	—
Your private key	Never	—
Cookies	Never	—

How Your Identity Works

Your 12-word passphrase never leaves your browser. Here is exactly what happens:

Your browser derives an Ed25519 keypair from your 12 words using PBKDF2 (210,000 iterations)
Your browser signs a one-time challenge message using your private key
Only the signature and your public key are sent to our server
Our server verifies the signature and stores only SHA-256(publicKey + salt)
This hash cannot be reversed to reveal your public key or passphrase

Result: Even if our entire database were stolen, an attacker would have no way to link any account to a real person, and no way to recover any 12-word passphrase.

Session Storage (Client-Side)

Your session token is stored encrypted in your browser's IndexedDB using AES-256-GCM with a non-extractable cryptographic key. This means the token cannot be read even if an attacker executes JavaScript on a page that embeds YapID — because the decryption key never leaves the WebCrypto API's secure context.

What Third-Party Sites Receive

When you sign in to a website using YapID, that website receives only:

accountId — a random UUID (e.g., 5ea84ef5-0210-4eb9-9350-7cd3dd60a748). This is not linked to any personal information.
isPremium — a boolean indicating whether you have an active YAP Premium subscription

Third-party sites do not receive: your name, email, avatar, IP address, passphrase, public key, or any other identifying information.

Different websites that use YapID each see the same accountId for a given user. This is necessary for persistent identity. However, because the accountId is a random UUID with no link to any real-world identity, this does not constitute a privacy risk unless a user voluntarily identifies themselves to those websites.

Data Retention

We retain data only as long as necessary:

Account hash: Retained indefinitely (as long as the account exists)
Active sessions: Until expiry (maximum 1 year) or manual logout
Refresh tokens: Until expiry or revocation. Revoked tokens are deleted in hourly cleanup jobs
Nullifiers: Deleted after 7 days
Login notifications: Deleted after 30 days

Database backups are taken every 6 hours and retained for 7 days, then permanently deleted.

Your Rights

GDPR

Because we store no personal data as defined by GDPR, most GDPR rights (right to access, right to erasure, etc.) do not technically apply — there is no personal data to access or erase.

However, if you wish to remove all trace of your account from our systems, you can use the "Logout from all devices" feature at id.yaphub.xyz/profile. This will invalidate all your sessions. Your account hash will remain in the database but is not linked to any personal information.

For complete account deletion requests, contact us at Support Chat. We will delete the account hash, effectively making the account unrecoverable.

Right to Information

Our full source code is available at github.com/YapID. You can verify every claim in this Privacy Policy by reading the code.

Security

We take security seriously and implement industry-standard protections:

All connections are encrypted via TLS 1.2+ with HSTS
Strict Content Security Policy to prevent XSS attacks
Rate limiting on all authentication endpoints
Replay attack prevention via cryptographic nullifiers
Rotating refresh tokens — stolen tokens are invalidated on use
No access logs containing user activity

If you discover a security vulnerability, please report it to Support Chat.

Third-Party Services

YapID uses the following third-party services:

Google Fonts — for typography (fonts.googleapis.com, fonts.gstatic.com). Font requests include your IP address as part of the HTTP request.
esm.sh — for loading cryptographic libraries in the browser. Requests to esm.sh include your IP address.

We are actively working to self-host these dependencies to eliminate all third-party connections.

Children's Privacy

YapID does not knowingly collect any information from children under 13 years of age. Because we collect no personal data, we cannot determine user ages. If you are under 13, please do not use this service.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes by updating the "Last updated" date and posting a notice on our website. Continued use of the service after changes take effect constitutes acceptance of the updated policy.

Contact

For privacy-related questions or requests:

Email: Support Chat
GitHub: github.com/YapID