1. Who we are
YapRoom is operated by Christian Nielsen (trading as “YapRoom”), an individual developer based in Denmark (“YapRoom,” “we,” “us”). Contact: privacy@yap-room.com.
For data protection purposes in the EU/EEA, the data controller is Christian Nielsen, reachable at the email above. As an individual sole trader operating below the thresholds in GDPR Articles 37 and 27, we are not required to appoint a Data Protection Officer or an EU representative; the controller handles data requests directly. You can lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk, or with the supervisory authority in your country of residence.
2. What we collect
We split the data we hold into two buckets: the dataset bundle (the audio, transcripts, and demographic metadata that may be included in datasets we license out under the Terms of Service) and operational data(the data we use to run your account, which is never shared with licensees, advertisers, or marketing partners — see Section 4).
Dataset bundle
- Audio recordings.Both speakers’ microphones are recorded locally for the full duration of each session.
- Transcripts.Each recording is transcribed using a third-party speech-to-text service (Deepgram — see Section 4).
- Demographic profile from onboarding. Age, gender, country, childhood country, education level, native language. Downstream researchers rely on this metadata to describe the dataset, so we ask you to provide it accurately.
Operational data
- Account details. Email address, password (stored hashed), display name, and login provider identifier (e.g., Apple ID if you sign in with Apple).
- Session metadata. Conversation duration, partner pairing, consent timestamps, upload status, rejection status.
- Device and delivery data. Push notification token (if enabled), device type, IP address at sign-up, browser type.
- Payment data. Detailed in Section 5 below.
- Support and safety records. Emails you send us, abuse reports you file, and our notes from investigating them.
3. Why we collect it and our lawful bases
Under GDPR Article 6, we identify a specific lawful basis for every purpose we process data for:
- Recording sessions, transcribing audio, building datasets, and licensing those datasets to train AI voice models — your consent(Art. 6(1)(a)). You give this consent during onboarding and at the start of each session, and you can withdraw it at any time from Settings → Withdraw consent.
- Running your account— sign-in, session-joining, support, partner connection — contract (Art. 6(1)(b)). We need to process this data to provide the service you signed up for.
- Payouts and payment records — contract (Art. 6(1)(b)) for the payment itself, and legal obligation (Art. 6(1)(c)) for the multi-year accounting retention required by Danish law.
- Reviewing recordings for quality, screening for abuse, fraud prevention, securing the service, and defending legal claims — legitimate interest (Art. 6(1)(f)). The interest is operating a safe service whose datasets are usable for AI research; we have weighed this against your privacy and consider the impact proportionate.
- Responding to lawful requests from authorities — legal obligation (Art. 6(1)(c)).
Where we rely on consent, you have the right to withdraw it at any time (Art. 7(3)). Withdrawal does not affect the lawfulness of processing that took place before you withdrew, and it does not require licensees to delete data we already delivered to them in good faith — see Section 6.
4. How we use and share data — and what we never share
We do not sell personal data as defined by EU or California law and we do not process personal data for cross-context behavioral advertising. The categories of recipients below are exhaustive.
Infrastructure providers (processors acting on our instructions)
- Supabase— authentication and user database. United States.
- Cloudflare R2— audio storage. United States / global edge.
- Hetzner— audio processing servers. Germany.
- Vercel— hosting for the YapRoom web app and APIs, and privacy-friendly first-party analytics (see Section 11). United States.
- Resend— transactional email delivery. United States.
- Expo (Push)— push notification delivery for iOS. United States.
- Cloudflare— WebRTC relay (TURN) servers that route the live audio between you and your partner during a session. They do not retain audio. United States / global edge.
Third-party AI services in the processing pipeline
- Deepgram— raw audio is sent to Deepgram's speech-to-text service in the United States to generate transcripts. Deepgram does not retain the audio for training and deletes it after processing. The consent screen names Deepgram explicitly before you record.
Third-party partners we license to
Under the license you grant in Section 6 of the Terms of Service, we may license dataset deliveries to third-party partners (including our successors, assigns, and other parties we contract with) in connection with our and their businesses, and to train, fine-tune, evaluate, and benchmark AI voice and speech models. A dataset delivery contains:
- processed audio recordings,
- their transcripts,
- the demographic profile you provided during onboarding (age, gender, country, childhood country, education level, native language).
Personal identifiers — your name, email address, IP, account ID, payment information, push token, and device identifiers — are removed before delivery. For commercial reasons we do not publish the identities of, or otherwise disclose, the parties we license to.
What we never share
The following operational data is never licensed, sold, or otherwise shared with any licensee, advertiser, marketing partner, or data broker:
- your email address, password, or display name;
- payout details (bank account, IBAN/BIC, account holder name);
- your IP address, device identifiers, and push notification tokens;
- session metadata such as durations, partner pairings, consent timestamps, and upload status;
- support emails, abuse reports, and our investigation notes.
We disclose this operational data only to the infrastructure processors listed above (to run the service), to authorities when legally compelled, and to professional advisers under a duty of confidence where strictly necessary to defend legal claims.
5. Payment data
If you choose to provide payment details so we can pay you for recorded conversations, we collect the following from the in-app form at Settings → Payouts:
- Account holder name (the legal name on your bank account).
- Bank country and IBAN, or the equivalent account number and routing/sort/BSB/IFSC code for non-IBAN countries.
- BIC / SWIFT code (used for international transfers).
- Free-text payout notes you provide (e.g., anything else your bank needs from a sender abroad).
Why:the sole purpose of this data is to send you money for usable conversations you record on YapRoom. We do not use it for analytics, marketing, fraud profiling, or sharing with third parties. Payouts are processed directly by YapRoom — we do not share your payment details with any third-party payouts provider (Stripe, Wise, PayPal, or similar).
Lawful basis (GDPR Art. 6(1)(b) and 6(1)(c)): processing is necessary to perform our payout obligation to you under our terms, and to comply with Danish accounting and tax law.
Retention:we keep your payment details for as long as you have an active YapRoom account. If you withdraw consent or ask us to delete your data, we remove your payment details at the same time as your other personal data — with one narrow exception: we keep a record of past payouts (date, amount, transfer reference) for the period required by Danish accounting and tax law (5 years).
6. How long we keep it
Retention by data category. “Account active” means you have not deleted your account and your consent has not been withdrawn.
- Account data: while the account is active.
- Audio recordings and transcripts (accepted sessions): while the account is active and consent is active. Deleted within 30 days of consent withdrawal or account deletion.
- Audio recordings and transcripts (rejected sessions — see Terms of Service § 7): retained for up to 30 days after rejection for limited internal purposes (improving the processing pipeline and rejection criteria, reviewing appeals, investigating suspected abuse or fraud, defending legal claims). Deleted automatically thereafter and never included in dataset deliveries.
- Demographic profile: retained alongside the audio and transcripts. Deleted on the same schedule.
- Data already delivered to a licensee: we cannot recall a delivery once it has been made, but once you withdraw consent or delete your account you will not be included in any future delivery.
- Session / operational logs: 12 months.
- Abuse reports and moderation notes: 24 months after the case is closed.
- Support emails: 24 months.
- Payment details: while the account is active, then deleted with the rest of your data (see Section 5).
- Past payout records (date, amount, transfer reference): 5 years, to satisfy Danish accounting and tax law.
7. Your rights under GDPR, UK GDPR, and CCPA
You have the following rights, regardless of where you are contacting us from. We respond within 30 days, free of charge in all but the narrowest cases (Art. 12(5)). We may need to verify your identity before fulfilling a request.
- Access(Art. 15) — ask us what we hold about you and receive a copy.
- Rectification(Art. 16) — ask us to correct inaccurate or incomplete data, including your demographic profile.
- Erasure / right to be forgotten(Art. 17) — ask us to delete your data. The fastest route is Settings → Delete account.
- Restriction of processing(Art. 18) — ask us to pause processing while we investigate a dispute.
- Data portability(Art. 20) — ask for a machine-readable export of your account data, demographic profile, transcripts, and audio.
- Object to processing(Art. 21) — object to processing that relies on our legitimate interest. We will stop unless we have compelling overriding grounds.
- Not be subject to solely automated decision-making (Art. 22) — YapRoom does not make decisions that produce legal or similarly significant effects about you using purely automated processing.
- Withdraw consent(Art. 7(3)) — from Settings → Withdraw consent. New sessions will not be recorded, we will not include you in future dataset deliveries, and your retained audio and transcripts are deleted within 30 days. Already-delivered data cannot be recalled (see Section 6).
- Lodge a complaint with Datatilsynet (DK) or the supervisory authority in your country.
If you are a California resident under the CCPA / CPRA, you have equivalent rights to know, delete, correct, and limit. We do not sell personal information as defined by the CCPA, and we do not share it for cross-context behavioral advertising. You will not be discriminated against for exercising your rights.
To exercise any of these rights, email privacy@yap-room.com from the address on your account.
8. Children
YapRoom is for users aged 16 and older. We do not knowingly collect data from anyone under 16, and we apply 16 as a single global floor even where local law would permit a lower age. If you believe a minor has created an account, contact privacy@yap-room.com and we will delete the account.
9. Security
We use TLS for all data in transit. Audio at rest is stored in Cloudflare R2 with access keys held only by our servers and rotated periodically. Supabase enforces Row-Level Security policies that prevent one user from accessing another user’s data. We monitor for unauthorized access. No system is perfect — if we discover a personal data breach affecting you, we will notify the Danish Data Protection Authority within 72 hours where required by GDPR Art. 33, and notify you directly where the breach is likely to result in a high risk to your rights and freedoms under Art. 34.
10. International transfers
Several of our processors operate outside the EU/EEA:
- United States— Supabase, Cloudflare (R2 storage and TURN relay; US / global edge), Vercel, Deepgram, Resend, Expo. Transfers are made under the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), and where the processor has certified, under the EU–US Data Privacy Framework adequacy decision.
- Germany (EU)— Hetzner. No transfer outside the EEA.
You can request a copy of the safeguards in place by emailing privacy@yap-room.com.
11. Cookies, local storage, and analytics
YapRoom uses only the storage and telemetry needed to run the service. We do not use advertising cookies, retargeting pixels, or third-party analytics that build cross-site profiles, and we do not sell or share data for advertising.
- Strictly necessary cookies: Supabase authentication cookies and CSRF tokens.
- Local and session storage: in-app session state and consent state.
- Push notification tokens (iOS app only, when you opt in to notifications).
- Vercel Web Analytics— a privacy-friendly, cookieless, first-party analytics product run by our hosting provider Vercel. It collects aggregate pageview data (visited page, referrer, approximate country derived from IP, browser, and operating system) without setting cookies and without building cross-site profiles. The lawful basis is our legitimate interest (GDPR Art. 6(1)(f)) in understanding which pages are used. You can object under Art. 21 by emailing privacy@yap-room.com.
If we ever add additional analytics or marketing technologies, we will update this section first and ask for consent where required.
12. Marketing communications
We send transactional emails (account, payout, safety, consent and policy changes) because they are necessary to operate the service — you cannot opt out of these while your account is active. We will only send marketing emails on an opt-in basis, and every marketing email will contain a one-click unsubscribe link.
13. Changes to this policy
We update this policy when our practices change. For any material change — a new third-party recipient, a new data type, or a change to the license grant — we will notify active users in-app and by email at least 14 days before the change takes effect. The current version is always at yap-room.com/privacy.
14. Contact
Questions, requests, and complaints: privacy@yap-room.com.