Privacy Policy
Last updated: March 15, 2026
YesYes is built on a simple principle: your relationship is yours alone. This policy explains exactly what we collect, what we cannot see, and how we protect your data.
What we cannot read
All intimate content you log in YesYes — session details, notes, challenges, and connection requests — is end-to-end encrypted on your device before it is sent to our servers. We use X25519 key exchange and XSalsa20-Poly1305 encryption. Your private key never leaves your device. This means we are technically unable to read your content, even if required to do so.
What we do collect
- Email address — used for account creation and login only.
- Public encryption key — your X25519 public key, used to establish a secure channel with your partner. It is public by design and contains no personal information.
- Encrypted ciphertext — the encrypted form of your events, challenges, and messages. We store this but cannot decrypt it.
- Push notification token — if you enable notifications, your device token is stored to deliver nudges from your partner. Notification content is minimal and does not include encrypted data.
- Timestamps and metadata — when events occurred, account creation date. This metadata is not encrypted.
How we use your data
- To authenticate you and connect you with your partner.
- To store and sync your encrypted data across devices.
- To deliver push notifications at your partner's request.
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described below.
Third-party services
- Supabase — our database and authentication provider. Supabase stores your encrypted data and email address on servers in the United States. See supabase.com/privacy.
- Expo — used to deliver push notifications. Your push token may be processed by Expo's push notification service. See expo.dev/privacy.
- Apple / Google — app distribution and push notification delivery on iOS and Android respectively.
Data retention and deletion
Your data is retained for as long as your account is active. To delete your account and all associated data, contact us at the email below. We will permanently delete your account and all stored ciphertext within 30 days.
Note: because your content is end-to-end encrypted and we do not hold your private key, we cannot recover your data if you lose access to your device.
Children's privacy
YesYes is intended for adults aged 17 and older. We do not knowingly collect personal information from anyone under 17. If you believe a minor has created an account, please contact us and we will delete it promptly.
Changes to this policy
If we make material changes to this policy, we will update the date at the top of this page and notify you via the app. Continued use of YesYes after changes constitutes acceptance of the updated policy.
Contact
Questions about this policy or requests to delete your data: privacy@yesyes.io