Privacy Policy

Last updated: February 12, 2026

The short version

yotp doesn't collect, store, or transmit any personal data. No accounts, no analytics, no tracking. Your OTP codes are end-to-end encrypted and we never see them.

What data yotp handles

yotp processes OTP codes from SMS messages on your Android device and forwards them to your Mac. Here's exactly what happens:

  • OTP codes — Detected from incoming SMS messages, encrypted on your phone with AES-256-GCM, and sent to your Mac. The encryption key is generated during pairing and never leaves your devices.
  • Pairing data — When you scan the QR code, a shared secret and pair ID are generated. These are stored locally on your devices only.
  • Device names — Your device name (e.g. "Pixel 8") is shared between paired devices for display purposes.

Local connections

When your phone and Mac are on the same WiFi network, OTP codes are sent directly between them over an encrypted local connection. The data never leaves your network.

Cloud relay

When your devices are on different networks, yotp uses a cloud relay to pass messages between them. The relay consists of two components:

  • Token server — A stateless Cloudflare Worker that issues authentication tokens. It does not store messages, log connections, or retain any data. It is open source.
  • Message relay — Powered by Ably, a third-party realtime messaging service. Ably transports the encrypted messages between your devices. Because messages are end-to-end encrypted before they reach Ably, Ably cannot read your OTP codes. Ably's privacy policy is available at ably.com/privacy.

Both components only ever see encrypted data. Neither can read your OTP codes.

What we don't do

  • No user accounts or registration
  • No analytics or usage tracking
  • No cookies or browser fingerprinting
  • No advertising or ad networks
  • No data sharing with third parties
  • No server-side storage of any user data

Permissions

yotp requests the following permissions:

  • Android — SMS access — To detect incoming OTP codes. Messages are processed on-device; only extracted OTP codes are forwarded (encrypted) to your Mac.
  • Android — Camera — To scan the QR code during pairing. Used once, during setup.
  • macOS — Network — To receive OTP codes from your phone over local WiFi or the cloud relay.

Data retention

yotp stores the last 3 OTP codes in memory on your Android device for sync purposes. These are not persisted to disk and are cleared when the app is closed. Your Mac displays received OTPs in the menu bar popover and stores them in memory only.

Pairing credentials (pair ID and encryption key) are stored locally on each device using the platform's standard secure storage (SharedPreferences on Android, UserDefaults on macOS). You can delete this data by unpairing or uninstalling the app.

Children's privacy

yotp is not directed at children under 13 and does not knowingly collect any personal information from children.

Changes to this policy

If we update this privacy policy, we'll post the changes on this page and update the date at the top. Since we don't have your contact information (by design), we can't notify you directly — so check back if you're curious.

Contact

Questions about this policy? Email us at [email protected].