← Back to yotp

Privacy Policy

Last updated: February 27, 2026

The short version

yotp doesn't collect, store, or transmit any personal data from the apps. No accounts, no tracking. Your OTP codes are end-to-end encrypted and we never see them. Our website uses anonymous analytics (see below).

What data yotp handles

yotp processes OTP codes from SMS messages on your Android device and forwards them to your Mac. Here's exactly what happens:

  • OTP codes — Detected from incoming SMS messages, encrypted on your phone with AES-256-GCM, and sent to your Mac. The encryption key is generated during pairing and never leaves your devices.
  • Pairing data — When you scan the QR code, a shared secret and pair ID are generated. These are stored locally on your devices only.
  • Device names — Your device name (e.g. "Pixel 8") is shared between paired devices for display purposes.

How OTPs are transmitted

yotp uses an encrypted cloud relay to pass OTP codes between your phone and Mac. The relay consists of two components:

  • Token server — A stateless Cloudflare Worker that issues authentication tokens. It does not store messages, log connections, or retain any data. It is open source.
  • Message relay — Powered by Ably, a third-party realtime messaging service. Ably transports the encrypted messages between your devices. Because messages are end-to-end encrypted before reaching Ably, they cannot read your OTP codes. Ably's privacy policy is available at ably.com/privacy.

Both components only ever see encrypted data. Neither can read your OTP codes.

What we don't do

  • No user accounts or registration
  • No analytics or tracking in the apps
  • No cookies or browser fingerprinting
  • No advertising or ad networks
  • No data sharing with third parties (except anonymous website analytics)
  • No server-side storage of any user data

Permissions

yotp requests the following permissions:

  • Android — SMS access — To detect incoming OTP codes. Messages are processed on-device; only extracted OTP codes are forwarded (encrypted) to your Mac.
  • Android — Camera — To scan the QR code during pairing. Used once, during setup.
  • macOS — Network — To receive OTP codes from your phone via the encrypted cloud relay.

Data retention

yotp stores the last 3 OTP codes in memory on your Android device for sync purposes. These are not persisted to disk and are cleared when the app is closed. Your Mac displays received OTPs in the menu bar popover and stores them in memory only.

Pairing credentials (pair ID and encryption key) are stored locally on each device using the platform's standard secure storage (SharedPreferences on Android, UserDefaults on macOS). You can delete this data by unpairing or uninstalling the app.

Website analytics

Our website (yotp.app) uses PostHog for anonymous usage analytics. This helps us understand how visitors use the website (page views, referrers, clicks). PostHog does not use cookies and does not collect personally identifiable information. No analytics are collected within the Android or macOS apps. PostHog's privacy policy is available at posthog.com/privacy.

Children's privacy

yotp is not directed at children under 13 and does not knowingly collect any personal information from children.

Changes to this policy

If we update this privacy policy, we'll post the changes on this page and update the date at the top. Since we don't have your contact information (by design), we can't notify you directly — so check back if you're curious.

Contact

Questions about this policy? Email us at [email protected].