Security

Last updated May 18, 2026

This page summarises how Yapless handles the things you record and the data that backs your account. If you're evaluating Yapless for sensitive work, this is the surface to read.

Where your recordings live

Recordings are captured locally on your Mac. In the polish pipeline (transcribe → cut → revoice → compose), transcription runs on-device; the pipeline then calls the Anthropic Messages API for the EDL and ElevenLabs for re-voicing. Source video bytes are uploaded to our storage only when you publish a share link. Until then, everything stays in ~/Yapless/recordings/<id>/.

What we send to third parties

  • Anthropic (Claude) — the transcript text (not the audio) for cut/revoice EDL generation, plus a small number of sampled video frames if you use the AI-walkthrough CLI mode.
  • ElevenLabs — the cleaned text spans we want re-voiced, plus a one-time voice sample when you enroll your clone.
  • Stripe — billing identifiers only. Card data is collected by Stripe Checkout and never touches our servers.
  • PostHog & Sentry — opt-out product analytics and crash reports. No video, no audio, no transcript content.

Storage + retention

Polished MP4s + share-page metadata live on our Stack0 CDN backed by S3-compatible object storage. Encryption at rest (AES-256) is on by default; transport is TLS 1.2+. You can delete any recording from the Mac app or the dashboard, which fans out a delete to both our database and the CDN within seconds.

Authentication

Sessions are cookie-based. Session cookies are set with HttpOnly, Secure and SameSite=Lax, and are signed with a rotating per-deployment secret. OAuth providers (Google) issue tokens we exchange for an internal session and then discard. We never store provider access tokens after the initial exchange.

Mac app signature + updates

The Mac app is signed with our Apple Developer ID, notarized by Apple, and stapled before release. Auto-updates ship through Sparkle with EdDSA signatures; the public key is embedded in the app binary, the private key is held offline. Update binaries are published to a separate yapless-releases GitHub repo so the appcast can be served without any auth.

Reporting an issue

If you've found a security issue, please email security@getyapless.com. We respond within one business day and disclose responsibly. No bug bounty yet — we're a small team — but we will credit you publicly with your permission once an issue is patched.