Privacy Policy

Effective · May 13, 2026

Overview

Taprun is an open-source browser automation runtime. It consists of a CLI tool and a Chrome extension that work together locally on your machine. Taprun does not collect, transmit, or store any personal data.

What Taprun Does

Taprun executes deterministic automation plans (.plan.json files) in your browser. The Chrome extension acts as a local runtime — it communicates with the CLI through Chrome's Native Messaging transport (OS-supervised stdio between the browser and a binary on your machine). No network ports are opened and no remote servers are involved.

Data Collection

Taprun collects no user data. Specifically:

• No analytics or telemetry. Taprun does not phone home.
• No personal information. No names, emails, or identifiers are collected.
• No browsing history. Taprun does not track which sites you visit.
• No cookies or credentials. While Taprun can read cookies for script execution (e.g., authenticated API requests), this data stays entirely on your local machine and is never transmitted externally.
• No remote servers. All communication happens locally between the CLI and the extension via Chrome's Native Messaging transport (OS-managed stdio). No localhost ports are opened.

Permissions Explained

The Chrome extension requests several permissions, all used exclusively for local automation:

• nativeMessaging — Connects the extension to the locally-installed Tap CLI binary via Chrome-managed stdio. This is the only transport between the browser and the CLI; no network is involved.
• debugger — Native input simulation (mouse/keyboard events via Chrome DevTools Protocol) on tabs the user has explicitly selected for automation.
• activeTab — Resolves the tab the user just interacted with so the CLI can run a tap against the right page context.
• tabs — Tab management: enumerate, create, navigate, switch focus during multi-step flows. Does not by itself read page content.
• scripting — Injects content-script shims into user-selected tabs for DOM reads and event dispatch.
• cookies — Reuses the browser's existing session cookies for the sites the user automates, so credentials never leave the machine.
• storage — chrome.storage.local only; persists popup state and connection status. No page content or credentials are written.
• host_permissions (<all_urls>) — The user decides at runtime which site to automate; host access is exercised only on tabs they explicitly select.

Third-Party Services

Taprun does not integrate with any third-party analytics, advertising, or tracking services.

Data Storage

Taprun stores data only on your local filesystem:

• Compiled plans in ~/.tap/plans/<site>/<name>.plan.json
• Execution logs and intent records in ~/.tap/intents/ and ~/.tap/snapshots/
• Local-only secret store (if used) in ~/.tap/config/secrets
• No cloud storage or sync

Open Source

Taprun is fully open source. You can audit the complete source code at github.com/LeonTing1010/tap.

Changes

If this policy changes, the update will be posted here with a new effective date.

Contact

For questions about this privacy policy, email support@taprun.dev or open an issue at github.com/LeonTing1010/tap/issues.