Privacy Policy
Effective · May 13, 2026
Overview
Taprun is an open-source browser automation runtime. It consists of a CLI tool and a Chrome extension that work together locally on your machine. Taprun does not collect, transmit, or store any personal data.
What Taprun Does
Taprun executes deterministic automation plans (.plan.json files) in your browser. The Chrome extension acts as a local runtime — it communicates with the CLI through Chrome's Native Messaging transport (OS-supervised stdio between the browser and a binary on your machine). No network ports are opened and no remote servers are involved.
Data Collection
Taprun collects no user data. Specifically:
- No analytics or telemetry. Taprun does not phone home.
- No personal information. No names, emails, or identifiers are collected.
- No browsing history. Taprun does not track which sites you visit.
- No cookies or credentials. While Taprun can read cookies for script execution (e.g., authenticated API requests), this data stays entirely on your local machine and is never transmitted externally.
- No remote servers. All communication happens locally between the CLI and the extension via Chrome's Native Messaging transport (OS-managed stdio). No localhost ports are opened.
Permissions Explained
The Chrome extension requests several permissions, all used exclusively for local automation:
- nativeMessaging — Connects the extension to the locally-installed Tap CLI binary via Chrome-managed stdio. This is the only transport between the browser and the CLI; no network is involved.
- debugger — Native input simulation (mouse/keyboard events via Chrome DevTools Protocol) on tabs the user has explicitly selected for automation.
- activeTab — Resolves the tab the user just interacted with so the CLI can run a tap against the right page context.
- tabs — Tab management: enumerate, create, navigate, switch focus during multi-step flows. Does not by itself read page content.
- scripting — Injects content-script shims into user-selected tabs for DOM reads and event dispatch.
- cookies — Reuses the browser's existing session cookies for the sites the user automates, so credentials never leave the machine.
- storage —
chrome.storage.localonly; persists popup state and connection status. No page content or credentials are written. - host_permissions (<all_urls>) — The user decides at runtime which site to automate; host access is exercised only on tabs they explicitly select.
Third-Party Services
Taprun does not integrate with any third-party analytics, advertising, or tracking services.
Data Storage
Taprun stores data only on your local filesystem:
- Compiled plans in
~/.tap/plans/<site>/<name>.plan.json - Execution logs, intent records, and capture traces in
~/.tap/intents/and~/.tap/traces/ - Local-only secret store (if used) in
~/.tap/config/secrets - No cloud storage or sync
Data Retention
Because Taprun collects nothing and uses no remote servers, there is no server-side data to retain — Anthropic and Taprun retain none of your data. Everything Taprun writes lives under ~/.tap/ on your own machine, and its retention is entirely under your control:
- You decide how long it lives. Plans, intents, traces, and secrets persist locally until you delete them.
- Automatic local cleanup. Transient artifacts (traces, intent records) age out on a local time-to-live sweep; they are never uploaded before or after deletion.
- Full deletion any time. Removing the
~/.tap/directory (or uninstalling the CLI and extension) erases all locally stored Taprun data permanently. There is no copy anywhere else to delete.
Open Source
Taprun is fully open source. You can audit the complete source code at github.com/LeonTing1010/tap.
Changes
If this policy changes, the update will be posted here with a new effective date.
Contact
For questions about this privacy policy, email support@taprun.dev or open an issue at github.com/LeonTing1010/tap/issues.