Privacy Policy
Last updated: 7 July 2026
The short version
Tapprove sits between your AI assistant and the business tools you connect (like Gmail, Stripe, Slack, and Notion). To do that, you grant us permission to act on those tools on your behalf. We use that access only to pass your agent's requests through, to pause risky actions for your approval, and to keep an activity log for you. We do not sell your data, and we do not use it to train AI models. We aim to touch as little of your data as possible and to store even less.
1. Who we are
Tapprove is operated by Cruxen, an Australian business (cruxen.com.au). You can reach us at hello@tapprovehq.com for any question, including privacy requests.
2. What we access and why
When you connect a tool, you authorize Tapprove (usually through that tool's own secure sign-in, called OAuth) to perform actions on it. Depending on the tool and the permissions you approve, this can include performing actions your agent initiates (for example sending an email or editing a record), subject to the approval rules you set, and recording metadata about each action (which tool, what type of action, when, and whether it was approved, denied, or passed through) so we can show you an activity log.
For Google services specifically: Tapprove requests only the narrow permission to send email on your behalf (the gmail.send scope). Tapprove does not request permission to read, modify, or delete your email, and cannot see your inbox.
3. What we store, and for how long
- Account data: your email address and sign-in credentials (handled by our authentication provider), kept while your account is active.
- Connection credentials: the OAuth tokens or scoped keys for tools you connect, stored encrypted with application-level encryption on top of encrypted-at-rest infrastructure. Deleted when you disconnect the tool or close your account.
- Held actions: when a risky action pauses for your approval, its details (for example the draft email your agent asked to send) are stored encrypted only until you decide or the action expires, then deleted.
- Activity log: a plain-English, metadata-level record of actions (tool, action type, a short human-readable summary, timestamps, outcome), retained for 90 days on the Solo plan. Full request and response contents are not kept in the log.
4. Your tokens, your control
- Least access: we request the narrowest permissions that deliver the feature, and we will not silently broaden them. If a future feature needs more access, we will ask you to re-authorize.
- Encryption: credentials are encrypted in transit and at rest, with application-level encryption using keys held separately from the database. Credentials are never written to logs.
- Revocation: you can disconnect any tool at any time from your dashboard, and you can also revoke Tapprove directly from the tool's own security settings (for Google: myaccount.google.com > Security > Third-party access).
5. Google API Services: Limited Use disclosure
Tapprove's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google user data is used only to provide the user-facing features described here (sending email you have approved), is not used for advertising, is not sold, and is not used to train generalized AI or machine-learning models.
6. Who we share with
We share data only with the service providers that run Tapprove: Cloudflare (hosting and compute), Supabase (database and authentication), and Resend (transactional email such as approval notifications). They process data on our behalf and are bound to protect it. We do not sell personal data or connected-tool content, and we do not share it with advertisers. We may disclose data if legally required, and we will push back on overbroad requests where we can.
7. Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal data. Email hello@tapprovehq.com and we will act on your request. You can delete your account at any time, which removes your stored credentials and activity log.
8. Security
We use industry-standard measures including encryption in transit and at rest, application-level encryption for credentials, least-privilege access, and tenant isolation enforced at the database layer. No system is perfectly secure, but because we hold sensitive credentials we treat their protection as a first-order priority. If a breach affects your data, we will notify you as required by law and without undue delay.
9. Children
Tapprove is for business use by adults and is not directed to anyone under 18.
10. Changes
We may update this policy as the product evolves. If changes are material, we will notify you before they take effect. The date at the top shows the current version.