The Short Version
TapAuth is an access gateway for AI agents. We store the tokens your agents need to access third-party services on your behalf. We don't sell your data, we don't use it to train AI models, and we don't track you across the web. That's it.
What We Collect
| Data | Why | How long we keep it |
|---|---|---|
| Email & name (from OAuth sign-in) | So you can log in and we know who you are | While your account exists |
| OAuth tokens (access & refresh) | So your AI agents can call third-party APIs | Until you revoke the grant |
| Grant metadata (which agent, which service, when) | So you can see and manage what you've authorized | While the grant is active |
| Audit logs (token access events) | So you can see who accessed what and when | 90 days |
| Session cookies | To keep you logged in | Session duration |
That's the complete list. We don't use analytics cookies, tracking pixels, or advertising scripts.
How We Protect Your Tokens
Your OAuth tokens are the most sensitive thing we store, and we treat them that way:
- Encrypted at rest — every token is encrypted with AES-256-GCM before it hits the database. We never store tokens in plaintext.
- Access-controlled — tokens are only served to AI agents that you've explicitly authorized, for the specific services and scopes you granted.
- Revocable — you can revoke any grant at any time. When you do, the token is no longer served. Period.
What We Don't Do
To be explicit:
- We don't sell your data to anyone
- We don't use your data to train AI models
- We don't track you across the web
- We don't run advertising or ad-tech
- We don't share your data with data brokers
- We don't read your tokens — they're encrypted at rest, and the only time one is decrypted is to serve it to an agent you've authorized
Third-Party Services
We use a small number of services to run TapAuth:
| Service | What it does |
|---|---|
| Vercel | Hosts and deploys the app |
| Neon (Postgres) | Stores our database (tokens are encrypted before storage) |
When you connect a service through OAuth (like Google or GitHub), information is exchanged with that provider as part of the standard OAuth flow: the provider shows you its consent screen and issues the tokens we store. That part happens on the provider's side, so its privacy policy applies to what it collects.
Your Rights
Wherever you are, you can:
- See your data — your dashboard shows your grants and audit logs
- Revoke access — remove any grant at any time via the API or dashboard
- Delete your account — email us and we'll delete everything
- Export your data — email us and we'll send you what we have
If you're in the EU/EEA, you have additional rights under GDPR — including the right to restrict processing, object to processing, and lodge a complaint with your local data protection authority. We process your data based on contractual necessity (we need it to provide the service) and legitimate interest (security and fraud prevention).
A Note About Beta
TapAuth is currently in beta. That means things are evolving — but our commitment to your privacy isn't one of the things that changes. If anything material changes in how we handle data, we'll update this page and the “last updated” date at the top.
Where Your Data Lives
Our infrastructure is in the United States. If you're accessing TapAuth from outside the US, your data is transferred to and stored in the US.
Children
TapAuth isn't for kids. You must be at least 13 years old to use the service. If we learn we've collected data from someone under 13, we'll delete it.
Questions?
Email us at privacy@tapauth.ai. We're a small team and we actually read these.
Fullstack Connections, Inc. d/b/a TapAuth · tapauth.ai