Privacy Policy - Tappie

Effective date: May 25, 2026

Short version: Tappie does not collect analytics, telemetry, or crash reports. It runs on your Mac and talks to Homebrew. The optional CVE Lookup feature scans your packages locally - no per-package data ever leaves your Mac.

1. What this app does

Tappie is a native macOS user interface for Homebrew. It runs entirely on your Mac, executing brew commands on your behalf and displaying the results. By default Tappie operates fully offline apart from:

  • Querying Homebrew's public formula index (which is what brew itself does).
  • Querying Empiric Apps' update server at https://www.empiricapps.com/api/updates/tappie/latest to check whether a newer version of Tappie itself is available.

2. What we collect - short answer

Nothing by default. Tappie does not include analytics, telemetry, crash reporters, or advertising SDKs. The Apple Privacy Manifest (PrivacyInfo.xcprivacy) bundled with the app reflects this.

3. Optional features that send data off-device

Some features that need external data are opt-in and are off until you turn them on explicitly inside the app.

3.1 CVE Lookup (opt-in, runs locally)

When you enable CVE Lookup in Tappie's Preferences, Tappie scans your installed Homebrew packages for known vulnerabilities using grype, an open-source vulnerability scanner published by Anchore. The scan runs entirely on your Mac.

What leaves your Mac:

  • grype downloads its vulnerability database from Anchore's servers when it's first installed and then refreshes it periodically (typically once a day). The download is a standard HTTPS request, which means Anchore's servers can see your IP address - exactly as any website you visit can.
  • That is the only network activity. The scan itself is local.

What is not sent:

  • The list of your installed packages, or any per-package query, ever
  • Your name, email, Apple ID, or any login credential
  • Installation paths, filesystem layout, or hardware identifiers
  • Scan results

How it works: grype reads /opt/homebrew/Cellar (or /usr/local/Cellaron Intel Macs), identifies the installed formulae and casks, and matches them against its local database. The matched advisories are surfaced in Tappie's Health Report.

How long results live on your Mac: Tappie caches grype's output in ~/Library/Caches/Tappie/cve-lookup/ for one hour to avoid repeated scans during a single session. You can clear the cache from Preferences at any time. The grype database itself is managed by grype in its own directory (~/Library/Caches/grype on macOS).

Anchore's policy: See Anchore's Privacy Policy. The grype tool itself is open source and self-contained.

Disabling: Toggle the switch off in Tappie → Preferences → CVE Lookup. After disabling, the in-app cache is cleared. Tappie does not install or uninstall grype on your behalf when you toggle the feature - you control that with brew install grype / brew uninstall grype.

3.2 Tappie update check (always on)

On launch, Tappie queries https://www.empiricapps.com/api/updates/tappie/latest for the latest published version. The request includes:

  • Your IP address (as with any HTTPS request)
  • A standard User-Agent containing the Tappie version (e.g. Tappie/1.0.2)

We log these requests for aggregate volume and operational monitoring (e.g. detecting outages of the update endpoint). We do not link them to any account, and we don't share them with third parties. Logs are rotated and discarded within 90 days.

You can disable update checks in Tappie → Preferences → Updates, but you'll then need to check for new versions manually.

4. What we do not do

  • No analytics SDKs (no Mixpanel, Amplitude, Segment, GA, Firebase Analytics, etc.).
  • No crash reporters (no Sentry, Crashlytics, Bugsnag).
  • No advertising.
  • No account system - Tappie does not have logins.
  • No selling or sharing of personal information to third parties for marketing.

5. Children's privacy

Tappie is a developer tool not directed at children under 13. We do not knowingly collect data from children.

6. Your rights (GDPR / CCPA)

Because Tappie does not maintain a user account and does not send identifying data anywhere, we hold no personal data about you that we could provide, correct, or delete.

The only third party that may briefly see your IP address is Anchore, when grype downloads its vulnerability database. Anchore is the data controller of any logs they retain from that connection. Refer to their privacy policy for access / deletion requests.

If you believe Tappie is handling data in a way that violates GDPR, CCPA, or another applicable regulation, email contact@empiricapps.com and we'll respond within 30 days.

7. Changes to this policy

We may update this policy as features change. Material changes (e.g. a new third-party service Tappie communicates with) will trigger a fresh consent prompt inside the app for the relevant feature - your previous consent does not roll over to a new data flow.

8. Contact

contact@empiricapps.com · empiricapps.com