Privacy Policy
Last updated: June 15, 2026
1. Introduction
Welcome to Brevy ("we," "our," or "us"). Brevy is an AI-powered coding workspace and Visual Studio Code extension developed by Brevy, Inc. ("Brevy," "Company," or "Brevios" as referenced in some backend systems). We are committed to protecting your privacy and handling your data with transparency and care.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at brevy.com, our Visual Studio Code extension, our APIs, and all related services (collectively, the "Service"). By accessing or using the Service, you agree to the collection and use of information in accordance with this policy.
If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Information We Collect
2.1 Account Information
When you create a Brevy account, we collect:
- Name — your display name for identification within the Service.
- Email address — used for authentication, communication, and account management.
- Password — stored in hashed and salted form using industry-standard bcrypt encryption. We never store plain-text passwords.
- OAuth credentials — if you sign in via a third-party provider (e.g., GitHub, Google), we receive a unique identifier and basic profile information as authorized by you.
2.2 Usage & Interaction Data
To provide and improve the Service, we automatically collect:
- Extension telemetry — anonymized usage metrics such as features used, request counts, error rates, and session duration. No source code content is collected from telemetry by default.
- API request metadata — timestamps, request types, model selections, and latency metrics for service optimization.
- Device & browser information — operating system, VS Code version, browser type, and IP address (used for security and fraud prevention).
- Quota & billing data — records of plan subscriptions, quota usage, payment history, and transaction IDs.
2.3 AI Interaction Data
Important: Your source code is sent to third-party AI model providers only when you explicitly initiate a request (e.g., code completion, chat, or voice interaction). We do not train on your code, and we do not store the content of individual AI requests beyond what is necessary for service delivery.
When you use AI features, we process and may temporarily store:
- Code snippets and context — the code you select, highlight, or reference when making an AI request. This data is transmitted to the AI model provider you have configured (e.g., Anthropic Claude, OpenAI GPT, Google Gemini, DeepSeek, Qwen) and processed in accordance with their respective privacy policies.
- Chat messages — your prompts and the AI's responses, stored to enable conversation history and context persistence.
- Autocomplete triggers — the surrounding code context sent to generate code completions.
2.4 Voice Data (Gemini Live & Voice Mode)
If you enable voice features powered by Google Gemini Live or similar providers:
- Audio recordings — your microphone input is streamed to the voice AI provider in real time. Audio is processed for the duration of the session and is not stored by Brevy after the session ends.
- Transcriptions — text transcriptions of your voice input may be temporarily cached to enable the coding workflow but are purged within 24 hours.
- Microphone permissions — Brevy only accesses your microphone when you explicitly enable voice mode. You can revoke microphone access at any time through your browser or OS settings.
2.5 API Key Data (Bring Your Own Key)
If you use the BYOK (Bring Your Own Key) feature to supply your own API keys for third-party AI providers:
- API keys — encrypted at rest using AES-256 and stored in our secure credential vault. Keys are decrypted only at the moment of request transmission and are never logged, displayed in plaintext, or used for any purpose other than routing your requests.
- Provider usage — API calls made with your keys are governed by the respective provider's terms of service and privacy policy.
2.6 Communication Data
- Support tickets — messages, attachments, and metadata submitted through our support channels.
- Email correspondence — communications sent to or from our support, sales, or security teams.
- Community contributions — posts, comments, or feedback submitted through community forums or feedback channels.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Providing and maintaining the Service | Contractual necessity | Account data, usage data, AI interaction data |
| Processing AI requests | Contractual necessity | Code context, chat messages, API keys |
| Billing and quota management | Contractual necessity | Payment data, quota usage |
| Improving the Service | Legitimate interest | Anonymized telemetry, error logs |
| Security and fraud prevention | Legitimate interest | IP address, device info, access logs |
| Sending service communications | Contractual necessity | Email address |
| Marketing and product updates | Consent | Email address (opt-in only) |
| Complying with legal obligations | Legal obligation | As required by applicable law |
4. Data Sharing
We do not sell your personal information. We share data only in the following circumstances:
4.1 AI Model Providers
When you use AI features, the relevant code context and prompts are transmitted to the AI model provider you have selected. These providers include, but are not limited to:
| Provider | Service | Data Processed |
|---|---|---|
| Anthropic | Claude models | Code context, prompts |
| OpenAI | GPT models | Code context, prompts |
| Gemini models, Gemini Live | Code context, prompts, voice audio | |
| DeepSeek | DeepSeek models | Code context, prompts |
| Alibaba Cloud | Qwen models | Code context, prompts |
| Various (BYOK) | User-configured providers | Code context, prompts |
These providers process data according to their own privacy policies and terms of service. We encourage you to review the privacy policies of any AI model provider you configure. When you use BYOK, your data is processed directly by the provider you have chosen, and Brevy acts only as a pass-through.
4.2 Service Providers
We may share data with third-party service providers who perform services on our behalf, including:
- Payment processing — Freemius (for subscription billing and payment handling).
- Infrastructure — cloud hosting and database providers for service deployment.
- Analytics — anonymized analytics services for service improvement.
- Communications — email delivery services for transactional and support communications.
All service providers are contractually bound to protect your data and are prohibited from using it for purposes other than those specified.
4.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government requests.
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS 1.3. No unencrypted data transmission is permitted.
- Encryption at rest — all stored data, including database records, file storage, and API keys, is encrypted using AES-256.
- Authentication security — passwords are hashed using bcrypt with salt rounds ≥ 12. Session tokens are short-lived (15-minute access tokens with refresh token rotation).
- Access controls — strict role-based access control (RBAC) for all internal systems. No employee has standing access to user data without explicit authorization and logging.
- Infrastructure security — hosted on SOC 2 certified infrastructure with automated vulnerability scanning, intrusion detection, and DDoS protection.
- Code isolation — your source code is processed in isolated environments and is never shared between users or retained beyond the scope of the AI request.
While we strive to use commercially acceptable means to protect your data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
We retain your information only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 30 days | Service delivery and account recovery |
| Chat conversations | Until deleted by user | Context persistence and workflow continuity |
| AI request data | Up to 30 days | Service improvement and debugging |
| Voice recordings | End of session (not stored) | Real-time processing only |
| Voice transcriptions | 24 hours | Workflow enablement |
| API keys (BYOK) | Duration of user configuration | Request routing |
| Billing records | 7 years | Legal and tax compliance |
| Telemetry data | 90 days (anonymized) | Service improvement |
| Server logs | 30 days | Security and debugging |
When you delete your account, we initiate deletion of your personal data within 30 days, except where retention is required by law.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of Access — request a copy of the personal data we hold about you.
- Right to Rectification — request correction of inaccurate or incomplete data.
- Right to Erasure — request deletion of your personal data ("right to be forgotten").
- Right to Restrict Processing — request limitation of how we process your data.
- Right to Data Portability — request your data in a structured, commonly used, machine-readable format.
- Right to Object — object to processing based on legitimate interests, including marketing.
- Right to Withdraw Consent — withdraw previously given consent at any time.
To exercise any of these rights, contact us at privacy@brevy.com. We will respond to your request within 30 days. For EU/EEA residents, additional rights under the General Data Protection Regulation (GDPR) apply.
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights, including the right to opt out of the sale or sharing of personal information. Brevy does not sell personal information.
9. Children's Privacy
The Service is not intended for use by children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@brevy.com.
10. International Data Transfers
Brevy operates primarily from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements (DPAs) with all sub-processors.
- Adequacy decisions where applicable.
By using the Service, you acknowledge and consent to the transfer of your information to countries that may have different data protection rules than your country of residence.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Post a notice on our website and within the extension.
- Send an email notification to registered users (for material changes).
We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
| privacy@brevy.com | |
| Company | Brevy, Inc. |
| Data Protection Officer | privacy@brevy.com |
We aim to respond to all privacy-related inquiries within 30 business days.