Brave Search API privacy notice
Updated 8 August 2025
The Brave Search API is provided by Brave Software Inc located in the U.S.
FOR API CUSTOMERS
You must create an account and subscribe to a plan to gain access to the Brave Search API. Data types marked with * indicate mandatory fields. You will need to provide payment details, and your postal address and billing details. Payment information is processed and held by Stripe and is subject to Stripe's privacy policy. Brave does not have access to the personal data processed by Stripe. All subscription plans require payment information, even if you choose a Free plan (this is to help us safeguard against misuse of the service).
A record of search queries submitted to the Brave Search API via a customer’s Search API account is retained for a maximum of 90 days for the purpose of billing Search API account holders and for troubleshooting subject to Brave’s legal obligations.
As per Section 3b of the Terms Of Service the Brave Search API customer (Licensee) is solely responsible for complying with applicable data protection law including the posting of any privacy notice with regard to queries submitted by end users via the customer’s API access. Brave does not collect any identifiers that can link a search query to an individual or their devices.
You can contact our data protection officer at privacy@brave.com should you have any privacy enquiries about the use of account related data, and to the extent that a search query involves the processing of personal data.
| Purpose of processing | Categories of personal data processed | Legal basis of processing | Duration of storage |
| To create and manage account access | Email address, full name and account UID (assigned by Brave), API Key | Necessary for the performance of a contract For data retained after account closure: Legitimate interests Compliance with legal obligations | 12 months from when an account is deleted. |
| To provide customer support | User ID, user email, IP address, other information provided by account holder | Necessary for the performance of a contract | Maximum 6 years. |
| To process payments | Hashed Stripe identifier, Last 4 credit, expiration date | Necessary for the performance of a contract For data retained after account closure: Legitimate interests | 12 months from when an account is deleted. |
| Invoicing | Account information, client contact information, billing details. | Necessary for the performance of a contract | Returned after contract termination. |
| To resolve billing queries and troubleshooting | Search query string, IP address, authentication token | Necessary for the performance of a contract For data retained after account closure: Legitimate interests | Search Query Logs: 90 days. Option for Zero Data Retention (Enterprise clients), subject to Brave’s legal obligations. Other Data: 12 months from when an account is deleted. |
| To prevent abuse of the Search API | Search query string, IP address, authentication token | Legitimate interests. | Search Query Logs: 90 days. Option for Zero Data Retention (Enterprise clients), subject to Brave’s legal obligations. Other Data: 12 months from when an account is deleted. |
| Compliance with Brave’s legal obligations | Search query string, IP address, authentication token, account information | Compliance with legal obligations | To the extent required by law. |
List of sub-processors
The controller has authorised the use of the following sub-processors:
| Name of Subprocessor | Data Storage Location | Processing Activities | Duration of Processing | Onward Transfer Mechanisms | Types of Personal Data Processed |
| Amazon | United States | Search API queries (both processing and storage); Account access & provisioning | 90 days for search query logs; 12 months from when an account is deleted. | SCCs | Email address, full name and account ID (assigned by Brave). |
| Stripe | United States | Payments processing | 12 months from when an account is deleted. | EU-US Data Privacy Framework / UK-US & CH-US DPFs | A hashed identifier received from Stripe, that links to the account within Stripe system. |
| Alphabet / Google | United States | Customer support (emails sent to support@/privacy@brave.com) | Maximum six years. | SCCs | Email address, name, contact information, other information provided by user. |
| Slack | United States | Internal communications | Slack will process personal data for the duration of the agreement, unless otherwise agreed upon in writing. | Salesforce Processor BCRs / SCCs (UK, Switzerland) | First and last name, contact information, ID data, other data as required for ticket resolution. |
| Oracle NetSuite | United States | Invoicing | Returned after contract termination. | Oracle Processor BCRs | Account information, client contact information, billing details. |
| Asana | United States | Inbound inquiries for custom agreements | Asana will retain information for the period necessary to fulfill the purposes until termination of the agreement. | EU-US Data Privacy Framework / UK-US & CH-US DPFs | Customer prospect information such as name, email address, contact information. |