Brave Search API privacy notice
Updated 04 December 2025
The Brave Search API is provided by Brave Software Inc located in the U.S.
FOR API CUSTOMERS
You must create an account and subscribe to a plan to gain access to the Brave Search API. Data types marked with * indicate mandatory fields. You will need to provide payment details, and your postal address and billing details. Payment information is processed and held by Stripe and is subject to Stripe's privacy policy. Brave does not have access to the personal data processed by Stripe. All subscription plans require payment information, even if you choose a Free plan (this is to help us safeguard against misuse of the service).
A record of search queries submitted to the Brave Search API via a customer’s Search API account is retained for a maximum of 90 days for the purpose of billing Search API account holders and for troubleshooting subject to Brave’s legal obligations.
As per Section 3b of the Terms Of Service the Brave Search API customer (Licensee) is solely responsible for complying with applicable data protection law including the posting of any privacy notice with regard to queries submitted by end users via the customer’s API access. Brave does not collect any identifiers that can link a search query to an individual or their devices.
You can contact our data protection officer at privacy@brave.com should you have any privacy enquiries about the use of account related data, and to the extent that a search query involves the processing of personal data.
Brave Search API and Personal Data
Brave takes the position that query data sent to Brave Search API is not personal data under laws like the General Data Protection Regulation (GDPR). Brave Search API acts as a conduit – we act on data requests made by our customer’s systems and services, and return search results from our index. It’s no different than conducting a search on https://search.brave.com/ , except that instead of a person doing the search, a computer is doing it via a programmatic call (the Brave Search API).
For our customers, search queries may be personal data, because they may have other information or means that allow them to link back or identify a particular user or query. But Brave has no way to identify which “end user” made any specific query, only that a customer’s account is making an API call. We have no idea who actually made the query, or whether a given query was even about an identifiable individual.
This is why we specifically exclude Search Query Data in our Data Processing Addendum.
| Purpose of processing | Categories of personal data processed | Legal basis of processing | Duration of storage |
| To create and manage account access | Email address, full name and account UID (assigned by Brave), API Key | Necessary for the performance of a contract For data retained after account closure: Legitimate interests Compliance with legal obligations | 12 months from when an account is deleted. |
| To provide customer support | User ID, user email, IP address, other information provided by account holder | Necessary for the performance of a contract | Maximum 6 years. |
| To process payments | Hashed Stripe identifier, Last 4 credit, expiration date | Necessary for the performance of a contract For data retained after account closure: Legitimate interests | 12 months from when an account is deleted. |
| Invoicing | Account information, client contact information, billing details. | Necessary for the performance of a contract | Returned after contract termination. |
| To resolve billing queries and troubleshooting | IP address, authentication token | Necessary for the performance of a contract For data retained after account closure: Legitimate interests | Search Query Logs: 90 days. Option for Zero Data Retention (Enterprise clients), subject to Brave’s legal obligations. Other Data: 12 months from when an account is deleted. |
| To prevent abuse of the Search API | IP address, authentication token | Legitimate interests. | Search Query Logs: 90 days. Option for Zero Data Retention (Enterprise clients), subject to Brave’s legal obligations. Other Data: 12 months from when an account is deleted. |
| Compliance with Brave’s legal obligations | IP address, authentication token, account information | Compliance with legal obligations | To the extent required by law. |
List of sub-processors can be found in Annex IV of the data processing addendum.