Privacy Policy
Last updated: May 10, 2026
This Privacy Policy explains what data Brevva (operated by SFZ Labs) collects when you use the service, how we use it, who we share it with, and the rights you have over it. It complements our Terms of Service and Cookie Policy.
1. What we collect
Account data
Email address, display name, hashed password (we never store plaintext), email-verification status, account preferences (e.g. your aggregate-benchmark opt-out), and a Stripe customer ID if you have a paid plan. Created and updated timestamps.
Provider connections
For each AI provider you connect, we store the provider name and your API key. Keys are encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256) with versioned keys to support online rotation. Plaintext keys are never written to logs, error reports, or audit records — our log sanitizer redacts every known provider key pattern (e.g. sk-…, sk-ant-…, AIza…) before any line leaves the application process.
Usage data (api_call_logs)
For calls captured via our proxy or fetched via your provider’s admin API, we store: timestamp, model name, provider, input/output/cached token counts, cost estimate, latency, error category and message, finish reason, optional chain-correlation IDs, and provider-supplied request IDs. We do not store your prompts or completions. Request and response bodies are forwarded to the provider untouched and never persisted.
Audit logs
Security-relevant actions — login, logout, password change, provider connect / disconnect, plan change, account deletion, suspected refresh-token reuse — are recorded with the requesting IP address, user agent, and timestamp. These records survive account deletion to enable incident investigation, then are pruned after one year.
Operational metadata
We use Sentry for error monitoring and session replay. Replay records the page DOM and user interactions, but masks form inputs by default — your email, password, and provider API keys are not captured. Replay segments are only uploaded when an error is captured, and are retained on Sentry’s standard schedule. We export Prometheus-format performance metrics keyed by user ID for our own observability; these metrics are not shared with third parties.
2. How we use your data
- To provide and maintain the service.
- To bill you (paid plans) and to detect and prevent payment fraud.
- To detect, investigate, and respond to security incidents — including refresh-token-reuse detection that automatically logs out an attacker who replayed a stolen token.
- To compute the analytics you see in your dashboard.
- With your explicit opt-in, to compute aggregate benchmarks (subject to a 50-account k-anonymity threshold).
- To send transactional email — verification, password reset, billing notices, and downgrade-grace notifications. We do not send marketing email without your separate consent.
3. Lawful bases (GDPR)
If you are in the EEA, UK, or Switzerland we rely on the following bases:
- Performance of contract — most account features, provider connections, and billing.
- Legitimate interests — security monitoring, anti-abuse, service improvement, where these do not override your fundamental rights.
- Consent — aggregate benchmarks contribution (opt-in), and any future marketing email. You can withdraw consent at any time without affecting prior processing.
- Legal obligation — keeping records required for tax, accounting, or fraud-prevention law.
4. Retention
- api_call_logs: 90 days. Older logs are pruned by a daily background task. If your retention requirements are stricter (e.g. 30 days), contact us — shorter retention is achievable on request.
- Audit logs: 1 year, even after account deletion, for incident investigation.
- Account data, provider connections, billing records: retained while your account is active. On deletion they are removed within 30 days, except for records we are legally required to keep (e.g. tax records, which are retained for the period required by local law and then deleted).
- Stripe webhook event records: retained 90 days for idempotency and reconciliation.
- Aggregate benchmarks: published indefinitely as k-anonymized aggregates that cannot be linked back to you.
5. Sub-processors
We rely on the following sub-processors to deliver the service. We have data-processing agreements in place with each where required, and will give prior notice (via email or this page) before adding a new sub-processor.
| Sub-processor | Purpose | Region |
|---|---|---|
| Stripe, Inc. | Subscription billing and payment processing | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and session replay | United States |
| Railway Corp. | Backend hosting, PostgreSQL, Redis | United States |
| Netlify, Inc. | Frontend hosting and CDN | Global edge |
| Formspree, Inc. | Closed-beta waitlist form submissions | United States |
| Resend, Inc. | Transactional email delivery | United States |
Note that Brevva connects to AI providers (OpenAI, Anthropic, OpenRouter, Google, Mistral, Cohere) on your behalf at your direction. Those providers are recipients of your prompts and responses but are not Brevva sub-processors — they are independent controllers governed by their own terms and privacy policies.
6. Sharing and disclosure
We do not sell your personal data. We share data only in these circumstances:
- With sub-processors listed above, solely to deliver the service.
- To comply with law — in response to valid legal process, or to protect rights, safety, or security.
- In a corporate transaction — if SFZ Labs is acquired or reorganized, your data may transfer to the successor entity. We will notify you before your data moves and you will have an opportunity to delete your account first.
7. Your rights
EEA, UK, and Switzerland (GDPR / UK GDPR)
You have the right to:
- access your personal data and receive a copy;
- correct inaccurate data;
- delete data we hold about you (“right to be forgotten”);
- restrict or object to processing;
- port your data to another service;
- lodge a complaint with your local supervisory authority — though we ask that you contact us first so we can address your concern.
California (CCPA / CPRA)
You have the right to:
- know the categories and specific pieces of personal information we collect about you;
- request deletion of personal information;
- opt out of the “sale” or “sharing” of personal information — we do not sell or share for cross-context behavioural advertising;
- not be discriminated against for exercising any of these rights.
Anywhere else
Equivalent rights are available on request. Email support@sfzlabs.com and we will respond within 30 days.
8. International transfers
Brevva is operated from the United States. By using the service from outside the United States you consent to your data being transferred to and processed in the United States, subject to safeguards required by applicable law (such as the EU Standard Contractual Clauses for transfers from the EEA, and the UK International Data Transfer Addendum). Copies of these safeguards are available on request.
9. Security
We protect your data with:
- encryption in transit using TLS 1.2+;
- encryption at rest for sensitive fields (provider API keys), with versioned keys to support periodic rotation;
- short-lived JWT access tokens (15 minutes) plus an httpOnly refresh_token cookie that the browser cannot read from JavaScript;
- refresh-token-reuse detection — replayed tokens trigger automatic family-level invalidation and an audit log entry;
- rate limiting on authentication endpoints (login, register, password reset, verify email) to mitigate credential-stuffing and enumeration;
- continuous dependency-vulnerability scanning (pip-audit, npm audit, gitleaks, Trivy on container images);
- principle-of-least-privilege within our team — only on-call engineers can access production data, and access is logged.
No system is perfectly secure. If you believe your account has been compromised, contact support@sfzlabs.com immediately and rotate your provider keys at the provider directly.
10. Children’s privacy
Brevva is not directed to children under 13 (16 in the EEA where applicable). We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.
11. Cookies
See our Cookie Policy for details. In short: one essential httpOnly cookie for refresh tokens, plus Sentry session-replay storage that masks form inputs. The closed-beta waitlist form posts to Formspree and does not set tracking cookies.
12. Changes to this Policy
We will post any changes here and update the “Last updated” date. Material changes will be communicated by email and/or in-product notice. Continued use of the service after the effective date constitutes acceptance.
13. Contact
For privacy questions, rights requests, security reports, or general support, email support@sfzlabs.com.