
Brave search privacy audit

Checked on November 21, 2025

Executive summary

Brave presents itself as a “privacy-first” browser and search provider and publishes multiple privacy documents describing measures like anonymous, opt-in data collection (STAR/P3A) and an explicit Brave Search privacy notice; Brave’s browser privacy policy was updated September 11, 2025 and states the company “does not store any record of people’s browsing history” except when users enable Rewards or Sync [1]. Brave also documents server-side and API privacy controls—including a Brave Search API privacy notice and an API-specific SOC 2 Type II attestation reported in secondary coverage—though the full SOC 2 report is reportedly available only under NDA [2] [3].

1. Brave’s written promises: the baseline privacy claims

Brave’s own privacy pages lay out a clear baseline: the browser’s privacy policy (last updated September 11, 2025) states Brave “does not store any record of people’s browsing history” and that user data is stored only if Rewards or Sync are enabled; Brave directs readers to the Brave Search Privacy Notice for search-specific details [1]. The Brave Search privacy help pages and the Search API privacy policy expand on how search and API data are handled, and the API policy notes account-related data and billing are processed (Stripe) and provides a contact for the data protection officer (privacy@brave.com) [4] [2].

2. Technical systems Brave cites to justify privacy-preservation

Brave authors technical systems intended to limit exposure: the STAR system (described by Brave in 2022) and the P3A analytics approach are explicit privacy-preserving mechanisms Brave uses for opt-in telemetry and to help build the Brave Search index while minimizing identifiability [5] [6]. Brave’s STAR work stresses cryptographic guarantees that user-shared values are protected unless other users submit identical values; P3A is presented as collecting no personal information and avoiding sensitive items like browser history or search queries for analytics [5] [6].
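
The threshold property described above, as an added sketch that is not Brave's code or part of the original page: each report carries one Shamir share of a key derived from the submitted value, so the aggregator can decrypt a value only after K distinct reports of it arrive. Assumptions: the function names, the threshold K = 3, the toy XOR cipher and the constructed sample values are illustrative, and plain hashes stand in for the randomness-server step of the published STAR design, so this sketch does not resist guessing of low-entropy values.

```python
import hashlib, secrets
from collections import defaultdict

P = 2**127 - 1   # prime modulus for the share arithmetic
K = 3            # threshold: identical reports needed before a value is revealed

def h(label: bytes, m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(label + b"|" + m).digest(), "big")

def coeffs(m: bytes):
    # Derived from the value, so equal values share one curve (assumption: plain hash).
    return [h(b"coef%d" % i, m) % P for i in range(K)]

def xor_stream(key: int, data: bytes) -> bytes:
    # Toy cipher for illustration only; the same call encrypts and decrypts.
    ks = hashlib.shake_256(key.to_bytes(16, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def client_report(m: bytes):
    c = coeffs(m)
    x = secrets.randbelow(P - 1) + 1                      # random nonzero point
    y = sum(ci * pow(x, i, P) for i, ci in enumerate(c)) % P
    tag = hashlib.sha256(b"tag|" + m).hexdigest()         # groups equal values
    return tag, (x, y), xor_stream(c[0], m)               # c[0] is the key

def recover_key(shares):
    key = 0  # Lagrange interpolation at x = 0 over GF(P)
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for i, (xi, _) in enumerate(shares):
            if i != j:
                num, den = num * -xi % P, den * (xj - xi) % P
        key = (key + yj * num * pow(den, -1, P)) % P
    return key

def aggregate(reports):
    groups = defaultdict(list)
    for tag, share, ct in reports:
        groups[tag].append((share, ct))
    revealed = {}
    for items in groups.values():
        shares = list({s[0]: s for s, _ in items}.values())  # distinct x only
        if len(shares) >= K:                                 # below K: stays sealed
            key = recover_key(shares[:K])
            revealed[xor_stream(key, items[0][1])] = len(items)
    return revealed

# Constructed sample: three clients report one value, two report another.
SAMPLE = [client_report(v) for v in [b"setting=A"] * 3 + [b"setting=B"] * 2]
```

Calling aggregate(SAMPLE) reveals only the value that reached the threshold; the two reports of the other value stay encrypted because two points do not determine the degree-2 polynomial.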

3. Independent validation — audits, attestations, and their limits

There is reporting that Brave earned a SOC 2 Type II attestation for its Search API after a multi-month audit overseen by Prescient Security, which the coverage frames as “concrete reassurance” for users; however, that article notes the final audit report is available only under NDA and that Brave plans annual audits [3]. That means that, while a reputable audit firm reportedly verified controls on the API, the underlying audit details are not public in the cited reporting, and the Search API attestation applies to the API product specifically, not necessarily all Brave services [3] [2].

4. Community scrutiny and ongoing development pressures

Brave’s public repositories and community threads show a process for security/privacy reviews and ongoing user questions: the Brave GitHub security review page requires privacy/security review for changes touching network or privacy UI, and community posts ask developers about external privacy-test results and feature parity [7] [8]. These artifacts indicate an active engineering and community process, but they do not by themselves prove the absence of vulnerabilities or gaps [7] [8].

5. Independent write‑ups and reviews — generally positive but not all‑conclusive

Third‑party reviews and comparisons (e.g., blogs and security-explainer pieces) generally rate Brave as among the more private mainstream browsers in 2025, noting Brave’s independent search index and claims it “does not track your search queries” compared with major engines; these are useful context but rely on Brave’s documented practices and public telemetry rather than full external verification [9] [10]. Such reviews can summarize functionality and UX but do not substitute for publicly available, auditable evidence for every privacy claim.

6. What the available reporting does not mention or fully resolve

Available sources do not mention a publicly released, complete SOC 2 or other external audit report for all Brave services (beyond the press coverage saying the Search API got an attestation and that the final report is available under NDA) [3] [2]. Available sources do not provide independent forensic testing results that definitively confirm every aspect of Brave’s “no browsing history” assertion in live deployments—community and testing discussions exist but do not produce a single authoritative, public audit report covering every product area [8] [7].

7. How to evaluate Brave’s privacy claims yourself

Read Brave’s browser privacy policy and Brave Search privacy notice for the official commitments [1] [4], examine the Search API privacy policy if you plan to use the API [2], and review Brave’s technical posts about STAR and P3A for details on privacy-preserving design [5] [6]. For independent assurance, request details of audits (the SOC 2 report was described as available under NDA in reporting) and ask vendors directly about scope—Search API attestations may not cover other services or client‑side behavior [3] [2].

Bottom line: Brave publishes concrete privacy commitments and describes cryptographic and analytics systems designed to minimize data exposure (STAR, P3A), and there is reporting of an API SOC 2 attestation; however, public, comprehensive third‑party audit evidence for all Brave components is not surfaced in the materials provided here, and the detailed SOC 2 report mentioned appears available only under NDA [5] [6] [3] [2].
