last updated · May 7, 2026

privacy.

what we collect, why we have it, and what we will not do with it.

Bevel is operated by Bevel Labs, Inc. (“Bevel,” “we,” “us”). This page explains what data we collect when you use bevel.sh, why we collect it, and how to get rid of it. If something here is unclear, email victor@bevel.sh.

1 · what we collect

Three buckets, in order of how sensitive they are:

Account data. When you sign up we store your email and a salted hash of your password (or your provider id, if you sign in with Google or GitHub). We do not store the password itself.

Source data you connect. To produce recommendations Bevel pulls data from the sources you connect. That can include: PostHog events and properties, GitHub commits and issues from repositories you authorize, Sentry/Vercel logs, public Reddit and Hacker News mentions of your product, and pages you ask Bevel to read. We store this data in our database so we can show it back to you and so the agent does not have to re-fetch it on every request.

Product usage. We log which recommendations you ship, skip, override, or chat about, and we use PostHog for product analytics (which buttons get clicked, where flows fail, that sort of thing). We do not record your screen or sell behavioral data.

2 · what we do with it

  • Generate the next packet of recommendations for you.
  • Build your decision ledger so the agent learns your taste.
  • Fix bugs, debug crashes, and improve the product.
  • Bill you, if you are on a paid plan after beta.
  • Email you operational stuff (digest delivery, billing, security).

That's it. We do not sell your data and we do not run ad targeting against it.

3 · what we send to third parties

To do its job, Bevel passes data to a small set of vendors:

  • Anthropic / OpenAI — we send the agent prompt and the relevant slice of your source data so the LLM can reason about it. Anthropic and OpenAI do not train on data we send through their API.
  • Supabase — our database and auth provider. Hosts your account record and the data Bevel has pulled.
  • Vercel — hosts the web app and runs the cron jobs that scan your sources.
  • PostHog — product analytics. Stores click events and feature usage tied to your account id.
  • Stripe — payment processor (only if you upgrade past free). Stripe handles your card details; we never see them.

We do not sell, lease, or rent your data to anyone else. We do not share it with marketing or ad networks.

4 · training models

We do not use your private source data to train Bevel's own models, and we do not share it with third parties for their model training. The recommendations the agent shows you are generated on demand from your data and discarded server-side after the response.

5 · your rights

You can, at any time:

  • Export your decision ledger and connected source data — email victor@bevel.sh and we will hand you a JSON within a week.
  • Delete your account from Settings → Account, or by emailing the address above. Deletion removes your record from our active database and from backups within 30 days.
  • Disconnect any source. We stop pulling immediately and purge cached data from that source within 7 days.
  • Tell us to stop emailing you operational mail. We will, except for security and billing notices we're required to send.

If you are in the EU/UK or California, you have the rights granted by GDPR/UK-GDPR/CCPA respectively (access, rectification, erasure, portability, objection). The mechanism is the same: email us and we'll do it.

6 · retention

We hold source data while your account is active so the agent can use it. If you disconnect a source, its data is purged within 7 days. If you delete your account, everything is purged within 30 days, including from backups. We retain billing records as long as required by tax law (typically 7 years), but those contain only the email and amount paid, not source data.

7 · security

All traffic is TLS. The database is encrypted at rest. Access tokens for connected sources (GitHub, PostHog, etc.) are encrypted with a key Bevel holds, separate from the database. Only the on-call engineer can read production data, and we log every access. We have not had a security incident; if we ever do, we will notify affected accounts within 72 hours of confirming it.

8 · cookies

We use one essential cookie to keep you signed in, and PostHog sets analytics cookies. We do not use ad-tracking cookies. You can reject the analytics cookies and the product still works.

9 · children

Bevel is for people who ship product. We do not knowingly collect data from anyone under 16. If you are a parent and we have somehow ended up with your kid's data, email us and we'll delete it.

10 · changes

We will email all active accounts at least 14 days before any material change to this page. The change log lives in our public GitHub.

11 · contact

Questions, complaints, or data requests: victor@bevel.sh. We try to answer within two business days.
