Privacy Policy
Last updated: March 24, 2026
1. Overview
Bruce Engine ("Bruce", "we", "us") operates the Bruce execution runtime, available at bruceengine.run and via the Bruce Desktop application. This Privacy Policy describes how we collect, use, and protect information when you use our services.
Bruce is designed with a local-first architecture. The agent that executes tasks runs on your own machine. Files, file contents, and command outputs are processed locally and are never uploaded to our servers unless you explicitly share them.
2. Information We Collect
- Email address (for magic-link sign in and early access waitlist)
- Authentication tokens (short-lived, stored in your browser)
- Device name and platform (macOS / Windows / Linux)
- Device ID (randomly generated, not linked to hardware)
- Pairing timestamp and online/offline status
- Tool names and parameters submitted in each plan (e.g. file paths, commands)
- Run status and step results returned by your local agent
- Risk level and approval status
- File contents are never stored on our servers — only tool parameters (paths, command strings) appear in run logs
- Gateway request logs (timestamps, endpoints, HTTP status codes)
- Error events for debugging purposes
- We do not use third-party analytics or advertising trackers
3. How We Use Your Information
- Authenticate your account and send magic-link sign-in emails
- Route execution plans between your AI assistant and your local Bruce agent
- Display your run history and audit log in the dashboard
- Manage your device policy and permissions
- Notify you when your early access spot is ready
- Diagnose errors and improve service reliability
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as required to operate the service (e.g. our database and email providers, listed below).
4. Data Storage & Sub-processors
5. Data Retention
- Run logs are retained for 90 days, then deleted automatically
- Device records are retained until you delete the device from the dashboard
- Account data is retained until you request deletion
- Waitlist emails are retained until early access is fully open or you opt out
- Gateway access logs are retained for 30 days for debugging
6. Your Rights
You may request at any time:
- Access to all personal data we hold about you
- Correction of inaccurate data
- Deletion of your account and associated data
- Export of your run history in JSON format
- Removal from the early access waitlist
To exercise any of these rights, email us at privacy@bruceengine.run. We will respond within 30 days.
7. Security
All data in transit is encrypted via TLS. Database credentials and API keys are stored as environment secrets, never in source code. Device tokens are generated with cryptographic randomness. Magic-link tokens are single-use and expire in 15 minutes.
8. Children
Bruce is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it promptly.
9. Changes to This Policy
We may update this policy as the service evolves. We will update the "Last updated" date at the top and, for material changes, notify users by email.
10. Contact
For privacy-related questions or requests:
privacy@bruceengine.run