The short version: we collect different information depending on whether you're filling out a form on this website, using the Behavry browser extension your employer deployed, or administering Behavry on behalf of your organization. We don't sell any of it, and we don't share it with advertisers.

Who we are

Behavry Inc. is a US-based company. This policy applies to information collected through behavry.ai, the Behavry browser extension distributed through the Chrome Web Store and other extension stores, and the Behavry platform (the SaaS service that customer organizations use to govern AI usage in their environments). If you have questions, contact privacy@behavry.ai.

This policy covers three distinct data flows:

  1. Website — the access form at behavry.ai
  2. Browser extension — the Behavry extension installed by employees of customer organizations
  3. Platform — the Behavry SaaS service that processes data on behalf of customer organizations

Each is covered in its own section below.


1. Website

What we collect

We collect information only when you voluntarily submit it — specifically through the access form on behavry.ai. That form collects:

  • First and last name
  • Work email address
  • Company name
  • Your role or job title
  • The type of AI agents you are deploying
  • A description of your authorization challenges (optional, free-text)

We do not use cookies, tracking pixels, or analytics scripts on this site. We do not collect IP addresses, device identifiers, or general browsing behavior.

How we use it

We use the information you submit for one purpose: to follow up with you about Behavry. Specifically:

  • To respond to your request and send a brief questionnaire about your deployment
  • To schedule a conversation if there is a mutual fit
  • To keep you informed about Behavry's availability and access program

We will not add you to a general marketing list, send unsolicited newsletters, or contact you about anything unrelated to Behavry without your explicit consent.

Who we share it with

We use Formspree to process form submissions. Formspree receives the data you submit and forwards it to us by email. Their privacy policy is at formspree.io/legal/privacy-policy.

We do not sell, rent, trade, or otherwise share your information with any other third parties.

How long we keep it

We retain your information for as long as there is an active conversation about an Access engagement. If you ask us to delete it, we will do so promptly.


2. Browser extension

The Behavry browser extension is installed by employees of organizations that have deployed Behavry as a customer. The extension is enrolled with a tenant-issued token and operates only on twelve declared AI service domains:

  • chatgpt.com, chat.openai.com
  • claude.ai
  • gemini.google.com
  • copilot.microsoft.com
  • perplexity.ai
  • chat.mistral.ai
  • chat.deepseek.com
  • grok.x.ai
  • you.com
  • poe.com
  • github.com/copilot
  • huggingface.co/chat

Host permissions are scoped to these domains. The extension cannot read or modify content on any other website.

What the extension processes locally

Before any data leaves your browser, the extension processes prompt content locally. Local processing includes:

  • Regex pattern scanning for sensitive data such as credit card numbers, government IDs, and API keys, using a built-in 26-pattern library
  • Optional context-aware PII detection using an on-device machine learning model (the Privacy Filter), which runs entirely in the browser using WebGPU or WebAssembly
  • Prompt injection pattern detection

Prompt content itself is never transmitted to Behavry. Only metadata and redacted findings leave the browser.

What the extension sends to Behavry

For each prompt submitted to one of the twelve AI service domains, the extension transmits:

  • Tenant identifier and enrolled user identifier
  • AI service domain and model name (for example: claude.ai, claude-opus-4-7)
  • Submission timestamp
  • Token counts when available
  • DLP findings: pattern name, severity, and a redacted excerpt of the match. Critical patterns are fully redacted. Non-critical findings may include a short anonymized snippet.
  • Privacy Filter findings: label (for example, PERSON_NAME or EMAIL), severity, and confidence score. No raw text.
  • Prompt injection findings: rule name and severity. No raw text.
  • Coarse device status: active, inactive, last heartbeat timestamp

What the extension does not collect

  • Browsing history outside the twelve declared AI service domains
  • Form data, passwords, or autofill content
  • The contents of files uploaded to AI services (filename only is logged for audit; file content is not)
  • Cookies, local storage, or session tokens from any website
  • Screen content, screenshots, or keystrokes
  • Microphone, camera, or geolocation

Chrome permissions and why we use each

  Permission    Use
  storage       Stores the enrollment token and tenant configuration locally in your browser
  tabs          Identifies when the active tab is on a declared AI service domain
  identity      Used only during one-time enrollment to bind the extension to your enterprise identity via your organization's identity provider
  offscreen     Runs the Privacy Filter machine learning model in a hidden offscreen document (required for WebGPU access in Manifest V3)
  idle          Throttles background activity when you are idle to reduce CPU and battery usage
  webRequest    Observes (does not block or modify) outbound requests to the twelve AI service domains so scan results can be correlated with submission events

Sub-processors

HuggingFace Hub (huggingface.co): the Privacy Filter machine learning model is downloaded from HuggingFace Hub on first activation and cached in your browser. The model files are binary weights, not executable code. No user data is sent to HuggingFace.

If you are an employee of an organization that deployed Behavry

Your employer is the data controller for the information the extension transmits. Behavry processes that information on your employer's behalf. If you have questions about how your employer uses Behavry, including what is retained and for how long, please contact your employer's IT or privacy team. If you contact us directly, we will refer you to them.


3. Behavry platform

When an organization deploys Behavry as a customer, the platform processes data on behalf of that organization. The organization, not Behavry, is the data controller for the data flowing through the platform. Behavry acts as a data processor.

What the platform receives

  • The metadata and findings described in the Browser extension section above
  • API proxy telemetry from agents and integrations that the organization has explicitly configured to route through Behavry
  • Administrative data created by the organization's administrators using the Behavry dashboard (policies, user accounts, audit records)

Sub-processors

  • Amazon Web Services: hosting and database storage (US regions)
  • Clerk: authentication for administrator access to the Behavry dashboard
  • Stripe: billing and subscription management (limited to organization billing contacts)

Behavry does not route customer data to AI providers (Anthropic, OpenAI, Google, and others) unless the customer organization explicitly configures these as approved AI services in their tenant. Default-deny applies.

Retention

Customer organizations configure their own retention policies through the Behavry dashboard. Behavry's default retention for telemetry events is 90 days unless the customer extends it.


Your rights

You have the right to:

  • Request a copy of the information we hold about you
  • Ask us to correct inaccurate information
  • Ask us to delete your information
  • Withdraw from further communication at any time

For information collected through the Behavry platform on behalf of your employer, please direct requests to your employer's IT or privacy team first. They have direct control over their tenant's data.

For all other requests, email privacy@behavry.ai. We will respond within 5 business days.

Security

All Behavry traffic is transmitted over HTTPS with TLS 1.2 or higher. Platform data is encrypted at rest. Extension data stored locally in your browser uses the browser's built-in chrome.storage.local encryption where available. Administrator access to the Behavry dashboard requires multi-factor authentication.

Children

Behavry is intended for business and enterprise use. We do not knowingly collect information from anyone under 18 years of age.

Changes to this policy

If we make material changes to this policy, we will update the effective date at the top of this page and, where appropriate, notify customer organization administrators through the Behavry dashboard.

Contact

For any privacy-related questions or requests, email privacy@behavry.ai.