Privacy Policy

A formal data protection officer has not been appointed. Data protection requests are handled directly by the controller, Kai Stieger.

Our offer is addressed exclusively to entrepreneurs within the meaning of Section 14 of the German Civil Code (BGB). We do not enter into contracts with consumers within the meaning of Section 13 BGB.

We process personal data only when necessary, in particular on the basis of:

• Art. 6 (1) lit. b GDPR (contract / pre-contractual measures)
• Art. 6 (1) lit. f GDPR (legitimate interests, e.g. operations, security, abuse prevention)
• Art. 6 (1) lit. a GDPR (consent), where we obtain it in individual cases

Website and internal workspace are hosted at Hetzner in Germany (Nuremberg).

We use first-party analytics for product and website performance measurement. No third-party ad/retargeting networks are embedded.

Where cookies or similar technologies store information on, or access information already stored on, your device, the German Telecommunications Digital Services Data Protection Act (TDDDG) applies in addition to the GDPR. Strictly necessary device access is based on Section 25 (2) no. 2 TDDDG. Optional analytics device access takes place only after prior consent under Section 25 (1) TDDDG; the related personal-data processing is based on Art. 6 (1) lit. a GDPR.

Strictly necessary storage and processing for login, security, and core functionality remain active independently of analytics consent.

Optional analytics collection is activated only after explicit consent via banner.

To manage and evidence consent and protect against abuse, we also process consent visitations and decision records (consent status, policy version, timestamp, path/referrer, user-agent information, hashed IP and coarse IP prefix). Legal basis: Section 25 (2) no. 2 TDDDG where device access is strictly necessary, Art. 6 (1) lit. f GDPR and Art. 7 (1) GDPR; optional analytics is based on consent under Section 25 (1) TDDDG and Art. 6 (1) lit. a GDPR.

If you contact us via the contact form or email, we process the data you provide (e.g. name, email address, message and any additional content).

• Purpose: handling and responding to the request
• Legal basis: Art. 6 (1) lit. b GDPR (pre-contractual/contractual) or Art. 6 (1) lit. f GDPR (general communication)
• Retention: stored in our contact inbox and deleted when no longer required for communication, unless statutory retention obligations apply

When creating and using a user account, we process in particular:

• Name
• Email address
• Organization (if applicable)
• Authentication identifiers (e.g. Firebase UID)

Authentication is handled via Firebase Authentication (Google). We process only the data required to authenticate and secure access.

Firebase Authentication is provided by Google Ireland Ltd. / Google LLC. Google LLC states that it is certified under the EU-U.S. Data Privacy Framework (DPF). Where transfers to the U.S. occur within this certified scope, they may rely on the European Commission adequacy decision under Art. 45 GDPR. Where this does not apply, appropriate safeguards such as Standard Contractual Clauses under Art. 46 GDPR are used.

• Purpose: providing access, authentication, workspace management, and features
• Legal basis: Art. 6 (1) lit. b GDPR
• Retention: for the duration of the account. After account deletion, we generally delete account data within a reasonable period unless statutory obligations apply.

For certain functions in the app we use AI models from OpenAI as a technical service provider. In doing so, content provided by users for processing may be processed (e.g. business documents such as invoices). Such content may contain personal data (e.g. contact/address data on documents). Special categories of data under Art. 9 GDPR are not intended for processing.

In addition to the recipients named in this statement, we use service providers where required, e.g.:

• Hosting (Hetzner, Germany)
• Email service providers (sending/receiving email)
• Authentication provider (Firebase / Google; Google LLC states that it is certified under the EU-U.S. Data Privacy Framework, with Standard Contractual Clauses as fallback where needed)
• OpenAI (see section 9; Standard Contractual Clauses or applicable adequacy decisions under Art. 45 GDPR, depending on the processing route)

• Google Fonts: hosted locally (no requests to Google servers).
• No embedding of YouTube/Vimeo, maps, captchas or similar third-party content (as of now).
• Social links (e.g. LinkedIn) are simple links; we do not automatically load tracking tools through them.

For tracking and consent data, the current retention periods are:

• Consent decisions: 180 days
• Consent visitations: 90 days
• Analytics events (consent-based): 90 days
• Analytics session state: 30 days
• Analytics dead-letter/security logs: 30 days
• Analytics blocklist entries: 90 days

Other personal data is stored only as long as necessary for the respective purposes or as required by law (e.g. contract duration, communication handling, statutory retention periods).

Under the GDPR, you have the following rights in particular:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing under Art. 6 (1) lit. f GDPR (Art. 21 GDPR)
• Withdrawal of consent (Art. 7 (3) GDPR), where processing is based on consent

Under Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Brandenburg is in particular:

We do not use solely automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

We update this privacy policy when our processing activities or legal requirements change. The version published at the time applies.

Benchlane uses AI systems from OpenAI in parts of its services (see section 9). Where users interact directly with an AI assistant, extraction function, or suggestion function, the product interface is designed to make the AI-supported nature of the function clear.

AI-generated or AI-modified content, such as document summaries, extraction results, or suggested text, should remain identifiable as AI-supported output in the relevant workflow and is subject to human review where appropriate. Benchlane keeps these UI notices aligned with the transparency obligations under Art. 50 of Regulation (EU) 2024/1689 (EU AI Act), which apply from 2 August 2026.