Privacy Policy

Last updated: 13 Feb 2026

This privacy policy explains how we process personal data in connection with the website benchlane.com and the internal client workspace. The information follows the disclosure duties under Art. 13 GDPR.

1. Controller

Kai Stieger

Geschwister-Scholl-Str. 76

14471 Potsdam

Germany

Email: contact@benchlane.com

2. Contact for data protection requests

Email: privacy@benchlane.com

A formal data protection officer has not been appointed. Data protection requests are handled directly by the controller, Kai Stieger.

3. B2B Notice

Our offer is addressed exclusively to entrepreneurs within the meaning of Section 14 of the German Civil Code (BGB). We do not enter into contracts with consumers within the meaning of Section 13 BGB.

4. Legal bases of processing

We process personal data only when necessary, in particular on the basis of:

  • Art. 6 (1) lit. b GDPR (contract / pre-contractual measures)
  • Art. 6 (1) lit. f GDPR (legitimate interests, e.g. operations, security, abuse prevention)
  • Art. 6 (1) lit. a GDPR (consent), where we obtain it in individual cases

5. Hosting

Website and internal workspace are hosted at Hetzner in Germany (Nuremberg).

Server logs

As of now, we do not maintain our own persistent server access logs. However, to provide and secure the infrastructure it may be technically necessary for the hosting provider to process technical data temporarily (e.g. for incident handling and IT security). Legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in secure operations).

6. Cookies / Tracking / Consent banner

We use first-party analytics for product and website performance measurement. No third-party ad/retargeting networks are embedded.

Strictly necessary storage and processing for login, security, and core functionality remain active independently of analytics consent.

Optional analytics collection is activated only after explicit consent via banner.

To manage and evidence consent and protect against abuse, we also process consent visitations and decision records (consent status, policy version, timestamp, path/referrer, user-agent information, hashed IP and coarse IP prefix). Legal basis: Art. 6 (1) lit. f GDPR and Art. 7 (1) GDPR; optional analytics is based on consent (Art. 6 (1) lit. a GDPR).

7. Contact (contact form & email)

If you contact us via the contact form or email, we process the data you provide (e.g. name, email address, message and any additional content).

  • Purpose: handling and responding to the request
  • Legal basis: Art. 6 (1) lit. b GDPR (pre-contractual/contractual) or Art. 6 (1) lit. f GDPR (general communication)
  • Retention: stored in our contact inbox and deleted when no longer required for communication, unless statutory retention obligations apply

8. User account / internal client workspace

When creating and using a user account, we process in particular:

  • Name
  • Email address
  • Organization (if applicable)
  • Authentication identifiers (e.g. Firebase UID)

Authentication is handled via Firebase Authentication (Google). We process only the data required to authenticate and secure access.

Depending on technical routing, processing outside the EU/EEA cannot be fully excluded for authentication services. Where applicable, transfers are based on appropriate safeguards (e.g. Standard Contractual Clauses).

  • Purpose: providing access, authentication, workspace management, and features
  • Legal basis: Art. 6 (1) lit. b GDPR
  • Retention: for the duration of the account. After account deletion, we generally delete account data within a reasonable period unless statutory obligations apply.

9. Document/content processing and AI service provider (OpenAI)

For certain functions in the app we use AI models from OpenAI as a technical service provider. In doing so, content provided by users for processing may be processed (e.g. business documents such as invoices). Such content may contain personal data (e.g. contact/address data on documents). Special categories of data under Art. 9 GDPR are not intended for processing.

9.1 Purposes and legal basis

  • Purpose: AI-assisted processing of the function requested by the user (e.g. extraction/transformation of information)
  • Legal basis: Art. 6 (1) lit. b GDPR (service performance)

9.2 Storage at Benchlane

We do not store documents permanently. Content/processing data is kept only temporarily and deleted within 24 hours at the latest, unless longer storage is required in individual cases (e.g. on explicit support request).

9.3 OpenAI API logging and retention at OpenAI

We configure API calls so that results are not stored for optional OpenAI products such as Distillation/Evals.

Regardless, when using the OpenAI API, so-called abuse-monitoring logs may be created that can contain content (prompts/responses) and are retained for up to 30 days unless a longer legal retention obligation applies.

9.4 Recipients and third-country transfer

Recipient is OpenAI (depending on service component also affiliates/subprocessors). Depending on technical setup, processing outside the EU/EEA cannot be ruled out. In such cases, transfers are based on appropriate mechanisms (e.g. Standard Contractual Clauses), where applicable and contractually agreed. (Details follow the relevant OpenAI documentation.)

10. Other service providers / recipients

In addition to the recipients named in this statement, we use service providers where required, e.g.:

  • Hosting (Hetzner, Germany)
  • Email service providers (sending/receiving email)
  • Authentication provider (Firebase / Google)
  • OpenAI (see section 9)

11. Embedded content and external resources

  • Google Fonts: hosted locally (no requests to Google servers).
  • No embedding of YouTube/Vimeo, maps, captchas or similar third-party content (as of now).
  • Social links (e.g. LinkedIn) are simple links; we do not automatically load tracking tools through them.

12. General retention period

For tracking and consent data, the current retention periods are:

  • Consent decisions: 180 days
  • Consent visitations: 90 days
  • Analytics events (consent-based): 90 days
  • Analytics session state: 30 days
  • Analytics dead-letter/security logs: 30 days
  • Analytics blocklist entries: 90 days

Other personal data is stored only as long as necessary for the respective purposes or as required by law (e.g. contract duration, communication handling, statutory retention periods).

13. Rights of data subjects

Under the GDPR, you have the following rights in particular:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing under Art. 6 (1) lit. f GDPR (Art. 21 GDPR)
  • Withdrawal of consent (Art. 7 (3) GDPR), where processing is based on consent

14. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for Brandenburg is in particular:

Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg

Stahnsdorfer Damm 77, 14532 Kleinmachnow

Tel.: 033203 356-0

Email: poststelle@lda.brandenburg.de

15. No automated decision-making

We do not use solely automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

16. Changes to this privacy policy

We update this privacy policy when our processing activities or legal requirements change. The version published at the time applies.

Data deletion