The legal bit
Privacy Policy
Last updated: 23 May 2026
We're a small team running a SaaS that holds your customer database. We take that seriously. This page explains, in plain English, what personal data we collect, why, who we share it with, and what you can do about it.
1. Who we are
Benchworks is operated from South Africa. We run the platform at benchworks.app. For any privacy question — access requests, deletions, complaints — email us at support@benchworks.app.
2. What we collect
There are three layers of data on Benchworks and we treat them differently:
- Your account data. The email, name, and phone number you sign up with. Used to log you in, contact you about the service, and bill you.
- Tenant Data — your customers' records. Names, phone numbers, email addresses, ticket history, message threads, photos, signatures, invoices. You enter this when you run your shop. You own it. We hold it for you.
- Usage data. Which pages loaded, how long they took, error rates. We use this to keep the lights on and meet our uptime promise (see /sla). We do not store request bodies, query strings, IP addresses, or user-agents on the uptime ledger.
- Payment data. We never see your card number. Stripe and Paystack handle that. We only see the metadata they return — last 4 digits, brand, payment status.
3. Why we collect it
Under GDPR we rely on two lawful bases: contractual necessity (you signed up for the service, so we need this data to deliver it) and legitimate interest (keeping the platform secure, preventing fraud, improving reliability).
Under POPIA, for South African customers, we rely on the contract you entered into when you signed up, plus your consent for any optional channels (e.g. opting your customers in to WhatsApp notifications — that's a per-customer toggle you control).
4. Who we share it with
We use a small set of sub-processors to actually run the platform. Each one only sees the slice it needs:
| Sub-processor | What it does | Region |
|---|---|---|
| Supabase | Database, auth, file storage | EU |
| Cloudflare | DNS, CDN, edge protection | Global |
| cloud.co.za | VPS hosting (our app servers) | South Africa |
| Stripe | Payment processing (UK / AU / NZ tenants) | Global |
| Paystack | Payment processing (SA tenants) | South Africa |
| Meta Platforms | WhatsApp Business API — only when you connect your own WABA | Global |
| Resend | Transactional email — only when you use our platform fallback sender | EU / US |
| Anthropic / OpenAI / Google | AI APIs — only when you use the platform fallback key. Primary path is your own key (BYOK). | US |
We don't sell your data. We don't share it with advertisers. We don't train anyone's AI model on it.
5. International transfers
Our app servers sit in South Africa. Some sub-processors (Supabase, Cloudflare, Stripe, Resend, the AI APIs) operate from the EU, UK, or US. That means your data may cross borders to be processed.
For SA→UK/EU transfers we rely on the UK and EU adequacy decisions covering South Africa is a separate area — we use the standard contractual clauses each sub-processor publishes as the transfer mechanism. For SA outbound transfers under POPIA, the sub-processor either operates in a country with comparable protection or is bound by a written contract with equivalent terms.
6. How long we keep it
While your account is active, we keep your data for as long as you need it. If you cancel, your data sits in a 90-day dormant grace period — you can come back and restore everything by clicking one button. After 90 days, we permanently delete it. That's the deal, and it's in our Terms (see /terms).
A small number of records we keep longer for legal reasons — invoices and audit logs for the period our tax and accounting law requires. Everything else goes.
7. Your rights over your data
POPIA and GDPR give you the same set of rights. You can:
- Ask for a copy of every piece of data we hold about you.
- Correct anything that's wrong.
- Ask us to erase your account and everything in it (subject to the legal-retention carve-out above).
- Export your data in a portable format. We give you a CSV and JSON bundle on demand, no support ticket needed — from Settings → Account.
- Object to a specific use of your data, or withdraw consent.
- Lodge a complaint with your regulator. In South Africa that's the Information Regulator (inforeg@justice.gov.za). In the UK it's the Information Commissioner's Office (ico.org.uk). Australia: the OAIC. New Zealand: the Office of the Privacy Commissioner.
Most of these you can do yourself, inside the app, without asking us. For the rest, email support@benchworks.app and we'll handle it.
8. Security
Data is encrypted in transit (TLS) and at rest (database + storage). Every tenant's data is isolated at the database row level — your customers, tickets, and messages cannot be read by another tenant's account even with a valid login.
We run a 4-agent security review at the end of every feature milestone and we don't ship a milestone with open HIGH findings. That's a process, not a guarantee — but it's the most honest answer we can give about how we think about this.
9. Cookies and tracking
We use a small number of cookies for things that genuinely need them: keeping you signed in (session cookies), protecting the forms you submit (CSRF), and remembering whether you've dismissed certain prompts. We don't run advertising trackers, analytics pixels, or third-party fingerprinting on this site.
10. Children
Benchworks is a business-to-business tool for repair shops. We do not knowingly collect data from anyone under 16. If you believe a child has signed up or had their data submitted to us, email support@benchworks.app and we'll delete it.
11. Changes to this policy
If we change anything material — new sub-processor, new category of data, narrower or wider retention — we'll email you and update the date at the top of this page. We won't quietly change the rules in the background.
12. Contact
For anything privacy-related — questions, complaints, requests — email support@benchworks.app. We aim to respond inside one business day.