Privacy Policy
Last Updated: 1 April 2026
1. Introduction
1.1 CommonBench ("CommonBench," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data when you use our platform and services (the "Service").
1.2 We provide services to users in multiple jurisdictions including the United States, the United Kingdom, Singapore, Hong Kong, and Australia. This policy is designed to comply with applicable data protection laws in each of these jurisdictions, including:
- The UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR");
- The Personal Data (Privacy) Ordinance (Cap 486) in Hong Kong ("PDPO");
- The Personal Data Protection Act 2012 in Singapore ("PDPA");
- The Privacy Act 1988 and Australian Privacy Principles in Australia ("Privacy Act"); and
- Applicable US federal and state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").
1.3 By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller / Data Intermediary
2.1 CommonBench [entity name, address] is the data controller (or equivalent) responsible for your personal data.
2.2 For UK GDPR purposes, our representative in the United Kingdom is [name and address if applicable].
2.3 For enquiries about this Privacy Policy, contact our Data Protection Officer at: cases@commonbench.ai.
3. Personal Data We Collect
3.1 Account information. When you register, we collect your name, email address, billing address, and payment information.
3.2 Usage data. We automatically collect information about how you interact with the Service, including IP address, device type, browser type, operating system, pages visited, features used, session duration, and referring URLs.
3.3 Content you provide. We process documents, queries, and other materials you upload to or enter into the Service ("User Content") in order to provide the Service. User Content may include personal data relating to you or third parties.
3.4 Communications. If you contact us, we collect the contents of your communications, including email correspondence and support requests.
3.5 Cookies and tracking technologies. We use cookies and similar technologies as described in Section 9.
3.6 Payment data. Payment card details are processed by our third-party payment processor and are not stored on our systems. We receive only a transaction reference, last four digits, and billing address.
4. How We Use Your Personal Data
4.1 We use your personal data for the following purposes and on the following legal bases:
| Purpose | Legal Basis (UK GDPR) | Equivalent Basis (Other Jurisdictions) |
|---|---|---|
| Providing and operating the Service | Performance of contract | Contractual necessity / Consent |
| Processing payments and billing | Performance of contract | Contractual necessity |
| Communicating with you about your account | Performance of contract | Contractual necessity |
| Improving and developing the Service | Legitimate interest | Legitimate business purpose |
| Ensuring security and preventing fraud | Legitimate interest | Legitimate business purpose |
| Complying with legal obligations | Legal obligation | Legal requirement |
| Sending marketing communications (with consent) | Consent | Consent |
| Aggregated analytics (anonymised) | Legitimate interest | Legitimate business purpose |
4.2 AI model training. We do not use your User Content to train our AI models unless you have given explicit, informed consent to do so. Anonymised and aggregated usage patterns (not User Content) may be used to improve the Service.
5. Data Sharing and Disclosure
5.1 We do not sell your personal data.
5.2 We may share your personal data with:
(a) Service providers. Third-party providers who perform services on our behalf (hosting, payment processing, analytics, customer support). These providers are contractually bound to process personal data only as instructed by us and to maintain appropriate security measures.
(b) AI providers. We use third-party AI model providers to power certain features of the Service. User Content may be transmitted to these providers for processing. We require these providers to process data in accordance with their data processing agreements and not to use your data for their own training purposes.
(c) Legal and regulatory. We may disclose personal data where required by law, regulation, court order, or governmental request; to enforce our Terms of Service; to protect the rights, property, or safety of CommonBench, our users, or others; or in connection with legal proceedings.
(d) Business transfers. In connection with any merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer.
5.3 We do not share your personal data with any other third parties except as described above or with your consent.
6. International Data Transfers
6.1 Your personal data may be transferred to and processed in countries other than the country in which you reside, including countries that may not provide an equivalent level of data protection.
6.2 Where we transfer personal data from the UK or EEA to a country that has not been deemed to provide an adequate level of data protection, we implement appropriate safeguards, including Standard Contractual Clauses approved by the UK Information Commissioner's Office or the European Commission.
6.3 Where we transfer personal data from Singapore, we ensure compliance with the transfer limitation obligation under the PDPA, including ensuring the recipient provides a comparable standard of protection.
6.4 Where we transfer personal data from Australia, we take reasonable steps to ensure the overseas recipient handles the data in accordance with the Australian Privacy Principles.
6.5 Where we transfer personal data from Hong Kong, we take all reasonably practicable steps to ensure the recipient handles the data in accordance with the requirements of the PDPO.
7. Data Retention
7.1 We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to comply with legal, accounting, or reporting obligations.
7.2 Account data: Retained for the duration of your account and for 12 months after account closure (or longer if required by law).
7.3 User Content: Retained for the duration of your account. Upon account deletion, User Content is permanently deleted within 30 days, except where retention is required by law.
7.4 Usage data: Retained in identifiable form for up to 24 months, after which it is anonymised or deleted.
7.5 Payment records: Retained for 7 years to comply with applicable tax and accounting obligations.
7.6 Communications: Retained for 24 months after the last communication, or longer if relating to a dispute or legal matter.
8. Your Rights
8.1 Depending on your jurisdiction, you may have the following rights:
All jurisdictions: - Right to access your personal data - Right to correct inaccurate personal data - Right to delete your personal data (subject to legal retention requirements) - Right to withdraw consent (where processing is based on consent)
UK (under UK GDPR): - Right to restriction of processing - Right to data portability - Right to object to processing based on legitimate interests - Right not to be subject to automated decision-making - Right to lodge a complaint with the Information Commissioner's Office (ICO)
Singapore (under PDPA): - Right to access and correct personal data - Right to withdraw consent - Right to lodge a complaint with the Personal Data Protection Commission (PDPC)
Hong Kong (under PDPO): - Right to access and correct personal data held by data users - Right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data
Australia (under Privacy Act): - Right to access and correct personal data - Right to complain about a breach of the Australian Privacy Principles - Right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
California (under CCPA/CPRA): - Right to know what personal information is collected and how it is used - Right to delete personal information - Right to opt out of the sale or sharing of personal information - Right to non-discrimination for exercising privacy rights - Right to correct inaccurate personal information - Right to limit use of sensitive personal information
8.2 To exercise any of these rights, contact us at cases@commonbench.ai. We will respond within the timeframe required by applicable law (generally 30 days, or 45 days under CCPA/CPRA).
8.3 We may need to verify your identity before processing your request.
9. Cookies and Tracking Technologies
9.1 We use the following types of cookies:
(a) Strictly necessary cookies. Required for the Service to function (e.g., authentication, security). These cannot be disabled.
(b) Analytical cookies. Help us understand how users interact with the Service. We use [e.g., Google Analytics / Plausible Analytics] for this purpose.
(c) Functional cookies. Enable enhanced functionality and personalisation (e.g., language preferences).
(d) Marketing cookies. Used with your consent to deliver relevant advertising. We do not currently use marketing cookies. If we introduce them, we will update this policy and obtain your consent where required.
9.2 You can manage your cookie preferences through your browser settings or through our cookie consent tool. Note that disabling certain cookies may affect the functionality of the Service.
9.3 For UK and Australian users, we obtain consent before placing non-essential cookies in accordance with applicable law.
10. Data Security
10.1 We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, regular security testing, and incident response procedures.
10.2 No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
10.3 In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law.
11. Children
11.1 The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.
12. Third-Party Links
12.1 The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party services you access.
13. Changes to This Policy
13.1 We may update this Privacy Policy from time to time. Material changes will be notified to you by email or through the Service at least 14 days before they take effect. The "Last Updated" date at the top of this policy indicates when it was last revised.
14. Contact and Complaints
14.1 For questions, requests, or complaints about this Privacy Policy or our data practices, contact:
Data Protection Officer CommonBench N/A cases@commonbench.ai
14.2 If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction (see Section 8).
15. Jurisdiction-Specific Disclosures
15.1 California Residents
If you are a California resident, the following additional disclosures apply under the CCPA/CPRA:
- Categories of personal information collected: Identifiers (name, email, IP address); commercial information (transaction history); internet activity (usage data); geolocation data (derived from IP address).
- Purpose of collection: As set out in Section 4.
- Sale or sharing: We do not sell or share your personal information as defined under the CCPA/CPRA.
- Retention: As set out in Section 7.
- To exercise your rights: Contact us at cases@commonbench.ai or [toll-free number if applicable].
15.2 Australian Residents
If you are an Australian resident, we will handle your personal information in accordance with the Australian Privacy Principles. Where we disclose your personal information to overseas recipients, we will comply with APP 8. You may lodge a complaint with the OAIC if you believe we have breached the APPs.
15.3 Singapore Residents
If you are a Singapore resident, we collect, use, and disclose your personal data in accordance with the PDPA. Where consent is required, we will obtain it before collecting, using, or disclosing your personal data. You may withdraw your consent at any time, subject to legal and contractual restrictions. You may lodge a complaint with the PDPC.