Legal · How we handle your data

Privacy Policy

Last Updated · 1 April 2026 · GDPR · UK GDPR · PDPA · APP · CCPA

§ 01Who We Are

1.1
CommonBench ("we," "us," "our") is the data controller responsible for your personal information. This Privacy Policy explains what we collect, how we use it, and your rights.
1.2
Contact us about privacy at privacy@commonbench.ai.

§ 02Information We Collect

We collect the following categories of personal information:

Category What it includes Source
Account information Name, email address, password (hashed), organisation, role, jurisdiction. You
Billing information Billing address, VAT/GST number, payment method (handled by our payment processor — we do not store full card numbers). You · Payment processor
Usage data Queries you submit, documents you upload, Work Product generated, session timestamps, feature usage, and quota consumption. You · Service
Technical data IP address, browser type, device type, operating system, referring URL, time-zone, and language preference. Your device
Communications Emails, support tickets, and feedback you send to us. You
Cookies and analytics See § 10 for full detail. Your browser
Important — Sensitive content in queries

Queries you submit and documents you upload may contain sensitive personal information about you or third parties (including special category data under GDPR Article 9, such as health information or information about criminal convictions, if relevant to your matter). You are responsible for ensuring that you have the legal right to submit such information to the Service. We process this content only to generate your Work Product, in accordance with this Policy.

§ 03How We Use Your Information

3.1
We use your information for the following purposes:
  1. To provide the Service — process queries, generate analysis, retrieve and surface citations, deliver Work Product, and maintain your account.
  2. To bill you — process subscription fees, send invoices, and enforce usage caps.
  3. To support you — respond to your enquiries, resolve issues, and provide service announcements.
  4. To improve the Service — analyse aggregate usage to debug, measure performance, and identify reliability issues. We do not use Your Content to train foundation models without your explicit, opt-in consent.
  5. To secure the Service — detect, prevent, and respond to fraud, abuse, security incidents, and unauthorised access.
  6. To comply with the law — meet our legal, regulatory, tax, and accounting obligations, and respond to valid legal process.

§ 04Legal Bases for Processing

4.1
For users in the UK, EEA, and other jurisdictions with similar frameworks, we rely on the following legal bases under the GDPR / UK GDPR:
  1. Contract — to provide the Service you have subscribed to (Article 6(1)(b)).
  2. Legitimate interests — to operate, secure, and improve the Service, balanced against your rights (Article 6(1)(f)).
  3. Legal obligation — to comply with applicable law (Article 6(1)(c)).
  4. Consent — for non-essential cookies, marketing communications, and any optional model training participation (Article 6(1)(a)). You may withdraw consent at any time.
4.2
Where you submit special category data (GDPR Article 9), we rely on Article 9(2)(a) — your explicit consent — given when you submit the query, or Article 9(2)(f) — establishment, exercise, or defence of legal claims, where applicable.

§ 05Sharing Your Information

5.1
We share your information only as described below:
  1. Service providers (sub-processors) — cloud hosting, AI inference, payment processing, email delivery, analytics, error monitoring, and customer support tooling. Each is bound by a written data processing agreement and processes data only on our instructions.
  2. AI inference providers — your queries and uploaded documents are transmitted to our AI inference providers solely to generate Work Product. We require providers to operate under zero-retention or short-retention configurations and not to use Your Content for model training.
  3. Professional advisers — lawyers, accountants, and auditors, where necessary and bound by confidentiality.
  4. Legal and regulatory authorities — where required by valid legal process or to protect our or others' rights, property, or safety.
  5. Successors — in connection with a merger, acquisition, or sale of assets, subject to confidentiality protections and notice to you.
5.2
We do not sell your personal information. We do not share your personal information with advertisers or data brokers.

§ 06International Transfers

6.1
CommonBench is headquartered in Singapore. Your information may be processed in Singapore, the United Kingdom, the European Economic Area, the United States, and other countries where our service providers operate.
6.2
When we transfer personal information outside your jurisdiction, we use appropriate safeguards, including:
  1. Standard Contractual Clauses approved by the European Commission and/or the UK Information Commissioner's Office;
  2. adequacy decisions, where applicable;
  3. the ASEAN Model Contractual Clauses for cross-border data flows in Southeast Asia; and
  4. contractual confidentiality and security commitments from our sub-processors.
6.3
You may request a copy of the safeguards we apply to a specific transfer by contacting privacy@commonbench.ai.

§ 07Data Retention

7.1
We retain personal information only for as long as necessary for the purpose for which it was collected.
7.2
Default retention periods:
  1. Account information — for the duration of your subscription, plus 12 months after termination.
  2. Queries and Work Product — up to 12 months by default. You can delete individual chats or your full history at any time from your account settings.
  3. Billing records — 7 years, as required by tax and accounting law.
  4. Support communications — 3 years from the date of resolution.
  5. Security logs — 12 months.
7.3
After the retention period expires, we delete or anonymise your information. Anonymised information may be retained for analytics indefinitely.
7.4
You may request earlier deletion at any time by emailing privacy@commonbench.ai, subject to our legal obligations to retain certain information.

§ 08Security

8.1
We implement technical and organisational measures appropriate to the risk, including:
  1. encryption in transit (TLS 1.2+) and at rest (AES-256);
  2. role-based access control with the principle of least privilege;
  3. multi-factor authentication for staff access to production systems;
  4. regular security audits, penetration tests, and vulnerability scanning;
  5. incident response procedures with notification timelines aligned to GDPR Article 33; and
  6. employee confidentiality obligations and security awareness training.
8.2
No system is perfectly secure. If a breach affecting your information occurs, we will notify you and the relevant supervisory authority where required by law.

§ 09Your Rights

9.1
Depending on your jurisdiction, you have the following rights over your personal information:
  1. Access — request a copy of the personal information we hold about you.
  2. Rectification — request correction of inaccurate or incomplete information.
  3. Erasure ("right to be forgotten") — request deletion of your information, subject to legal exceptions.
  4. Restriction — request that we limit processing in certain circumstances.
  5. Portability — receive your information in a structured, commonly used, machine-readable format.
  6. Objection — object to processing based on legitimate interests or for direct marketing.
  7. Withdraw consent — at any time, where processing is based on consent.
  8. Lodge a complaint — with your local data protection authority.
9.2
California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information we collect and the right to opt out of "sale" or "sharing" of personal information (we do not sell or share for cross-context behavioural advertising).
9.3
Australian residents have rights under the Australian Privacy Principles (Privacy Act 1988 (Cth)), including access, correction, and complaint rights.
9.4
Singapore residents have rights under the Personal Data Protection Act 2012 (PDPA), including access, correction, and withdrawal of consent.
9.5
To exercise any right, email privacy@commonbench.ai. We will respond within 30 days (or the period required by your jurisdiction). We may need to verify your identity before responding.

§ 10Cookies and Tracking

10.1
We use cookies and similar technologies to operate the Service. Cookies fall into the following categories:
  1. Strictly necessary — required to deliver the Service (authentication, security, load balancing). These are always active.
  2. Functional — remember your preferences (language, jurisdiction, theme).
  3. Analytics — help us understand how the Service is used (page views, feature engagement, error rates). We use privacy-preserving analytics that do not build cross-site profiles.
10.2
We do not use advertising cookies and we do not engage in cross-context behavioural advertising.
10.3
You can manage cookies through your browser settings or our cookie banner where required by law (UK, EEA, California).

§ 11Children's Privacy

11.1
The Service is not intended for users under 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it promptly.

§ 12Changes to This Policy

12.1
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this page reflects the most recent version. Material changes will be notified to you by email or through the Service at least 14 days before they take effect.

§ 13Contact and Complaints

For privacy questions or to exercise your rights, contact our Data Protection contact:

Data Protection — CommonBench

privacy@commonbench.ai

Send a request →

If you are based in the UK or EEA and are dissatisfied with our response, you have the right to lodge a complaint with your national supervisory authority (in the UK, the Information Commissioner's Office).

© 2026 CommonBench. All rights reserved.