Skip to main content
Benchwork

Privacy Policy

Last updated: February 26, 2026

Benchwork (“we”, “our”, or “us”) operates as a Shopify app that provides visual workflow automation for Shopify merchants. This Privacy Policy explains how we collect, use, store, and protect information when you use our Service.

By installing or using Benchwork, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Shopify Store Data

When you install Benchwork, we access your Shopify store through the Shopify API using OAuth 2.0. We collect and process:

  • Store information (shop domain, shop name, email, currency, timezone)
  • Order data (order IDs, status, amounts, line items) — to trigger automations
  • Product and inventory data — to enable inventory-based workflow triggers
  • Customer data (customer ID, email, tags) — when processed by your workflows
  • Webhook event payloads — to execute your configured automation workflows

1.2 Account Information

  • Name and email address of the merchant who installs the app
  • Firebase Authentication credentials (email + password, or OAuth)
  • Billing and subscription information (plan, status) — via Shopify Billing API

1.3 Usage Data

  • Workflow execution logs (which workflows ran, when, and their outcome)
  • Feature usage metrics (which node types are used, workflow counts)
  • AI assistant interactions (prompts and generated workflow suggestions) — not stored long-term
  • Error logs (anonymized, for debugging and improving the service)

1.4 Technical Data

  • IP addresses (for rate limiting and fraud prevention)
  • Browser type and version (for compatibility)
  • Pages visited within Benchwork (for product improvement)

2. How We Use Your Information

We use collected information to:

  • Provide the Service: Execute your automation workflows in response to Shopify events
  • Process billing: Manage your subscription through Shopify's Billing API
  • Improve the Service: Analyze usage patterns to improve features and reliability
  • Provide support: Diagnose and fix issues you report
  • Security: Detect abuse, fraud, and unauthorized access
  • Legal compliance: Meet GDPR, Shopify Partner requirements, and applicable laws
  • Communications: Send transactional emails (workflow alerts, billing notices)

We do not sell your personal information to third parties. We do not use your customer's data for advertising purposes.

3. Data Storage and Security

3.1 Storage Infrastructure

Benchwork stores data using Google Cloud Platform (Firebase/Firestore), hosted in the United States (us-central1 region). All data is encrypted at rest using AES-256 and in transit using TLS 1.2+.

  • Firestore: Workflow definitions, execution logs, user accounts
  • Firebase Authentication: User credentials (passwords are bcrypt-hashed by Firebase)
  • Cloud Functions: Serverless backend processing (Google Cloud, US region)

3.2 Security Measures

  • All API endpoints require authentication (Firebase session tokens)
  • Shopify webhook HMAC-SHA256 verification on all incoming webhooks
  • Rate limiting on all public endpoints
  • PII sanitization in application logs
  • Strict Content Security Policy (CSP) headers
  • HTTPS enforced for all connections (HSTS)
  • JavaScript sandbox isolation for custom code execution

4. Sub-Processors and Data Sharing

We share data with the following third-party service providers (“sub-processors”) solely to operate the Service:

ServicePurposeData Processed
Google Firebase / GCPDatabase, auth, hostingAll app data
ShopifyEcommerce platformStore & order data
StripePayment processingBilling data only
Anthropic (Claude)AI workflow assistantWorkflow descriptions (no customer PII)
Vercel / Cloud RunApplication hostingRequest logs

We do not share your data with advertisers, data brokers, or any other third parties not listed above.

5. Data Retention

  • Active account: Data is retained for as long as your account is active and you have an installed Benchwork app.
  • After uninstall: We retain data for 48 hours after you uninstall the app, after which Shopify sends a GDPR shop/redact webhook and we permanently delete all store data.
  • Workflow execution logs: Retained for 90 days for debugging purposes, then automatically deleted.
  • Customer data in webhooks: Retained in encrypted form for 30 days, then purged from execution logs.
  • Billing records: Retained for 7 years as required by financial regulations, stored in Stripe.

6. Your Rights (GDPR / Privacy Rights)

If you are located in the European Economic Area (EEA), United Kingdom, or California, you have the following rights:

  • Access: Request a copy of personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data (“right to be forgotten”)
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing for direct marketing
  • Restriction: Request restriction of processing in certain circumstances

Your customers' rights: As a Shopify merchant using Benchwork, you are the data controller for your customers' data. Benchwork is a data processor acting on your behalf. Customer data requests received by Shopify (via GDPR webhooks) are automatically processed within 30 days.

To exercise your rights, contact us at [email protected]. We will respond within 30 days.

7. Cookies and Tracking

Benchwork uses minimal cookies necessary for the app to function:

  • Authentication cookies: Firebase Auth session tokens to keep you logged in. These are essential and cannot be disabled.
  • Preference cookies: Store your UI preferences (theme, sidebar state). These can be cleared at any time.

We do not use tracking cookies, advertising cookies, or third-party analytics that track individuals across websites.

8. Children's Privacy

Benchwork is a business tool intended for Shopify merchants. It is not directed at children under 13, and we do not knowingly collect personal information from children.

9. International Data Transfers

Benchwork is operated from the United States. Data is stored on Google Cloud (us-central1). If you access the Service from the EEA or UK, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) with our sub-processors to ensure adequate protection for such transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the “Last updated” date. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or your data rights, contact us:

Benchwork

Email: [email protected]

Web: https://benchwork.dev