Docs Services Sign In

Privacy Policy

Last updated: May 18, 2026. We do not sell your data, we do not share it with advertisers, and we do not use it to train any AI model.

1. Who we are and what this covers

This policy describes how Benmore Technologies ("Benmore", "we") handles personal information for users of benmore.ai, the dashboard, the hosted apps you build, and the Claude/MCP connector. It does not cover personal information that your own end users share with apps you build on the platform. For that you are the data controller, and you set the privacy posture for your own app.

2. What we collect

a. Account information

Email address, a one way bcrypt hash of your password, the time you signed up, the time of your last login, and the plan you are on. We never store your password in plaintext.

b. Billing information

If you upgrade to a paid plan, Stripe handles the payment. Stripe sends us a customer ID, the subscription ID, status (active, canceled, past due), and the current renewal date. We never see or store your full card number, expiry, or CVC.

c. Your app data

Each app you create gets its own SQLite database on our servers. We process this data only as needed to operate, back up, and surface it to you in the dashboard. We do not look at the contents of your databases except when (i) you ask us to (support), (ii) we are legally compelled, or (iii) we are investigating an abuse report or platform wide security incident.

d. Technical and operational data

Standard server logs: timestamp, request path, response status, response time, IP address, user agent, error stack traces. Used to keep the platform running and to debug failures. Logs are kept in CloudWatch for 30 days, then auto expire.

e. Cookies

Two cookies. One is the session cookie that signs you in after login. It is HttpOnly, SameSite=Lax, and Secure in production. The other is a CSRF protection token. We do not set advertising cookies and we do not embed third party trackers in the dashboard.

3. How we use what we collect

To run the platform: signing you in, processing payments, deploying your apps, sending operational emails (password reset, billing receipts, deploy notifications). To investigate abuse, fraud, or security incidents. To improve the product in aggregate, never tied back to your account in a way that lets us read your app data.

We do not sell or rent personal information. We do not run advertising on the dashboard. We do not use your app data or messages to train AI models.

4. Who else processes your data

These third parties process some of your data on our behalf. Their privacy policies apply to the bits of data they touch.

ProviderWhat they handleWhy
Amazon Web Services (us-east-1)EC2 compute, S3 backups, CloudWatch logs, SNS alertsHosting infrastructure
StripePayment card data, billing emailPayment processing
CloudflareDNS, edge routing, SSL termination for some custom domainsNetwork layer
AnthropicYour messages to Claude, when you connect Claude as a builder via MCPOptional. Your Anthropic account, your terms with them
Resend, Postmark, Twilio, or your own SMTPTransactional email and SMS contents you wire into your own appsOnly when you provide your own keys

5. Where your data lives

Your account, billing, app databases, and backups all live in AWS us-east-1 (Northern Virginia, USA). Backups are encrypted at rest in S3. If you are outside the United States, by using the Service you understand that your data is transferred to and processed in the U.S.

6. How long we keep it

  • Live app data: as long as your account is active.
  • Daily SQLite backups: retained on a rolling 20 snapshot window in S3.
  • CloudWatch server logs: 30 days, then auto expire.
  • Account and billing records: retained as long as required by tax and audit law (typically 7 years for billing).
  • After account closure: app data deleted within 30 days, except where law requires longer retention.

7. Your rights

You have the right to access, export, correct, or delete your personal information.

  • Export: the dashboard's /dashboard shows your apps. Each app exposes GET /api/_my-data to export the data for the logged-in user as JSON.
  • Delete: close your account from the billing portal, or email [email protected] with a deletion request. We confirm receipt within 3 business days and complete the deletion within 30 days, minus anything we are legally required to keep.
  • Correction: email is your account identity. If you need to change it, contact support and we will migrate the record.
  • GDPR, UK GDPR, CCPA: if you are in the EEA, UK, or California, you also have the right to object to processing, request a portable export, and lodge a complaint with your local data protection authority. We are the controller for platform data. You are the controller for end-user data inside apps you build.

8. Security

The platform runs HSTS, CSP, and strict cookie flags on every page. Passwords are bcrypt hashed with per user salts. Per app environment variables are encrypted at rest with AES-256-GCM. All Stripe webhooks are HMAC verified. Every CRUD mutation through the framework is parameterized to prevent SQL injection. No system is bulletproof. If you find a vulnerability, please tell us at [email protected] and we will respond within 72 hours.

9. Children

The Service is not for children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.

10. Changes to this policy

If we make material changes to this policy we will email the address on your account and post a banner on the dashboard at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Privacy questions or requests: [email protected]. Security disclosures: [email protected].