Apr 4, 2026

Privacy policy

How we collect, use, and protect personal data when you use Benito.

Privacy policy

Last updated: 4 April 2026

This Privacy Policy describes how the data controller identified below (“we”, “us”, “our”) processes personal data when you use Benito and related services (the “Services”), including the marketing site and authenticated application at https://benito-digital.com where applicable.

We process personal data in accordance with applicable law, including the EU General Data Protection Regulation (GDPR) where it applies.

1. Data controller

Operator: set BENITO_LEGAL_ENTITY_NAME and address fields in your environment (see config/benito.php, legal).

Privacy requests: privacy@your-domain (set BENITO_LEGAL_EMAIL_PRIVACY)
General inquiries: hello@your-domain (set BENITO_LEGAL_EMAIL_GENERAL)

2. What data we collect

Depending on how you use the Services, we may process:

Account and profile data — name, email address, password (stored in hashed form), organization membership, roles where applicable, and preferences you set in the product.
Authentication data — if you sign in with Google or other providers we enable, we receive information from that provider as permitted by your settings (typically name, email address, and an identifier).
Service usage and technical data — feature usage, timestamps, request and security logs, device/browser metadata, and similar data needed to operate and protect the platform.
Configuration and content you submit — data task definitions, connection settings (including credentials stored with appropriate protection), prompts or parameters you supply for optional features (for example AI-assisted tagging where enabled), uploaded files, and exports you generate.
Payment data — payments may be processed by our payment provider (e.g. Stripe). We do not receive your full card number. We may receive billing-related metadata such as subscription status, invoice identifiers, last four digits if shown by the provider, and transaction references.
Marketing and communications — if you subscribe to updates, we process your email address and preferences. Third-party tools we use for email may process data on our behalf under their terms.
Support and correspondence — messages you send us, including email content and metadata.
Cookies and similar technologies — as described in our Cookie policy.

3. Why we use your data (legal bases under GDPR)

We rely on:

Contract — providing the Services you signed up for (accounts, authentication, data tasks, billing, support).
Legitimate interests — where applicable and not overridden by your rights: securing the Services, fraud and abuse prevention, reliability, basic product analytics, and internal reporting.
Consent — where required (for example certain non-essential cookies or marketing, where we ask for consent).
Legal obligation — such as tax and accounting, and responding to lawful requests.

4. Processors, integrations, and optional AI

To deliver the Services we use infrastructure providers (hosting, email, queues) and payment processors. When you configure integrations (for example advertising libraries, Apify, OpenAI connections for optional AI features, or data warehouses), your organization’s instructions may cause personal data or business data contained in task inputs/outputs to be sent to those third parties. Those providers process data under their terms and your configuration.

Where optional AI features are enabled, inputs you provide may be transmitted to the model provider you select (for example OpenAI) to generate outputs. Review your organization’s policies before enabling such features.

5. How long we keep data

We retain personal data only as long as necessary for the purposes above, unless a longer period is required by law. Retention depends on account lifetime, billing and tax rules, backups, security investigations, and product functionality (for example run history).

6. Who we share data with

We may share personal data with hosting and infrastructure providers, payment processors, authentication providers (limited to sign-in), email or marketing tools if you subscribe, professional advisers where necessary, model/API providers when you use those features, and authorities when required by law or to protect rights and security. Where GDPR processors are used, we aim to put appropriate agreements in place.

7. International transfers

If personal data is transferred outside the European Economic Area, we implement appropriate safeguards such as Standard Contractual Clauses or other mechanisms permitted by law, unless an adequacy decision applies.

8. Security

We implement technical and organizational measures designed to protect personal data. No method of transmission or storage is completely secure; use strong passwords and protect your credentials.

9. Your rights (GDPR)

Where applicable you may have the right to access, rectify, erase, restrict, object, data portability, withdraw consent, and lodge a complaint with a supervisory authority. In the Czech Republic, the Office for Personal Data Protection (ÚOOÚ). Contact: privacy@your-domain (set BENITO_LEGAL_EMAIL_PRIVACY).

10. Children

The Services are not directed to children under 16, and we do not knowingly collect their personal data.

11. Automated decision-making

We do not use purely automated decision-making that produces legal or similarly significant effects solely by automated means as part of core account administration.

12. Changes

We may update this Privacy Policy. We will post the updated version and adjust the “Last updated” date.