BenchMark'd ("we," "us," or "our") operates the website at benchmarkd.space (the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have regarding your data.
BenchMark'd is an independently operated project by Berkay, not a registered company. By using the Service, you agree to the collection and use of information in accordance with this policy.
2.1 Information You Provide Directly
When you create an account or use the Service, you may provide:
- Account information: email address, username, display name, password (hashed, if using email/password authentication)
- Profile information: biography, avatar image
- Content you create: reviews, ratings, comments, discussion threads and replies, curated lists, model requests
- Uploaded files: images attached to reviews, comments, or your profile (limited to 4 MB per file)
2.2 Information from Third-Party Authentication
If you sign in with GitHub, Google, or Discord, the OAuth provider shares limited profile information with us, typically:
- Your name or display name
- Your email address
- Your profile picture URL
- A unique account identifier from the provider
We do not receive your password from any OAuth provider, and we do not request access to your repositories, contacts, or other private data.
2.3 Information Collected Automatically
When you visit or use the Service, we may automatically collect:
- IP address: used for rate limiting and abuse prevention (not stored permanently)
- Browser and device information: user agent string, screen resolution, operating system (if Vercel Analytics is enabled)
- Usage data: pages visited, features used, and timestamps of activity
We use the information we collect to:
- Provide and operate the Service: display your profile, publish your reviews and comments, show your lists and activity to other users
- Authenticate your identity: verify your account through email/password or OAuth providers
- Moderate content: check user-generated text against our content policy using automated moderation tools (see Section 5)
- Prevent abuse: rate-limit requests, detect spam, enforce bans, and protect against unauthorized access
- Send notifications: inform you about activity related to your content (e.g., replies to your reviews, votes on your requests)
- Improve the Service: understand usage patterns and fix issues
We do not use your data for advertising. We do not sell your personal information to third parties.
We use a minimal set of cookies, strictly for functionality:
- Authentication cookie: an encrypted JSON Web Token (JWT) session cookie set by NextAuth.js. This cookie is HttpOnly, so it cannot be read by JavaScript, and SameSite=Lax, so it is only sent in first-party contexts. It keeps you signed in across page visits.
- CSRF token cookie: a NextAuth.js security cookie used to prevent cross-site request forgery attacks.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. If Vercel Analytics is enabled, it collects anonymous, aggregated page-view data without setting cookies.
To operate the Service, we rely on the following third-party providers. Each processes only the minimum data necessary for its function:
5.1 Hosting and Infrastructure
- Vercel (San Francisco, USA) -- hosts the application and serves web pages. Vercel processes your HTTP requests, including IP address and browser headers. Vercel Privacy Policy
- Neon (EU region) -- managed PostgreSQL database that stores all account data, reviews, comments, and other content. Neon Privacy Policy
5.2 Authentication
- GitHub -- if you sign in with GitHub, we receive your name, email, and avatar URL via their OAuth API. GitHub Privacy Statement
- Google -- if you sign in with Google, we receive your name, email, and profile picture via their OAuth API. Google Privacy Policy
- Discord -- if you sign in with Discord, we receive your username, email, and avatar via their OAuth API. Discord Privacy Policy
5.3 File Uploads
- UploadThing -- handles image uploads for reviews, comments, and avatars. Uploaded files are stored on UploadThing's infrastructure. UploadThing Privacy Policy
5.4 Content Moderation
- OpenAI -- user-generated text (reviews, comments, discussion posts, list descriptions, profile bios) is sent to OpenAI's Moderation API to check for policy violations. We use the omni-moderation-latest model. OpenAI processes this text solely for moderation and does not use it to train their models. OpenAI Privacy Policy
5.5 Analytics
- Vercel Analytics (if enabled) -- collects anonymous, aggregated page-view and performance data. No cookies, no personal identifiers. Vercel Analytics Privacy
We retain your personal information for as long as your account is active or as needed to provide the Service.
- Account data: retained until you delete your account
- Content (reviews, comments, discussions): retained until you delete the specific content or your account
- Uploaded images: retained on UploadThing until the associated content is deleted
- IP addresses: used in-memory for rate limiting and not persisted to the database
- Moderation logs: retained for platform integrity and abuse prevention purposes
You may request deletion of your account at any time by contacting us (see Section 12). When your account is deleted:
- Your profile information (username, display name, bio, avatar) is removed
- Your reviews, comments, and discussion posts are deleted
- Your lists, follows, likes, and watchlist entries are removed
- Your uploaded images are queued for deletion from UploadThing
- Your OAuth account links are severed
Some information may be retained in database backups for a limited period (up to 30 days) before being permanently purged. Anonymized, aggregated data (e.g., total review counts) may persist.
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you
- Correction: update or correct inaccurate information via your profile settings or by contacting us
- Deletion: request that we delete your account and associated data
- Data portability: request an export of your data in a machine-readable format
- Objection: object to certain types of processing
To exercise any of these rights, contact us at the address listed in Section 12. We will respond to requests within 30 days.
The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us.
Your information may be transferred to and processed in countries other than your country of residence. Our database is hosted in the EU (Neon), while our application hosting (Vercel) and content moderation (OpenAI) are based in the United States.
By using the Service, you consent to the transfer of your data to these locations. We rely on the service providers' own data protection measures and, where applicable, Standard Contractual Clauses for EU-to-US transfers.
We take reasonable measures to protect your personal information:
- Passwords are hashed using bcrypt before storage
- Sessions use encrypted, HttpOnly JWT cookies
- All connections use HTTPS with HSTS, CSP, and other security headers
- API endpoints are rate-limited to prevent abuse
- User input is sanitized to prevent XSS and injection attacks
- Admin actions are logged for audit purposes
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, you can reach us at:
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. If the changes are significant, we may also notify registered users via an in-app notification.
Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.