Privacy Policy

UNIVERSAL BENCH  |  LAST UPDATED: 25 MAY 2026

1. What we collect

Account data. When you sign up we collect your email address and a hashed password. We never store your password in plain text.

API key. We generate a unique API key (ubk_...) for you. This is the sole credential used to authenticate your requests.

Usage logs. Every tool call is logged with: timestamp, tool name, success or failure flag, execution duration, and your customer ID. We do not log the content of your code, search queries, or data you process.

Billing data. If you top up your wallet, Stripe processes your payment. We store your Stripe customer ID and wallet balance. We never see or store your card number.

Secrets vault. Credentials you store via the secrets vault are encrypted with AES-256-GCM before storage. We store only the encrypted ciphertext and the secret name. The plaintext value is never logged or accessible to our staff.

IP addresses. Your IP is recorded in usage logs for abuse prevention only.

Website visitor logs. When you visit universalbench.dev or any of its subpages, we record the request server side: timestamp, URL path, HTTP method, response status, your IP address, user agent string, referrer, and approximate geographic location (country, region, city) derived from your IP. This data is gathered from standard HTTP headers your browser already sends to any web server, no cookies or JavaScript trackers are used. These visitor logs are retained indefinitely.

2. What we do not collect

• The content of code you execute
• The content of web searches you run through the platform
• Data returned from your database queries
• Content of files you read or write
• Any data from third-party services you connect via vault credentials

3. How we use your data

• Service delivery. Account data and API keys authenticate requests and enforce your usage tier. Legal basis: contract (necessary to provide the service you signed up for).
• Billing. Usage logs count executions against your free tier and deduct from your wallet for paid calls. Legal basis: contract.
• Reliability and abuse prevention. Aggregate usage data, website visitor logs, and IP addresses help us detect abuse, identify scrapers and hostile bots, analyse traffic patterns over long time periods, plan capacity, and maintain a forensic record we can rely on if we ever need to defend the platform against security or legal threats. We do not sell this data or share it with advertisers. Legal basis: legitimate interest.
• Communication. We use your email for transactional messages only. No marketing without explicit opt-in. Legal basis: contract for transactional messages; consent for any marketing.
• Legal compliance. We retain certain billing records as required by applicable law. Legal basis: legal obligation.

4. Data sharing

We do not sell your data. We do not share it with advertisers. Limited sharing only with:

• Stripe for payment processing. Stripe's privacy policy applies to payment data.
• Supabase hosting our database in ap-southeast-2 (Sydney, Australia).
• Resend for transactional email delivery. Only your email address is shared.
• Legal requirement. We may disclose data if required by law.

5. Data retention

Account data is retained while your account is active. Platform usage logs (per-tool-call records of API customers) are retained for 12 months then deleted. Website visitor logs (server-side request records for visitors to universalbench.dev) are retained indefinitely, because identifying slow-developing abuse patterns and defending the platform against security or legal threats requires long historical context. If you delete your account, all account data is deleted within 30 days. Encrypted vault secrets are deleted immediately on account deletion.

6. Your rights

You have the right to access, correct, or delete your personal data, receive a portable copy, restrict or object to certain processing, and withdraw consent where processing is based on consent. Contact us at privacy@universalbench.dev to exercise any of these rights. We respond within 30 days.

Right to complain. If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority. EU and EEA residents may contact their national supervisory authority. Australian residents may contact the Office of the Australian Information Commissioner at oaic.gov.au.

California residents (CCPA). We do not sell your personal information. We do not share personal information with third parties in exchange for anything of value. California residents may contact privacy@universalbench.dev to confirm this, request disclosure of what personal information we hold, or request deletion.

7. Security

All data in transit uses HTTPS. Passwords are hashed with HMAC-SHA256 and a random salt. Vault secrets are encrypted with AES-256-GCM. No system is perfectly secure and we cannot guarantee absolute security.

8. Children

UniversalBench is not directed at children under 13. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

9. Changes

Material changes will be notified by email at least 14 days before taking effect. Continued use after a change constitutes acceptance.

11. Cookies

We use cookies only as necessary to operate the platform and remember your consent choice. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

You can withdraw or change your consent at any time by clearing the ub_consent cookie in your browser settings (DevTools, Application tab, Cookies) and refreshing the page. The consent banner will reappear and you can make a new choice.

10. Contact

Universal Bench is operated by Nikhil Gogulwar, trading as Universal Bench, Melbourne, Australia.
Email: privacy@universalbench.dev