Privacy Policy

SpotBench (“SpotBench,” “we,” “us,” or “our”) is committed to protecting your privacy. This policy explains what information we collect, how we use it, with whom we share it, and your rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable law.

This policy applies to all users of getspotbench.com and our web application. By using our platform, you agree to the practices described in this policy.

Information you provide directly:

• Account information: full name, email address, mobile phone number.
• Authentication data: if you sign in with Google, we receive your name and email address from Google.
• Profile information: bio, location (city, ZIP code), hourly rate, years of experience, skills, languages, work photos.
• Licensing and credentials: CSLB license numbers, driver license classes, insurance information (self-reported).
• Provider Attestation: your typed signature and attestation timestamp, retained for AB5 compliance.
• Messages: content of messages you send to other users through the platform.
• Payment information: billing details are processed by Stripe. We do not store full card numbers or CVVs.

Information collected automatically:

• Log data: IP address, browser type and version, pages visited, time and date of access, referring URL, session duration.
• Device information: device type, operating system, screen resolution.
• Usage data: search queries, filters applied, profiles viewed, features used, click patterns.
• Cookies and similar tracking technologies: see Section 7 (Cookies) for full details.

Information from third parties:

• CSLB license data: sourced from publicly available California Contractors State License Board records at time of Provider verification.
• Google OAuth: when you choose to sign in with Google, we receive your name and email from Google's authentication service.

• To operate the platform: display your profile in search results, facilitate messaging between users, process payments, and provide customer support.
• To authenticate you: manage sign-in sessions, send one-time passcodes, and enable Google OAuth sign-in.
• To prevent fraud and abuse: detect duplicate accounts, apply rate limits, enforce our Terms of Service, and protect the integrity of the platform.
• To communicate with you: send transactional emails (account confirmation, OTP codes, billing receipts, platform notifications) via Resend. Marketing emails are sent only with your consent and include an unsubscribe link.
• To analyze and improve the product: with your consent, analyze usage patterns via PostHog to understand feature adoption and identify friction points.
• For advertising and marketing measurement: with your consent, we use Google Analytics and Meta Pixel to measure campaign performance and reach relevant audiences. See Section 7 for details and opt-out options.
• To comply with law: respond to lawful requests from government authorities, enforce our legal rights, and retain records as required by applicable law.

We do not use your information to train AI models, sell your data to data brokers, or share it with advertisers beyond the measurement purposes described above.

We share your information only in the following circumstances:

• With other platform users: your public profile (name, city, skills, rate, photos, availability) is visible to registered users. Your phone number is only revealed to users with an active paid subscription who explicitly request it. Your email is only revealed to paid subscribers.
• Service providers (data processors): we share data with vendors who help us operate the platform, each under a contractual obligation to protect your data: Supabase (database and authentication), Stripe (payment processing), Resend (email delivery), PostHog (product analytics, consent-gated), Sentry (error monitoring), Vercel (hosting and CDN), Upstash (rate limiting), Twilio (phone verification).
• Advertising platforms (consent-gated): only if you accept analytics and marketing cookies, we share limited event data with Google (Google Analytics 4) and Meta (Facebook/Instagram Pixel) for campaign measurement and audience targeting. This constitutes “sharing” of personal information under CPRA. You may opt out at any time — see Section 8.
• Legal requirements: we may disclose information if required by law, valid court order, or subpoena, or to protect the rights and safety of our users or the public.
• Business transfers: in the event of a merger, acquisition, or asset sale, user information may be transferred as a business asset. We will notify you via email at least 30 days before such transfer occurs and give you the option to delete your account.

We do not sell your personal information to third parties for monetary consideration.

• Active account data: retained for as long as your account is active.
• After account deletion: we retain minimal records for 30 days to handle disputes and chargebacks, then permanently delete all personal data within 90 days, except where retention is required by law.
• Billing records: retained for 7 years per IRS requirements.
• Message content: deleted within 90 days of account deletion.
• Provider Attestation records: retained for 7 years to demonstrate AB5 / CA Labor Code §2777 compliance.
• Log data (IP addresses, access logs): retained for 90 days.
• Data deletion requests: we will respond to and complete verified deletion requests within 45 days as required by CCPA/CPRA.

As a California resident, you have the following rights:

• Right to Know: request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you in the past 12 months.
• Right to Delete: request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal obligations).
• Right to Correct: request correction of inaccurate personal information we hold about you.
• Right to Opt-Out of Sale or Sharing: we do not sell personal information for money. However, sharing data with advertising platforms (Google, Meta) may constitute “sharing” under CPRA. You may opt out — see Section 8.
• Right to Limit Use of Sensitive Information: we collect sensitive information (phone numbers, precise location via ZIP code) only as necessary to operate the platform. We do not use it for advertising or profiling beyond platform operations.
• Right to Non-Discrimination: we will not deny service, charge different prices, or provide a different level of service because you exercised any of these rights.

To exercise any of these rights, email privacy@getspotbench.com or go to your account Settings → Data & Privacy. We will verify your identity and respond within 45 days. You may designate an authorized agent to submit requests on your behalf.

We use the following categories of cookies and tracking technologies:

• Strictly necessary (always active): session and authentication cookies set by Supabase to keep you signed in and secure your session. These cannot be disabled without breaking core platform functionality.
• Analytics cookies (consent required): PostHog collects anonymized usage data (pages visited, features used, click patterns) to help us understand and improve the product. Only activated after you accept analytics cookies.
• Marketing and advertising cookies (consent required): Google Analytics 4 (GA4) measures traffic sources and user behavior for marketing optimization. Meta Pixel measures ad campaign performance and enables custom audience targeting on Facebook and Instagram. Both are only activated after you accept marketing cookies.

Managing your preferences: when you first visit SpotBench, a cookie consent banner allows you to choose which categories to accept. You can change your preference at any time by clearing your browser's local storage for this site, which will re-display the consent banner on your next visit. You may also use browser-level settings to block or delete cookies.

Disabling strictly necessary cookies will prevent you from signing in and using the platform. Disabling analytics or marketing cookies has no effect on platform functionality.

Under the California Privacy Rights Act (CPRA), California residents have the right to opt out of the “sharing” of their personal information with third parties for cross-context behavioral advertising, even if no money changes hands.

SpotBench shares limited event data with Google Analytics 4 and Meta Pixel when you have accepted marketing cookies. This may constitute “sharing” under CPRA.

To opt out: click “Necessary only” on the cookie consent banner (shown on first visit), or clear your browser's local storage for getspotbench.com to reset your preferences and decline marketing cookies on the re-displayed banner. You may also contact us at privacy@getspotbench.com to request opt-out on your behalf.

Once you opt out, we will not re-activate marketing tracking without your explicit consent. Opting out does not affect your ability to use the platform.

We implement industry-standard safeguards: TLS encryption for all data in transit, AES-256 encryption at rest via Supabase, Row Level Security (RLS) policies ensuring each user can only access data they are authorized to see, and rate limiting on sensitive operations including authentication and contact reveal.

No method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security. In the event of a data breach that is reasonably likely to cause harm to affected individuals, we will notify you as required by California Civil Code §1798.82 in the most expedient time possible, and no later than 72 hours after discovery where feasible.

SpotBench is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If we discover that we have inadvertently collected personal information from a person under 18, we will delete it promptly and terminate the associated account. If you believe a minor has registered on our platform, please contact us at privacy@getspotbench.com.

The platform may contain links to third-party websites or services (for example, CSLB license verification at cslb.ca.gov). This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any external sites you visit.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notice at least 14 days before they take effect. Non-material clarifications may be made without notice. The effective date at the top of this page reflects the most recent revision.

SpotBench
Los Angeles, California
Privacy inquiries: privacy@getspotbench.com
Legal: legal@getspotbench.com