
Our Mission & Safety Guidelines

Unused benefits shouldn't go to waste. We connect people to share surplus perks anonymously, securely, and responsibly.

🎯 Our Core Values

🌟 Share Generously

Turn your unused corporate perks into someone else's amazing day instead of letting them expire.

🔒 Stay Private

Your details are protected. We strip metadata and enforce backend security policies to shield your identity.

💜 Build Community

Connect with local peers to safely swap credits, codes, passes, and stipends in a trusted space.

✅ Do It Right

Only trade benefits you are authorized to share, and respect guidelines to keep the marketplace safe.

🛡️ "How I Would Do It If I Did It" (Safety Guide)

"If I were an employee looking to share my unused benefits without alerting my employer or violating IT policies, here is exactly how I would handle it to protect my job:"

1. Never Use Work Devices or Office Networks

Do not access BenefitsFromBenefits from your work computer, corporate phone, office Wi-Fi, or company VPN. Company networks keep detailed traffic logs. Always use a personal laptop or phone connected to your home network or cellular data.

2. Sanitize Listings & Image Uploads

When posting descriptions or pictures, never share serial numbers, exact expiration times, order receipt IDs, department names, or company sub-divisions. Keep details generalized. Share private codes or barcodes only inside our encrypted private chat after matching.

3. Treat Digital Goods Like Physical Transactions

For high-value digital benefit transfers (such as subscription additions, gym group passes, or software license keys), do not trade blindly online. Treat it like a physical trade: meet the buyer at a local coffee shop, activate their access or hand over the code in front of them, verify it works on their device, and collect cash or digital payment instantly. This prevents online scams where a buyer claims a code didn't work.

4. Choose a Random Display Name

When creating your account, choose a completely random display name that has zero connection to your real name, birthday, online handles, or Slack username. Your display name is the only profile field visible to other users.

5. Arrange Safe Physical Hand-offs

If you are handing over a physical perk (like corporate event swag, passes, or vouchers), meet in a neutral, highly public space. Standard online safety rules apply.

6. Proxy Listing for Extra Corporate Security

For absolute tracking protection, share the benefit as normal with a trusted friend who does not work at your company, and let your friend list, chat, and trade it on their account. Because they have zero connection to your employer, there is no footprint linking back to you.

7. Share with a Friend and Let Your Friend Trade for Additional Corporate Security

Share the benefit with a friend as normal, and let your friend trade it on their own account. Because your friend has no professional connection to your employer, this introduces a proxy layer that eliminates any digital or physical trace linking back to your job.

8. Utilize Public Safe Swap Zones

For any physical trade meetups, prioritize designated safe swap zones established by local communities or police departments (such as well-lit municipal parking lots). Alternatively, meet inside highly visible, active locations like a public library or busy coffee shop. Never invite buyers/sellers to your home or office.

❓ Questions & Answers

Is it legal to share my employee perks?

Yes. Corporate perks are generally part of your overall compensation package, and sharing guest slots, referral links, or physical swag is standard. However, some companies have policies regarding listing software deals or selling corporate accounts. Always review your acceptable use policies, keep trades inside authorized bounds, and use discretion.

How does anonymity work on this platform?

By default, other users only see your random display name and active listings. Your actual sign-in email address is hidden from the public database and is never exposed in chats or listing details. Communications are handled securely in-app without revealing personal contact information.

Technical Privacy

How is my email protected in the database?

Our database architecture enforces strict isolation. Your email address is stored exclusively within Supabase Auth's protected internal tables (auth.users), which cannot be queried or read by client-side APIs. The public database table (profiles) only stores your anonymous display name and location preferences (city and state), meaning there is no way for third-party scripts to connect your username to your email.

Technical Privacy

Are my direct messages private?

Yes. We implement strict PostgreSQL Row Level Security (RLS) policies on our database. When you chat with a buyer or seller, the database rejects any query that doesn't match the active user's UUID (matching either the sender or receiver of the message). This ensures your chats are strictly unreadable by anyone else, including public queries or web scanners.

Technical Privacy

Are my uploaded photos safe?

Yes. When you select or drop photos to upload for your listings, our client-side JavaScript automatically draws the image onto an HTML5 <canvas> element to compress it. This canvas redraw process completely strips out all EXIF metadata (including GPS coordinates, location tags, date/time stamps, and camera identifiers) before the file is uploaded to our storage buckets, keeping your uploads anonymous.
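
A way to check the claim above on an actual file, as an added example that is not the platform's own code: the function walks the JPEG marker segments and reports any APP1 block that starts with the `Exif\0\0` identifier. The names `findExifSegments`, `segment` and `ascii`, and the two sample byte arrays, are constructed for illustration.

```javascript
// Added example: scan a JPEG byte stream for Exif (APP1) metadata segments.
// Function names and sample bytes are constructed for illustration.
function findExifSegments(bytes) {
  if (bytes.length < 4 || bytes[0] !== 0xff || bytes[1] !== 0xd8) {
    throw new Error("not a JPEG: missing SOI marker");
  }
  const found = [];
  let i = 2;
  while (i + 4 <= bytes.length) {
    if (bytes[i] !== 0xff) throw new Error("corrupt segment at offset " + i);
    const marker = bytes[i + 1];
    // 0xFF fill bytes may pad the gap before a marker.
    if (marker === 0xff) { i += 1; continue; }
    // SOS or EOI: header segments are over, compressed image data follows.
    if (marker === 0xda || marker === 0xd9) break;
    // Standalone markers carry no length field: TEM (0x01), RSTn (0xD0-0xD7).
    if (marker === 0x01 || (marker >= 0xd0 && marker <= 0xd7)) { i += 2; continue; }
    const length = (bytes[i + 2] << 8) | bytes[i + 3]; // counts its own 2 bytes
    if (length < 2 || i + 2 + length > bytes.length) {
      throw new Error("truncated segment at offset " + i);
    }
    // APP1 (0xE1) with the "Exif\0\0" identifier holds the EXIF/GPS TIFF block.
    if (marker === 0xe1 && length >= 8) {
      const id = String.fromCharCode(...bytes.slice(i + 4, i + 10));
      if (id === "Exif\0\0") found.push({ offset: i, length });
    }
    i += 2 + length;
  }
  return found;
}

// Constructed sample data: minimal header layouts, not decodable photos.
function segment(marker, payload) {
  const len = payload.length + 2;
  return [0xff, marker, len >> 8, len & 0xff, ...payload];
}
const ascii = (s) => Array.from(s, (c) => c.charCodeAt(0));
const SOI = [0xff, 0xd8], EOI = [0xff, 0xd9];
const jfif = segment(0xe0, ascii("JFIF\0\x01\x01\0\0\x01\0\x01\0\0"));
const exif = segment(0xe1, ascii("Exif\0\0" + "II*\0\x08\0\0\0"));
const sos = segment(0xda, [0x01, 0x01, 0x00, 0x00, 0x3f, 0x00]);

// Layout of a camera file (JFIF + Exif) versus a canvas re-encode (JFIF only).
const cameraOriginal = Uint8Array.from([...SOI, ...jfif, ...exif, ...sos, ...EOI]);
const canvasReencoded = Uint8Array.from([...SOI, ...jfif, ...sos, ...EOI]);
console.log(findExifSegments(cameraOriginal), findExifSegments(canvasReencoded));
```

In a browser, the same function can be run on `new Uint8Array(await blob.arrayBuffer())` for the blob returned by `canvas.toBlob` before it is uploaded. It covers JPEG only; PNG and WebP store metadata in different chunk formats.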

What if the benefit requires a corporate login?

Never share your primary corporate password or single sign-on (SSO) credentials. If a benefit cannot be transferred via an invite code, voucher link, family plan addition, or meeting in person, it is not safe to trade and should not be listed on the platform.

What should I do if a buyer or seller requests my real identity?

Never share your real name, phone number, LinkedIn profile, work Slack, or work email. If someone demands this information or behaves suspiciously, stop communicating immediately and report them using the "Report User" button in their profile or chat thread.

Technical Privacy

Does BenefitsFromBenefits log my IP address or track my location?

No. We do not store connection logs, browser user-agents, or IP addresses in any public database tables, and we do not load third-party location tracking scripts. The only location data stored is the city and state you explicitly select for your listings or set as search preferences in Settings, which is kept in the public profiles table.

How does the payment process work securely?

All transactions are negotiated directly between you and the buyer/seller. To ensure maximum security, we recommend completing transactions in person using cash, or using anonymous peer-to-peer payment options (such as cash vouchers or privacy cards) rather than payment methods linked to your real identity or payroll accounts.

What happens if a shared benefit is revoked or expires?

Listings on BenefitsFromBenefits automatically expire after a set period (e.g., 30 days) to prevent stale posts. If a benefit is revoked by your employer or expires, you should mark the listing as claimed or delete it immediately. Maintaining honesty about transfer limits and expiration dates keeps the community trusted.

Technical Privacy

How does the platform protect against Cross-Site Scripting (XSS) in listings and messages?

To prevent malicious script injection, our application enforces strict data sanitization and rejects raw HTML inputs. When rendering listing details, seller profiles, or direct chat messages, the client-side code utilizes standard DOM properties like textContent and performs safe template escaping instead of using innerHTML. This ensures that any user-submitted text is treated strictly as plain text, eliminating XSS vulnerabilities.

Technical Privacy

Can other users see my saved listings or search preferences?

No. Your saved listings (favorites) and account preferences are secured using PostgreSQL Row Level Security (RLS) policies. Only the authenticated user associated with the specific profile UUID can query or modify their own entries in the database. Any unauthorized attempts to access or scan another user's saved items will return zero results from the database.

Technical Privacy

Is the platform's codebase protected against database exploits?

Yes. All database communications are routed through Supabase PostgREST APIs, which inherently parameterize all queries to prevent SQL injection. Furthermore, we run regular schema validation checks and apply database constraints (such as foreign key cascades, non-null requirements, and range validations) to enforce database integrity and prevent unauthorized modifications.

How do I verify the authenticity of a corporate perk?

When matching with a seller, you can ask them to verify that the benefit is active by sending a cropped screenshot of the benefit's balance or expiration date in our private chat, ensuring no identifying corporate details are visible. For high-value digital items, we recommend meeting in person to verify the code is successfully applied to your device before finalizing the transaction.

Marketplace Insights

78% of employees say benefits packages are a major factor when deciding to accept or stay at a job.

— SHRM Employee Benefits Survey