SPEC-R
TermsDocs

Privacy Policy

Last updated: April 1, 2026

1. What we collect

We collect the minimum necessary to run the service: your email address and hashed password for authentication, the specification data you create (projects, specs, blocks), and usage metadata (timestamps, IP addresses for security). We do not collect personal data beyond what you provide.

2. Your AI keys

SPEC-R uses a Bring Your Own Key (BYOK) model. If you provide an Anthropic or OpenAI API key, it is encrypted at rest using AES-256. Your key is used solely to proxy AI generation requests on your behalf. We never store your prompts or the generated content of AI calls on our servers beyond what you explicitly save as spec blocks.

3. How we use your data

Your specification data is used exclusively to provide the service to you. We do not sell your data, share it with third parties for marketing purposes, or use it to train AI models. Aggregated, anonymized usage statistics may be used to improve the product.

4. Data storage

Data is stored in a PostgreSQL database hosted on Neon (serverless PostgreSQL). The database is located in the EU (France) by default. Application code runs on Vercel infrastructure. Both providers maintain SOC 2 compliance.

5. Cookies and tracking

We use a single session cookie for authentication. We do not use third-party tracking cookies, advertising pixels, or analytics that track you across sites. Basic server-side analytics (page views, error rates) do not involve client-side tracking scripts.

6. Public sharing

When you enable public sharing on a spec, that spec becomes accessible to anyone with the link. You control this setting. Disabling public sharing removes public access immediately. Client comments submitted via public links are stored and associated with your spec.

7. Your rights

You may request a full export of your data, correction of inaccurate data, or deletion of your account and all associated data at any time. To exercise these rights, email us at privacy@spec-r.com. Account deletion is permanent and irreversible.

8. Security

All data is transmitted over HTTPS/TLS. Passwords are hashed using bcrypt. API keys and LLM provider keys are encrypted at rest. We conduct periodic security reviews. If you discover a vulnerability, please disclose it responsibly to security@spec-r.com.

9. Changes to this policy

We will notify registered users by email of material changes to this policy. Continued use of the service after changes constitutes acceptance.

10. Contact

Questions about this policy: privacy@spec-r.com