Specor

Privacy Policy

Last updated: May 23, 2026

1. Data Controller

Specor ("we", "our", "us") is the controller of the personal data you provide when using this platform. For questions about this policy or to exercise your rights, contact us at privacy@specor.ai.


2. Personal Data We Collect

We collect only what is necessary to provide the service:

| Data | Purpose | Basis (GDPR Art. 6) |
| --- | --- | --- |
| Email address | Account authentication and identification | Performance of contract (Art. 6(1)(b)) |
| Full name (optional) | Display name within workspaces | Performance of contract (Art. 6(1)(b)) |
| Hashed password | Secure account access | Performance of contract (Art. 6(1)(b)) |
| IP address & user agent | Security audit logging and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Workspace content | Core product graph functionality | Performance of contract (Art. 6(1)(b)) |
| Real-time presence data | Collaborative editing features | Performance of contract (Art. 6(1)(b)) |
| Contact / walkthrough request (name, email, company, role) | Responding to product demo requests from the landing page | Legitimate interests (Art. 6(1)(f)) — pre-sales contact |

We do not collect financial data, location data, biometric data, or any special-category data under GDPR Article 9.


3. How We Use Your Data

  • To create and manage your account.
  • To provide workspace collaboration and product graph features.
  • To process AI-assisted suggestions when you invoke the AI features (your content is sent to our AI sub-processor — see §5).
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations.

4. Data Retention

  • Account data — retained for the lifetime of your account. Upon account deletion, all personal data (email address, display name, password hash, OAuth links) is immediately and irreversibly anonymised. The anonymised record is kept solely to preserve referential integrity for activity history; it contains no information that can identify you.
  • Workspace content — retained for the lifetime of the workspace (nodes, branches, commits, AI chat history). When a workspace is deleted, all content is permanently removed within 30 days.
  • Security audit logs (IP address, user agent, action) — retained for a maximum of 2 years (730 days), then automatically purged in nightly batches.
  • Contact / walkthrough requests — name, email, company, and role submitted via the demo request form are permanently deleted after 90 days.
  • Session tokens — expire within 30 days and are purged from our database within 30 days of expiry.
  • Real-time presence — held in memory only; automatically expires within 60 seconds of inactivity.

5. Third-Party Data Processors

We use the following sub-processors. Data Processing Agreements (DPAs) are in place with each:

| Processor | Purpose | Data Transferred |
| --- | --- | --- |
| OpenAI, L.L.C. (USA) | AI-powered node and graph suggestions | Workspace node content and AI chat messages |
| Stripe, Inc. (USA) | Payment processing and billing management | Organisation name; no payment card data touches our servers |
| Pydantic / Logfire (USA) | Application observability and error tracing | Anonymised request metadata and error traces |
| Google LLC (USA) — Analytics | Page-view analytics to understand product usage (only after analytics consent) | Pseudonymous page paths and session durations; no personally identifiable content |
| Microsoft Corporation (USA) — Clarity | Session replays and heatmaps to improve UX (only after analytics consent) | Masked session recordings; all input fields are masked before transmission |

Transfers to the USA are governed by the EU–US Data Privacy Framework and Standard Contractual Clauses where applicable.


6. Your Rights

Under GDPR and LGPD you have the following rights regarding your personal data:

  • Access (Art. 15 / LGPD Art. 18(I–II)) — You may request a copy of all personal data we hold about you from your Account settings.
  • Rectification (Art. 16 / LGPD Art. 18(III)) — You may update your name at any time in Account → Profile. Contact us to change your email address.
  • Erasure (Art. 17 / LGPD Art. 18(VI)) — You may permanently delete your account and all associated data from Account → Danger Zone.
  • Portability (Art. 20 / LGPD Art. 18(V)) — You may export your workspace data in JSON format from the Import / Export page.
  • Restriction of processing (Art. 18) — Contact us to request restriction of processing.
  • Objection (Art. 21 / LGPD Art. 18(II)) — You may object to processing based on legitimate interests by contacting us.
  • Withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any right, email privacy@specor.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., your EU member-state DPA, or the ANPD in Brazil).


7. Security

We protect your data using bcrypt password hashing (12 rounds), TLS encryption in transit, HttpOnly and Secure session cookies, AES-256 infrastructure-level encryption at rest (database volumes and backups), PostgreSQL Row-Level Security, immutable append-only audit logs, rate limiting on authentication endpoints, and regular security audits.


8. Cookies

We use a single strictly necessary cookie. Optional analytics cookies are set only after you grant consent:

| Cookie | Purpose | Category | Expiry |
| --- | --- | --- | --- |
| refresh_token | Keeps you logged in between sessions (HttpOnly, Secure, SameSite=Strict) | Essential | 30 days |
| _clsk, _clck, CLID | Microsoft Clarity — session replay and heatmap analytics. Only set after you grant analytics consent. | Analytics (optional) | 1 day – 1 year |

We do not use advertising or third-party tracking cookies. Analytics cookies (Microsoft Clarity) are only loaded after you grant consent via the cookie banner. You can change your preference at any time by clearing site data in your browser or contacting us at privacy@specor.ai.


9. Changes to This Policy

Material changes will be notified via the in-app notification system at least 30 days before taking effect. Continued use after that date constitutes acceptance of the updated policy.


10. Data Breach Notification

In the event of a personal data breach we will, where feasible, notify the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Article 33 / LGPD Article 48). Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay by email (GDPR Article 34). To report a suspected security incident, contact security@specor.ai.


11. Withdrawing Consent

Where processing is based on consent (marketing emails, analytics cookies), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal:

  • Analytics cookies — click Manage in the cookie banner at the bottom of any page, or clear site data in your browser.
  • Marketing communications — use the unsubscribe link in any marketing email or contact privacy@specor.ai.