Privacy Policy

Specsight (“we”, “us”, “our”) is a product operated by Ola Piętka, a sole proprietorship (jednoosobowa działalność gospodarcza) registered in Poland.

• Business name: Ola Piętka
• Address: ul. Zawodzie 20, 80-726 Gdańsk, Poland
• NIP: 5833430945
• REGON: 389087991
• Contact: ola@specsight.app

We are the data controller for the personal data processed through Specsight. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data.

By creating an account or using Specsight, you agree to the collection and use of information as described in this policy.

1. Data we collect

1.1 Account information

When you sign up, we collect:

• Full name and email address
• Password (hashed; we never store or see your plaintext password)
• Google profile data (name, email, avatar) if you sign in with Google OAuth

1.2 Organisation and project data

When you create or join an organisation, we store:

• Organisation name, URL slug, and membership/role information
• Project names and configuration (repository, branch, context description)
• Features, scenarios, annotations, and changelog entries you create or that Specsight generates

1.3 Source code (transient)

When you connect a GitHub repository and trigger an analysis, Specsight temporarily clones your entire repository into a secure, ephemeral environment. An AI agent then reads, searches, and analyses files within that clone to generate specifications. We do not permanently store your source code. The clone is deleted immediately after the analysis completes. Only the extracted specifications (features and scenarios) are persisted.

During merge-triggered syncs, code diffs between commits are also sent to Specsight for analysis. These diffs are processed in memory and are not stored.

1.4 GitHub integration data

When you install the Specsight GitHub App, we store a GitHub App installation identifier that grants access to the repositories you explicitly authorise. We also receive webhook events (e.g., push events containing repository name, branch, and commit hashes) to trigger automatic syncs. We do not store commit messages or file contents from webhooks.

1.5 Payment data

Payments are processed by Stripe. We do not see or store your credit card number. We store only the Stripe customer ID, subscription ID, plan type, and billing period dates in our database so we can manage your subscription. Stripe handles all payment card data under their own Privacy Policy.

1.6 Usage and analytics data

We collect first-party usage data to operate and improve Specsight. This includes AI token usage per organisation (model, input/output token counts, cost, duration), and event logs (e.g., scan started, sync triggered, webhook received). This data is linked to your organisation and is pseudonymised, not anonymised. We do not use third-party advertising or analytics trackers.

1.7 Bring-your-own-key (BYOK)

Paid plans may allow you to provide your own Anthropic API key. If you do, your key is encrypted and stored in Supabase Vault (a dedicated secrets manager). It is only decrypted at the moment of use to make API calls on your behalf. We do not log or expose your key. You can delete your stored key at any time through your organisation settings.

2. Legal basis for processing

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

• Contractual necessity (Art. 6(1)(b)) — processing your account data, source code (transiently), and organisation data is necessary to provide the Specsight service you signed up for.
• Legitimate interest (Art. 6(1)(f)) — collecting usage analytics and event logs to maintain, secure, and improve the service; and sending occasional service announcements about Specsight to people who have created an account (see §3a). Our interest is balanced against your rights by limiting data collection to what is necessary, not sharing it with third parties for their own purposes, and offering one-click unsubscribe in every email.
• Consent (Art. 6(1)(a)) — sending non-essential transactional notification emails (scan complete, sync complete, report ready), and adding you to Specsight’s newsletter when you actively opt in (see §3a). You can withdraw consent at any time in your notification settings or via the unsubscribe link in any marketing email.
• Legal obligation (Art. 6(1)(c)) — retaining billing records as required by Polish tax law.

3. How we use your data

• Provide the service: Analyse your codebase, generate and maintain product specifications, and deliver them through the Specsight dashboard.
• Authenticate you: Verify your identity and manage access to your organisation’s data.
• Process payments: Manage subscriptions, enforce plan limits, and handle billing through Stripe.
• Send transactional notifications: Email you about scan completions, sync updates, report generation, and team invitations — delivered via Resend (see §4). You can opt out of non-essential transactional emails in your in-app notification settings. Marketing and lifecycle emails are covered separately in §3a.
• Improve Specsight: Use aggregated usage data to improve Specsight's analysis accuracy, performance, and user experience.
• Respond to support requests: Use your account information to help you when you contact us.

3a. Marketing communications and lead-magnet data

We send two categories of email outside the transactional product flow:

• Service announcements (auto-subscribed). When you create a Specsight account, we may send you occasional product updates — new features, important changes, and release notes. These are directly related to the service you signed up for. Lawful basis: legitimate interest under GDPR Art. 6(1)(f), balanced against your right to unsubscribe at any time via the link in every email.
• Newsletter and broader insights (explicit opt-in). We add you to Specsight’s newsletter only when you actively opt in by: ticking the “Send me Specsight’s newsletter” checkbox on the signup page; submitting your email through the newsletter form in the site footer or at the foot of blog posts; or ticking the marketing opt-in checkbox on our cost-of-drift calculator at specsight.app/cost-of-doc-drift. Lawful basis: explicit consent under GDPR Art. 6(1)(a).

You can withdraw consent or unsubscribe from either category at any time using the one-click link in every marketing email, or by emailing ola@specsight.app. Withdrawal does not affect the lawfulness of processing before withdrawal. When you unsubscribe, our email processor (Loops — see §4) adds you to its persistent suppression list so we cannot accidentally resubscribe you on a later signup.

Marketing emails are delivered by Loops (see §4 for processor details). When you delete your Specsight account, your Loops contact is removed within 24 hours as part of the account-deletion flow.

If you submit the calculator without opting in to marketing emails, we use your email address solely to deliver the calculator’s report (transactional, Art. 6(1)(b) — performance of a service you initiated). We retain the calculator submission record (your inputs and computed results) for 24 months so you can re-access your personalised report URL; you can request earlier deletion via ola@specsight.app.

4. Data sharing and sub-processors

We do not sell your personal data. We share data only with the following third-party services, strictly to operate Specsight:

• Supabase (Supabase Inc., USA) — Database hosting, authentication, real-time subscriptions, and encrypted secrets storage (Vault)
• Anthropic (Anthropic PBC, USA) — AI-powered code analysis and text generation. Your source code is sent to the Claude API during analysis and is subject to Anthropic’s Privacy Policy. Anthropic does not use API inputs to train their models.
• GitHub (Microsoft, USA) — Repository access and webhook delivery via the Specsight GitHub App
• Stripe (Stripe Inc., USA) — Payment processing and subscription management. Subject to Stripe’s Privacy Policy.
• Vercel (Vercel Inc., USA) — Application hosting and serverless compute
• Trigger.dev (Trigger.dev Ltd., UK) — Background job orchestration for scans and syncs
• Resend (Resend Inc., USA) — Transactional email delivery
• Loops (Loops Right Inc., USA) — Marketing and lifecycle email delivery, mailing-list subscription management, and hosted unsubscribe. We send your email address, full name, signup source, and mailing-list membership state. Subject to Loops’ Privacy Policy.

5. International data transfers

Specsight is operated from Poland (EU). Most of our sub-processors are based in the United States. Personal data transferred outside the European Economic Area (EEA) is protected by:

• The EU–US Data Privacy Framework, where the sub-processor is certified, or
• Standard Contractual Clauses (SCCs) approved by the European Commission

If you have questions about the specific safeguards applied to a particular sub-processor, contact us at ola@specsight.app.

6. Data security

We take the security of your data seriously:

• All data in transit is encrypted via TLS/HTTPS
• Database access is protected by Row-Level Security (RLS) policies — users can only access data belonging to their organisation
• BYOK API keys are encrypted at rest in Supabase Vault, a dedicated secrets manager
• Webhook payloads are verified using HMAC SHA-256 signatures with timing-safe comparison
• Authentication endpoints are rate-limited to prevent abuse
• Passwords are hashed using industry-standard algorithms managed by Supabase Auth
• Source code is cloned to temporary directories with restricted access and deleted immediately after analysis

7. Data retention

• Account data is retained for as long as your account is active.
• Source code is never stored permanently — it is cloned into an ephemeral environment and deleted immediately after analysis.
• Specifications (features, scenarios, changelogs) are retained until you delete them or delete your project/organisation.
• AI usage logs and analytics events are retained for as long as your organisation exists, for billing and service improvement purposes.
• Billing records are retained as required by Polish tax law (currently 5 years from the end of the tax year).
• Marketing contacts (Loops) are retained until you unsubscribe or delete your Specsight account. Account deletion removes the Loops contact within 24 hours. Unsubscribing places you on Loops’ persistent suppression list so you are not accidentally resubscribed.
• Deleted accounts: When you delete your account, we remove your personal data within 30 days. Organisation data is retained as long as other members remain.

8. Your rights

Under the GDPR and applicable Polish data protection law, you have the right to:

• Access your personal data and receive a copy
• Rectify inaccurate or incomplete data
• Erase your account and associated personal data (“right to be forgotten”)
• Export your data in a portable, machine-readable format
• Restrict processing in certain circumstances
• Object to processing based on legitimate interest
• Withdraw consent at any time for consent-based processing (e.g., notification emails), without affecting the lawfulness of processing before withdrawal

You can manage most of these directly in your Specsight account settings. For any requests you cannot fulfil through the app, contact us at ola@specsight.app. We will respond within 30 days.

You also have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

9. Cookies

Specsight uses only essential cookies required for the service to function. We do not use advertising, analytics, or third-party tracking cookies. The cookies we set are:

• Supabase auth cookies — Authentication session tokens (access and refresh tokens). HttpOnly, Secure, SameSite=Lax.
• active_org_id — Remembers which organisation you last viewed, so we can redirect you on login. HttpOnly, Secure, SameSite=Lax. Expires after 1 year.
• pending_invite_token — Preserves an invitation link if you need to sign up or log in first. HttpOnly, Secure, SameSite=Lax. Expires after 24 hours.
• github_install_state — CSRF protection during GitHub App installation. Deleted immediately after use.

Because these are strictly necessary cookies, they do not require consent under the ePrivacy Directive.

10. Shared reports

Specsight allows you to generate share links for change reports. When you create a share link, the report becomes accessible to anyone with the link — they do not need a Specsight account. Share links can be revoked at any time by the organisation admin. Shared reports contain specification data (features, scenarios, changes) but never source code.

11. Children’s privacy

Specsight is a business tool and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

12. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (UODO) within 72 hours of becoming aware of the breach, as required by GDPR Art. 33
• Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34
• Document the breach, its effects, and the remedial actions taken

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice in the app at least 30 days before they take effect. Continued use of Specsight after changes take effect constitutes acceptance of the updated policy. The “Last updated” date at the top of this page reflects the most recent revision.

14. Contact

If you have questions about this Privacy Policy, how we handle your data, or wish to exercise your data protection rights, contact us at:

• Email: ola@specsight.app
• Contact form: specsight.app/contact
• Post: Ola Piętka, ul. Zawodzie 20, 80-726 Gdańsk, Poland