SpecGraph
Request access
§ Privacy

Privacy policy.

We treat your data the way we would want our own treated. Plain-English summary first; details below.

At a glance

  • We collect what we need to deliver the product, and nothing more.
  • We never sell your data.
  • We never use Customer Content to train foundation models.
  • You can export or delete your data on request.
  • We host primarily in the EU (Convex EU-West, Estonia).

1 · Data we collect

Account data. Name, work email, role, organisation. Used to authenticate you and operate your workspace.

Customer Content. Briefs, wishes, specs, uploaded documents, and conversation transcripts captured during the voice interview. Treated as confidential and never used for training.

Marketing-site submissions.The “Request access” and “Contact” forms on specgraph.dev capture your email and the message you send. The submission is stored in our admin inbox and triggers an internal notification email to hello@specgraph.dev.

Operational logs. IP, user-agent, basic request metadata. Retained for thirty days, used for security and abuse prevention.

2 · What we don't collect

  • No third-party advertising or analytics cookies.
  • No fingerprinting.
  • No tracking across other sites.

3 · Sub-processors

We rely on a short, audited list of providers:

  • Convex — primary database & functions (EU-West).
  • Resend — transactional & magic-link email.
  • Vercel — application hosting & static delivery.
  • Anthropic / OpenAI — model providers, only invoked on request, with zero-retention configurations where available.

A current list with regions and DPA links is available on request to hello@specgraph.dev.

4 · Your rights

Under GDPR you may access, correct, export, restrict, or delete your personal data, and object to processing. Email us and we will respond within thirty days.

5 · Retention

Customer Content is retained for the lifetime of your workspace plus a sixty-day grace period after termination. Operational logs are kept thirty days. Marketing-site submissions are retained until you ask us to delete them.

6 · Security

All transport is TLS 1.2+. Convex storage is encrypted at rest. Access to production is gated by SSO + 2FA and audit-logged. Customer Content is namespaced by workspace; queries are authorised at the function layer, not by trusting the client.

7 · Children

SpecGraph is not directed at children under sixteen and we do not knowingly collect their data.

8 · Changes

We will notify you by email at least fourteen days before material changes take effect. The current version is always available at specgraph.dev/privacy.

9 · Contact

Data Protection contact: hello@specgraph.dev. Postal: Specgraph OÜ, Tallinn, Estonia.