Privacy Policy
- Introduction
This Privacy Policy explains how we process your personal data when you use Speclr. We process your data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection law.
Speclr is intended for use by individuals aged 16 or older. We do not knowingly collect personal data from persons under the age of 16.
- Responsible Entity
The data controller responsible for processing your personal data is:
Michael Flottmann
Heideweg 24
29574 Ebstorf
Germany
Email: privacy [at] speclr [dot] dev
A Data Protection Officer has not been appointed, as we do not meet the threshold requirements under Art. 37 GDPR.
- Data Collection and Storage
We collect and process the following categories of personal data:
- Account data (e.g. email address, authentication data via Clerk)
- Usage data (e.g. interactions with the application, feature usage, timestamps)
- IP address and device information
- Content you provide to the AI system (e.g. requirements, personas, user stories, comments), which may contain personal data
We process this data for the following purposes:
- To provide and maintain the Speclr platform
- To authenticate users (via Clerk)
- To operate backend logic and store user data (via Convex Cloud)
- To process AI requests and generate outputs
- To improve the platform and ensure stability
- To communicate with users regarding onboarding, updates and service information
Legal bases for processing include:
- Art. 6(1)(b) GDPR (performance of a contract)
- Art. 6(1)(f) GDPR (legitimate interests in operating and improving the service)
- Art. 6(1)(a) GDPR (consent for specific processing activities, such as certain AI use cases, where applicable)
We do not sell your personal data. We share data only with infrastructure and service providers that are necessary to operate Speclr, and only to the extent required for those purposes.
- AI Processing (Anthropic Claude)
Speclr uses the Anthropic Claude API to generate content such as user stories, acceptance criteria, personas and test specifications.
When you use AI features, the following may occur:
- Your prompts and inputs are sent to Anthropic
- The content may contain personal data, depending on what you enter
- Anthropic processes this data to generate AI outputs for you
We do not send personal data to Anthropic unless this is technically necessary to fulfill your request. However, you are responsible for ensuring that you do not submit more personal data than required.
Training configuration:
- Because Speclr accesses Claude as an API customer, Anthropic does not use your data to train its models.
- Anthropic retains API request data for up to 7 days for abuse monitoring purposes, after which it is deleted.
Location of processing:
- Anthropic processes data in the United States.
Risk notice:
- AI systems may produce inaccurate, incomplete or outdated outputs.
- You must carefully review AI-generated content before using it for product decisions, engineering work or communication.
International data transfer:
- Because Anthropic is located in the United States, personal data may be transferred outside the EU/EEA.
- Such transfers are based on Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Infrastructure and Third-Party Providers
We use several infrastructure and third-party providers to operate Speclr. These providers process personal data on our behalf or as independent controllers:
Vercel (Frontend Hosting)
- Service: Hosting of the Next.js frontend
- Location: United States (primary); static assets may be cached in EU edge regions
- Transfer mechanism: EU-U.S. Data Privacy Framework (DPF) certification; Standard Contractual Clauses (SCCs)
- Data processed (among others):
  - IP addresses
  - Request metadata (e.g. headers, URLs, timestamps)
  - Deployment and error logs (retained for up to 1 hour on the Hobby plan)
- Purpose: To deliver the website and frontend application, ensure performance and security
Convex Cloud (Backend Database and Execution)
- Service: Backend database, storage and server-side logic
- Location: EU West (Ireland) — aws-eu-west-1
- Data processed (among others):
  - Speclr workspace data (e.g. projects, user stories, personas, AI results)
  - Account-related data required for backend operations
- Purpose: To store and process your application data, including AI outputs, securely and efficiently
Clerk (Authentication and User Management)
- Service: Authentication and user management
- Location: United States (primary)
- Transfer mechanism: EU-U.S. Data Privacy Framework (DPF) certification; Standard Contractual Clauses (SCCs)
- Data processed (among others):
  - Email address
  - Authentication metadata (login times, identifiers)
- Purpose: To manage user accounts and authentication
Anthropic (AI Processing)
- Service: AI model inference via the Claude API
- Location: United States
- Transfer mechanism: Standard Contractual Clauses (SCCs)
- Data processed (among others):
  - Prompts and inputs submitted to AI features
  - Generated outputs
- Purpose: To generate AI-assisted requirements, user stories, acceptance criteria and related content
Kit (Waitlist Management)
- Service: Email waitlist and subscriber management
- Location: United States
- Transfer mechanism: EU-U.S. Data Privacy Framework (DPF) certification; Standard Contractual Clauses (SCCs)
- Data processed (among others):
  - Email address
  - Signup metadata (timestamps, referral data)
- Purpose: To manage the pre-launch waitlist and communicate with prospective users
Each provider is bound by contractual agreements including, where required, Data Processing Agreements (DPAs) to ensure an appropriate level of data protection.
- Cookies and Tracking Technologies
We use cookies and similar technologies only to the extent necessary to provide and secure Speclr and to understand basic technical performance.
We use the following categories of cookies:
- Essential cookies: Required for authentication, security and core functionality (e.g. Clerk session cookies)
- Functional/performance cookies: May be used by hosting providers such as Vercel to ensure stability and measure basic performance
We do not use cookies for behavioural profiling or targeted advertising.
Cookie control:
- You can configure your browser to reject non-essential cookies.
- If you block essential cookies, some parts of Speclr may not function correctly.
- Logging and Security
For security and debugging purposes, we maintain operational logs. These logs may include:
- IP addresses
- Timestamps
- Request URLs and headers
- Error messages and stack traces
We use this information to:
- Detect and prevent abuse or attacks
- Diagnose technical issues
- Improve stability and performance
We do not use log data to create behavioural profiles of individual users, and we do not combine logs with marketing or tracking databases.
- Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
In general:
- Account data is retained for the duration of your account and for a reasonable period afterwards to comply with legal obligations or to resolve disputes.
- Workspace and project data is retained while your account and/or organization remains active, unless you request deletion.
- AI request data is stored in Convex only as required for application functionality and history; it is not stored separately by us for model training.
Infrastructure provider retention periods:
- Vercel runtime log retention: up to 1 hour (Hobby plan)
- Anthropic API request retention: up to 7 days for abuse monitoring purposes
- Clerk retention: in accordance with Clerk's privacy policy (clerk.com/legal/privacy-policy)
- Convex data retention: for the duration of your account, unless earlier deletion is requested
Once retention periods expire, data is deleted or anonymised in accordance with our technical capabilities and legal obligations.
- Data Subject Rights
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): You can request information about the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You can request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): You can request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): You can request that we restrict processing in certain circumstances.
- Right to data portability (Art. 20 GDPR): You can request to receive your data in a structured, commonly used and machine-readable format.
- Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time with effect for the future.
To exercise these rights, please contact us at: privacy [at] speclr [dot] dev
We will respond to your request within one month of receipt (Art. 12(3) GDPR). For complex or numerous requests, this period may be extended by a further two months, in which case we will notify you.
You also have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for our registered address is:
Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen)
Prinzenstraße 5
30159 Hannover
Germany
https://www.lfd.niedersachsen.de
- International Transfers
Some of our service providers are located in countries outside the European Union (EU) or European Economic Area (EEA), in particular the United States. Our backend data (Convex) is hosted within the EU (Ireland) and is not subject to a third-country transfer.
For providers located in the United States (Vercel, Clerk, Kit), transfers are based on their certification under the EU-U.S. Data Privacy Framework (DPF), which the European Commission has recognised as providing an adequate level of data protection. Standard Contractual Clauses (SCCs) serve as an additional safeguard where applicable.
For Anthropic, transfers to the United States are based on Standard Contractual Clauses (SCCs) as approved by the European Commission, together with additional technical and organisational measures where appropriate.
Despite these safeguards, third-country transfers may carry residual risks inherent to processing outside the EU/EEA.
- AI Reliability and Responsibility
AI-generated content in Speclr may contain errors, inaccuracies or outdated information. This includes, but is not limited to, user stories, acceptance criteria, personas, test cases and roadmaps.
You remain fully responsible for:
- Reviewing and validating all AI-generated content
- Ensuring that requirements are correct, complete and suitable for your product
- Making final decisions about implementation, testing and delivery
Speclr does not provide legal, financial or engineering advice. To the extent permitted by applicable law, we exclude liability for damages caused by simple negligence, unless such damages result from a breach of a material contractual obligation (cardinal obligation). In all cases, liability for damages resulting from gross negligence, wilful misconduct, injury to life, body or health, or under mandatory statutory provisions (including the German Product Liability Act) remains unaffected.
- Contact Information
If you have any questions about this Privacy Policy or about how we process your data, you can contact us at:
Email: privacy [at] speclr [dot] dev
Address: Michael Flottmann, Heideweg 24, 29574 Ebstorf, Germany
