Privacy Policy
- Introduction
This Privacy Policy explains how we process your personal data when you use Speclr. We process your data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection law.
Speclr is intended for use by individuals aged 16 or older. We do not knowingly collect personal data from persons under the age of 16.
- Responsible Entity
The data controller responsible for processing your personal data is:
Michael Flottmann
Heideweg 24
29574 Ebstorf
Germany
Email: privacy [at] speclr [dot] dev
A Data Protection Officer has not been appointed, as we do not meet the threshold requirements under Art. 37 GDPR.
- Data Collection and Storage
We collect and process the following categories of personal data:
- Account data (e.g. email address, authentication data via Clerk)
- Usage data (e.g. interactions with the application, feature usage, timestamps)
- IP address and device information
- Content you provide to the AI system (e.g. requirements, personas, user stories, comments), which may contain personal data
We process this data for the following purposes:
- To provide and maintain the Speclr platform
- To authenticate users (via Clerk)
- To operate backend logic and store user data (via Convex Cloud)
- To process AI requests and generate outputs
- To improve the platform and ensure stability
- To communicate with users regarding onboarding, updates and service information
Legal bases for processing include:
- Art. 6(1)(b) GDPR (performance of a contract)
- Art. 6(1)(f) GDPR (legitimate interests in operating and improving the service)
- Art. 6(1)(a) GDPR (consent for specific processing activities, such as certain AI use cases, where applicable)
We do not sell your personal data. We share data only with infrastructure and service providers that are necessary to operate Speclr, and only to the extent required for those purposes.
- AI Processing (Anthropic Claude)
Speclr uses the Anthropic Claude API to generate content such as user stories, acceptance criteria, personas and test specifications.
When you use AI features, the following may occur:
- Your prompts and inputs are sent to Anthropic
- The content may contain personal data, depending on what you enter
- Anthropic processes this data to generate AI outputs for you
We do not send personal data to Anthropic unless this is technically necessary to fulfill your request. However, you are responsible for ensuring that you do not submit more personal data than required.
Training configuration:
- Because we use Anthropic's services as an API customer, Anthropic does not use your data to train its models.
- Anthropic retains API request data for up to 7 days for abuse monitoring purposes, after which it is deleted.
Location of processing:
- Anthropic processes data in the United States.
Risk notice:
- AI systems may produce inaccurate, incomplete or outdated outputs.
- You must carefully review AI-generated content before using it for product decisions, engineering work or communication.
International data transfer:
- Because Anthropic is located in the United States, personal data may be transferred outside the EU/EEA.
- Such transfers are based on Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Infrastructure and Third-Party Providers
We use several infrastructure and third-party providers to operate Speclr. These providers process personal data on our behalf or as independent controllers:
Vercel (Frontend Hosting and Analytics)
- Service: Hosting of the Next.js frontend; cookieless analytics and performance measurement via Vercel Analytics and Vercel Speed Insights
- Location: United States (primary); static assets may be cached in EU edge regions
- Transfer mechanism: EU-U.S. Data Privacy Framework (DPF) certification; Standard Contractual Clauses (SCCs)
- Data processed (among others):
  - IP addresses (not stored in identifiable form by Analytics)
  - Request metadata (e.g. headers, URLs, timestamps)
  - Aggregated, anonymised page view and performance data
  - Deployment and error logs (retained for up to 1 hour on the Hobby plan)
- Purpose: To deliver the website and frontend application, ensure performance and security, and understand aggregated usage patterns
- Note: Vercel Analytics and Speed Insights operate without cookies and without cross-site tracking. No personal data is stored in identifiable form by these tools. No consent is required for their use under TTDSG §25 or Art. 6 GDPR, as no access to terminal equipment storage occurs and no personal data is linked to individual users.
Convex Cloud (Backend Database and Execution)
- Service: Backend database, storage and server-side logic
- Location: EU West (Ireland) — aws-eu-west-1
- Data processed (among others):
  - Speclr workspace data (e.g. projects, user stories, personas, AI results)
  - Account-related data required for backend operations
- Purpose: To store and process your application data, including AI outputs, securely and efficiently
Clerk (Authentication and User Management)
- Service: Authentication and user management
- Location: United States (primary)
- Transfer mechanism: EU-U.S. Data Privacy Framework (DPF) certification; Standard Contractual Clauses (SCCs)
- Data processed (among others):
  - Email address
  - Authentication metadata (login times, identifiers)
- Purpose: To manage user accounts and authentication
Anthropic (AI Processing)
- Service: AI model inference via the Claude API
- Location: United States
- Transfer mechanism: Standard Contractual Clauses (SCCs)
- Data processed (among others):
  - Prompts and inputs submitted to AI features
  - Generated outputs
- Purpose: To generate AI-assisted requirements, user stories, acceptance criteria and related content
Kit (Waitlist Management)
- Service: Email waitlist and subscriber management
- Location: United States
- Transfer mechanism: EU-U.S. Data Privacy Framework (DPF) certification; Standard Contractual Clauses (SCCs)
- Data processed (among others):
  - Email address
  - Signup metadata (timestamps, referral data)
- Purpose: To manage the pre-launch waitlist and communicate with prospective users
Each provider is bound by contractual agreements including, where required, Data Processing Agreements (DPAs) to ensure an appropriate level of data protection.
- Cookies and Local Storage
We use cookies and browser storage technologies only to the extent necessary to provide and secure Speclr, to remember your privacy preferences, and to understand basic technical performance.
Essential cookies
Required for authentication, security and core functionality. These cookies are set by Clerk to manage your login session. Without them, the Service cannot function. No consent is required for these cookies under TTDSG §25, as they are strictly necessary to provide a service explicitly requested by the user.
Consent preference storage (localStorage)
We store your cookie consent decision locally in your browser under the key speclr_consent. This entry records which categories of processing you have accepted or declined, along with a timestamp and a version number. It is not a cookie, but local browser storage. It does not leave your device and is not transmitted to our servers. It is retained until you clear your browser storage or change your preferences via the "Cookie Settings" link in the footer.
Analytics (Vercel Analytics and Speed Insights)
We use Vercel Analytics and Vercel Speed Insights to understand aggregated usage and performance. These tools do not set cookies, do not store personal data in identifiable form, and do not track users across sites. No consent is required for their use.
Future analytics (Google Analytics)
We intend to integrate Google Analytics in a future version of Speclr. Google Analytics sets cookies and processes personal data. It will only be activated if you have given your explicit consent via the cookie banner. This Privacy Policy will be updated before Google Analytics is enabled.
No behavioural profiling or advertising
We do not use cookies or tracking technologies for behavioural profiling, retargeting or targeted advertising.
Cookie control
You can manage your consent preferences at any time via the "Cookie Settings" link in the footer of every page. You can also configure your browser to reject non-essential cookies. If you block essential cookies, some parts of Speclr may not function correctly.
- Logging and Security
For security and debugging purposes, we maintain operational logs. These logs may include:
- IP addresses
- Timestamps
- Request URLs and headers
- Error messages and stack traces
We use this information to:
- Detect and prevent abuse or attacks
- Diagnose technical issues
- Improve stability and performance
We do not use log data to create behavioural profiles of individual users, and we do not combine logs with marketing or tracking databases.
- Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
In general:
- Account data is retained for the duration of your account and for a reasonable period afterwards to comply with legal obligations or to resolve disputes.
- Workspace and project data is retained while your account and/or organization remains active, unless you request deletion.
- AI request data is stored in Convex only as required for application functionality and history; it is not stored separately by us for model training.
Infrastructure provider retention periods:
- Vercel runtime log retention: up to 1 hour (Hobby plan)
- Anthropic API request retention: up to 7 days for abuse monitoring purposes
- Clerk retention: in accordance with Clerk's privacy policy (clerk.com/legal/privacy-policy)
- Convex data retention: for the duration of your account, unless earlier deletion is requested
Once retention periods expire, data is deleted or anonymised in accordance with our technical capabilities and legal obligations.
- Data Subject Rights
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): You can request information about the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You can request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17 GDPR): You can request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): You can request that we restrict processing in certain circumstances.
- Right to data portability (Art. 20 GDPR): You can request to receive your data in a structured, commonly used and machine-readable format.
- Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time with effect for the future.
To exercise these rights, please contact us at: privacy [at] speclr [dot] dev
We will respond to your request within one month of receipt (Art. 12(3) GDPR). Where requests are complex or numerous, this period may be extended by a further two months, in which case we will notify you.
You also have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for our registered address is:
Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen)
Prinzenstraße 5
30159 Hannover
Germany
https://www.lfd.niedersachsen.de
- International Transfers
Some of our service providers are located in countries outside the European Union (EU) or European Economic Area (EEA), in particular the United States. Our backend data (Convex) is hosted within the EU (Ireland) and is not subject to a third-country transfer.
For providers located in the United States (Vercel, Clerk, Kit), transfers are based on their certification under the EU-U.S. Data Privacy Framework (DPF), which the European Commission has recognised as providing an adequate level of data protection. Standard Contractual Clauses (SCCs) serve as an additional safeguard where applicable.
For Anthropic, transfers to the United States are based on Standard Contractual Clauses (SCCs) as approved by the European Commission, together with additional technical and organisational measures where appropriate.
Despite these safeguards, third-country transfers may carry residual risks inherent to processing outside the EU/EEA.
- AI Reliability and Responsibility
AI-generated content in Speclr may contain errors, inaccuracies or outdated information. This includes, but is not limited to, user stories, acceptance criteria, personas, test cases and roadmaps.
You remain fully responsible for:
- Reviewing and validating all AI-generated content
- Ensuring that requirements are correct, complete and suitable for your product
- Making final decisions about implementation, testing and delivery
Speclr does not provide legal, financial or engineering advice. To the extent permitted by applicable law, we exclude liability for damages caused by simple negligence, unless such damages result from a breach of a material contractual obligation (cardinal obligation). In all cases, liability for damages resulting from gross negligence, wilful misconduct, injury to life, body or health, or under mandatory statutory provisions (including the German Product Liability Act) remains unaffected.
- Contact Information
If you have any questions about this Privacy Policy or about how we process your data, you can contact us at:
Email: privacy [at] speclr [dot] dev
Address: Michael Flottmann, Heideweg 24, 29574 Ebstorf, Germany
