Privacy Policy
Last updated: July 2026
1. What we collect
To provide the Service we collect:
- Account data: email address, hashed password, optional display name.
- Workspace data: the specs you generate, your workspace name, and your subscription status.
- Input data: meeting notes or recordings you upload, which are sent to OpenRouter for LLM processing.
- Integration data: OAuth tokens if you connect Linear (used only to write tickets on your behalf).
- Operational data: IP address (for rate limiting and security), timestamps, rough usage counters.
2. How we use your data
- To operate the Service (generate specs, save them, render the dashboard).
- To process payments via Stripe.
- To send transactional email (welcome, payment receipts, critical service notices).
- To detect abuse and secure the Service (rate limiting, fraud prevention).
We do not sell your data. We do not use your inputs to train any AI model (OpenRouter's terms guarantee the same).
3. Cookies we set
specboard_session— authentication token. Strictly necessary. httpOnly + Secure + SameSite=Lax. 30-day expiry.linear_oauth_state— CSRF token during OAuth flow. 10-minute expiry. Cleared after use.
We do not set any advertising, third-party analytics, or cross-site tracking cookies.
4. Where data is stored
All persistent data (account, specs, integrations) lives in a managed Postgres database in our hosting region. Audio uploads (when the audio path is enabled) are stored in our AWS S3 bucket. Backups are written to local storage.
5. Data retention and deletion
- Account data: retained while your account is active, deleted within 30 days of account deletion request.
- Specs: retained while your account is active; you can delete individual specs from the dashboard.
- OAuth tokens: cleared on account deletion or when you disconnect the integration from settings.
- Operational logs: retained for 30 days for abuse investigation, then deleted.
6. Your rights
You can request a copy of all data we hold about you, or request deletion, by emailing [email protected]. We respond within 30 days.
7. International transfers
We rely on subprocessors (OpenRouter, Stripe, Resend, AWS, Linear) that may transfer data outside your country. All subprocessors we use are published at /subprocessors.
8. Children
The Service is not intended for users under 16. We do not knowingly collect data from children.
9. Changes to this policy
Material changes will be notified via email at least 14 days before they take effect.
10. Contact
Email [email protected] for privacy questions.