Privacy Policy

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:

Full statutory disclosure pursuant to § 5 ECG / § 14 UGB is available in our Imprint.

2. Data Protection Contact

We have not appointed a designated Data Protection Officer because we are not subject to the mandatory designation criteria in Art. 37(1) GDPR. For all data-protection enquiries and to exercise your rights, please contact customer-support@specky.space. EU/EEA-based data subjects who wish to address an EU representative pursuant to Art. 27 GDPR may write to the same address; we will route the request internally.

3. Categories of Personal Data & Sources

We process the following categories of personal data:

• Account data — name, email address, password hash, company name; obtained directly from you on sign-up.
• Workspace content — documents, PRDs, notes, tickets, messages and other content you create or upload.
• Usage and device data — pages viewed, feature interactions, IP address (truncated where possible), browser, operating system, session identifiers and timestamps.
• Billing data — name, billing address, VAT identifier, last four digits of the payment card, transaction history (collected and stored by Stripe; we receive a tokenised reference).
• Integration data — content fetched from third-party services you choose to connect (e.g. Google Workspace, Slack, Jira, GitHub). Such data may include personal data of third parties (e.g. authors of Slack messages or commit logs); pursuant to Art. 14 GDPR you confirm, when enabling an integration, that you have a lawful basis to share that data with us.
• Support and communications — emails, chat messages and feedback you send us.

4. Purposes & Legal Bases (Art. 6 GDPR)

Where we rely on legitimate interest (Art. 6(1)(f) GDPR) we have performed a balancing test; you can request a summary from us. Where consent is the basis, you may withdraw it at any time without affecting prior processing.

5. AI Processing & Automated Decision-Making

Specky uses generative AI (Google Gemini, hosted by Google LLC) to power chat, document generation and search features. Pursuant to our agreement with Google and the Google Cloud Data Processing Addendum:

• Your prompts and workspace content are not used to train any of Google's foundational models.
• Prompt content is processed transiently to produce a response and is not retained for product improvement.
• We do not use your workspace content to train any Specky-owned AI model.

We do not use your data for solely automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR. AI-generated outputs are advisory, never determinative, and you remain in full control of any decision based on them. As required by Article 50 of Regulation (EU) 2024/1689 (the EU AI Act), we make it visually clear in the product that you are interacting with an AI system.

6. Recipients & Sub-processors

Within Specky, access to personal data is limited to authorised personnel on a need-to-know basis. We share personal data with the following sub-processors (Art. 28 GDPR), each bound by a written data-processing agreement:

An up-to-date sub-processor list is maintained at /security. We notify business customers in advance of any new sub-processor. Beyond the above, we do not share personal data with third parties, except where required by law or in the event of a corporate transaction (in which case the recipient is bound to equivalent confidentiality and data-protection obligations).

7. International Data Transfers

Where personal data is transferred outside the EEA, we rely on one or more of the following safeguards under Chapter V GDPR:

• An adequacy decision of the European Commission, in particular the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), where the recipient is certified;
• The European Commission's Standard Contractual Clauses (SCCs, Decision (EU) 2021/914);
• The UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs for data originating in the UK;
• Where appropriate, supplementary technical and organisational measures (e.g. encryption in transit and at rest, pseudonymisation, contractual access restrictions) consistent with EDPB Recommendations 01/2020.

You can request a copy of the relevant transfer mechanism by emailing customer-support@specky.space.

8. Retention Periods

• Account & workspace content — for the duration of your account; deleted within 30 days of account deletion (excluding backup rotation up to 30 additional days).
• Billing & tax records — 7 years following the end of the financial year (§ 132 Bundesabgabenordnung).
• Audit and security logs — 12 months, then anonymised; retained longer where necessary to investigate a specific incident.
• Marketing and analytics data — up to 14 months (PostHog) / 14 months (GA4); shorter if you withdraw consent.
• Support correspondence — 24 months from last interaction.
• Cookie consent records — 12 months, to evidence the consent given.
• Backups — overwritten on a 30-day rolling basis.

Anonymised, aggregated information may be retained indefinitely as it is no longer personal data within the meaning of Art. 4(1) GDPR.

9. Cookies & Similar Technologies

We use cookies and similar technologies on the basis of § 165 Austrian Telecommunications Act 2021 (TKG 2021) and Art. 5(3) of Directive 2002/58/EC (“ePrivacy Directive”). Strictly necessary cookies do not require consent. All other cookies (analytics, performance, marketing) are loaded only after you have given prior consent through our cookie banner. You can withdraw consent at any time via the “Cookie preferences” link in the footer with the same ease as you gave it.

• Strictly necessary — Supabase session cookies (login state); Vercel routing cookies; CSRF tokens. No consent required.
• Analytics (consent) — PostHog (ph_*), retention up to 14 months; aggregated event analytics, no advertising.
• Marketing analytics (consent) — Google Analytics 4 (_ga*) under Google Consent Mode v2; retention 14 months.

We do not use third-party advertising or cross-site tracking cookies.

10. Your Rights

You have the following rights under the GDPR:

• Access (Art. 15) — obtain confirmation as to whether we process your data and a copy of it.
• Rectification (Art. 16) — correction of inaccurate or incomplete data.
• Erasure (Art. 17) — deletion of your data, subject to overriding legal retention obligations.
• Restriction (Art. 18) — restrict processing in certain circumstances.
• Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
• Objection (Art. 21) — object to processing based on legitimate interest, including profiling for direct marketing (which we will always honour).
• Withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of prior processing.
• Not be subject to automated individual decision-making (Art. 22) — see Section 5.

We respond within one month of receipt (Art. 12(3) GDPR). The period may be extended by up to two further months for complex or numerous requests, in which case we will inform you within the first month and explain the reason.

You also have the right to lodge a complaint with a supervisory authority — in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR). For Specky the lead supervisory authority is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna, Austria, dsb@dsb.gv.at, www.dsb.gv.at.

11. Security

We implement appropriate technical and organisational measures within the meaning of Art. 32 GDPR, including TLS 1.2+ in transit, AES-256 at rest, role-based access control, row-level security, audit logging, and regular vulnerability management. We notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in a risk to rights and freedoms (Art. 33), and the affected data subjects without undue delay where the breach is likely to result in a high risk (Art. 34).

12. Google Workspace User Data

Specky integrates with Google Workspace (Drive, Gmail, Calendar, Docs, Sheets) via OAuth 2.0. We process Google user data only to provide the integration features you have explicitly enabled and strictly in accordance with the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, use it for advertising, transfer it except to operate the Service, or use it to develop, improve or train AI models. You can revoke access at any time from your Google account or from the Integrations panel in Specky.

13. Data Processing Agreement (DPA)

Where Specky acts as a processor on behalf of a business customer, a Data Processing Agreement compliant with Art. 28 GDPR (including the EU SCCs as Annex) is available on request from customer-support@specky.space. For workspaces under a paid plan, the DPA is incorporated into the order form by reference.

14. Children

The Service is not directed at and may not be used by individuals under 16. Where Austrian law applies, § 4(4) DSG sets the digital age of consent at 14, but we voluntarily set 16 as a more protective minimum. If we learn we have collected personal data from a child below the applicable threshold without verifiable parental consent, we will delete it without undue delay.

15. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the right to know, the right to delete, the right to correct, the right to opt-out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioural advertising), the right to limit the use of sensitive personal information (we do not collect sensitive PI as defined in CPRA), and the right to non-discrimination. To exercise these rights, email customer-support@specky.space. We respond within 45 days as required by Cal. Civ. Code § 1798.130.

16. Changes to this Policy

We may update this policy from time to time. Material changes will be notified to registered users by e-mail or in-app notice at least 30 days before they take effect. The “last updated” date at the top reflects the most recent version. Previous versions are available on request.

17. Contact

For privacy-related questions, data subject requests or to obtain a DPA, write to customer-support@specky.space. Postal correspondence should be sent to the address listed in our Imprint.