Specky

Privacy Policy

Last updated: March 8, 2026

1. Who We Are

Specky (“we”, “us”, “our”) operates the AI-native product management workspace available at speckyai.vercel.app. For the purposes of EU data protection law, Specky acts as the data controller for your personal data. You can reach us at privacy@specky.ai.

2. Information We Collect

We collect the following categories of personal data:

  • Account data – name, email address, company name provided at sign-up.
  • Workspace content – documents, PRDs, notes, tickets, and other content you create inside Specky.
  • Usage data – page views, feature interactions, and session metadata collected to improve the product.
  • Integration data – data fetched from third-party services you connect (e.g. Google Workspace, Slack, Jira, GitHub), solely to provide the integration features you enable.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR) and equivalent national laws:

  • Contract performance (Art. 6(1)(b)) – processing necessary to provide the Service you have signed up for (account management, workspace features, AI assistance).
  • Legitimate interests (Art. 6(1)(f)) – product analytics and service improvement, where our interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)) – optional integrations (Google Workspace, Slack, etc.) where you explicitly authorise access. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)) – where processing is required to comply with applicable law.

4. How We Use Your Information

We use your data to provide and improve the Service, send product updates and important notices, and power AI features that assist your product work. We do not sell your data to third parties, use it for advertising, or process it for purposes incompatible with those described here.

5. Data Storage, Transfers & Security

Your data is stored securely using Supabase (PostgreSQL, hosted on AWS) and processed via Google Generative AI for AI features. We use industry-standard encryption at rest and in transit (TLS 1.2+).

If you are based in the EEA or UK, please note that some of our sub-processors may process data outside the EEA. Where this occurs, we ensure appropriate safeguards are in place — such as the European Commission's Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) — to ensure your data receives equivalent protection.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, unless we are required to retain it by law (e.g. financial records). Anonymised, aggregated data may be retained indefinitely for product analytics.

7. Cookies and Analytics

We use PostHog for product analytics to understand how features are used. Strictly necessary cookies are set to operate the Service. Analytics cookies are only set after you accept our cookie notice. You can opt out at any time by contacting us or via your browser settings. We do not use advertising cookies.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access – obtain a copy of the personal data we hold about you.
  • Rectification – request correction of inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) – request deletion of your personal data, subject to legal retention obligations.
  • Restriction – request that we limit processing of your data in certain circumstances.
  • Data portability – receive your data in a structured, machine-readable format.
  • Objection – object to processing based on legitimate interests.
  • Withdraw consent – where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@specky.ai. We will respond within 30 days (or within the legally required period). If you are in the EEA or UK and believe we have not handled your request appropriately, you have the right to lodge a complaint with your local supervisory authority (e.g. the BfDI in Germany, the ICO in the UK, or the relevant DPA in your country).

9. Google Workspace Data

Specky integrates with Google Workspace (Google Drive, Gmail, Google Calendar, Google Docs, and Google Sheets) via OAuth 2.0. When you connect your Google account, we access only the data described below and strictly in accordance with the Google API Services User Data Policy, including the Limited Use requirements.

  • Google Drive – read access to your files and folders, used to surface relevant documents inside your Specky workspace.
  • Gmail – read access to your email messages, used to extract product-relevant signals (e.g. customer feedback threads).
  • Google Calendar – read access to your calendar events, used to provide scheduling context in the AI assistant.
  • Google Docs & Sheets – read access to document and spreadsheet content, used to index context for AI-assisted product work.

We do not: sell Google user data, use it for advertising, transfer it to third parties (except as necessary to operate the service), or use it for any purpose other than providing Specky features to you. You can revoke access at any time from your Google account security settings or from the Integrations panel in Specky.

10. Sub-processors

We rely on the following third-party sub-processors to operate the Service:

  • Supabase (database & auth) – AWS us-east-1
  • Vercel (hosting & edge functions) – global CDN
  • Google Generative AI (AI processing) – Google Cloud
  • PostHog (product analytics) – EU cloud (eu.posthog.com)

All sub-processors are bound by data processing agreements and handle data only on our instructions.

11. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights in addition to those listed in Section 8:

  • Right to Know – request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete – request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale – we do not sell your personal information to third parties.
  • Right to Non-Discrimination – we will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, contact us at privacy@specky.ai. We will respond within 45 days as required by law.

12. Cookies

We use the following categories of cookies:

  • Strictly necessary – session cookies set by Supabase to keep you logged in. These cannot be disabled as they are required for the Service to function.
  • Analytics – PostHog cookies (ph_*) that track feature usage and page views. Only set after you accept the cookie notice. You can opt out at any time by contacting us or clearing your browser cookies.

We do not use advertising, tracking, or third-party marketing cookies.

13. Data Processing Agreements (DPA)

If you are a business customer subject to GDPR and require a Data Processing Agreement (DPA) with Specky as a data processor, please contact us at privacy@specky.ai. We will provide a standard DPA on request.

14. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

15. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or an in-app notice. The “last updated” date at the top reflects the most recent revision.

16. Contact & Data Controller

For privacy-related questions, data subject requests, or to contact our data protection representative, reach us at privacy@specky.ai.

Back to HomeTerms of Service →