Privacy Policy

Last updated: April 21, 2026

1. Introduction

SpecMake ("we", "us", "our") operates the specmake.com website and document translation service. This Privacy Policy explains how we collect, use, and protect your information when you use our service.

For GDPR purposes, SpecMake is the data controller responsible for your personal data. You can reach us at privacy@specmake.com.

2. What We Collect

We collect and store the following information:

  • Account information: Email address, password (hashed), your chosen role (e.g., engineering, quality/compliance), and optional company name.
  • Source documents: The original PDF or DOCX files you upload. Stored in private Supabase Storage, accessible only via authenticated short-lived signed URLs. Used to power click-to-verify source so you can check any extracted value against the original document.
  • Extracted content: The structured JSON output (fields, values, sections), the full extracted text layer, audit findings, compliance check results, and any images (diagrams, product photos, dimensional drawings) extracted from your documents. All stored in private storage with row-level security — accessible only to you and, if applicable, your team members.
  • Translations and glossaries: Any translated output you generate, along with correction metadata, and any terminology you save to your personal or team glossary.
  • Usage data: Pipeline processing metadata (document type, language pairs, audit coverage, processing duration, model used) for service operation, billing, and quality monitoring.
  • First-party analytics: Page views, the referring domain (not the full URL), UTM parameters, and anonymous session-level engagement data (e.g., time on results page). A per-session identifier is stored in sessionStorage only — it is deleted when you close the browser tab, and we use no cookies for analytics. See Section 9.
  • Payment information: Handled entirely by Stripe. We store only your Stripe customer ID — never your card details.
  • Marketing preferences: Whether you have opted in to receive marketing communications, and the date and time of your consent.

3. How We Use Your Data

  • Process and translate your uploaded documents.
  • Maintain your account, document history, and glossary.
  • Track usage against your plan limits.
  • Send transactional emails related to your account (e.g., password resets, billing confirmations).
  • Monitor aggregate service performance and cost.

4. Marketing Communications

We will only send you marketing emails (product updates, feature announcements, tips for technical documentation) if you have explicitly opted in during signup or through your account settings.

You can withdraw your consent and unsubscribe at any time by:

  • Clicking the "unsubscribe" link in any marketing email.
  • Updating your preferences in your account settings.
  • Contacting us at privacy@specmake.com.

Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. Unsubscribing from marketing emails does not affect transactional emails necessary for service operation (e.g., password resets, billing notifications).

5. AI Processing

Your documents are processed using the Anthropic Claude API. Document content is sent to Anthropic's API for extraction, structuring, and translation. Anthropic's API does not use your data for model training. Refer to Anthropic's Privacy Policy for details on their data handling.

6. International Data Transfers

Your data is primarily stored in the EU. However, some of our service providers process data outside the EU/EEA:

  • Anthropic (Claude API): Document content is sent to Anthropic's servers in the United States for AI processing. This transfer is governed by Standard Contractual Clauses (SCCs) as per Anthropic's data processing terms.
  • Vercel: Our website is hosted on Vercel's global edge network, which may serve content from locations outside the EU/EEA. Vercel participates in the EU-U.S. Data Privacy Framework.
  • Stripe: Payment processing may involve data transfer to the United States. Stripe is certified under the EU-U.S. Data Privacy Framework.

We ensure that all international transfers of personal data are protected by appropriate safeguards as required by GDPR, including Standard Contractual Clauses, adequacy decisions, or certification under the EU-U.S. Data Privacy Framework.

7. Data Storage & Security

Your data is stored in Supabase (PostgreSQL + Object Storage) hosted in the EU. All data is encrypted in transit (TLS) and at rest.

Database: row-level security policies restrict access so each user can read and write only their own rows. Team members can access shared documents only through their team membership.

File storage (source documents and extracted images): stored in private Supabase Storage. Files are never publicly accessible and are served only via authenticated short-lived signed URLs scoped to a single file.

8. Payments

All payment processing is handled by Stripe. We never receive or store your credit card number, expiration date, or CVC. We only store your Stripe customer ID to manage subscriptions and billing.

9. Cookies, Analytics & Tracking

We use only essential cookies required for authentication (session tokens managed by Supabase Auth). We do not use any third-party tracking scripts, advertising cookies, pixels, or fingerprinting.

First-party analytics: we collect a small amount of anonymous usage data to improve the product — page views, the referring domain (not full URL), UTM parameters, and session-level engagement (e.g., time spent on the results page). A per-session identifier is generated and stored in browser sessionStorage only, which is deleted when you close the tab. No identifier persists across browser sessions. The data is stored in our own database and is never shared with third parties.

We also use Vercel Analytics and Vercel Speed Insights to monitor website performance. These tools are cookieless and do not collect personal data.

10. Data Retention

Your documents, source files, extracted images, translations, and glossary entries are retained for as long as your account is active. You can delete individual documents at any time from your dashboard — deletion removes the database row, the stored source file, and all associated images immediately, within a single server operation.

If you delete your account, all associated data — documents, translations, glossary entries, templates, source files, extracted images, audit data, and usage logs — is permanently deleted within 30 days. Aggregated, non-identifying metrics (e.g., total document counts per month) may be retained for billing and legal purposes only.

Documents submitted to the anonymous EU DPP readiness check tool at /dpp-check are never saved to our database or file storage — only the immediate processing response is returned, after which no record of the document remains.

11. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Request deletion of your data.
  • Export your data in a portable format.
  • Object to or restrict processing of your data.
  • Withdraw consent at any time (including marketing consent).
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at the address below.

12. Third-Party Services (Sub-Processors)

The following service providers act as sub-processors for specific parts of our infrastructure. Each is bound by a Data Processing Agreement (DPA) that meets GDPR requirements.

  • Supabase: Database, authentication, and private file storage (EU).
  • Anthropic (Claude API): AI-powered document processing (US, SCCs). Content is not used for model training.
  • Vercel: Website and serverless function hosting (global edge, EU-U.S. DPF participant).
  • Stripe: Payment processing (US, EU-U.S. DPF certified).
  • Resend: Transactional and lifecycle email delivery (US, SCCs).
  • Cloudflare Turnstile: Optional CAPTCHA on contact forms (global, privacy-first alternative to reCAPTCHA).

A current, detailed list of sub-processors including their contact details and the specific data they process is available on request — email privacy@specmake.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the service after changes constitutes acceptance.

14. Contact

For privacy-related questions or to exercise your rights, contact us at: privacy@specmake.com