How we handle your data.

We collect what's needed to run Spectrace: your account profile, the requirements + AC you write, the diffs we read from your repos, audit log entries, and standard product analytics (page views, feature usage). We do not sell or share this data with advertisers.

To operate Spectrace, generate the AI outputs you ask for, route notifications, and keep audit trails. Aggregated, anonymized usage data informs product decisions. Your raw content is never used to train models that serve other customers.

Inside your workspace: people you invited, scoped by role. Inside Spectrace: a small on-call rotation has read access to debug specific issues, only with your authorization. Outside Spectrace: subprocessors we list publicly (OpenAI, Anthropic, AWS, Supabase, Sentry, Vercel).

While your workspace is active, indefinitely. After cancellation, your data stays read-only for 30 days, then is deleted within 7 days. Audit logs required by SOC 2 are retained for 13 months and then deleted, even if your workspace is gone.

You can export everything (Markdown / CSV / JSON / PDF) from Settings → Activity. You can delete an account, a project, or the whole workspace from the same page. EU and UK customers have access, rectification, erasure, portability, and objection rights under GDPR.

Encryption at rest (AES-256) and in transit (TLS 1.2+). SSO + SCIM available on the Team plan. SOC 2 Type II in progress with completion expected Q3 2026. Vulnerability disclosure: security@spectrace.io.

Strictly necessary cookies for auth + session, plus analytics that respect Do Not Track. We do not run third-party advertising or behavioral cookies. The marketing site uses a single first-party analytics cookie.

We'll email all workspace admins 30 days before a material change takes effect, and post the diff publicly. The 'View diff →' link above keeps a permanent record of every revision.