Specky
How it works Integrations Pricing Roadmap

Privacy Policy

Specky — operated by Spark IT Mariusz Iskra (sole proprietorship, Poland)

Version: 1.0 · Last updated: 8 July 2026

On this page

  1. 1. Who we are
  2. 2. What data we collect
  3. 3. How and why we process your data (legal bases)
  4. 4. AI processing — what actually happens to your content
  5. 5. Subprocessors and recipients
  6. 6. International transfers
  7. 7. Data retention
  8. 8. Your rights
  9. 9. Security
  10. 10. Cookies
  11. 11. Children
  12. 12. Changes to this policy
  13. 13. Contact

1. Who we are

Specky ("we", "us") is a specification-driven project management platform operated by:

Spark IT Mariusz Iskra, sole proprietorship registered in Poland Address: ul. Malownicza 9, 72-006 Mierzyn, Poland · Tax ID (NIP): 8581726552 · EU VAT: PL8581726552 Contact: support@specky.app

For data you provide when creating an account and using Specky's website, we act as the data controller under the EU General Data Protection Regulation (GDPR).

For content your organization uploads to Specky (project specifications, documents, tasks) that contains personal data of third parties, we act as a data processor on behalf of your organization. This processing is governed by our Data Processing Agreement (DPA), available at https://specky.app/legal/dpa.

2. What data we collect

Account and organization data (we are controller):

  • Name, email address, password hash
  • Organization name, role within the organization
  • Plan, billing status, and usage counters (e.g., number of AI analyses used)
  • Login timestamps, IP addresses, and security logs

Customer content (we are processor):

  • Documents and specifications you upload (PDF, DOCX, Markdown, and other supported formats)
  • Audio recordings and their transcriptions, where you use recording features
  • Requirements, tasks, comments, and project data created in Specky
  • Questions you submit to the AI assistant and the answers generated

Payment data: we do not collect or store your payment card details. Payments are processed by Paddle as Merchant of Record (see Section 5). We receive only subscription status, plan, and non-sensitive billing metadata.

Analytics: we use Google Analytics on our marketing website and Mixpanel within the application to understand how our website and product are used and to improve them. These tools process usage and device data and may set cookies or similar identifiers. Where required by law, they are activated only after you consent via our cookie banner (see Section 10). We do not use advertising trackers and we do not sell this data.

3. How and why we process your data (legal bases)

PurposeDataLegal basis (GDPR)
Providing the service (accounts, projects, AI analysis)account data, customer contentArt. 6(1)(b) — contract
Billing and subscription managementaccount data, billing metadataArt. 6(1)(b) — contract; Art. 6(1)(c) — legal obligations
Security, abuse prevention, audit logssecurity logs, IP addressesArt. 6(1)(f) — legitimate interest
Transactional email (invitations, notifications, alerts)email addressArt. 6(1)(b) — contract
Service observability, debugging, and quality improvementAI operation inputs/outputs, technical identifiersArt. 6(1)(f) — legitimate interest
Website and product analytics (Google Analytics, Mixpanel)usage data, device/browser data, cookie identifiersArt. 6(1)(a) — consent
Product improvement based on aggregated, de-identified usageaggregated metricsArt. 6(1)(f) — legitimate interest
Marketing communication (only if you opt in)email addressArt. 6(1)(a) — consent

We do not sell personal data. We do not use personal data for advertising.

4. AI processing — what actually happens to your content

Specky's core features rely on large language models (LLMs) and embedding models. In the interest of transparency, this is the actual processing flow:

  1. Document analysis. When you upload a specification and start an analysis, the document text is sent to one or more of our AI providers (Anthropic, OpenAI — see Section 5) via their APIs to extract requirements, classify their scope, and detect gaps.
  2. Embeddings and semantic search. Fragments of your documents and requirements are converted into numerical vector representations (embeddings) and stored in our vector database to enable semantic search. Embeddings are stored on our EU infrastructure.
  3. AI assistant (chat). Your questions, together with relevant fragments of your project content, are sent to an LLM to generate an answer. Answers are marked as AI-generated.

Your content is not used to train AI models. Both of our AI providers are used under their commercial/API terms, which prohibit or exclude training on customer content:

  • Anthropic: under its Commercial Terms of Service, Anthropic may not train models on customer content submitted through the API.
  • OpenAI: data sent to the OpenAI API is not used to train or improve OpenAI models unless the customer explicitly opts in (we do not opt in).

Provider-side retention for abuse monitoring. Independently of training, AI providers may temporarily log API inputs and outputs for a limited period (typically up to 30 days) solely to detect abuse and enforce their usage policies, after which they are deleted. We do not control these logs; they are governed by each provider's terms.

Service observability and quality. We operate a self-hosted observability tool on our EU infrastructure that records the inputs and outputs of AI operations (prompts and generated responses) together with technical identifiers (such as organization and project identifiers). We use this data solely to operate, monitor, debug, secure, and improve the functioning and quality of Specky's own processes — for example, to diagnose failed analyses and refine our internal prompts and pipeline. This data is hosted on our EU infrastructure, is not used to train any AI models, and is not shared with or sold to third parties. It is retained for a limited period (see Section 7) and then deleted.

We review our AI providers' data-use terms periodically and will update this policy if their commitments change.

5. Subprocessors and recipients

We use the following subprocessors. The current list, including any changes, is always available at https://specky.app/legal/subprocessors; DPA customers are notified of changes 30 days in advance.

ProviderPurposeLocation of processing
Hetzner Online GmbHhosting of application, databases, file storage, embeddings, observability, backupsGermany (EU)
Anthropic Ireland, Limited / Anthropic, PBCLLM API (document analysis, requirement extraction, chat)EU contracting entity; processing may occur in the USA
OpenAILLM / embeddings APIUSA
PaddleMerchant of Record — payments, invoicing, taxUK / EU / USA
cal.pltransactional (system) email delivery and marketing-website hostingPoland (EU)
Google Ireland Limited / Google LLC (Google Analytics)marketing-website analyticsEU / USA
Mixpanel, Inc.in-product analyticsUSA

Primary data storage (databases, uploaded files, embeddings, and AI observability data) is located exclusively in the European Union (Germany). AI providers receive document content transiently for processing, as described in Section 4.

We may also disclose data where required by law (e.g., to public authorities upon a valid legal request).

6. International transfers

Where processing involves providers in the United States, transfers are safeguarded by:

  • the EU–US Data Privacy Framework (DPF), where the provider is certified, and
  • Standard Contractual Clauses (SCCs) incorporated into each provider's data processing agreement, as a parallel or fallback mechanism,
  • supplementary measures where applicable (encryption in transit, minimization of transferred content).

Copies of relevant transfer safeguards can be requested at support@specky.app.

7. Data retention

DataRetention
Account and organization datafor the duration of the account, then deleted within 30 days of account deletion
Customer content (documents, tasks, embeddings, transcriptions)for the duration of the account; deleted within 30 days of account deletion or earlier upon deletion within the product
AI observability data (prompts and responses in our self-hosted tool)hosted on our EU infrastructure; retained up to 30 days, then deleted
Billing records held by usas required by tax and accounting law (in Poland, generally 5 years from the end of the relevant tax year)
Security and audit logsup to 12 months
Backupsencrypted backups are rotated; deleted data leaves the backup cycle within a maximum of 35 days

After a subscription ends without account deletion, your data is retained in read-only mode so you can export it or reactivate; the account deletion rules above apply when you delete the account.

8. Your rights

Under the GDPR you have the right to: access your data; rectify it; erase it; restrict processing; data portability; object to processing based on legitimate interest; and withdraw consent at any time (where processing is based on consent), without affecting prior processing.

To exercise these rights, contact support@specky.app. We respond within one month. You also have the right to lodge a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (PUODO, uodo.gov.pl), or the authority in your EU member state.

If you are an end user whose data was uploaded to Specky by an organization (e.g., your employer or contractor), that organization is the controller of that content; please direct requests to them. We will assist them in fulfilling your rights as required by our DPA.

Non-EU users: depending on your jurisdiction, you may have similar rights (e.g., under UK GDPR or applicable US state privacy laws). We honor access and deletion requests from all users regardless of location.

9. Security

We apply technical and organizational measures including: encryption in transit (TLS), encryption of backups, tenant isolation at the application and database level, role-based access control, secrets management, audit logging, and the principle of least privilege for internal access. A detailed description of measures (TOM) is provided in Annex 2 to our DPA.

No system is perfectly secure. In the event of a personal data breach likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours and affected customers without undue delay, in accordance with GDPR Articles 33–34.

10. Cookies

Our application uses cookies strictly necessary for the service to function (session, authentication, and security), which do not require consent. In addition, subject to your consent, we use analytics cookies and similar identifiers: Google Analytics on our marketing website and Mixpanel within the application. We display a cookie consent banner that lets you accept, reject, or manage non-essential (analytics) cookies, and you can withdraw your consent at any time. We do not use advertising or cross-site behavioral-advertising cookies.

11. Children

Specky is a business tool intended for users aged 18 or older and is not directed at children. We do not knowingly process the personal data of children under 16.

12. Changes to this policy

We may update this policy as the service evolves — for example, when adding a new subprocessor or feature. Material changes will be announced in the application or by email at least 14 days in advance, and the subprocessor list follows the 30-day notice rule described in our DPA. Each version is identified by the version number and date above.

13. Contact

Privacy inquiries: support@specky.app General support: support@specky.app Postal address: ul. Malownicza 9, 72-006 Mierzyn, Poland

Specky

A living specification that drives the project. AI proposes — you decide.

Product
How it works Integrations Roadmap Pricing
Legal
Privacy Policy Terms of Service Refund Policy
© 2026 Specky. All rights reserved. Spark IT Mariusz Iskra · Mierzyn, Poland