Privacy Policy

Last updated: April 26, 2026  ·  Effective date: April 26, 2026

Spec10x ("we", "us", or "our") operates the Spec10x platform, a product discovery and research synthesis tool available at spec10x.com (the "Service"). This Privacy Policy explains what information we collect, why we collect it, how we use and share it, and the choices you have regarding your information. It applies to all users of the Service, including visitors to our website, registered account holders, and teams using Spec10x on behalf of an organisation.

By accessing or using the Service, you agree to the collection and use of information described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

  • Account information. When you register, we collect your name, email address, and password (stored as a hashed credential via Firebase Authentication). If you sign up with Google OAuth, we receive your name, email, and profile picture from Google.
  • Interview and research content. Files you upload — including transcript text (.txt, .md, .pdf, .docx), audio (.mp3, .wav), and video (.mp4) — are stored and processed to provide the core features of the Service. This content may contain personal data about your own customers or research participants; you are responsible for ensuring you have appropriate rights and consents to upload it.
  • Survey data. NPS or other survey exports (CSV or structured formats) you import into the Service.
  • Integration credentials and data. When you connect third-party services such as Zendesk, we receive an API key or OAuth token and fetch support ticket data on your behalf. We only request the minimum permissions necessary.
  • Payment information. If you subscribe to a paid plan, payment details (card number, billing address) are collected directly by our payment processor (Stripe). We do not store full card numbers on our servers; we receive and store only a tokenised reference.
  • Communications. If you contact us via email or in-app support, we retain those communications to respond to you and improve the Service.

1.2 Information Collected Automatically

  • Log data. Our servers automatically record information when you use the Service, including your IP address, browser type and version, operating system, referring URLs, pages visited, features used, and timestamps.
  • Usage analytics. We collect anonymised event data (e.g., which features are clicked, how often reports are generated) to understand how the product is used and guide development priorities.
  • Cookies and similar technologies. We use session cookies required for authentication, preference cookies to remember your settings, and analytics cookies. See Section 8 for full details.
  • Device information. We may collect device identifiers, screen resolution, and timezone to ensure the Service renders correctly and to detect suspicious activity.

1.3 Information from Third Parties

  • Google OAuth. If you sign in with Google, we receive basic profile data (name, email, profile picture) from Google in accordance with the OAuth scopes you authorise.
  • Zendesk. When you authorise the Zendesk integration, we pull ticket content, metadata (subject, status, priority, requester name and email), and comments into the Service to enable cross-source synthesis.
  • Linear, Jira, and GitHub. When you use export features to push specs to these tools, we send generated content to those services. We do not persistently store your credentials for these services beyond the active session unless you choose to save them.

2. How We Use Your Information

We use information collected for the following purposes:

  • Providing the Service. Processing uploaded content (transcription, AI-powered theme extraction, quote citation, impact scoring, feature brief generation) and delivering results back to you.
  • Authentication and account management. Creating and managing your account, verifying identity, and maintaining session security via Firebase Authentication.
  • Billing and subscriptions. Managing subscription plans, processing payments through Stripe, and sending invoices and billing-related notifications.
  • Communication. Sending transactional emails (account verification, password resets, usage alerts), product announcements, and, where you have opted in, marketing communications. You may unsubscribe at any time.
  • Product improvement. Analysing aggregated, anonymised usage patterns to improve features, fix bugs, and prioritise development work. We do not use the content of your individual interviews to train AI models without your explicit consent.
  • Security and fraud prevention. Monitoring for unauthorised access, detecting abuse of the Service, and complying with legal obligations.
  • Legal compliance. Fulfilling obligations under applicable law, responding to lawful requests from authorities, and enforcing our Terms of Service.

3. AI Processing of Your Content

The core value of Spec10x is AI-driven analysis. When you upload files or connect data sources, your content is processed by AI models to extract themes, sentiment, pain points, and feature signals. We use third-party AI providers (including large language model APIs) under data processing agreements that restrict the provider from using your data to train their models.

We do not use your uploaded research content to train Spec10x's own models without your explicit written consent. AI-generated outputs (themes, briefs, acceptance criteria) are derived from your inputs and are owned by you, subject to Section 5 below.

If your uploaded content contains personal data about third parties (such as interview participants), you must ensure you have the necessary consents or legal basis under applicable data protection law (including GDPR and CCPA) to process that data using the Service.

4. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances:

  • Service providers. We share data with trusted sub-processors (cloud hosting, AI API providers, payment processors, email delivery services, analytics platforms) solely to operate the Service. Each sub-processor is bound by data processing agreements.
  • Integrations you authorise. When you connect Zendesk, Linear, Jira, GitHub, or other tools, data flows to those platforms at your direction.
  • Organisational accounts. If you use Spec10x under a team or enterprise plan, your workspace owner and administrators may have access to your activity and content within that workspace.
  • Legal requirements. We may disclose information if required by law, court order, or government request, or if we believe disclosure is necessary to protect the safety of any person or prevent fraud.
  • Business transfers. In the event of a merger, acquisition, or sale of substantially all assets, your information may be transferred to the successor entity, subject to the same privacy protections.
  • With your consent. We may share information for any other purpose disclosed to you at the time of collection with your explicit consent.

5. Data Retention

  • Account data. Retained for as long as your account is active. If you delete your account, we will delete or anonymise your account data within 30 days, except where retention is required by law.
  • Uploaded content (interviews, audio, video, surveys). Retained for the duration of your subscription. You may delete individual files at any time via the dashboard. On account deletion, all uploaded content is permanently removed within 30 days.
  • AI-generated outputs. Retained alongside the source content. Deleting a source file also deletes associated themes, briefs, and quotes.
  • Billing records. Retained for seven years to comply with financial and tax regulations.
  • Log data. Retained for 90 days for security and debugging purposes, then deleted or anonymised.

6. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data. To exercise any of them, contact us at hello@spec10x.com.

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Request correction of inaccurate or incomplete data.
  • Deletion. Request deletion of your personal data (the "right to be forgotten"), subject to legal retention obligations.
  • Portability. Request a machine-readable export of your data.
  • Restriction and objection. Request restriction of processing, or object to processing based on legitimate interests.
  • Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Marketing opt-out. Unsubscribe from marketing emails at any time using the unsubscribe link in any email or by contacting us directly.
  • California residents (CCPA). You have the right to know what personal information is collected, disclosed, or sold; the right to opt out of the sale of personal information (we do not sell personal information); and the right to non-discrimination for exercising your rights.

We will respond to verifiable requests within 30 days (or within the timeframe required by applicable law).

7. Data Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit using TLS 1.2 or higher for all communications between your browser and our servers.
  • Encryption at rest for uploaded files and database records.
  • Authentication via Firebase, which provides industry-standard OAuth 2.0 and email verification flows.
  • Role-based access controls limiting which employees can access production data.
  • Regular security reviews and dependency audits.
  • Isolated storage per workspace to prevent cross-tenant data leakage.

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to hello@spec10x.com.

8. Cookies and Tracking

We use the following categories of cookies:

Strictly Necessary

Session authentication cookies issued by Firebase Authentication. Required for the Service to function. Cannot be disabled.

Functional

Preference cookies that remember your UI settings (theme, sidebar state, last viewed workspace). May be cleared without losing account data.

Analytics

Anonymised usage tracking to understand feature adoption. Data is aggregated and never tied to individually identifiable users. You may opt out via your account settings.

We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings, though disabling strictly necessary cookies will prevent you from logging in.

9. International Data Transfers

Spec10x is operated from servers primarily located in the United States. If you are accessing the Service from the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, your data may be transferred to and processed in the United States or other countries.

For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms recognised under GDPR. Our sub-processors are required to implement equivalent protections.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, contact us at hello@spec10x.com and we will delete it promptly.

11. Third-Party Links and Services

The Service may contain links to third-party websites or integrations with external platforms (Zendesk, Linear, Jira, GitHub, Cursor, Claude Code, Devin). This Privacy Policy does not apply to those services. We encourage you to review their privacy policies. We are not responsible for the privacy practices of any third party.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and/or by posting a prominent notice within the Service at least 14 days before the changes take effect. Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

We encourage you to review this page periodically. The "Last updated" date at the top of this policy indicates when the most recent revision was made.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Spec10x

Email: hello@spec10x.com

If you are located in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.