Specsor
Log inSign up

Privacy Policy

Last updated: October 6, 2025

1. Introduction

Specsor (the commercial name used by Idov Mamane, French micro‑entrepreneur, 37 rue Jules Guesde, 92300 Levallois‑Perret, France) provides AI‑powered specification generation tools. This Privacy Policy explains how we collect, use, disclose, and protect information in connection with our website, products, and services (the "Service").

Controller. For users who interact with our website and create accounts directly with Specsor, Idov Mamane is the data controller.

Processor. For organization accounts where an organization invites you to a workspace, we process Customer Content on their behalf under our data processing terms.

By using the Service, you acknowledge this Privacy Policy. If you do not agree, do not use the Service.

2. Key Definitions

  • Personal Data: information that identifies or relates to an identifiable person.
  • Customer Content: prompts, files, project ideas, specifications, and outputs you submit to or generate via the Service.
  • Processing: any operation performed on Personal Data (collection, use, storage, disclosure, deletion).

3. Information We Collect

Account & Profile

  • Name and email address (via Google OAuth or GitHub OAuth).
  • Google account ID or GitHub account ID and, if you choose, profile photo.

Customer Content

  • Project ideas, prompts, files you upload, and generated specifications or documents.
  • Feedback you provide about outputs.

Usage & Device Data

  • Log data (IP address, device identifiers, browser type/version, OS, referring URLs, timestamps).
  • Interaction data (feature use, frequency, performance metrics, error reports).
  • Cookies and similar technologies (see Section 12).

Payment Information

Payments are processed by Stripe. We do not collect or store full payment card numbers. We receive limited billing metadata such as:

  • Stripe customer ID and subscription plan/status.
  • Payment history (amounts, dates) and the last four digits/brand of the payment method.

4. How We Use Information

  • Provide, operate, and improve the Service.
  • Generate AI‑powered specifications based on your inputs.
  • Authenticate users and secure accounts; detect, prevent, and respond to fraud and abuse.
  • Process payments and manage subscriptions; send transactional communications.
  • Comply with law, legal process, and enforce our agreements.
  • With your consent or as permitted by law, provide product updates and offers (opt‑out anytime).

We do not sell or “share” Personal Data for cross‑context behavioral advertising under applicable U.S. laws.

5. AI & Data Processing

Customer Content may be processed by third‑party AI infrastructure to generate outputs. We currently use OpenAI models, including GPT‑5 and GPT‑5‑mini.

  • Training. We do not use Customer Content to train our own models. OpenAI’s API inputs/outputs are not used to train OpenAI models by default; limited abuse‑monitoring logs may be retained.
  • Retention by providers. Model providers may retain logs for a short period (often up to ~30 days) for security/abuse detection unless required otherwise by law or contract.
  • Minimization. We send only what is necessary to fulfill your request and apply safeguards.

6. Legal Bases for Processing (EEA/UK)

  • Contract necessity (Art. 6(1)(b)).
  • Legitimate interests (Art. 6(1)(f)).
  • Consent (Art. 6(1)(a)) for non‑essential cookies/marketing.
  • Legal obligation (Art. 6(1)(c)).

7. How We Share Information

  • Service Providers/Subprocessors: authentication (Google OAuth, GitHub OAuth), payments (Stripe), AI processing (OpenAI), hosting, analytics, and support tools. Access is limited to performing services for us under appropriate contracts.
  • Affiliates and business transfers: if we reorganize or transfer assets, subject to this Policy and legal requirements.
  • Legal and safety: to comply with law or protect rights and safety.
  • At your direction: when you ask us to share information.

8. Security

  • Encryption in transit (TLS) and at rest where supported.
  • Role‑based access controls and least‑privilege principles.
  • Audit logging for administrative actions and regular vulnerability management.

No system is perfectly secure. If a breach occurs, we will notify you and regulators as required by law.

9. International Data Transfers

We may transfer Personal Data outside the EEA/UK (e.g., to the U.S.). Where required, we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) or other approved mechanisms.

10. Data Retention

  • Account data: retained while your account is active and as needed to provide the Service.
  • Customer Content: retained until you delete it or request deletion (subject to organizational settings).
  • Backups/logs: deleted or anonymized on rolling schedules (typically within 30–90 days) unless required longer by law or for security/abuse investigations.

11. Your Rights & Choices

  • Access/Portability, Correction, Deletion.
  • Restriction/Objection where applicable.
  • Marketing opt‑out via email links.
  • Cookie preferences in Cookie Settings or your browser.

To exercise rights, contact [email protected]. We will verify and respond within applicable timelines.

12. Cookies & Similar Technologies

We use strictly necessary, preference, and analytics cookies. Where required, we obtain consent for non‑essential cookies. If your browser sends a Global Privacy Control (GPC) signal, we treat it as an opt‑out of sale/sharing where legally required.

13. Children’s Privacy

The Service is not intended for children under 13 (or up to 16 where required). We do not knowingly collect Personal Data from children.

14. U.S. State Privacy Disclosures

Residents of certain U.S. states have specific rights (e.g., access, correction, deletion, opt‑out of targeted advertising). We do not sell or share Personal Data for cross‑context behavioral advertising. To exercise rights, contact us.

15. EEA/UK Privacy Disclosures

  • Controller: Idov Mamane, 37 rue Jules Guesde, 92300 Levallois‑Perret, France.
  • Supervisory authority (France): CNIL. You have the right to lodge a complaint with CNIL or your local authority.
  • DPO: We have not appointed a Data Protection Officer as we are not legally required to do so. For privacy matters, contact [email protected].
  • Automated decision‑making: We do not engage in automated decision‑making producing legal or similarly significant effects without human involvement.

16. Subprocessors & Third‑Party Services

  • AI processing: OpenAI (GPT‑5, GPT‑5‑mini; limited retention of abuse‑monitoring logs).
  • Authentication: Google OAuth, GitHub OAuth.
  • Payments: Stripe (PCI‑DSS compliant).
  • Hosting/analytics/security: infrastructure and tools necessary to operate the Service.

17. Managing Your Account & Deletion

You can access or delete much of your information in account settings, or request deletion via email. Upon verified deletion:

  • Active copies of Personal Data are deleted or anonymized within ~30 days, and
  • Backups are deleted or overwritten within ~90 days, unless legally required to retain data.

18. Third‑Party Links

Third‑party sites have their own privacy policies. We are not responsible for their practices.

19. Changes to This Privacy Policy

We may update this Policy from time to time. For material changes, we will provide notice (e.g., via email or in‑product) and update the "Last updated" date.

20. Contact Us

For questions or requests about this Policy:

Email: [email protected]
Legal: [email protected]
Address: Idov Mamane (micro‑entrepreneur), commercial name “Specsor”
37 rue Jules Guesde
92300 Levallois‑Perret, France

This Privacy Policy is for general informational purposes and is not legal advice. Consult legal counsel for your specific obligations.