Privacy Policy
Last updated: 2026-05-01
SpecStep ("we", "us", "our") provides an agentic documentation-generation service operated at specstep.com. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. By using SpecStep, you agree to the practices described here.
1. What we collect
1.1 Information you provide directly
- Account identity: when you sign in via Google, GitHub, or Microsoft, we receive your email, display name, and the provider's stable user identifier. We do not see or store your password — authentication is handled by your chosen identity provider.
- Profile fields you set: contact phone number, SMS phone number (verified via 6-digit code), and notification preferences.
- Interview content: the conversation you have with the SpecStep agents to capture your project's vision, requirements, and architecture inputs.
- Reference documents: any files you optionally attach to an interview (PDFs, design references, prior specs).
- Source-control configuration: when you opt in to repo delivery, the GitHub or Azure DevOps repository details you specify.
1.2 Information generated by your use of the service
- Generated packages: the documentation packages produced by your generations, including all intermediate artifacts (rubric scores, agent reviews, decision logs).
- API keys: when you create them. We store only a salted SHA-256 hash plus the first 8 characters (the "prefix") for display. The raw key is shown to you exactly once at creation and never stored.
- Usage telemetry: timestamps, costs, error rates, LLM provider and model identifiers, token counts. Used to operate the service, bill subscriptions, and improve quality.
- Audit log: a record of significant actions (sign-ins, generations started/completed, role changes, billing events) with timestamps and the actor identity.
1.3 Information from third-party services
- Identity providers (Google, GitHub, Microsoft): when you sign in, the provider tells us whether your email is verified. Unverified emails do not auto-link to existing accounts.
- Stripe: when you start a paid subscription, Stripe handles checkout and payment-method capture and notifies us via webhook of subscription state changes (started, renewed, canceled, payment failed). We receive a customer identifier and subscription state — never card numbers, CVCs, or full bank details.
- Azure Communication Services: when we send you an email or SMS, ACS may record delivery telemetry (delivered, bounced) and forward it back to us.
2. What we don't collect
- Payment card details. Stripe handles billing; we never see card numbers.
- Source code from your projects, unless you explicitly attach a reference document containing source code.
- Files from your computer beyond what you explicitly upload to an interview.
- Browser fingerprinting data, advertising identifiers, or cross-site tracking signals.
3. How we use your information
- To run the service: provision your account, run generations, deliver packages, send notifications you opted into, enforce quotas, surface usage in your Settings.
- To bill you: track your subscription tier, count generations against your monthly quota, sync state with Stripe.
- To support you: respond to questions you send to hello@specstep.com; the operator may receive a notification email when you sign up so they can welcome you directly.
- To improve the service: aggregate, anonymized usage statistics may be used to improve agents, rubrics, and the platform. We do not use the content of your interviews or generations to train any LLM.
- To comply with law: respond to legitimate legal requests, prevent fraud or abuse, enforce our Terms.
4. Third parties we share information with
4.1 LLM providers
SpecStep sends your interview content and intermediate artifacts to large language model providers (currently Anthropic and OpenAI) so the agents can produce your package. Both providers have committed to not training their public models on data sent through their commercial APIs. We send the minimum necessary data and redact obvious secrets before sending.
4.2 Infrastructure providers
- Microsoft Azure: hosts the application, the database (PostgreSQL), the cache (Redis), and the blob storage for packages.
- Azure Communication Services: sends transactional email and SMS.
- Stripe: handles billing.
- Cloudflare: provides DNS for the specstep.com domain.
4.3 We don't sell your data
We do not sell your personal information. We do not share it with advertisers or data brokers. We do not use it for any purpose unrelated to operating the SpecStep service.
5. How long we keep your information
- Account and profile: as long as your account is active. Deleted accounts are removed within 30 days, including all linked data (generations, packages, API keys, subscriptions).
- Generated packages: until you delete them or until the retention window for your subscription tier elapses (configurable in Settings → Retention).
- Usage telemetry: 90 days for detailed traces, longer for aggregated billing records (required for tax and accounting purposes, typically 7 years).
- SMS verification codes: hashed in transit, deleted after 10 minutes or after successful verification.
- API key hashes: until you revoke the key.
6. Your rights
You have the right to:
- Access the personal information we hold about you.
- Export your generated packages and account data via the Data Export tab in Settings.
- Correct any inaccurate information by editing your profile or emailing hello@specstep.com.
- Delete your account at any time via Settings → Delete account. Account deletion is permanent and cascades to all linked data.
- Opt out of non-essential email and SMS notifications via Settings → Notifications.
- Withdraw consent for any optional data processing.
If you are in the European Economic Area, the United Kingdom, California, or another jurisdiction with specific privacy rights, those rights apply to your use of SpecStep regardless of where we operate.
7. Security
We protect your information with technical and organizational measures including TLS 1.2+ for all network traffic, encryption at rest for the database and blob storage, hashed API key storage, scoped access for infrastructure operators, structured audit logging, and short-lived verification codes for SMS. No system is perfectly secure; if you have reason to believe your account has been compromised, contact us immediately.
8. Children
SpecStep is intended for software developers and is not directed to children under 16. We do not knowingly collect information from children. If you believe we have done so inadvertently, contact us and we will delete the information.
9. International transfers
SpecStep is operated from the United States. By using the service, you consent to your information being processed in the United States, where privacy laws may differ from those in your country.
10. Changes to this policy
We may update this Privacy Policy as the service evolves. The "Last updated" date at the top of this page reflects the current version. Material changes (e.g., new categories of data sharing) will be announced via email to your account address before they take effect.
11. Contact
Questions, requests, or complaints about privacy: hello@specstep.com.