Privacy Policy
Spexsure — Version 1.0 · Effective June 2026
This Privacy Policy explains how Heuristicworks LLC ("Spexsure", "we", "us", "our") collects, uses, stores, shares, and protects personal data when you use the Spexsure platform (spexsure.com) and related services ("Service").
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, Heuristicworks LLC is the data controller for your personal data. If you are a business customer using our Captive Deployment, you are the data controller for personal data processed within your infrastructure; we act as a data processor in that context and a Data Processing Agreement (DPA) is available on request.
Please read this policy carefully. By using the Service, you acknowledge that you have read and understood it.
1. Data We Collect
1.1 Account and Identity Data
When you register for an account using Google or Microsoft single sign-on, we receive from your identity provider:
- Full name
- Email address
- Profile picture URL (where provided by your identity provider)
- A unique identifier issued by the identity provider (OAuth subject ID)
We store this information to create and manage your Spexsure account.
1.2 Subscription and Billing Data
We collect and store:
- Your subscription plan and status
- Credit allocation, credits used, and credit refill history
- Billing cycle dates and renewal timestamps
- Payment method metadata (card type, last four digits, expiry month/year) — provided by Stripe; we never store raw card numbers
- Invoice history
Raw payment card data is handled exclusively by Stripe and is never transmitted to or stored on our systems.
1.3 Content Data (PRD Content and AI Output)
When you use the Service's AI features, we process:
- PRD documents and text you submit ("Your Content")
- AI-generated output (gap reports, enriched PRDs, epics, user stories, tickets)
- Your review decisions (accepted/dismissed gap suggestions, section edits)
- Project metadata (project name, status, timestamps)
Your Content is transmitted to Anthropic PBC for AI processing (see Section 4). It is stored in our database (hosted on Supabase) for the duration of your subscription plus 30 days.
1.4 Integration Data
If you connect the Service to Atlassian Jira:
- We receive and store OAuth 2.0 access and refresh tokens issued by Atlassian. These tokens are encrypted at rest using AES-256-GCM encryption before storage.
- We receive and temporarily process your Jira project metadata (project keys, board IDs) to display and push tickets.
- We do not store Jira issue content beyond what is necessary to confirm a successful push.
If you use a BYOK plan and provide your Anthropic API key:
- Your API key is encrypted at rest using AES-256-GCM before storage and decrypted only at the point of making an AI API call on your behalf.
- We do not log, share, or use your API key for any purpose other than processing your requests.
1.5 Usage and Behavioural Data
We collect data about how you interact with the Service to operate, improve, and secure it:
- Pages visited, features used, and navigation paths (journey events)
- Actions taken within the platform (project creation, analysis initiated, tickets generated, Jira push)
- Session identifiers (generated client-side, stored in browser localStorage)
- Timestamps and duration of actions
- Credit consumption per operation
1.6 Technical and Device Data
- IP address
- Browser type and version
- Operating system
- HTTP referrer
- User agent string
- Error logs and stack traces (when errors occur)
- Performance metrics (API latency, job duration)
1.7 Communications Data
- Emails we send you (welcome email, credit warning emails at 80% and 95% usage, workspace invitations, system notifications)
- Support requests you send to support@spexsure.com or legal@heuristicworks.com
- Bug reports submitted through the platform's bug reporting feature
1.8 Security and Compliance Data
Where our security systems detect potentially malicious inputs, we may retain additional data as described in Section 3.5 of the Terms of Service, including the full content of the flagged submission and all associated metadata. This data is retained for investigative, evidentiary, and prosecutorial purposes and is subject to separate retention rules that supersede the standard retention periods in this policy.
2. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Creating and managing your account | Identity data, subscription data | Contract |
| Providing AI analysis and ticket generation | Content data, subscription/credit data | Contract |
| Processing payments and managing subscriptions | Billing data | Contract |
| Sending transactional emails (welcome, credit warnings, invitations) | Identity data, subscription data | Contract |
| Connecting third-party integrations (Jira, Anthropic) | Integration data | Contract |
| Monitoring and improving Service reliability | Usage data, technical data, error logs | Legitimate interests |
| Detecting and preventing abuse, fraud, and security threats | Technical data, usage data, content data (flagged) | Legitimate interests / Legal obligation |
| Archiving and disclosing flagged content for prosecutorial purposes | Security and compliance data | Legal obligation / Legitimate interests |
| Analytics and understanding how users navigate the platform | Usage data, session data | Legitimate interests |
| Complying with legal obligations | Any relevant data | Legal obligation |
| Enforcing our Terms of Service and policies | Any relevant data | Legitimate interests |
| Providing customer support | Communications data, account data | Contract / Legitimate interests |
We do not sell your personal data to third parties. We do not use your personal data or Your Content to train AI models.
3. Data Sharing and Third-Party Processors
We share personal data with the following categories of third parties, solely to provide the Service:
3.1 Anthropic PBC (AI Processing)
- What is shared: Your Content (PRD text) and system prompts
- Purpose: AI gap detection, PRD enrichment, and ticket generation
- Location: United States
- Their policy: anthropic.com/legal/privacy
Your Content is transmitted to Anthropic under Anthropic's API terms. Anthropic's current API terms prohibit using customer API content to train their models without consent. If you use a BYOK plan, your API calls are subject to your own agreement with Anthropic.
3.2 Supabase (Database Hosting)
- What is shared: All data stored in our database (account data, content, analysis results, tokens)
- Purpose: Database hosting and management
- Location: United States (AWS us-east-1 or as configured)
- Their policy: supabase.com/privacy
3.3 Vercel (Application Hosting and Edge Network)
- What is shared: All data processed by the application (request data, IP addresses, user agent strings)
- Purpose: Web application hosting, serverless functions, CDN
- Location: United States (global edge network)
- Their policy: vercel.com/legal/privacy-policy
3.4 Stripe (Payment Processing)
- What is shared: Email address, billing metadata, payment method details
- Purpose: Subscription billing, invoicing, payment processing
- Location: United States
- Their policy: stripe.com/privacy
We never receive or store raw card numbers. Stripe is a PCI DSS Level 1 certified payment processor.
3.5 Resend (Transactional Email)
- What is shared: Your email address, your first name, email content
- Purpose: Sending welcome emails, credit warning emails, and system notifications
- Location: United States
- Their policy: resend.com/legal/privacy-policy
3.6 Sentry (Error Monitoring)
- What is shared: Error stack traces, request metadata, IP address, user ID (where an error is associated with a session)
- Purpose: Application error monitoring and debugging
- Location: United States
- Their policy: sentry.io/privacy
We configure Sentry to minimise personal data in error reports. Stack traces may occasionally include request parameters; we scrub known sensitive fields before transmission.
3.7 PostHog (Product Analytics)
- What is shared: Journey event data, session IDs, anonymised usage behaviour
- Purpose: Funnel analytics, feature usage analysis, session recordings (where enabled)
- Location: United States or EU (configurable)
- Their policy: posthog.com/privacy
We do not share Your Content with PostHog. Events sent to PostHog are anonymised at the journey-ID level and do not include PRD content.
3.8 Upstash (Rate Limiting)
- What is shared: IP addresses and anonymised request counts
- Purpose: Redis-backed rate limiting in the application middleware
- Location: United States
- Their policy: upstash.com/privacy
IP addresses used for rate limiting are not stored beyond the rate limit window (60 seconds per sliding window).
3.9 Cloudflare (WAF, CDN, DDoS Protection)
- What is shared: IP addresses, HTTP request metadata (headers, URL paths, user agent strings, geolocation derived from IP), request and response payloads in transit
- Purpose: Web Application Firewall (WAF), DDoS mitigation, bot detection, SSL/TLS termination, and global content delivery for all traffic to spexsure.com
- Location: United States (global edge network)
- Their policy: cloudflare.com/privacypolicy
All traffic to spexsure.com passes through Cloudflare's global edge network before reaching Vercel. Cloudflare enforces TLS 1.3 and acts as the first line of defence against malicious traffic. Cloudflare's privacy policy governs its retention of request metadata.
3.10 Law Enforcement and Legal Authorities
We may disclose personal data to law enforcement agencies, courts, regulators, or other public authorities where required by law or where we have a good-faith belief that disclosure is necessary to prevent harm, comply with legal process, or enforce our rights. See Section 3.5 of our Terms of Service for the specific conditions governing disclosure of flagged security content.
3.11 Business Transfers
If Spexsure is involved in a merger, acquisition, asset sale, or restructuring, personal data may be transferred as part of that transaction. We will notify affected users by email and provide an opportunity to delete accounts before transfer, unless prohibited by law or the acquiring entity assumes all obligations under this policy.
4. International Data Transfers
Spexsure is based in the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
Where we transfer personal data from the EEA or UK to the US, we rely on one or more of the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): We incorporate EU SCCs (2021) into our agreements with relevant sub-processors where required.
- UK International Data Transfer Agreements (IDTAs): Where applicable for UK data subjects.
- Adequacy Decisions: Where the recipient country has been granted adequacy status by the European Commission or UK ICO.
A copy of applicable transfer mechanisms is available on request at legal@heuristicworks.com.
5. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and identity data | Duration of account + 90 days after deletion |
| Subscription and billing data | 7 years (tax and accounting requirements) |
| PRD content and AI output | Duration of subscription + 30 days |
| Jira OAuth tokens | Until integration is disconnected + 7 days |
| BYOK API keys | Until deleted by user or account closure |
| Journey event data | 90 days hot (PostgreSQL), then archived to cold storage for 1 year |
| Error reports and bug reports | 12 months |
| Audit logs | 12 months hot, 3 years cold |
| Support communications | 3 years |
| Security-flagged content (prosecutorial retention) | Indefinite, until legal matter is resolved or Spexsure determines retention is no longer necessary |
| Anonymised usage statistics | Indefinite (no personal data) |
When we delete data, we remove it from our active database. Residual copies may remain in encrypted backups for up to 90 days before those backups are overwritten.
6. Security
We implement technical and organisational measures designed to protect your personal data, including:
- Encryption in transit: TLS 1.3 enforced via Cloudflare for all traffic to spexsure.com; all third-party API calls use TLS 1.2 or higher
- Encryption at rest: AES-256 encryption for database storage (Supabase); AES-256-GCM for OAuth tokens and BYOK keys
- Access controls: Role-based access; production database access limited to authorised personnel
- Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Rate limiting: Per-IP and per-account rate limiting on all sensitive endpoints
- Security monitoring: Sentry error monitoring; automated breakpoint monitoring for anomalous journey failure rates
- Supply chain security: GitHub Dependabot for automated dependency vulnerability scanning; npm audit on every CI run
- Incident response: We maintain a documented Incident Response Plan. In the event of a personal data breach, we will notify the relevant supervisory authority (UK ICO) within 72 hours of becoming aware of the breach. Where the breach poses a high risk to your rights and freedoms, we will also notify you directly without undue delay. Notifications will describe the nature of the breach, the data affected, and the steps we have taken to address it.
No system is completely secure. We cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly at security@spexsure.com or via /.well-known/security.txt.
7. Your Rights
7.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations
- Right to restrict processing: Request that we limit how we use your data in certain circumstances
- Right to data portability: Receive your personal data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making: We do not make solely automated decisions with legal or similarly significant effects
To exercise any of these rights, email legal@heuristicworks.com with the subject line "Data Rights Request". We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).
You also have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, contact your national data protection authority.
7.2 Rights Under CCPA / CPRA (California Residents)
If you are a California resident, you have the following rights:
- Right to know: Request disclosure of the categories and specific pieces of personal information we collect, use, and share
- Right to delete: Request deletion of personal information we have collected, subject to exceptions
- Right to correct: Request correction of inaccurate personal information
- Right to opt-out of sale or sharing: We do not sell or share personal information for cross-context behavioural advertising. No opt-out mechanism is required, but you may contact us to confirm.
- Right to limit use of sensitive personal information: We do not use sensitive personal information (as defined by CCPA) for purposes beyond those necessary to provide the Service
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights
To submit a CCPA request, email legal@heuristicworks.com or write to: Heuristicworks LLC, Spring City, PA, USA.
7.3 Account Deletion
You may delete your account and all associated personal data at any time by clicking the Unsubscribe / Delete account link in any email we send you, or by emailing support@spexsure.com. Deletion is processed immediately on confirmation.
What is deleted immediately: your account and profile, all projects, PRD content, generated tickets, Jira OAuth tokens, billing subscription (cancelled), MFA configuration, and BYOK API key.
What is anonymised and retained for 12 months: Security and activity logs are anonymised — all personal identifiers (name, email address, account ID) are permanently removed — and retained for 12 months from the date of deletion for fraud detection, security incident investigation, and Stripe dispute resolution, as permitted under GDPR Article 6(1)(f) legitimate interest. The retained records cannot be linked back to you.
Billing records (invoices, payment history) are retained for 7 years as required for tax and accounting compliance, in accordance with Section 5.
8. Cookies and Tracking Technologies
8.1 Cookies We Use
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| authjs.session-token / __Secure-authjs.session-token | Authentication session | Strictly necessary | Session / 30 days |
| __Host-jira_oauth_state | Jira OAuth CSRF protection | Strictly necessary | 15 minutes |
| PostHog (ph_*) | Product analytics and session recording | Analytics | 1 year |
| Sentry (sentry-*) | Error tracking session context | Functional | Session |
8.2 No Advertising Cookies
We do not use advertising cookies, retargeting pixels, or third-party tracking for advertising purposes.
8.3 Cookie Consent
Strictly necessary cookies are used without consent as they are required to operate the Service. Analytics cookies (PostHog) require your consent where applicable law requires it. A cookie consent mechanism will be implemented prior to launch in markets where consent is required (including the EEA and UK).
8.4 Do Not Track
We do not currently respond to "Do Not Track" browser signals, as there is no universally accepted standard for such signals. We will review this position as standards develop.
9. Children's Privacy
The Service is intended for business users aged 18 and over. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without parental consent, we will delete it promptly. If you believe we have inadvertently collected such data, contact us at legal@heuristicworks.com.
10. Links to Third-Party Sites
The Service may contain links to third-party websites, including Atlassian, Anthropic, and payment providers. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing personal data.
11. Data Processing Agreement
If you are a business that processes personal data of EU or UK data subjects through the Service, you may require a Data Processing Agreement (DPA) under GDPR. To request a DPA, email legal@heuristicworks.com. We will provide a DPA within 14 business days of a valid request.
For Captive Deployment customers, the DPA should be executed before go-live, as Spexsure may act as a data processor in connection with diagnostic telemetry and licence validation data.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before the change takes effect. The "Effective" date at the top of this policy indicates when the current version was last updated. Continued use of the Service after the effective date of a revised policy constitutes acceptance.
13. Contact and Data Protection
For privacy-related questions, requests, or complaints:
- Email: legal@heuristicworks.com
- Subject line: "Privacy — [your request]"
- Response time: Within 30 days for standard requests
Mailing address: Heuristicworks LLC, Spring City, PA, USA
For security vulnerabilities, use security@spexsure.com (see also /.well-known/security.txt).
Heuristicworks LLC · Spring City, PA, USA