Privacy policy
Last Updated: 4/6/2026
This Privacy Policy describes how Specode, Inc., a Wyoming corporation headquartered in Irvine, California (“Specode”, “we”, “us”, “our”) collects, uses, and protects information in connection with the Specode platform (“Platform”). This policy applies to customers, users, and visitors to specode.ai.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address
- Organization name and role
- Billing information (processed by Stripe; Specode does not store full payment card details)
- Account credentials
1.2 Platform Usage Data
As you use the Platform, we collect:
- Log data including IP addresses, browser type, pages visited, and timestamps
- Feature usage and interaction data
- Error logs and diagnostic information
- Agent prompts and responses, solely to operate and debug the Service
1.3 Customer Content
Customer Content includes code, data, configurations, and applications that you create or upload using the Platform. Customer Content is processed solely to operate and deliver the Service and is not used for any other purpose. See Section 3 for our explicit restrictions on AI training use.
1.4 Communications
If you contact us by email or support channels, we retain those communications to respond to your inquiry and improve our support.
2. How We Use Information
We use the information we collect to:
- Operate, maintain, and deliver the Platform
- Process billing and manage subscriptions
- Respond to support requests and communications
- Monitor platform performance, security, and uptime
- Comply with legal obligations, including HIPAA where applicable
- Detect and prevent fraud, abuse, or security incidents
We do not sell Customer data. We do not use Customer data for advertising or marketing purposes.
3. No AI Training
Specode will not use Customer Content — including any code, data, configurations, prompts, or applications created, generated, or uploaded by Customer on the Platform — to train, fine-tune, benchmark, or otherwise develop any artificial intelligence or machine learning model, whether operated by Specode or any third party. This restriction applies regardless of whether Customer Content has been aggregated or de-identified.
4. Subprocessors
Specode shares data with the following third-party subprocessors to deliver the Platform. Each subprocessor is bound by data protection obligations consistent with this policy.
Infrastructure and Backend
- Convex — backend infrastructure and database hosting
- Vercel — frontend hosting and deployment
- Amazon Web Services (AWS) — cloud infrastructure
Communications
- Mailgun — transactional email delivery
Billing
- Stripe — payment processing
AI Services
- Anthropic — AI model inference for platform agents
Specode does not contractually authorize subprocessors to use Customer Content for AI training purposes and will use commercially reasonable efforts to ensure subprocessor agreements reflect this restriction.
5. HIPAA and Protected Health Information
Specode's managed production hosting environment is designed to support HIPAA-compliant application deployment. Customers who deploy applications to production will execute a Business Associate Agreement (BAA) with Specode governing the handling of Protected Health Information (PHI).
PHI must not be uploaded or processed in staging or development environments. Specode is not responsible for PHI handled outside of the managed production hosting environment or through Customer-managed third-party integrations.
6. Data Retention
We retain Customer data for as long as your account is active. Following termination of your subscription:
- Customer data remains available for export for 60 days
- After 60 days, Specode may delete Customer data in accordance with our internal data retention schedule
- Audit logs generated within the production environment are retained for 12 months from the date of generation
- Billing records are retained for 7 years as required by applicable law
You may request a complete export of your code, application configuration, and data in a portable, non-proprietary format at any time during your subscription or within the 60-day post-termination window.
7. Your Rights
Depending on your location, you may have the following rights with respect to your personal information:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information, subject to legal retention obligations
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to certain processing activities
California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete, and the right to opt out of sale (we do not sell personal information).
To exercise any of these rights, contact us at legal@specode.ai. We will respond within 30 days.
8. Cookies and Tracking
Specode uses cookies and similar technologies on specode.ai and within the Platform for the following purposes:
- Authentication: To keep you logged in across sessions
- Security: To detect and prevent fraudulent activity
- Analytics: To understand how the Platform is used and improve it (aggregated, non-identifiable data only)
We do not use third-party advertising cookies or tracking pixels. You can control cookie settings through your browser, though disabling certain cookies may affect Platform functionality.
9. Data Security
Specode protects Customer data using industry-standard security controls, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for production environments
- Role-based access controls limiting internal access to Customer data
- Audit logging of access and administrative actions
- Regular security assessments
Security controls apply to the managed production hosting environment. Staging and development environments do not carry the same security guarantees and must not contain PHI.
10. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or in-platform notification prior to the effective date. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.
11. Contact
For privacy-related requests, questions, or concerns:
- Email: legal@specode.ai
- Legal notices: legal@specode.ai
- Mail: Specode, Inc., Irvine, California
We will respond to all privacy requests within 30 days of receipt.