Effective date: April 3, 2026. Last updated: April 3, 2026.
We take your privacy seriously. This policy explains what data we collect, why we collect it, how we protect it, and what rights you have. We write in plain language because privacy policies should be readable.
Studio Tim ("Company," "we," "us," or "our") operates the Spectra AI software platform at spectra.app. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Services.
This policy applies to all Spectra products: Forge (viability analysis), Architect (architecture documents), Build (AI app development), and Deploy (managed hosting).
By creating an account or using any Spectra Service, you acknowledge that you have read and understood this Privacy Policy. If you are located in the European Economic Area (EEA), the United Kingdom, or California, additional rights and disclosures apply — see Sections 10 and 11.
Account information. When you register, we collect your email address, full name, and optionally your company name and job title. This information is required to create and manage your account.
Project data. When you use Architect, Build, or Forge, we collect the project briefs, descriptions, technical requirements, and any other content you submit as input to our AI pipelines. We also store the deliverables generated for you (architecture documents, source code, viability reports).
Payment information. Billing is handled by Stripe, Inc. When you make a purchase, Stripe collects and processes your payment card details. We receive only a tokenized reference and basic billing information (last 4 digits, card brand, billing name, billing country). We do not store full card numbers or CVVs.
Usage data. We collect logs of your interactions with the platform: pages visited, features used, pipeline runs initiated, errors encountered, timestamps, and session duration. This data is linked to your account.
Technical data. We automatically collect your IP address, browser type and version, operating system, referring URL, and device type when you access Spectra. This data is used for security, fraud prevention, and service improvement.
Communications. If you contact our support team, we retain records of that correspondence, including your email address and the content of your messages.
Providing the Services. We use your account information, project data, and usage data to operate the platform, run AI pipelines, generate deliverables, and deliver the Services you have purchased.
Billing and payments. We use payment information to process transactions, manage subscriptions, send invoices, and handle refunds.
Service communications. We use your email address to send transactional messages: account confirmations, pipeline completion notifications, billing receipts, and support responses. These communications are not marketing, and you cannot fully opt out of them while your account is active.
Product improvement. We analyze aggregated, anonymized usage patterns to improve our AI pipelines, identify common failure modes, and prioritize new features. We do not use your specific project briefs or deliverables to train our AI models without your explicit opt-in consent.
Security and fraud prevention. We use technical data and usage logs to detect and prevent abuse, unauthorized access, and fraudulent activity.
Legal compliance. We retain and process data as required by applicable law, including tax records, fraud investigation, and responses to valid legal requests.
We do not sell your data. We do not sell, rent, or trade your personal information or project data to any third party for their own commercial purposes. This applies to all users, including California residents (see Section 11).
No third-party advertising. We do not serve third-party advertisements on Spectra. We do not share your data with advertising networks, data brokers, or marketing platforms.
No cross-site tracking. We do not track your activity across third-party websites. We do not use third-party tracking pixels, behavioral advertising networks, or data enrichment services.
No social media data collection. We do not purchase or import social media profile data, browsing histories, or demographic segmentation data from external providers.
We use the following third-party services to operate Spectra. Each processes data subject to its own privacy policy:
**Supabase** — Database hosting, authentication, and storage. Your account data, project data, and deliverables are stored in Supabase infrastructure located in us-east-1 (Virginia, USA). Privacy policy: supabase.com/privacy
**Stripe, Inc.** — Payment processing. Stripe processes payment card data under PCI-DSS compliance. Privacy policy: stripe.com/privacy
**Vercel, Inc.** — Application hosting and CDN. Vercel hosts the Spectra web application and processes request logs. Privacy policy: vercel.com/legal/privacy-policy
**Anthropic, PBC** — AI model provider. Your project briefs and content are sent to Anthropic's API to generate AI outputs. Under Anthropic's commercial API terms, API inputs and outputs are not used to train Anthropic's models by default. Privacy policy: anthropic.com/privacy
We have data processing agreements in place with each of these providers where required by applicable law. We do not use providers that we have not vetted for appropriate data handling practices.
Account data. We retain your account profile information while your account is active, plus 30 days following account closure. During the 30-day window you may request an export of your data.
Project data and deliverables. Architecture documents, source code, viability reports, and the project briefs used to generate them are retained for 12 months from the date of creation, or for the duration of your active Deploy subscription for hosted projects, whichever is longer.
Billing records. Invoice records, payment history, and associated billing information are retained for 7 years from the date of the transaction, as required by U.S. federal tax law and Florida state law.
Usage logs. Raw access logs (IP address, request path, timestamp) are retained for 90 days and then deleted. Aggregated, anonymized usage statistics are retained indefinitely.
Support communications. Records of support conversations are retained for 2 years from the date of the last message in the thread.
Deletion requests. Upon a valid deletion request (see Section 9), we will delete your personal data from active systems within 30 days, subject to the retention obligations above (billing records, legal holds).
We implement industry-standard security controls to protect your data:
Encryption in transit. All data transmitted between your browser and Spectra is encrypted using TLS 1.2 or higher. API communications with third-party services use TLS encryption.
Encryption at rest. Data stored in Supabase is encrypted at rest using AES-256 encryption at the storage layer.
Row-Level Security (RLS). Our database enforces row-level access controls so that authenticated users can only access their own data. No query can return another user's project data.
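To show what a row-level access control of this kind looks like in practice, here is an illustrative Postgres policy set. This is an added example, not Spectra's actual schema or code: the `projects` table, its `owner_id` column, the `app_user` role, the two user UUIDs, and the `current_user_id()` helper (a stand-in for Supabase's `auth.uid()`, which reads the user's id from the request's JWT claims) are all assumptions made for the example.

```sql
-- Illustrative Postgres row-level security setup (not Spectra's real schema).
-- Assumes a projects table keyed by the owning user's id, and that the
-- application's database role carries the authenticated user's id in a
-- session setting, as Supabase's auth.uid() helper does via request.jwt.claims.

create table if not exists projects (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null,
  brief      text not null,
  created_at timestamptz not null default now()
);

-- Stand-in for Supabase's auth.uid(): read the JWT subject from the session.
create or replace function current_user_id() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claim.sub', true), '')::uuid
$$;

-- Deny by default: once enabled, a table with no matching policy returns no rows.
alter table projects enable row level security;
-- Apply the policies to the table owner as well (service accounts often own tables).
alter table projects force row level security;

-- One policy per operation: USING filters rows read, WITH CHECK constrains rows written.
create policy projects_select_own on projects
  for select using (owner_id = current_user_id());
create policy projects_insert_own on projects
  for insert with check (owner_id = current_user_id());
create policy projects_update_own on projects
  for update using (owner_id = current_user_id())
             with check (owner_id = current_user_id());
create policy projects_delete_own on projects
  for delete using (owner_id = current_user_id());

-- Role the application connects as. Table grants alone do not bypass RLS.
create role app_user nologin;
grant select, insert, update, delete on projects to app_user;

-- Check: impersonate two constructed users inside one transaction and confirm
-- that a query as the second user cannot see the first user's row.
begin;
set local role app_user;
select set_config('request.jwt.claim.sub', '11111111-1111-1111-1111-111111111111', true);
insert into projects (owner_id, brief) values (current_user_id(), 'alice brief');
select set_config('request.jwt.claim.sub', '22222222-2222-2222-2222-222222222222', true);
insert into projects (owner_id, brief) values (current_user_id(), 'bob brief');
-- Returns only the rows whose owner_id equals the current JWT subject.
select brief from projects;
-- An insert naming another user's id fails the WITH CHECK clause:
-- insert into projects (owner_id, brief)
--   values ('11111111-1111-1111-1111-111111111111', 'forged');
rollback;
```

Two caveats a reviewer would check: the policies bind to the role the query runs under, so a superuser or any role created with BYPASSRLS (including a back-end service credential) is not filtered by them and must never be exposed to the client; and without FORCE ROW LEVEL SECURITY the table's owner is also exempt. "No query can return another user's data" therefore holds for the application's authenticated role, and the privileged credentials that sit outside it are what the access-control and audit-logging controls below have to cover.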
Access controls. Internal access to production systems is restricted to authorized personnel, requires multi-factor authentication, and is logged for audit purposes.
Audit logging. All administrative actions affecting customer data are written to an immutable audit log table.
Security scanning and review. We run automated security scanning on all generated code before delivery. We conduct periodic security reviews of the platform infrastructure.
Incident response. In the event of a data breach that affects your personal information, we will notify you within 72 hours of becoming aware, as required by applicable law.
No security system is impenetrable. We cannot guarantee absolute security, but we are committed to maintaining appropriate safeguards proportionate to the sensitivity of the data we process.
Regardless of your location, you have the following rights with respect to your personal data:
Access. You may request a copy of the personal data we hold about you.
Correction. You may request correction of inaccurate or incomplete personal data.
Deletion. You may request deletion of your personal data, subject to legal retention requirements (e.g., billing records).
Export (data portability). You may request an export of your project data and deliverables in a machine-readable format.
Opt-out of non-essential processing. If we process any data for purposes beyond service delivery (e.g., optional product improvement), you may opt out.
To exercise any of these rights, email privacy@spectra.app with the subject line "Privacy Request" and a description of your request. We will respond within 30 days. We may need to verify your identity before fulfilling the request.
You will not be discriminated against for exercising your privacy rights.
If you are located in the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your personal data.
Lawful basis for processing. We rely on the following lawful bases:
- Contract performance: processing necessary to provide the Services you have purchased
- Legitimate interest: security monitoring, fraud prevention, and service improvement (anonymized analytics)
- Legal obligation: retention of billing records as required by tax law
- Consent: if we send marketing communications (you may withdraw consent at any time)
Data controller. Studio Tim is the data controller for personal data processed through Spectra.
Data processors. Supabase, Stripe, Vercel, and Anthropic act as data processors on our behalf under data processing agreements.
International transfers. Your data is processed in the United States (Supabase us-east-1). Transfers from the EEA to the US are made under Standard Contractual Clauses (SCCs) as approved by the European Commission.
Additional rights under GDPR. In addition to the rights in Section 9, you have the right to:
- Object to processing based on legitimate interest
- Restrict processing while a dispute is resolved
- Lodge a complaint with your national data protection supervisory authority (for example, the ICO in the UK, or your local EU data protection authority)
Retention review. We periodically review whether we still need to retain the data we hold, consistent with the purposes for which it was collected.
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights.
Right to know. You have the right to request disclosure of the categories of personal information we collect, the purposes for which we use it, the categories of third parties with whom we share it, and the specific pieces of personal information we hold about you.
Right to delete. You have the right to request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal compliance).
Right to correct. You have the right to request correction of inaccurate personal information.
Right to opt out of sale or sharing. We do not sell personal information and do not share personal information for cross-context behavioral advertising purposes. You therefore have no "sale" to opt out of. If this ever changes, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link.
Right to limit use of sensitive personal information. We do not use sensitive personal information (as defined by CPRA) beyond what is necessary to provide the Services.
Non-discrimination. We will not discriminate against you for exercising any of your CCPA rights. We will not deny you Services, charge different prices, or provide a different quality of service because you exercised a privacy right.
How to submit a request. Email privacy@spectra.app with the subject line "California Privacy Request." We will acknowledge receipt within 10 days and respond within 45 days (extendable by 45 additional days with notice).
Authorized agents. A California consumer may designate an authorized agent to make a request on their behalf. We will require proof of the agent's authorization and may verify the consumer's identity directly.
Spectra is not directed at children under the age of 18, and we do not knowingly collect personal information from anyone under 18. If you are under 18, do not use Spectra or submit any personal information.
If we become aware that we have collected personal information from a child under 18 without verified parental consent, we will delete that information promptly. If you believe we may have collected information from a minor, contact us at privacy@spectra.app.
Spectra is operated from the United States. If you are accessing Spectra from outside the United States, your personal data will be transferred to, stored, and processed in the United States, specifically in the AWS us-east-1 region (Northern Virginia).
The United States may not provide the same level of data protection as the laws of your home country. By using Spectra, you consent to the transfer of your data to the United States.
For transfers from the EEA or UK, we rely on Standard Contractual Clauses as the legal mechanism for cross-border data transfer, as described in Section 10.
We may update this Privacy Policy at any time. When we make material changes, we will:
- Post the updated policy on this page with a new effective date
Minor changes (such as typographical corrections or clarifications that do not affect how we process your data) may be made without notice. We encourage you to review this policy periodically.
Your continued use of Spectra after the effective date of the updated policy constitutes your acceptance of the changes.
For privacy-related questions, requests, or concerns:
**Privacy inquiries:** privacy@spectra.app
**General support:** support@spectra.app
**Security issues:** security@spectra.app
Studio Tim, Orlando, Florida, United States
We aim to respond to all privacy inquiries within 5 business days. GDPR and CCPA requests will be acknowledged within 10 days and fulfilled within the timeframes required by applicable law.