Specvo

Privacy policy

Last updated: 2026-04-24

1. Who we are

Specvo (the "service") is operated by the team behind specvo.com (the "operator"). For UK GDPR purposes the operator is the data controller for personal data processed through the service. Contact: support@specvo.com.

2. What we collect

Account data

  • Email address (to authenticate you)
  • Display name & org name (optional, set by you)
  • Stripe customer ID (opaque reference to your payment method — we never see card data)
  • Wallet balance & transaction history (in pence)

Project data

  • Assessment metadata (title, UK address, postcode, dwelling profile you enter)
  • Uploaded files (planning drawings, specifications, U-value calculations — whatever you upload)
  • AI-extracted data (values our pipeline extracts from your files)
  • SAP outputs (the JSON and XML we generate for you)

Technical data

  • IP address (for rate limiting + abuse prevention)
  • Browser user-agent + request metadata in server logs (90 days retention)
  • Strictly-necessary auth cookies (session only; no analytics cookies are set)

3. Legal bases (UK GDPR Article 6)

Purpose | Basis
Provide the service | Performance of contract (Art 6(1)(b))
Bill you & keep financial records | Legal obligation (Art 6(1)(c)) — HMRC 6-year records retention
Prevent abuse, rate-limit, detect fraud | Legitimate interest (Art 6(1)(f))
Run AI extraction on your files | Performance of contract (you asked us to)
Marketing emails | Consent (Art 6(1)(a)) — not used today; will be opt-in if added

4. Automated decision-making

Our AI pipeline extracts candidate values from your drawings and specification. These are not final decisions — the OCDEA (you) reviews every extracted value before downloading the XML and signs for the resulting assessment. This is not automated individual decision-making within the meaning of UK GDPR Article 22 because a human is always in the loop.

5. Processors we use

The current list of sub-processors lives on a dedicated page at /subprocessors. We commit to notifying active users by email at least 14 days before adding, removing, or replacing a sub-processor (UK GDPR Art 28(2) objection right).

Your uploaded drawings and extracted SAP fields are sent to Anthropic and/or Vertex for processing. Both providers contractually agree not to train models on your data under their business-tier terms of use.

6. How long we keep your data

Data | Retention
Account profile | While active; deleted within 30 days of account closure
Projects + uploads | While active; deleted within 30 days of account closure
Frozen assessments (your paid XMLs) | While active; deleted within 30 days of account closure
Financial transactions (wallet + Stripe events) | 6 years from the transaction date — legal obligation under HMRC record-keeping. User-identifying fields are anonymised on account deletion.
Server logs / access logs | 90 days
Admin audit log | 6 years
Wallet balance if inactive | Expires after 12 months of no activity

7. Your rights

Under UK GDPR Articles 15–22 you have the right to:

  • Access your data — in-app export at /account/settings; full DSAR by email
  • Rectify inaccurate data — most fields editable in-app
  • Erase — request from /account/settings or email. Completed within 30 days; financial records are anonymised, not deleted (§6)
  • Restrict or object to processing — email us
  • Data portability — self-serve JSON export
  • Withdraw consent where consent is the basis
  • Complain to the UK ICO at ico.org.uk/make-a-complaint

8. Security

  • TLS 1.2+ for all traffic
  • Encryption at rest (Supabase Postgres + Storage default-encrypted)
  • Row-level security scoped to your account on every table
  • Stripe handles card data — we never see or store PANs (PCI SAQ A)
  • Secrets rotated when staff change; admin actions logged

9. Cookies and similar tracking

We set only strictly-necessary cookies: Supabase session cookies so you stay signed in. We do not set analytics, advertising, or third-party tracking cookies.

We use Sentry for error tracking. Sentry captures unhandled JavaScript errors and request metadata (URL, HTTP status, error message, sanitised stack trace) — no full page replays, no DOM recordings, no PII. This processing is necessary for service security and stability (legitimate interest, Art 6(1)(f)).

10. Children

Specvo is a B2B tool for qualified OCDEAs. We don't knowingly collect data from children under 18.

11. Changes to this policy

Material changes will be emailed to active users at least 14 days before taking effect.

12. Contact

Email support@specvo.com.