Spec Stormer

Privacy Policy

Last updated 2026-06-05

A plain-language overview of how Spec Stormer handles your data, written while the product is in early access. It does not replace your own legal advice.

Who we are

Spec Stormer is operated by De Groot Diensten (Netherlands Chamber of Commerce / KVK 76220826), the Netherlands. De Groot Diensten is the data controller for personal data processed through the service. For any privacy request or question, contact us below.

Information we collect

We collect: account details (email and authentication identifiers); content you create (project names, idea dumps, plans, questions, answers, comments, walk-session transcripts, generated proposals, chat messages, and exports); voice audio you record, which is sent for transcription; billing identifiers from Stripe (customer and subscription IDs — never your card number); usage records (AI calls, tokens, audio seconds); and technical data such as IP address, device/browser information, and timestamps in our logs.

Why we use it and our legal basis

We use your data only for specific purposes, each with a legal basis under the GDPR: to provide the service you signed up for — authentication, generating and refining plans, processing walk sessions, and running your subscription (performance of our contract, Art. 6(1)(b)); to keep the service secure, prevent abuse, debug problems, and improve it (our legitimate interests, Art. 6(1)(f), which you can object to); to meet tax, accounting, and other legal duties tied to billing (legal obligation, Art. 6(1)(c)); and, where required, with your consent (Art. 6(1)(a)). We do not sell your personal data or use it for third-party advertising.

AI processing and the providers we use

To run the product we share the minimum necessary data with processors who act on our instructions: Supabase (authentication and database storage, hosted in the EU); Stripe (payment processing); Inngest (background jobs); Vercel (hosting, logs, and privacy-friendly analytics); and AI providers — OpenAI, xAI, and Anthropic — for generation, scoring, chat, walk sessions, and voice-comment transcription. Provider processing is governed by the provider contracts, data-processing terms, and account settings used for this service.

International transfers

Some providers (for example OpenAI, xAI, Anthropic, and Vercel) process data outside the European Economic Area, including in the United States. Where that happens, we rely on the transfer safeguards available through those providers, such as adequacy decisions, Standard Contractual Clauses, and data-processing terms.

Cookies and analytics

We use strictly necessary cookies to keep you signed in (Supabase session cookies). For product analytics we use Vercel Analytics, which is privacy-friendly and does not set tracking cookies or build cross-site profiles. We do not use advertising or third-party marketing trackers. If we later add cookie-based analytics or marketing trackers, we will update this policy and the consent flow before using them.

How long we keep it

We keep account and project data while your account is active and for as long as needed afterward to cover backups, security, abuse prevention, support, and legal obligations. Billing records are kept for the statutory period required by Dutch law. Technical logs are kept for a limited period. When data is no longer needed for a lawful purpose, it is deleted or anonymised.

Your rights

Under the GDPR you can request access to your personal data, and ask us to correct, delete, restrict, or port it, or object to processing based on legitimate interests. Where processing relies on consent, you can withdraw it at any time. To exercise any right, email the contact below; we respond within the legal time limits. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local supervisory authority.

Children

Spec Stormer is not directed to children. You must be legally able to create an account and use paid digital services in your country. We do not knowingly collect data from children; if you believe a child has used the service, contact us and we will delete the data.

Security

We use Supabase authentication, row-level access controls, server-only service-role credentials, HTTPS, provider-side payment handling, environment-scoped secrets, webhook verification, and operational logging. No service is perfectly secure. Please do not submit special-category data (such as health, biometric, or other sensitive information), regulated data, or other people's personal data unless you have a lawful basis and the right to do so.

Changes to this policy

We may update this policy as the product and our providers evolve. We will change the date above and, for material changes, give reasonable notice. Continued use after an update means you accept the revised policy.

Contact

Privacy requests can be sent to support@spec-stormer.com.