Privacy Policy

Last updated: March 4, 2026

1. What We Collect

Specter collects the minimum data needed to operate the service:

  • Account data: Email address and authentication credentials when you sign up.
  • Product signals: Behavioral signals (page views, clicks, errors, custom events) sent from your product to our API via the SDK, script tag, or webhook integrations.
  • Usage analytics: We use PostHog to track how you use the Specter dashboard (page visits, feature usage). PostHog is self-hosted/proxied to minimize third-party data exposure.
  • Payment data: Billing is handled entirely by Stripe. We never see or store your credit card number.

2. How We Use Your Data

  • To operate the Specter service: analyzing signals, generating improvement proposals, and verifying deployments.
  • To enforce rate limits and plan quotas.
  • To send webhook notifications you configure.
  • To improve the product based on aggregate usage patterns.

3. Signal Data

Signals sent via the SDK, script tag, or webhook are stored in our database and processed by our analysis engine. Signal payloads may contain data you choose to send (URLs, element identifiers, error messages). We do not collect passwords, credit card numbers, or personal health information via signals. The script tag auto-track module captures page URLs, element tags/text, and error messages — it does not capture form field values.

4. Third-Party Services

  • Supabase: Database and authentication hosting.
  • Stripe: Payment processing.
  • Vercel: Application hosting and edge delivery.
  • MiniMax: AI analysis of signal patterns (signal data is sent to generate proposals).
  • PostHog: Product analytics for the Specter dashboard itself.

5. Data Retention

Signal data is retained for up to 24 months from the date of collection for analysis purposes. Signals older than 24 months may be automatically purged. Proposals and deployments are retained as long as your account is active. You can delete your account and all associated data at any time from the Account tab in Settings, or by contacting us. Upon account deletion, all data is permanently removed within 30 days.

6. Security

All data is transmitted over HTTPS. API keys authenticate signal ingestion but do not grant read access to your data. Database access is protected by Row-Level Security policies. Webhook URLs are validated against SSRF attacks before use.

7. Your Rights

You may request access to, correction of, or deletion of your personal data at any time. Contact us at the email below.

8. Contact

For privacy-related questions, contact: privacy@draftlabs.org