Privacy Policy
Last updated: June 4, 2026
This policy explains what data Specwise collects when you use our platform, why we collect it, who we share it with, and the choices you have. Specwise turns a requirements document into a Playwright test suite, a requirement-to-test-to-result traceability matrix, and audit exports. Some of that work involves processing the documents you upload, so we want to be plain about how that happens.
1. Data we collect
We collect the following categories of data:
- Account information. Your name, email address, and the name of the organization you create or join. Passwords are stored only as a salted hash, never in plain text.
- Uploaded documents. The business and product requirements documents (BRDs, PRDs, and similar files) you upload so Specwise can extract requirements from them.
- Generated content. The requirements, test cases, test runs, and test results produced from your documents and your activity in the product, including any evidence you attach to a test run.
- Usage and audit logs. Records of actions taken in your organization. Every change is written to an append-only audit log, along with standard request metadata such as timestamps and IP address.
2. How we use your data
We use the data above to:
- Provide the product — parse documents, extract requirements, generate draft test cases, build the traceability matrix, and produce exports.
- Authenticate you and keep your organization's data isolated from other organizations.
- Maintain security, prevent abuse, and keep an audit trail of changes.
- Operate billing for paid plans and communicate with you about your account, including service and security notices.
- Diagnose problems and improve the reliability of the service.
We do not sell your data, and we do not use the contents of your uploaded documents to train our own models.
3. AI processing and PII scrubbing
When you ask Specwise to extract requirements or generate test cases, the relevant content from your documents is sent to a third-party large language model (LLM) provider to produce the draft output. The providers we use are listed as subprocessors below.
Before content is sent to an LLM provider, Specwise runs a best-effort, pattern-based scrubber that attempts to redact detectable personal data (such as email addresses, phone numbers, government identifiers, card-shaped numbers, and IP addresses). This is a risk-reduction step, not a guarantee of de-identification — it cannot detect every form of personal or sensitive data, so you should avoid placing data you are not comfortable processing with a third-party LLM into the documents you upload. Generated requirements and test cases are non-deterministic drafts that require human review.
4. Subprocessors
We rely on the following third-party providers to operate the service. Each processes data only as needed to provide its function:
| Provider | Purpose |
|---|---|
| Google Cloud | Application hosting (Cloud Run) and file storage (Cloud Storage) for the documents and artifacts you upload and generate. |
| Azure OpenAI, OpenAI, Anthropic | LLM providers used, in that fallback order, to generate requirements and test cases from your (PII-scrubbed) document content. |
| Resend | Transactional email delivery (for example, account verification and notifications). |
We update this list as our subprocessors change. A self-hosted deployment option, which keeps document content within your own environment, is on our roadmap for customers who cannot send specifications to a third party.
5. Security
The controls below are implemented in the product today:
- Encryption in transit. Traffic to and from Specwise is protected with TLS.
- Tenant isolation. Every database query is scoped by organization_id, so one organization's data is not returned to another.
- Append-only audit log. Mutations are recorded in a log that is written to but not edited in place.
- Authentication. Short-lived access tokens with rotated refresh tokens, and password hashing with bcrypt.
No system is perfectly secure, and we do not claim any third-party certification or attestation (such as SOC 2) for Specwise. Where you need evidence for your own audit, the traceability matrix and compliance exports are designed to be produced from your data — you remain responsible for your own compliance.
6. Data retention
We retain your account data, documents, and generated content for as long as your organization maintains an active account, so the product remains usable. Audit log retention depends on your plan (for example, 7 days on Starter and 1 year on Growth). When you delete content, or when an account is closed, we delete or de-identify the associated data within a commercially reasonable period, except where we must retain it to meet a legal or accounting obligation. Backups are purged on a rolling cycle.
7. Your rights
Depending on where you are located, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can export your traceability data and generated artifacts directly from the product, and you can request access or deletion of your personal data by contacting us at the address below. We respond to verified requests within the time required by applicable law. If your organization is the controller of data you have placed in Specwise, we will direct certain requests to that organization.
9. International data transfers
Specwise is operated using cloud infrastructure and subprocessors that may store or process data in countries other than the one in which you are located. Where such transfers occur, we rely on appropriate safeguards as required by applicable law (such as standard contractual clauses). The specific governing law and data-protection terms are set out in our agreement with you; where a specific legal detail is required and not yet finalized it is marked as a placeholder below.
10. Changes to this policy
We may update this policy as the product and our practices change. When we make a material change, we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of Specwise after an update means you accept the revised policy.
11. Contact us
Questions about this policy or your data can be sent to hello@specwise.dev, or see our contact page. The legal entity responsible for your data is [legal entity name], located at [registered business address]. Data-protection inquiries can be directed to [data protection contact].