Privacy Policy
Last updated: 2026-05-16
SpecStep ("we", "us", "our") provides an agentic documentation-generation service operated at specstep.com. SpecStep is owned and operated by No Compromise AI, a Delaware corporation (www.nocompromise.ai). This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. By using SpecStep, you agree to the practices described here.
1. What we collect
1.1 Information you provide directly
- Account identity: when you sign in via Google, GitHub, or Microsoft, we receive your email, display name, and the provider's stable user identifier. We do not see or store your password — authentication is handled by your chosen identity provider.
- Profile fields you set: contact phone number, SMS phone number (verified via 6-digit code), and notification preferences.
- Interview content: the conversation you have with the SpecStep agents to capture your project's vision, requirements, and architecture inputs.
- Reference documents: any files you optionally attach to an interview (PDFs, design references, prior specs).
- External storage connections: when you connect a OneDrive, SharePoint, or Google Drive folder, we store the folder identifier and display name, the connection status, and an encrypted OAuth access token and refresh token (where the provider issues one). We use read-only access scoped to the single folder you select; we do not scan or store the broader contents of your cloud storage. File contents from the connected folder are read transiently during an interview and materialized as reference-document records tied to that interview.
- Source-control configuration: when you opt in to repository delivery, the repository details you specify for GitHub, Azure DevOps, GitLab, or Bitbucket. We write to your repository only at delivery time and never read your source code.
- Outbound webhook settings: when you configure a webhook, we store the destination URL and an HMAC signing secret (encrypted at rest). We use these only to deliver generation lifecycle events you subscribed to.
- Bring-your-own LLM API keys: if your account is configured for developer access, you may paste an API key for a supported LLM provider (currently Anthropic and OpenAI). We validate the key once against the provider's API, then store only an encrypted ciphertext of the key and its last four characters for display. The raw key is never logged or stored in plaintext.
- Bug reports: title, description, severity level, and diagnostic context (current route, browser user-agent, generation and interview identifiers if applicable) that you submit when reporting a problem.
1.2 Information generated by your use of the service
- Generated packages: the documentation packages produced by your generations, including all intermediate artifacts (rubric scores, agent reviews, decision logs).
- API keys: when you create a SpecStep API key, we store only a salted SHA-256 hash of it plus its first 8 characters (the "prefix") for display. The raw key is shown to you exactly once at creation and never stored.
- MCP OAuth tokens: when a third-party tool (such as a code editor extension) authorizes against SpecStep via OAuth, we issue a bearer token to that tool. We store only the SHA-256 hash and an 8-character prefix; the raw token is returned once and never stored. In the current version of the service, tokens carry the full permissions of your account; they expire 90 days after issuance. You can revoke them at any time in Settings.
- Profile photo: if your sign-in provider is Microsoft Entra and your account has a profile photo, we cache the photo bytes along with a content-type and cache timestamp. If your sign-in provider is Google or GitHub, we store the CDN URL your provider supplies, not the photo bytes. Profile photos are deleted when you delete your account.
- Usage telemetry: timestamps, costs, error rates, LLM provider and model identifiers, token counts. Used to operate the service, bill subscriptions, and improve quality.
- Audit log: a record of significant actions (sign-ins, generations started and completed, role changes, API key and webhook lifecycle events, billing events, external-connector connections and revocations, OAuth token issuance and revocation) with timestamps and the actor identity.
- Recycle bin and soft-delete records: when you or the automated retention policy deletes a package or interview, we retain a soft-deleted record (with a deletion timestamp) in your Recycle Bin. You can permanently delete the item yourself at any time (both the database record and the underlying file are removed in the same operation), or wait — our automated nightly sweep permanently removes soft-deleted items 30 days after the soft-delete timestamp.
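The following is an added illustration of the hash-and-prefix storage described above for API keys and MCP OAuth tokens. It is example code, not SpecStep's implementation: the key format (an "ss_" prefix followed by a random token), the 16-byte salt, and the in-memory store are assumptions, since the policy states only that a salted SHA-256 hash and an 8-character prefix are kept. It shows why the prefix is needed (a salted digest cannot be looked up directly), how expiry applies to the 90-day tokens, and that verification compares digests in constant time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PREFIX_LEN = 8       # the page states an 8-character prefix is kept for display
KEY_PREFIX = "ss_"   # assumption: the page does not say what a raw key looks like


def salted_sha256(salt: bytes, raw_key: str) -> bytes:
    """SHA-256 over salt || key. A per-record salt means two identical keys
    (or the same key issued twice) never produce the same stored digest."""
    return hashlib.sha256(salt + raw_key.encode("utf-8")).digest()


@dataclass
class KeyRecord:
    prefix: str                     # first 8 characters, safe to show in Settings
    salt: bytes
    digest: bytes                   # salted SHA-256; the raw key is not stored
    expires_at: Optional[datetime]  # None for API keys; issuance + 90 days for tokens
    revoked: bool = False


class KeyStore:
    """In-memory stand-in for the credentials table (hypothetical, not SpecStep's code)."""

    def __init__(self) -> None:
        self._by_prefix: dict[str, list[KeyRecord]] = {}

    def issue(self, ttl: Optional[timedelta] = None,
              now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        raw = KEY_PREFIX + secrets.token_urlsafe(32)   # ~256 bits of entropy
        salt = secrets.token_bytes(16)
        record = KeyRecord(
            prefix=raw[:PREFIX_LEN],
            salt=salt,
            digest=salted_sha256(salt, raw),
            expires_at=(now + ttl) if ttl else None,
        )
        self._by_prefix.setdefault(record.prefix, []).append(record)
        return raw   # returned exactly once; only the record above is persisted

    def verify(self, presented: str, now: Optional[datetime] = None) -> bool:
        """Find candidates by prefix (a salted digest cannot be indexed),
        then recompute the digest and compare in constant time."""
        now = now or datetime.now(timezone.utc)
        for record in self._by_prefix.get(presented[:PREFIX_LEN], []):
            if record.revoked:
                continue
            if record.expires_at is not None and now >= record.expires_at:
                continue
            if hmac.compare_digest(salted_sha256(record.salt, presented), record.digest):
                return True
        return False

    def revoke(self, prefix: str) -> int:
        """Revoke every live credential with this prefix; returns how many were revoked."""
        count = 0
        for record in self._by_prefix.get(prefix, []):
            if not record.revoked:
                record.revoked = True
                count += 1
        return count


def key_storage_scenario() -> dict:
    """Issue an API key and a 90-day token at a fixed instant, then exercise
    verification, tampering, expiry and revocation."""
    t0 = datetime(2026, 5, 16, tzinfo=timezone.utc)
    store = KeyStore()
    api_key = store.issue(now=t0)
    token = store.issue(ttl=timedelta(days=90), now=t0)
    tampered = api_key[:-1] + ("x" if api_key[-1] != "x" else "y")
    return {
        "api_key_valid": store.verify(api_key, now=t0),
        "tampered_rejected": not store.verify(tampered, now=t0),
        "token_valid_day_89": store.verify(token, now=t0 + timedelta(days=89)),
        "token_expired_day_90": not store.verify(token, now=t0 + timedelta(days=90)),
        "revoked_count": store.revoke(api_key[:PREFIX_LEN]),
        "revoked_rejected": not store.verify(api_key, now=t0),
        "display_prefix": api_key[:PREFIX_LEN],
    }
```

Because the digest is salted, a leaked table cannot be joined against other leaks or checked against a candidate key without also reading the salt column; the prefix is the only part of the key that is searchable, which is exactly why it is the part shown in Settings.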
1.3 Information from third-party services
- Identity providers (Google, GitHub, Microsoft): when you sign in, the provider tells us whether your email address is verified. Unverified emails do not auto-link to existing accounts.
- Stripe: when you start a paid subscription, Stripe handles checkout and payment-method capture. Stripe notifies us via webhook of subscription state changes (subscription created, renewed, canceled, and payment failures). We receive a customer identifier, subscription identifier, subscription state, and renewal dates — never card numbers, CVCs, or full bank details.
- Azure Communication Services: when we send you an email or SMS, ACS may record delivery telemetry (delivered, bounced) and forward it back to us.
1.4 Anonymous traffic measurement
We measure aggregate traffic to our public pages (home, pricing, API docs, agent pages) using a self-hosted, cookieless approach. For each page view we compute a one-way hash of your IP address and user-agent combined with a salt that rotates every 24 hours. We use the free DB-IP Lite database (CC BY 4.0) to derive a two-letter country code from your IP before discarding the IP. We never store your IP address, never set a tracking cookie that persists across days, and never share this data with any third party. The hash cannot be linked across days: when the salt rotates, your visit appears as a fresh visitor.
We use this only to count visitors, identify popular pages, and measure how many visitors create accounts. Raw page-view records are kept for 30 days and then deleted; daily aggregates are kept indefinitely. We honor the DNT: 1 browser header by not recording the visit at all.
A short-lived (24-hour) HttpOnly first-party cookie carries the day's hash so that if you create an account during the same day you visited the marketing site, we can attribute the signup to the referring page; it contains no personally identifying information. This is consistent with our prior commitment to no browser fingerprinting, no advertising identifiers, and no cross-site tracking.
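An added example of the daily-salted visitor hash described above. This is illustrative code, not SpecStep's measurement service: the choice of HMAC-SHA256 with the salt as key, the 32-byte salt, the record layout, and the tiny country table (constructed for the demo; the real DB-IP Lite database is not used) are all assumptions. What it demonstrates is the property the policy relies on: two visits by the same browser on the same day hash identically, the same browser on the next day does not, a DNT: 1 request is never written, and the stored record contains no IP.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date, datetime, timezone
from typing import Optional

# Constructed stand-in for the country lookup, keyed on the first two IPv4
# octets. These mappings are invented for the demonstration.
_CONSTRUCTED_COUNTRY_TABLE = {"203.0": "AU", "198.51": "US"}


def country_for(ip: str) -> str:
    """Country code derived from the IP before the IP is discarded ('ZZ' = unknown)."""
    return _CONSTRUCTED_COUNTRY_TABLE.get(".".join(ip.split(".")[:2]), "ZZ")


class DailyVisitorHasher:
    """Keyed one-way hash of (IP, User-Agent). The key is a random salt replaced
    at the first request of each UTC day; the old salt is overwritten, not kept,
    so yesterday's identifiers can neither be recomputed nor joined to today's."""

    def __init__(self) -> None:
        self._salt_day: Optional[date] = None
        self._salt: bytes = b""

    def _salt_for(self, day: date) -> bytes:
        if day != self._salt_day:
            self._salt_day, self._salt = day, secrets.token_bytes(32)
        return self._salt

    def visitor_hash(self, ip: str, user_agent: str, when: datetime) -> str:
        salt = self._salt_for(when.astimezone(timezone.utc).date())
        # HMAC with the salt as key: without the salt, someone holding the
        # records cannot brute-force the small IPv4 space to recover IPs.
        message = ip.encode() + b"\x00" + user_agent.encode()
        return hmac.new(salt, message, hashlib.sha256).hexdigest()


class PageViewLog:
    """Raw page-view records as this example stores them: day, path, country,
    visitor hash. No IP, no user-agent."""

    def __init__(self) -> None:
        self._hasher = DailyVisitorHasher()
        self.records: list[dict] = []

    def record(self, *, ip: str, user_agent: str, path: str,
               dnt: Optional[str], when: datetime) -> Optional[dict]:
        if dnt == "1":
            return None  # DNT: 1 -> the visit is not written at all
        rec = {
            "day": when.astimezone(timezone.utc).date().isoformat(),
            "path": path,
            "country": country_for(ip),
            "visitor": self._hasher.visitor_hash(ip, user_agent, when),
        }
        self.records.append(rec)
        return rec

    def unique_visitors(self) -> dict[tuple[str, str], int]:
        """Daily aggregate: distinct visitor hashes per (day, path)."""
        seen: dict[tuple[str, str], set] = defaultdict(set)
        for r in self.records:
            seen[(r["day"], r["path"])].add(r["visitor"])
        return {key: len(hashes) for key, hashes in seen.items()}


def traffic_scenario() -> dict:
    """Constructed visits: one visitor twice on day 1, a second visitor on day 1,
    the first visitor again on day 2, and a DNT visitor."""
    log = PageViewLog()
    ua = "Mozilla/5.0 (constructed)"
    day1 = datetime(2026, 5, 16, 9, 0, tzinfo=timezone.utc)
    day2 = datetime(2026, 5, 17, 9, 0, tzinfo=timezone.utc)
    a1 = log.record(ip="203.0.113.7", user_agent=ua, path="/pricing", dnt=None, when=day1)
    a2 = log.record(ip="203.0.113.7", user_agent=ua, path="/pricing", dnt=None, when=day1)
    b1 = log.record(ip="198.51.100.9", user_agent=ua, path="/pricing", dnt=None, when=day1)
    a3 = log.record(ip="203.0.113.7", user_agent=ua, path="/pricing", dnt=None, when=day2)
    dnt = log.record(ip="203.0.113.7", user_agent=ua, path="/", dnt="1", when=day1)
    counts = log.unique_visitors()
    return {
        "same_day_linked": a1["visitor"] == a2["visitor"],
        "cross_day_unlinked": a1["visitor"] != a3["visitor"],
        "different_visitors_differ": a1["visitor"] != b1["visitor"],
        "dnt_dropped": dnt is None,
        "ip_absent": all("203.0.113.7" not in str(r) for r in log.records),
        "country": a1["country"],
        "day1_pricing_uniques": counts[("2026-05-16", "/pricing")],
        "day2_pricing_uniques": counts[("2026-05-17", "/pricing")],
    }
```

The unlinkability claim rests on one operational detail that a plain hash does not give you for free: the previous day's salt must actually be destroyed at rotation. If old salts are archived anywhere (a config backup, a log line), the 30-day raw records can be joined back into a per-visitor trail.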
2. What we don't collect
- Payment card details. Stripe handles billing; we never see card numbers or bank account details.
- Source code from your repositories. When you configure repository delivery, SpecStep commits generated files to a feature branch; it does not read, copy, or analyze your existing source code.
- Files beyond what you explicitly provide. When you connect an external storage folder (OneDrive, SharePoint, Google Drive), we access only the specific folder you select — not your broader cloud storage, other drives, or other accounts.
- Browser fingerprinting data, advertising identifiers, or cross-site tracking signals.
- The plaintext of API keys (yours or third-party LLM provider keys) beyond the moment of initial input. We hash SpecStep API keys and encrypt third-party LLM provider keys; the raw value is not retained.
3. How we use your information
- To run the service: provision your account, run generations, deliver packages, send notifications you opted into, enforce quotas, surface usage in your Settings, dispatch outbound webhooks for generation lifecycle events you subscribed to, fetch files from connected external storage folders to populate interview reference documents, route LLM calls to your configured provider when you supply a bring-your-own key, and authenticate third-party tool requests made with an MCP OAuth token you authorized.
- To bill you: track your subscription tier, count generations against your monthly quota, sync state with Stripe.
- To support you: respond to questions you send to hello@specstep.com; triage bug reports you submit or that the platform auto-files when a generation fails; the operator may receive a notification when you sign up so they can welcome you directly.
- To improve the service: aggregate, anonymized usage statistics may be used to improve agents, rubrics, and the platform. We do not use the content of your interviews or generations to train any LLM.
- To comply with law: respond to legitimate legal requests, prevent fraud or abuse, enforce our Terms.
4. Third parties we share information with
4.1 LLM providers
SpecStep sends your interview content and intermediate artifacts to large language model providers so the agents can produce your package. When you use the platform's managed service, the current providers are Anthropic and OpenAI. When you supply a bring-your-own API key, your content is sent to that provider using your key, under the terms of your own agreement with the provider. Both Anthropic and OpenAI have committed to not training their public models on data sent through their commercial APIs. We send the minimum necessary data and redact obvious secrets before sending. We cannot make commitments about the data policies that apply under provider accounts you configure yourself.
4.2 External storage providers
When you connect a folder from an external storage service, SpecStep communicates with that provider's API on your behalf using the OAuth credential you authorized. For OneDrive and SharePoint connections, we communicate with the Microsoft Graph API. For Google Drive connections, we communicate with the Google Drive REST API. These calls are limited to reading file listings and file contents within the specific folder you selected. We do not transmit your data to the storage provider beyond what is necessary to fulfill the folder-sync request.
4.3 Infrastructure providers
- Microsoft Azure: hosts the application, the database (PostgreSQL), the cache (Redis), and the blob storage for packages and data exports.
- Azure Communication Services: sends transactional email and SMS.
- Twilio: may be used for SMS delivery in some configurations.
- Stripe: handles billing and subscription management.
- Cloudflare: provides DNS for the specstep.com domain.
- GitHub, Azure DevOps, GitLab, Bitbucket: when you configure repository delivery, SpecStep writes generated package files to a branch in the repository you specified. Only the generated output files are transmitted; no personal information beyond the OAuth credential you provided is shared.
4.4 We don't sell or share your data
We do not sell your personal information. We do not share it with advertisers or data brokers. We do not use it for cross-context behavioral advertising. We do not share it with any party for any purpose unrelated to operating the SpecStep service.
5. How long we keep your information
- Account and profile: as long as your account is active. When you delete your account, all linked data is permanently removed within a short processing window (typically minutes; at most 24 hours). The account-deletion request itself is retained as an audit record after the deletion completes.
- Generated packages: until you delete them or until the retention window for your subscription tier elapses (configurable in Settings → Retention). Soft-deleted packages remain in your Recycle Bin for up to 30 days — you can permanently delete them yourself at any time (both the database record and the underlying zip file are removed in the same operation), or our automated nightly sweep removes them 30 days after the soft-delete timestamp.
- External connector credentials: encrypted OAuth access and refresh tokens are retained until you disconnect the folder, revoke the connection, or delete your account. Access tokens are refreshed automatically (using the stored refresh token, where the provider issued one) when they near expiry.
- MCP OAuth tokens: 90 days from issuance. Tokens are not automatically renewed; the connected tool must re-authorize on expiry. You can revoke any token at any time in Settings.
- Bring-your-own LLM provider keys: the encrypted key ciphertext is retained until you revoke the key in Settings or delete your account.
- API keys: the SHA-256 hash and prefix are retained until you revoke the key.
- Data exports: when you request a data export, we generate a download file and make it available via a signed download link for 7 days. After 7 days the link expires.
- Usage telemetry: 90 days for detailed traces, longer for aggregated billing records (required for tax and accounting purposes, typically 7 years).
- SMS verification codes: stored only as a hash, and deleted after 10 minutes or upon successful verification, whichever comes first.
- Pending external storage attach sessions: temporary session data for connecting an external folder expires after 30 minutes.
- Profile photos: deleted when you delete your account.
- Bug reports: retained until our support team triages and resolves the report. We do not apply an automatic deletion schedule to open bug reports.
- Audit log: 90 days for detailed event records. Billing-related records are retained for the period required by applicable accounting law (typically 7 years). After you delete your account, audit events you generated are retained but both your identity and the free-text detail attached to those events are anonymized — only the action timestamp and action name remain.
6. Your rights
You have the right to:
- Access the personal information we hold about you.
- Export your account data via Settings → Data Export. The export includes your profile, settings, audit events, interview and generation metadata, and a README describing the export format. API key values and LLM provider key values are not included in the export for security reasons. The download link is available for 7 days from when the export is prepared.
- Correct any inaccurate information by editing your profile or emailing hello@specstep.com.
- Delete your account at any time via Settings → Delete account. Account deletion is permanent and removes all linked data, including generations, packages, interviews, reference documents, external storage connections, API keys, OAuth tokens, notification preferences, subscription records, and source-control settings. The deletion request is processed within 24 hours and confirmed by email.
- Disconnect external storage at any time via the Integrations panel in Settings. Disconnecting revokes SpecStep's access to the folder immediately.
- Revoke MCP OAuth tokens for any connected third-party tool at any time via Settings.
- Opt out of non-essential email and SMS notifications via Settings → Notifications.
- Withdraw consent for any optional data processing.
If you are in the European Economic Area, the United Kingdom, California, or another jurisdiction with specific privacy rights, those rights apply to your use of SpecStep regardless of where we operate.
7. Security
We protect your information with technical and organizational measures including:
- TLS 1.2 or higher for all network traffic.
- Encryption at rest for the database and blob storage.
- Application-layer encryption (using ASP.NET Core Data Protection) for OAuth credentials and bring-your-own LLM API keys stored in the database.
- SHA-256 hashing with prefix storage for API keys and MCP OAuth tokens; plaintext is never retained after initial issuance.
- HMAC signing for all outbound webhook deliveries.
- Scoped access for infrastructure operators.
- Structured audit logging of authentication, credentialing, and billing events.
- Short-lived verification codes for SMS flows.
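The HMAC signing of webhook deliveries listed above is only useful if the receiving side checks it properly. The following is an added example of a sender and a verifying receiver, not SpecStep's implementation: the header names (X-SpecStep-Signature, X-SpecStep-Timestamp), the "v1=" hex layout, the timestamp-in-MAC construction, and the five-minute replay window are all assumptions, since the policy states only that deliveries are HMAC-signed with a per-webhook secret. The event payload and secret are constructed for the demo.

```python
import hashlib
import hmac
import json

# Hypothetical header names and signature layout: the page states only that
# outbound deliveries are HMAC-signed with a per-webhook secret.
SIG_HEADER = "X-SpecStep-Signature"
TS_HEADER = "X-SpecStep-Timestamp"
MAX_SKEW_SECONDS = 300  # replay window enforced by this example's receiver


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body bytes>', hex-encoded with a version tag.
    Binding the timestamp into the MAC stops an attacker from reusing a
    captured signature with a fresh timestamp."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "v1=" + mac.hexdigest()


def build_delivery(secret: bytes, event: dict, now: int) -> tuple[dict, bytes]:
    """Sender side: serialize once, then sign exactly the bytes put on the wire."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "Content-Type": "application/json",
        TS_HEADER: str(now),
        SIG_HEADER: sign(secret, now, body),
    }
    return headers, body


def verify_delivery(secret: bytes, headers: dict, body: bytes, now: int) -> bool:
    """Receiver side. Reject missing or malformed timestamps and stale deliveries
    before doing any MAC work, then compare digests in constant time over the
    raw request body (never over a re-serialized parse of it)."""
    ts_raw = headers.get(TS_HEADER)
    if ts_raw is None or not ts_raw.isdigit():
        return False
    ts = int(ts_raw)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body)
    provided = str(headers.get(SIG_HEADER, ""))
    return hmac.compare_digest(expected.encode(), provided.encode())


def webhook_scenario() -> dict:
    """Constructed delivery: a lifecycle event signed with a constructed secret,
    then checked under several receiver conditions."""
    secret = b"constructed-webhook-secret-not-real"
    event = {"event": "generation.completed", "generation_id": "gen_example"}  # constructed
    t0 = 1_780_000_000
    headers, body = build_delivery(secret, event, now=t0)
    tampered = body.replace(b"completed", b"failed")
    reserialized = json.dumps(json.loads(body)).encode()  # same JSON, different bytes
    no_sig = {k: v for k, v in headers.items() if k != SIG_HEADER}
    return {
        "valid": verify_delivery(secret, headers, body, now=t0 + 5),
        "tampered_rejected": not verify_delivery(secret, headers, tampered, now=t0 + 5),
        "wrong_secret_rejected": not verify_delivery(b"other", headers, body, now=t0 + 5),
        "replay_rejected": not verify_delivery(secret, headers, body, now=t0 + 600),
        "missing_signature_rejected": not verify_delivery(secret, no_sig, body, now=t0),
        "reserialized_rejected": not verify_delivery(secret, headers, reserialized, now=t0),
        "reserialized_bytes_differ": reserialized != body,
    }
```

The "reserialized" case is the one receivers most often get wrong: parsing the JSON and dumping it again changes whitespace or key order, so the MAC no longer matches even though the data is identical. Read the raw body bytes from the request and verify those before parsing anything.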
No system is perfectly secure. If you discover a vulnerability or have reason to believe your account has been compromised, contact us immediately at hello@specstep.com. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.
8. Children
SpecStep is intended for software developers and is not directed to children under 16. We do not knowingly collect information from children. If you believe we have done so inadvertently, contact us and we will delete the information.
9. International data transfers
SpecStep is operated from the United States and its primary infrastructure runs on Microsoft Azure in US regions. If you are located in the European Economic Area, the United Kingdom, or another region with laws governing transfers of personal data to other countries, your information will be transferred to and processed in the United States.
We rely on the EU-US Data Privacy Framework for transfers from the European Economic Area, the United Kingdom (under the UK Extension to the DPF), and Switzerland to the United States. No Compromise AI participates in the Data Privacy Framework and complies with its principles.
When you connect an external storage service (OneDrive, SharePoint, Google Drive) or configure repository delivery, your interaction data is also processed by those providers pursuant to their own privacy policies and transfer mechanisms.
10. Changes to this policy
We may update this Privacy Policy as the service evolves. The "Last updated" date at the top of this page reflects the current version. Material changes (e.g., new categories of data sharing) will be announced via email to your account address before they take effect.
11. Contact
Questions, requests, or complaints about privacy: hello@specstep.com. SpecStep is operated by No Compromise AI, a Delaware corporation — learn more at www.nocompromise.ai.