Privacy Policy

Last updated: April 1, 2026

This Privacy Policy describes how Quassum MB ("we", "us", "our"), a company registered in Lithuania, collects, uses, and protects your personal data when you use SpecSource.ai (the "Service").

Data We Collect

Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign up via GitHub or Google, we receive your public profile information from those providers.

Connected Tool Data

When you connect third-party services (Linear, Sentry, GitHub, Slack), we access data from those services using OAuth tokens or API keys you provide. This includes:

  • Linear: Issue titles, descriptions, labels, comments, and project metadata
  • Sentry: Error messages, stack traces, event metadata, and tags
  • GitHub: Source code files, commit history, pull request descriptions, and repository metadata
  • Slack: Messages and threads relevant to issues being researched

We only access the data necessary to generate specifications for your Linear issues.

Usage Data

We collect information about how you use the Service, including agent run history, feature usage, and performance metrics.

How We Use Your Data

We use your data to:

  • Generate specifications — Our AI agent reads your Linear issues and gathers context from your connected tools to write detailed specifications.
  • Detect duplicates — We generate vector embeddings of your Linear issues to identify duplicate or related issues using semantic matching.
  • Improve the Service — We use aggregated, anonymized usage data to improve reliability and performance.
  • Communicate with you — We send transactional emails related to your account and, if you opt in, product updates.

We do not sell your personal data. We do not use your code, issues, or specifications to train AI models.

Third-Party Services

We use the following third-party services to operate SpecSource:

  • AI model providers (OpenAI, Anthropic) — Your issue data and gathered context are sent to AI model providers to generate specifications. These providers process data according to their API terms and do not use API inputs for model training.
  • Polar.sh — Handles subscription billing and payment processing. We do not store payment card details.
  • Analytics providers — We use privacy-respecting analytics to understand Service usage.
  • Hosting infrastructure — The Service is hosted on cloud infrastructure within the European Union where possible.

Data Security

We take the security of your data seriously:

  • Encryption at rest — All sensitive data, including OAuth tokens, API keys, and credentials, is encrypted at rest using industry-standard encryption algorithms.
  • Encryption in transit — All data transmitted between your browser and our servers is encrypted using TLS.
  • Access controls — Access to production data is restricted to authorized personnel on a need-to-know basis.
  • Token scoping — OAuth tokens are requested with the minimum scopes necessary for the Service to function.

Data Retention

  • Account data is retained for as long as your account is active.
  • Agent run data (specifications, gathered context, run logs) is retained for as long as your account is active.
  • Connected tool data is processed in real time during agent runs and is not permanently stored beyond what is needed for specifications and duplicate detection.

When you delete your account, we delete all associated data within 30 days, except where retention is required by law.

Your Rights

Under the General Data Protection Regulation (GDPR) and Lithuanian data protection law, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Delete your account and associated data
  • Export your data in a portable format
  • Object to processing based on legitimate interests
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at the address below.

Cookies

We use essential cookies to maintain your session and authentication state. We do not use third-party tracking cookies for advertising purposes.

Children's Privacy

The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children.

International Data Transfers

Your data may be processed outside the European Economic Area (EEA) when sent to AI model providers for specification generation. Where this occurs, we ensure appropriate safeguards are in place, including standard contractual clauses.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

Contact

If you have questions about this Privacy Policy or your personal data, contact us at:

Quassum MB
Email: info@quassum.com