Privacy Policy

We collect only what is necessary to provide the Spectr service:

Account data — when you register, we store your name, email address, and a bcrypt-hashed password. We never store passwords in plaintext.

API keys — if you add third-party LLM API keys (Anthropic, OpenAI, Google, Groq, Mistral), they are encrypted at rest using AES-256-GCM before storage. The plaintext key is held only in server memory for the duration of an API call and never written to logs or disk in unencrypted form.

Usage data — we record aggregated LLM call metadata (provider, token counts, latency, cost estimate) linked to your account for billing awareness and rate-limit enforcement. No message content is stored server-side beyond the duration of a streaming response.

Cookies & session — we use a single signed JWT session cookie issued by NextAuth.js. No third-party tracking cookies or analytics scripts are loaded.

We use your data solely to:

- Authenticate your account and maintain session security

- Route AI requests to the correct LLM provider using your stored API key

- Display usage statistics and cost estimates within your dashboard

- Send critical service emails (password reset, security alerts) — no marketing email without explicit opt-in

We do not sell, rent, or share your personal data with any third party for advertising or analytics purposes.

Database — all data is stored in a Railway-hosted PostgreSQL instance within the EU/US region. Connections use TLS in transit. We follow the principle of least privilege for all database credentials.

Encryption — API keys are encrypted with AES-256-GCM. Passwords use bcrypt (cost factor 12). Session tokens are signed with a secret that never leaves the server environment.

Security headers — every response includes Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options, Referrer-Policy, and Strict-Transport-Security (HSTS) in production.

We do not log AI prompts or responses. Spectr is a pass-through proxy to your chosen LLM provider. Message content is streamed directly to your browser.

Spectr routes AI requests to the following third-party providers on your behalf, using your API key:

- Anthropic (Claude) — anthropic.com/privacy

- OpenAI (GPT-4o) — openai.com/policies/privacy-policy

- Google (Gemini) — policies.google.com/privacy

- Mistral AI — mistral.ai/terms

- Groq — groq.com/privacy

Each provider's own privacy policy governs how they process your requests. Spectr does not intercept or store the content of these requests beyond the duration of the network call.

LangSmith (optional, disabled by default) — if you enable LangSmith tracing via your API key, request traces are sent to LangSmith per their privacy policy.

- Account data — retained until you delete your account. Contact hello@spectrtechnology.com to request deletion.

- Usage/LLM call logs — retained for 90 days, then automatically purged.

- Session tokens — expire after 30 days of inactivity.

On account deletion, all personal data is permanently removed from our databases within 30 days. API keys are deleted immediately.

You have the right to:

- Access — request a copy of all data we hold about you

- Rectification — correct inaccurate personal data

- Erasure — request deletion of your account and all associated data

- Portability — receive your data in a structured, machine-readable format

- Objection — object to specific processing of your data

To exercise any of these rights, email hello@spectrtechnology.com. We will respond within 30 days.

If you are in the European Economic Area (EEA), you may also lodge a complaint with your local data protection authority.

Spectr is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal data, contact us at hello@spectrtechnology.com and we will delete it promptly.

We may update this Privacy Policy periodically. We will notify registered users of material changes via email and display the updated date at the top of this page. Continued use of Spectr after changes constitutes acceptance of the revised policy.

For privacy inquiries, data requests, or security concerns:

Email: hello@spectrtechnology.com

Website: spectrtechnology.com

Response time: within 2 business days for general inquiries, within 72 hours for security disclosures.