Privacy Policy

1. Controller

Benedikt Bingler
Pappelallee 18
10437 Berlin
Germany

E-Mail: [email protected]

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the controller within the meaning of applicable data protection laws is the person named above.


2. Scope and General Information

This Privacy Policy explains how we collect, use, and process personal data when you use our SaaS application and website.

We process personal data in accordance with:

  • The EU General Data Protection Regulation (GDPR)
  • Applicable national data protection laws
  • Where relevant, other international data protection frameworks

“Personal data” means any information relating to an identified or identifiable natural person.


3. Hosting and Infrastructure

3.1 Primary Server

Personal data is processed on a dedicated root server hosted in:

Germany (Nuremberg)

3.2 Storage of Non-Personal Data

Non-personal data may be stored using:

Amazon Web Services (AWS)
Region: eu-central-1 (Frankfurt, Germany)


4. Account Registration and Authentication

To create an account, we process:

  • Email address
  • Account metadata (e.g., created_at, last_login)

Authentication is passwordless via magic login links.
Authentication tokens are stored in hashed form (SHA-256).

Legal basis (EEA users):
Article 6(1)(b) GDPR (performance of a contract).

Accounts can be deleted at any time via self-service.
Upon deletion, personal data is permanently erased unless statutory retention obligations apply.


5. Team Workspaces

Users may invite additional members to a workspace.
In this case, we process the invited user's email address for account provisioning.

Legal basis: Article 6(1)(b) GDPR.


6. GitHub Verification

To verify repository permissions, we use OAuth provided by:

GitHub Inc.
United States

During this process, we may process:

  • githubId
  • githubLogin
  • githubAccessToken
  • Workspace-level eligibility status

The verification is performed server-side via GitHub’s API.

When a GitHub connection is disconnected:

  • githubAccessToken is deleted
  • githubId is deleted
  • githubLogin is deleted

Data may be transferred to the United States.
Transfers are based on appropriate safeguards pursuant to Article 46 GDPR (e.g., Standard Contractual Clauses).

Legal basis: Article 6(1)(b) GDPR.


7. Payments

Payments are processed via:

Stripe Payments Europe Ltd.

Payment information is processed directly by Stripe.
We do not store full payment details.

Legal basis: Article 6(1)(b) GDPR.


8. Transactional Emails

We use:

Postmark (Wildbit LLC)
United States

Postmark is used to send transactional emails such as login links and system notifications.

Personal data (e.g., email address) may be transferred to the United States.
Transfers rely on appropriate safeguards under Article 46 GDPR.

Legal basis: Article 6(1)(b) GDPR.


9. Analytics (Cookieless)

We use Plausible Analytics (cloud version).

Plausible:

  • Does not use cookies
  • Does not store information on users’ devices
  • Does not use persistent identifiers
  • Processes data in aggregated form

No personal profiles are created.

Legal basis (EEA users):
Article 6(1)(f) GDPR (legitimate interest in improving our service).

Because no cookies or device storage mechanisms are used, no consent banner is required.


10. Content Delivery Network (CDN)

We use Cloudflare for DNS and CDN services.

Cloudflare may process IP addresses to ensure security and delivery performance.

Legal basis (EEA users):
Article 6(1)(f) GDPR (legitimate interest in secure and stable service delivery).


11. Data Security

We implement appropriate technical and organizational measures pursuant to Article 32 GDPR, including:

  • TLS encryption
  • Restricted production access (single administrator)
  • Hashed authentication tokens
  • Automated backups

12. Data Retention

Personal data is retained only as long as necessary for:

  • Contractual purposes
  • Legal obligations
  • Legitimate business interests

Accounts are deleted immediately upon user-initiated deletion, subject to statutory retention requirements.


13. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • Additional technical safeguards where required

14. Your Rights (EEA / UK / Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectify inaccurate data (Art. 16 GDPR)
  • Erase data (Art. 17 GDPR)
  • Restrict processing (Art. 18 GDPR)
  • Obtain data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)
  • Withdraw consent where applicable

You also have the right to lodge a complaint with a supervisory authority.


15. Changes to This Policy

We may update this Privacy Policy to reflect legal, technical, or operational changes.

Last updated: March 2026