Privacy Policy
Last updated: March 1, 2026
1. Introduction
PrimaSpec ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered architecture specification platform.
PrimaSpec is the data controller responsible for your personal data.
For data protection inquiries, contact us at [email protected].
2. Information We Collect
Account Information
When you create an account, we collect your email address and authentication credentials. If you sign in via a third-party provider, we receive basic profile information as permitted by that provider.
Project and Conversation Data
We store the project descriptions, conversation messages, and generated specifications you create through the Service. This data is necessary to provide and improve the Service.
Payment Information
Payment processing is handled by Coda Payments. We do not store your credit card numbers or full payment details on our servers. We retain transaction records (amounts, dates, credit purchases) for billing purposes.
Usage Data
We automatically collect technical data including IP address, browser type, device information, pages visited, and feature usage patterns. This helps us maintain, improve, and secure the Service.
Cookies and Tracking
We use cookies and similar technologies for authentication, preferences, and analytics. See our Cookie Policy for details.
3. How We Use Your Information
- Provide, operate, and maintain the Service
- Process your transactions and manage your account
- Generate architecture specifications from your inputs
- Send transactional communications (receipts, account alerts, security notices)
- Analyze usage patterns to improve the Service
- Detect, prevent, and address security issues and abuse
- Comply with legal obligations
3.5 Legal Basis for Processing
We process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):
| Processing Activity | Legal Basis (GDPR) |
|---|---|
| Account creation & authentication | Art. 6(1)(b) — Contract performance |
| Service delivery (spec generation) | Art. 6(1)(b) — Contract performance |
| AI processing via Anthropic | Art. 6(1)(b) — Contract performance + Art. 6(1)(a) — Consent |
| Payment processing via Coda Payments | Art. 6(1)(b) — Contract performance |
| Marketing communications | Art. 6(1)(a) — Consent |
| Security & fraud prevention | Art. 6(1)(f) — Legitimate interest |
| Legal compliance | Art. 6(1)(c) — Legal obligation |
| Analytics | Art. 6(1)(a) — Consent (via cookie banner) |
4. AI Processing
Your project descriptions and conversation messages are sent to third-party AI providers (currently Anthropic) to generate specifications. We do not use your content to train AI models. Our AI providers process data according to their data processing agreements with us and do not use your data for their own model training.
What Data Is Sent
When you use the specification generation feature, we send your project descriptions and conversation messages to the AI provider for processing.
Where It Goes
Your data is sent to Anthropic's API servers located in the United States.
Anthropic's Commitments
We have a Data Processing Agreement (DPA) in place with Anthropic. Anthropic does not use customer data for model training. Your content is processed solely to generate the requested output and is not retained by Anthropic for other purposes.
Data Flow
Your input travels from PrimaSpec servers to the Anthropic API, and the generated response is stored in the PrimaSpec database associated with your project.
Retention
AI-generated responses are stored with your project data. They are deleted when you delete your account.
5. Data Sharing and Disclosure
We do not sell your personal information. We may share data with:
- Service providers: Coda Payments (payments), Anthropic (AI processing), and infrastructure providers who help operate the Service under strict data processing agreements
- Legal requirements: When required by law, legal process, or to protect our rights, safety, or property
- Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
6. Data Retention
We retain your data for the periods described below:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (email, name) | While account active + 30 days after deletion | Contract |
| Conversation & spec data | While account active + 30 days after deletion | Contract |
| Consent records | 5 years after consent given/withdrawn | GDPR Art. 7(1) |
| Billing/purchase records | 10 years | Turkish Commercial Code Art. 82 |
| Session/auth data | Auto-deleted after expiry (7 days) | Legitimate interest |
| Anonymized analytics | Indefinitely | Aggregated, non-personal |
7. Data Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security assessments. However, no method of transmission or storage is completely secure. You are responsible for maintaining the security of your account credentials.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to certain processing of your data
- Restriction: Request restricted processing in certain circumstances
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
- For Turkey: Kişisel Verileri Koruma Kurumu (KVKK), kvkk.gov.tr
- For EU: Your local Data Protection Authority
9. International Transfers
Your data may be processed in countries other than your own. Specifically, data is transferred to the United States for AI processing via Anthropic, as well as to the countries where our hosting infrastructure is located.
We ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) with our service providers. For users subject to Turkish data protection law, we comply with KVKK cross-border transfer requirements.
9.5 Automated Decision-Making
We use AI (large language models) to generate specifications. This is not automated decision-making that produces legal or similarly significant effects on you. The AI-generated output is a tool for your use; you make all final decisions about your project architecture.
10. Children's Privacy
The Service is not intended for users under 16 years of age. We do not knowingly collect data from children. If we discover that a child has provided personal data, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The "Last updated" date at the top reflects the latest revision.
11.5 KVKK Notice
For users subject to Turkish data protection law: Please see our KVKK Transparency Notice for information required under Turkish Personal Data Protection Law No. 6698.
12. Contact Us
For privacy-related inquiries, contact us at [email protected].