Privacy Policy

Last updated: May 3, 2026

TL;DR

  • We collect: email, org metadata, and analytics. We don't collect your code.
  • We use data to render your catalog, send emails, and improve the product.
  • We never sell your data to third parties.
  • Data retention: active account + 30 days after deletion.
  • Your rights: access, correct, delete, export. Email [email protected]

1. What We Collect

Specmark collects the following categories of information when you use our service:

1.1. Account Information

  • Email address: Provided during sign-up or via your GitHub account. Used for authentication, billing notifications, and service updates.
  • GitHub user ID and username: Retrieved from GitHub OAuth to link your account.
  • Organization metadata: Organization name, slug, installation ID, and contributor count.

1.2. Repository Metadata

  • What we access: Repository names, README files, file tree structures, commit activity timestamps, branch names, visibility settings (public/private), and custom .specmark.yml configuration files.
  • What we do NOT access: Application source code, secrets, environment variables, issue content, pull request comments, or any personally identifiable information (PII) stored in your repositories.

1.3. Usage Analytics

We collect anonymized usage data via PostHog, including page views, feature usage, and anonymized error reports via Sentry. This data helps us improve the product and diagnose issues. IP addresses are hashed before storage.

1.4. Cookies

We use cookies for the following purposes:

  • Authentication cookies (Clerk): To maintain your logged-in session. These are strictly necessary for the service to function.
  • Analytics cookies (PostHog): To understand how users interact with Specmark. These can be disabled via your browser settings or our cookie banner.
  • Consent cookies: To remember your cookie preferences (EU/GDPR users only).

2. What We Don't Collect

We explicitly do not collect:

  • Application source code or proprietary logic
  • Secrets, API keys, or credentials from your repositories
  • Issue or pull request content
  • Email addresses or names of repository contributors beyond what GitHub provides
  • Sensitive personal information such as health data, financial data, or biometrics

3. How We Use Your Data

We use the collected data for the following purposes:

  • Service delivery: To generate scorecards, render your public catalog, and display embeddable badges.
  • Communication: To send transactional emails (e.g., welcome emails, billing notifications, score-drop alerts).
  • Product improvement: To analyze usage patterns, diagnose errors, and develop new features.
  • Compliance: To comply with legal obligations, enforce our Terms of Service, and prevent abuse.

We never sell your data to third parties. We do not use your data for advertising or share it with data brokers.

4. Data Retention

We retain your data for as long as your account is active, plus 30 days after account deletion. Scorecard results are retained indefinitely for historical analytics unless you request deletion. Billing records are retained for 7 years to comply with accounting regulations.

5. Subprocessors

We use the following third-party service providers (subprocessors) to deliver Specmark:

  • Vercel (USA): Hosting and edge caching
  • Neon (USA): Postgres database
  • Clerk (USA): Authentication and user management
  • Inngest (USA): Background job orchestration
  • Resend (USA): Transactional email delivery
  • PostHog (USA/EU): Product analytics (anonymized)
  • Sentry (USA): Error monitoring
  • Stripe (USA): Payment processing

All subprocessors are GDPR-compliant and have signed Data Processing Agreements (DPAs) with us or provide Standard Contractual Clauses (SCCs) for data transfers outside the EU.

6. Your Rights (GDPR and CCPA)

If you are located in the European Union, United Kingdom, or California, you have the following rights:

  • Right to access: Request a copy of the data we hold about you.
  • Right to correction: Request correction of inaccurate data.
  • Right to deletion: Request deletion of your account and associated data.
  • Right to export: Request a machine-readable export of your data.
  • Right to restrict processing: Request that we stop processing your data in certain circumstances.
  • Right to object: Object to data processing for direct marketing or legitimate interests.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

7. Data Transfers

Specmark is based in the United States. If you are located outside the U.S., your data will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for GDPR-compliant data transfers.

8. Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest, access controls, and regular security audits. However, no method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it to [email protected].

9. Children's Privacy

Specmark is not intended for use by individuals under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If we learn that we have collected data from a child without parental consent, we will delete it immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website at least 14 days before the changes take effect. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or to exercise your rights, contact us at [email protected].