Private beta· Free for OCDEA testers · Data may be reset before launch · Help us shape v1 — feedback button bottom-right
SAPThings

Privacy policy

Last updated: 2026-04-24

Draft notice. This policy reflects the product's current data handling practices. It has not yet been reviewed by a UK privacy solicitor. If you spot a gap or need a DPA, email support@specvo.com.

1. Who we are

SAPThings (the "service") is operated by the team behind specvo.com / specvo.com (the "operator"). For UK GDPR purposes the operator is the data controller for personal data processed through the service. Contact: support@specvo.com.

Company name, registered office and UK ICO registration number will be published here before the service leaves private beta.

2. What we collect

Account data

  • Email address (to authenticate you)
  • Display name & org name (optional, set by you)
  • Stripe customer ID (opaque reference to your payment method — we never see card data)
  • Wallet balance & transaction history (in pence)

Project data

  • Assessment metadata (title, UK address, postcode, dwelling profile you enter)
  • Uploaded files (planning drawings, specifications, U-value calculations — whatever you upload)
  • AI-extracted data (values our pipeline extracts from your files)
  • SAP outputs (the JSON and XML we generate for you)

Technical data

  • IP address (for rate limiting + abuse prevention)
  • Browser user-agent + request metadata in server logs (90 days retention)
  • Strictly-necessary auth cookies (session only; no analytics cookies are set)

3. Legal bases (UK GDPR Article 6)

PurposeBasis
Provide the servicePerformance of contract (Art 6(1)(b))
Bill you & keep financial recordsLegal obligation (Art 6(1)(c)) — HMRC 6-year records retention
Prevent abuse, rate-limit, detect fraudLegitimate interest (Art 6(1)(f))
Run AI extraction on your filesPerformance of contract (you asked us to)
Marketing emailsConsent (Art 6(1)(a)) — not used today; will be opt-in if added

4. Automated decision-making

Our AI pipeline extracts candidate values from your drawings and specification. These are not final decisions — the OCDEA (you) reviews every extracted value before downloading the XML and signs for the resulting assessment. This is not automated individual decision-making within the meaning of UK GDPR Article 22 because a human is always in the loop.

5. Processors we use

ProcessorRoleLocationTransfer mechanism
SupabaseAuth, database, file storageEU (Frankfurt)Intra-EEA
Stripe Payments UK LtdPayments & card handlingUK / EUIntra-UK/EEA
Anthropic PBCClaude LLM — extracts SAP fields from your filesUnited StatesUK IDTA / EU SCCs + UK-US Data Bridge (Anthropic is DPF-certified)
Google Cloud — Vertex AIGemini LLM (fallback)EU region pinned (europe-west1/2)Intra-EEA with SCCs
Vercel Inc.Frontend hostingGlobal edgeUK IDTA / SCCs
Render Services Inc.Backend API hostingUnited StatesUK IDTA / SCCs
Functional Software Inc. (Sentry)Error tracking & performance monitoringEU (Germany)Intra-EEA

Your uploaded drawings and extracted SAP fields are sent to Anthropic and/or Vertex for processing. Both providers contractually agree not to train models on your data under their business-tier terms of use.

6. How long we keep your data

DataRetention
Account profileWhile active; deleted within 30 days of account closure
Projects + uploadsWhile active; deleted within 30 days of account closure
Frozen assessments (your paid XMLs)While active; deleted within 30 days of account closure
Financial transactions (wallet + Stripe events)6 years from the transaction date — legal obligation under HMRC record-keeping. User-identifying fields are anonymised on account deletion.
Server logs / access logs90 days
Admin audit log6 years
Wallet balance if inactiveExpires after 12 months of no activity

7. Your rights

Under UK GDPR Articles 15–22 you have the right to:

  • Access your data — in-app export at /account/settings; full DSAR by email
  • Rectify inaccurate data — most fields editable in-app
  • Erase — request from /account/settings or email. Completed within 30 days; financial records are anonymised, not deleted (§6)
  • Restrict or object to processing — email us
  • Data portability — self-serve JSON export
  • Withdraw consent where consent is the basis
  • Complain to the UK ICO at ico.org.uk/make-a-complaint

8. Security

  • TLS 1.2+ for all traffic
  • Encryption at rest (Supabase Postgres + Storage default-encrypted)
  • Row-level security scoped to your account on every table
  • Stripe handles card data — we never see or store PANs (PCI SAQ A)
  • Secrets rotated when staff change; admin actions logged

9. Cookies

We set only strictly-necessary cookies: Supabase session cookies so you stay signed in. No analytics, advertising, or third-party tracking cookies today.

10. Children

SAPThings is a B2B tool for qualified OCDEAs. We don't knowingly collect data from children under 18.

11. Changes to this policy

Material changes will be emailed to active users at least 14 days before taking effect.

12. Contact

Email support@specvo.com.