Spexsure — Version 1.0 · Effective June 2026
DRAFT — PENDING LEGAL REVIEW. This document has not been reviewed by qualified legal counsel and must not be treated as final. Do not publish or rely on it until reviewed by a licensed attorney.
This Privacy Policy explains how Heuristicworks LLC ("Spexsure", "we", "us", "our") collects, uses, stores, shares, and protects personal data when you use the Spexsure platform (spexsure.com) and related services ("Service").
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, Heuristicworks LLC is the data controller for your personal data. If you are a business customer using our Captive Deployment, you are the data controller for personal data processed within your infrastructure; we act as a data processor in that context and a Data Processing Agreement (DPA) is available on request.
Please read this policy carefully. By using the Service, you acknowledge that you have read and understood it.
When you register for an account using Google or Microsoft single sign-on, we receive from your identity provider:
We store this information to create and manage your Spexsure account.
We collect and store:
Raw payment card data is handled exclusively by Stripe and is never transmitted to or stored on our systems.
When you use the Service's AI features, we process:
Your Content is transmitted to Anthropic PBC for AI processing (see Section 4). It is stored in our database (hosted on Supabase) for the duration of your subscription plus 30 days.
If you connect the Service to Atlassian Jira:
If you use a BYOK plan and provide your Anthropic API key:
We collect data about how you interact with the Service to operate, improve, and secure it:
Where our security systems detect potentially malicious inputs, we may retain additional data as described in Section 3.5 of the Terms of Service, including the full content of the flagged submission and all associated metadata. This data is retained for investigative, evidentiary, and prosecutorial purposes and is subject to separate retention rules that supersede the standard retention periods in this policy.
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Creating and managing your account | Identity data, subscription data | Contract |
| Providing AI analysis and ticket generation | Content data, subscription/credit data | Contract |
| Processing payments and managing subscriptions | Billing data | Contract |
| Sending transactional emails (welcome, credit warnings, invitations) | Identity data, subscription data | Contract |
| Connecting third-party integrations (Jira, Anthropic) | Integration data | Contract |
| Monitoring and improving Service reliability | Usage data, technical data, error logs | Legitimate interests |
| Detecting and preventing abuse, fraud, and security threats | Technical data, usage data, content data (flagged) | Legitimate interests / Legal obligation |
| Archiving and disclosing flagged content for prosecutorial purposes | Security and compliance data | Legal obligation / Legitimate interests |
| Analytics and understanding how users navigate the platform | Usage data, session data | Legitimate interests |
| Complying with legal obligations | Any relevant data | Legal obligation |
| Enforcing our Terms of Service and policies | Any relevant data | Legitimate interests |
| Providing customer support | Communications data, account data | Contract / Legitimate interests |
We do not sell your personal data to third parties. We do not use your personal data or Your Content to train AI models.
We share personal data with the following categories of third parties, solely to provide the Service:
Your Content is transmitted to Anthropic under Anthropic's API terms. Anthropic's current API terms prohibit using customer API content to train their models without consent. If you use a BYOK plan, your API calls are subject to your own agreement with Anthropic.
We never receive or store raw card numbers. Stripe is a PCI DSS Level 1 certified payment processor.
We configure Sentry to minimise personal data in error reports. Stack traces may occasionally include request parameters; we scrub known sensitive fields before transmission.
We do not share Your Content with PostHog. Events sent to PostHog are anonymised at the journey-ID level and do not include PRD content.
IP addresses used for rate limiting are not stored beyond the rate limit window (60 seconds per sliding window).
We may disclose personal data to law enforcement agencies, courts, regulators, or other public authorities where required by law or where we have a good-faith belief that disclosure is necessary to prevent harm, comply with legal process, or enforce our rights. See Section 3.5 of our Terms of Service for the specific conditions governing disclosure of flagged security content.
If Spexsure is involved in a merger, acquisition, asset sale, or restructuring, personal data may be transferred as part of that transaction. We will notify affected users by email and provide an opportunity to delete accounts before transfer, unless prohibited by law or the acquiring entity assumes all obligations under this policy.
Spexsure is based in the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
Where we transfer personal data from the EEA or UK to the US, we rely on one or more of the following transfer mechanisms:
A copy of applicable transfer mechanisms is available on request at legal@heuristicworks.com.
| Data Category | Retention Period |
|---|---|
| Account and identity data | Duration of account + 90 days after deletion |
| Subscription and billing data | 7 years (tax and accounting requirements) |
| PRD content and AI output | Duration of subscription + 30 days |
| Jira OAuth tokens | Until integration is disconnected + 7 days |
| BYOK API keys | Until deleted by user or account closure |
| Journey event data | 90 days hot (PostgreSQL), then archived to cold storage for 1 year |
| Error reports and bug reports | 12 months |
| Audit logs | 12 months hot, 3 years cold |
| Support communications | 3 years |
| Security-flagged content (prosecutorial retention) | Indefinite, until legal matter is resolved or Spexsure determines retention is no longer necessary |
| Anonymised usage statistics | Indefinite (no personal data) |
When we delete data, we remove it from our active database. Residual copies may remain in encrypted backups for up to 90 days before those backups are overwritten.
We implement technical and organisational measures designed to protect your personal data, including:
No system is completely secure. We cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly at security@spexsure.com or via /.well-known/security.txt.
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
To exercise any of these rights, email legal@heuristicworks.com with the subject line "Data Rights Request". We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).
You also have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, contact your national data protection authority.
If you are a California resident, you have the following rights:
To submit a CCPA request, email legal@heuristicworks.com or write to: Heuristicworks LLC, Spring City, PA, USA.
You may request deletion of your account and associated personal data at any time via Settings → Account or by emailing support@spexsure.com. We will delete your account data within 30 days, subject to the retention obligations in Section 5 (particularly billing data, audit logs, and security-flagged content).
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| authjs.session-token / __Secure-authjs.session-token | Authentication session | Strictly necessary | Session / 30 days |
| __Host-jira_oauth_state | Jira OAuth CSRF protection | Strictly necessary | 15 minutes |
| PostHog (ph_*) | Product analytics and session recording | Analytics | 1 year |
| Sentry (sentry-*) | Error tracking session context | Functional | Session |
We do not use advertising cookies, retargeting pixels, or third-party tracking for advertising purposes.
Strictly necessary cookies are used without consent as they are required to operate the Service. Analytics cookies (PostHog) require your consent where applicable law requires it. A cookie consent mechanism will be implemented prior to launch in markets where consent is required (including the EEA and UK).
We do not currently respond to "Do Not Track" browser signals, as there is no universally accepted standard for such signals. We will review this position as standards develop.
The Service is intended for business users aged 18 and over. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without parental consent, we will delete it promptly. If you believe we have inadvertently collected such data, contact us at legal@heuristicworks.com.
The Service may contain links to third-party websites, including Atlassian, Anthropic, and payment providers. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing personal data.
If you are a business that processes personal data of EU or UK data subjects through the Service, you may require a Data Processing Agreement (DPA) under GDPR. To request a DPA, email legal@heuristicworks.com. We will provide a DPA within 14 business days of a valid request.
For Captive Deployment customers, the DPA should be executed before go-live, as Spexsure may act as a data processor in connection with diagnostic telemetry and licence validation data.
We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before the change takes effect. The "Effective" date at the top of this policy indicates when the current version was last updated. Continued use of the Service after the effective date of a revised policy constitutes acceptance.
For privacy-related questions, requests, or complaints:
Mailing address: Heuristicworks LLC, Spring City, PA, USA
For security vulnerabilities, use security@spexsure.com (see also /.well-known/security.txt).