Privacy Policy

Spectrae (“we”, “us”, “our”) operates the browser automation platform at spectrae.dev. We are the data controller for personal data collected through this website and the Spectrae platform.

Our data protection contact is [email protected].

This Privacy Policy explains how we collect, use, store, share, and protect personal data relating to:

• Visitors to spectrae.dev;
• Registered users of the Spectrae platform;
• Individuals whose data may be incidentally included in browser session logs.

This policy does not cover how our customers use the Spectrae platform to process data about their own users. Where you use Spectrae to process personal data of third parties, you are the data controller for that processing and we act as a data processor on your instructions (see clause 9).

We process personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our lawful bases are:

• Contract (Article 6(1)(b) UK GDPR): Processing necessary to provide the Service, manage your account, process payments, and communicate with you about your account.
• Legitimate interests (Article 6(1)(f) UK GDPR): Security monitoring, fraud prevention, platform abuse detection, service improvement, and sending product updates to existing customers. Our legitimate interests do not override your rights and freedoms.
• Legal obligation (Article 6(1)(c) UK GDPR): Compliance with tax, financial reporting, and law enforcement obligations.
• Consent (Article 6(1)(a) UK GDPR): Marketing communications to non-customers and any optional analytics where we have obtained your consent.

We use your personal data to:

• Create and manage your account;
• Provide and operate the Service;
• Process payments and maintain billing records;
• Send transactional communications (account confirmations, invoices, security alerts);
• Detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service;
• Comply with legal and regulatory obligations;
• Improve and develop the Service;
• Send product updates and service announcements to existing customers (you may opt out at any time);
• Respond to your support and legal enquiries.

We do not sell your personal data. We share personal data only in the following circumstances:

• Stripe: Payment processing. Stripe is a data processor acting on our behalf and subject to a Data Processing Agreement. Stripe may independently process data as a controller for fraud prevention purposes under its own privacy policy.
• Infrastructure and hosting providers: Cloud infrastructure providers used to run the Spectrae platform. These providers process data under UK GDPR-compliant data processing agreements and do not use your data for their own purposes.
• Email service providers: Transactional email delivery (e.g., account confirmation, billing receipts). Data shared is limited to what is necessary to deliver the specific communication.
• Legal and regulatory disclosure: We may disclose data where required by law, court order, or request from a competent public authority. Where permitted, we will notify you of such a request.
• Business transfer: In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to a successor entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.
• With your consent: For any purpose where you have given explicit consent.

Where we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs) approved by the ICO, or reliance on an adequacy decision. You may request details of the safeguards in place by contacting us at [email protected].

We retain personal data for the following periods:

• Account data: For the duration of your account plus 2 years after closure, or longer where required by law.
• Billing records: 7 years from the date of the transaction, as required by UK tax and accounting law.
• Session logs: Up to 90 days from the date of the session, after which they are deleted or anonymised.
• Security and fraud logs: Up to 12 months, or longer where an active investigation is ongoing.
• Communications: Up to 3 years from the date of the last communication, unless related to a dispute that is still unresolved.

Where we retain data under a legal obligation, we will retain it for the minimum period required by that obligation.

When you use Spectrae to operate browser sessions, you may direct the Service to visit websites and retrieve content that includes personal data of third parties. In that context, Spectrae acts as a data processor and you are the data controller.

You are responsible for: (a) ensuring you have a lawful basis for processing that data; (b) complying with your obligations as a data controller under UK GDPR; and (c) ensuring your instructions to us comply with applicable data protection law.

We will process such data only on your documented instructions and in accordance with our Data Processing Agreement, available on request.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include:

• Encryption of data in transit (TLS) and at rest;
• API keys stored as hashed values, never in plain text;
• Access controls limiting data access to authorised personnel;
• Regular security reviews of our platform and infrastructure;
• Incident response procedures for data breaches.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 UK GDPR.

We use functional cookies that are necessary for the operation of the Service, including session authentication and security tokens.

We also use product analytics to understand usage of the website and dashboard, improve the Service, troubleshoot errors, and measure conversion and activation. We do not use third-party advertising cookies or sell personal data.

Under UK GDPR, you have the right to:

• Access: Request a copy of the personal data we hold about you;
• Rectification: Request correction of inaccurate or incomplete data;
• Erasure: Request deletion of your personal data where we no longer have a lawful basis to retain it (“right to be forgotten”);
• Restriction: Request that we restrict processing of your data in certain circumstances;
• Portability: Receive your personal data in a structured, machine-readable format and have it transferred to another controller;
• Object: Object to processing based on our legitimate interests, including direct marketing;
• Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within one month. We may ask you to verify your identity before acting on your request.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not handled your data in accordance with UK GDPR.

The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a child, please contact us at [email protected] and we will delete it promptly.

We may update this Privacy Policy from time to time. Where a change is material, we will notify you by email or by a prominent notice in the dashboard at least 14 days before the change takes effect. The current version is always available at spectrae.dev/privacy.

For privacy-related questions, requests, or complaints, contact us at: [email protected].

If you are not satisfied with our response, you have the right to complain to the ICO at ico.org.uk/make-a-complaint.