Privacy Policy
Table of Contents
- Who We Are
- Scope of This Policy
- Information We Collect
- Information We Do NOT Collect
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- Third-Party Services
- Data Storage, Security & Retention
- Cookies & Local Storage
- Data Sharing & Disclosure
- International Data Transfers
- Children's Privacy
- Your Rights
- Changes to This Policy
- Contact Us
1. Who We Are
Specimen ("we", "our", "us") is the developer and publisher of software products including browser extensions and web applications. Our contact email is contact@auth.specimen.website.
This Privacy Policy governs how Specimen collects, uses, stores, and protects personal information in connection with the use of our products, websites, and any related services (collectively, the "Service"). By using any of our products, you acknowledge that you have read, understood, and agree to the practices described in this policy.
2. Scope of This Policy
This Privacy Policy applies to all users of Specimen's products and websites. It covers:
- Information collected through our browser extensions installed in your browser.
- Information collected through our websites and landing pages.
- Information collected through our payment processor when you subscribe to a paid plan.
- Communications between you and Specimen through email or support channels.
This policy does not apply to third-party websites, services, or applications that may be linked to or referenced within our Service. We encourage you to review the privacy policies of any third-party services you interact with.
3. Information We Collect
We believe in minimal, purposeful data collection. We collect only what is strictly necessary to operate the Service and provide you with a secure and functional experience.
3.1 Account Information
When you create an account, we collect your email address. This is used exclusively for authentication purposes. We use a passwordless system that sends a one-time verification code to your email address each time you log in. We do not collect usernames, passwords, dates of birth, phone numbers, or any other personal identifiers beyond your email address unless you voluntarily provide them in a support request.
3.2 Usage Data
We may record usage metrics related to our products, such as the number of requests made within a billing period. This data is strictly necessary to enforce usage limits associated with your subscription tier. This data is linked to your account by a unique user ID and is stored in our secure backend database.
3.3 Subscription and Billing Status
We store your current subscription tier, subscription start date, and renewal or expiration date. This information is necessary to determine which features you have access to. Detailed billing and payment information (such as credit card numbers) is handled exclusively by our payment processor, Stripe, and is never stored on our servers.
3.4 Session Tokens
After you authenticate, we issue a session token that is stored locally in your browser's secure storage. This token allows you to remain logged in between sessions. Session tokens are opaque identifiers — they do not contain any personally identifiable information. Tokens are automatically invalidated after 30 days of inactivity.
3.5 Error Logs (Anonymous)
To diagnose technical issues and improve reliability, we may log anonymized, non-personal error events — for example, failed API calls or unexpected errors. These logs do not contain your email address, IP address, or any personal content. They are used solely for debugging and are retained for no more than 14 days.
3.6 Communications
If you contact us by email, we retain the content of your message and your email address in order to respond to your inquiry. We do not use incoming support communications for marketing purposes.
4. Information We Do NOT Collect
We want to be explicit about what we do not collect:
- No passwords or security questions. We use a passwordless email code system entirely.
- No browsing history. Our products only activate on relevant websites and do not monitor, record, or transmit any information about other websites you visit.
- No location data from your device. We do not access your device's GPS, IP-based location, or any geolocation API of your browser.
- No microphone, camera, or sensor data. Our products do not request or access any hardware sensors on your device.
- No third-party tracking pixels or advertising identifiers. We do not use Facebook Pixel, Google Analytics, or any behavioral advertising technology.
- No credit card or payment details. All payment processing is handled directly and exclusively by Stripe.
- No data about minors. Our products are not intentionally directed at children under the age of 13.
5. How We Use Your Information
We use the information we collect for the following purposes only:
- Authentication: To verify your identity when you log in using one-time email codes.
- Service operation: To provide, maintain, and improve the core functionality of our products.
- Usage management: To track and enforce your usage limits according to your subscription tier.
- Billing and subscription: To manage your subscription, process renewals, and apply the correct access level.
- Security: To detect and prevent fraudulent use, unauthorized access, and abuse of the Service.
- Technical support: To investigate and resolve issues you report to us.
- Legal compliance: To comply with applicable laws, legal processes, or enforceable governmental requests.
We do not use your information for advertising, profiling, or data brokering. We do not sell your data to any third party under any circumstances.
6. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b) GDPR): Processing your email address and subscription status is necessary to provide the Service you have requested.
- Legitimate interests (Art. 6(1)(f) GDPR): Maintaining basic anonymized error logs for service reliability is in our legitimate interest and does not override your rights and freedoms.
- Legal obligation (Art. 6(1)(c) GDPR): We may process data where necessary to comply with a legal obligation.
7. Third-Party Services
Our products rely on a small number of carefully selected third-party services. These providers process data only to the extent necessary to deliver the Service:
7.1 Supabase (Authentication & Database)
We use Supabase, a backend-as-a-service platform hosted on Amazon Web Services (AWS), to manage user authentication and store account and usage data. Supabase's privacy policy is available at supabase.com/privacy.
7.2 Stripe (Payments)
Stripe, Inc. processes all payments for our paid subscriptions. We only receive a customer reference ID and subscription status from Stripe — we never receive or store raw payment card data. Stripe's privacy policy is available at stripe.com/privacy.
8. Data Storage, Security & Retention
We take the security of your data seriously and implement industry-standard safeguards:
- Encryption at rest: User data stored in our database is encrypted at rest using AES-256.
- Encryption in transit: All communications between our products, servers, and third-party APIs are encrypted using TLS 1.2 or higher.
- Access control: Access to production databases is restricted to authorized personnel only, using role-based access controls and multi-factor authentication.
- Session tokens: Automatically invalidated after 30 days of inactivity.
- Email verification codes: One-time codes expire after 10 minutes and are invalidated immediately upon use.
- Anonymized error logs: Retained for a maximum of 14 days, then automatically purged.
- Account data: Retained for as long as your account remains active. Upon account deletion, all personal data is permanently removed within 30 days, except where retention is required by law.
While we employ robust security measures, no system is completely immune to security risks. We encourage you to report any suspected security vulnerabilities to contact@auth.specimen.website.
9. Cookies & Local Storage
Our products do not use cookies for advertising or tracking purposes. Our browser extensions use browser local storage exclusively to persist your session token — this is a technical necessity for maintaining your logged-in state. No third-party tracking cookies are injected by our products into any page you visit.
Our websites may use minimal, anonymized analytics to understand page visit counts. If such tools are used, they will be configured to respect Do Not Track signals and will not collect personally identifiable information.
10. Data Sharing & Disclosure
We do not sell, rent, lease, or trade your personal information to any third party. We may disclose information only in the following limited circumstances:
- Service providers: As described in Section 7, we share data with Supabase and Stripe only to the extent necessary to operate the Service.
- Legal requirements: We may disclose data if required to do so by law, court order, or other governmental authority.
- Protection of rights: We may disclose data to protect the rights, property, or safety of Specimen, our users, or the public.
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
11. International Data Transfers
Specimen is operated from Canada. Our data infrastructure is hosted on AWS servers, which may be located in the United States or other jurisdictions. If you are located in the EEA or United Kingdom, please be aware that your data may be transferred to and processed in countries that may not provide the same level of data protection as your home country.
When such transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure your data is protected in compliance with applicable data protection law.
12. Children's Privacy
Our products are not directed at or intended for use by children under the age of 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at contact@auth.specimen.website and we will promptly delete any such data.
13. Your Rights
Depending on your location and applicable law, you may have the following rights:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can request that we correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): You can request that we delete your personal data.
- Right to restriction of processing: You can request that we limit how we use your data.
- Right to data portability: You can request a copy of your data in a machine-readable format.
- Right to object: You can object to our processing of your data where we rely on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, contact us at contact@auth.specimen.website. We will respond within 30 days.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email.
Your continued use of our products after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us:
- Email: contact@auth.specimen.website
- Response time: We aim to respond to all privacy-related inquiries within 5 business days.