Privacy Policy

How we collect, use, and protect your data

Last updated: March 2026

Data controller

The data controller for this service is:

Speqs AB
Org.nr 559546-0162
Hallandsgatan 50A, 118 57 Stockholm, Sweden
info@speqs.io

1. Information we collect

Account data

  • Name and email address
  • Company name and role
  • Authentication credentials (via Google or Figma OAuth)

Product data

  • Simulation configurations and study parameters
  • Uploaded design files and prototypes (e.g. from Figma)
  • Session recordings and screenshots generated during simulations
  • AI-generated simulation results and analysis
  • Audio transcription data

Billing data

Payments are processed by Stripe. We do not store payment card details. We retain records of credit purchases, consumption, and transaction history.

Usage data

  • Feature usage and credit consumption
  • Platform interactions and preferences

Automatically collected information

  • Website analytics (page views, time on site, browser type) via Google Analytics
  • IP address and general location for security and analytics

2. How we use your information

We use your information to:

  • Provide and operate the Speqs platform
  • Run AI-powered simulations of user behavior
  • Process and store simulation results
  • Handle billing and credit management
  • Send service notifications and product updates
  • Improve our platform and develop new features
  • Prevent fraud and maintain security

Legal basis (GDPR)

We process your data based on:

  • Contract performance: To provide the services you have signed up for
  • Legitimate interests: To improve our platform, ensure security, and communicate about our product
  • Consent: For marketing communications and optional features
  • Legal obligation: To comply with accounting and tax requirements

3. AI and automated processing

Speqs uses AI to simulate user behavior in digital products. All AI processing runs on Google Vertex AI within the EU.

  • Customer data is not sent to third-party AI providers outside of Google Cloud
  • Your data is not used to train AI models
  • We do not make automated decisions that produce legal or similarly significant effects on individuals (GDPR Article 22)

4. How we protect your data

Security measures

  • Encryption in transit (TLS 1.2+) and at rest
  • Strict access controls and role-based permissions
  • Secrets management with typed, non-loggable credentials

For full details on our security practices, see our security page.

What we don't do

  • We never sell your personal information
  • We don't share your data with third parties for their marketing purposes
  • We don't use your data for purposes beyond those stated here

5. Data retention

We retain your information only as long as necessary:

  • Account data: While your account is active, plus 30 days after deletion
  • Simulation data: While your account is active, deleted on request
  • Billing records: As required by Swedish accounting law (up to 7 years)
  • Analytics data: Up to 26 months

You can request deletion of your data at any time.

6. Third-party services

We use third-party services to operate our platform, including cloud infrastructure (Google Cloud Platform), database and authentication (Supabase), design integration (Figma), browser automation (Browserbase), audio transcription (ElevenLabs), billing (Stripe), and email (Resend).

A complete list of subprocessors with their locations and certifications is available on our security page.

7. International data transfers

We process and store data primarily within the European Economic Area (EU, Belgium). Some of our subprocessors operate in the United States (Figma, Browserbase, Stripe, Resend). Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, and we assess the data protection laws of the receiving country.

8. Your rights under GDPR

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Access your personal information
  • Rectify inaccurate or incomplete information
  • Erasure (right to be forgotten)
  • Data portability – receive your data in a portable format
  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances
  • Withdraw consent at any time without affecting prior processing
  • Opt-out of marketing communications

To exercise these rights, contact us at info@speqs.io. We will respond within one month as required by GDPR.

9. Cookies

We use cookies for the following purposes:

  • Essential: Authentication and session management (required for the platform to function)
  • Analytics: Google Analytics for website usage statistics

You can control cookies through your browser settings. Disabling essential cookies may affect platform functionality.

10. Children's privacy

Our services are not directed to individuals under 16 (the age of digital consent under GDPR). We don't knowingly collect information from children under 16 without parental consent.

11. Changes to this policy

We may update this privacy policy as our service evolves. If we make significant changes, we'll notify registered users by email. Continued use after changes means you accept the updated policy.

12. Supervisory authority

If you have concerns about how we handle your data, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY):

Questions?

For privacy questions or to exercise your rights, contact us at: info@speqs.io