Specter Privacy Notice

Data protection laws sometimes distinguish between a "controller" or "business," which decides why and how personal information is processed, and a "processor," "service provider," or "contractor," which processes personal information on behalf of another organization.

When we process personal information in materials submitted, transmitted, connected, or otherwise provided by or on behalf of a customer through the Specter platform, we generally act as a processor or service provider for that customer. We refer to those materials as "Customer Materials."

When we process personal information for our own business purposes, such as operating our website, managing accounts, communicating with prospects and customers, processing billing information, conducting sales and marketing, recruiting, securing our services, or responding to privacy requests, we generally act as a controller or business.

If your personal information is included in Customer Materials, such as because you are an employee, contractor, vendor, customer, supplier, approver, finance team member, or other individual associated with one of our customers, please direct privacy requests to that customer. We may not be able to respond directly to privacy requests relating to Customer Materials except as instructed by the relevant customer or required by law.

The personal information we collect depends on how you interact with us and how our customers configure the Services.

Information you provide

We may collect account and user information, such as name, work email address, company name, job title, role, workspace information, authentication information, user permissions, and account settings.

We may collect billing and commercial information, such as billing details, subscription details, order history, invoices, payment status, tax information, and related business records. If payment card or payment account information is used, it may be processed by our payment processors.

We may collect communications and support information, such as the contents of emails, support tickets, chat messages, call notes, meeting notes, survey responses, feedback, and other communications with us. Where permitted by law, we may record sales, support, or product calls.

We may collect sales, marketing, and event information, such as business profile information, company information, demo requests, lead information, meeting details, marketing preferences, event registrations, website form submissions, and information about your engagement with our website, emails, and campaigns.

If you apply for a job with us, we may collect job applicant information, such as personal details, resume or CV information, employment history, education history, portfolio information, references, interview notes, and other information you provide during the recruiting process.

Customer Materials

Customers may upload, transmit, connect, or authorize us to access Customer Materials to use the Specter platform. Customer Materials may include financial, accounting, operational, and business records, such as general ledger data, journal entries, bank statements, transaction records, invoices, receipts, purchase orders, accounts payable records, accounts receivable records, payroll records, vendor records, customer records, contracts, approvals, reconciliations, close checklists, audit materials, spreadsheets, files, messages, and data from connected systems.

Customer Materials may include personal information about employees, contractors, customers, vendors, suppliers, finance personnel, approvers, and other individuals. Depending on what a customer provides and what is permitted by the applicable agreement, Documentation, and configuration, Customer Materials may also include sensitive personal information, such as payroll information, financial account information, government identifiers, employment information, account credentials, or similar information.

Customer Materials are not intended to include protected health information, cardholder data requiring PCI DSS controls, consumer credit reports, children's data, biometric data, or other specially regulated data unless the applicable agreement, Documentation, and configuration expressly permit that use.

Automatically collected data

When you use our website or Services, we may automatically collect information such as IP address, device type, browser type, operating system, device identifiers, referring and exit pages, pages viewed, session information, interaction data, product usage data, authentication events, log data, diagnostics, error reports, performance data, and security telemetry.

We may collect this information through cookies, pixels, tags, local storage, server logs, SDKs, and similar technologies.

Third-party sources

We may collect information from third-party sources, including customers, customer administrators, authorized users, connected systems, identity providers, service providers, marketing providers, advertising partners, business partners, event partners, lead providers, data enrichment providers, publicly available sources, recruiting providers, and references.

Connected systems may include ERP, accounting, payroll, banking, payment, storage, email, messaging, workflow, identity, and other systems that customers choose to connect to the Services.

We use personal information for the following purposes.

Provide the Services

We use personal information to create and manage accounts, authenticate users, provide access to the Services, configure workspaces, process Customer Materials, operate AI agents, generate outputs, support accounting workflows, write back to connected systems where authorized, provide support, troubleshoot issues, maintain audit trails, and communicate about the Services.

Process Customer Materials

When we process Customer Materials as a processor or service provider, we use Customer Materials only as permitted by our customer agreements, customer instructions, and applicable law. This may include using Customer Materials to provide, operate, maintain, secure, support, troubleshoot, and improve the Services for the customer; enforce our agreements and policies; create de-identified or aggregated data; and comply with law.

We do not sell Customer Materials.

We do not use Customer Materials for targeted advertising or cross-context behavioral advertising.

We do not permit third-party AI model providers to use Customer Materials to train their models.

Secure the Services

We use personal information to monitor, secure, debug, repair, test, and maintain the Services; detect and prevent fraud, abuse, security incidents, and unauthorized access; verify permissions; maintain logs; investigate suspicious activity; and protect the rights, property, and safety of Upgrade AI, our customers, users, and others.

Improve the Services

We use personal information to understand product performance, improve user experience, develop features, measure reliability, perform analytics, test systems, improve agent quality, and create aggregated or de-identified information.

Where we use Customer Materials for improvement, we do so only as permitted by the applicable customer agreement and applicable law. We do not use Customer Materials to train third-party foundation models.

To communicate with you

We use personal information to respond to inquiries, provide support, send administrative messages, schedule meetings, notify users about product changes, manage customer relationships, and send service-related communications.

For sales and marketing

We may use business profile information, website activity, lead information, event information, and marketing engagement data to send B2B marketing communications, provide product updates, invite you to events, personalize website content, measure marketing performance, conduct campaign attribution, and understand prospect and customer engagement.

Where permitted by agreement or consent, we may use customer names, logos, testimonials, or case study information in marketing materials.

We do not use Customer Materials for advertising.

Legal and admin purposes

We use personal information to comply with legal obligations, respond to lawful requests, enforce agreements and policies, collect fees, resolve disputes, manage corporate transactions, maintain records, conduct audits, manage insurance, and operate our business.

With consent or direction

We may use personal information for other purposes with your consent or at your direction.

Specter uses third-party AI and model providers to support AI-enabled features in the Services. These providers may include OpenAI, Anthropic, Google/Gemini, Mistral, and other providers we may use from time to time.

Depending on the workflow and processing step, we may transmit limited subsets of Customer Materials, prompts, inputs, outputs, metadata, extracted document text, OCR outputs, transaction-level data, entity names, vendor names, customer names, and contextual instructions to model providers to generate requested outputs or perform requested processing.

We scope data shared with model providers to what is reasonably necessary for the task being performed.

For Customer Materials, we configure model-provider integrations to use zero-data-retention, no-training, or equivalent enterprise privacy settings where available under provider terms. We require model providers that process Customer Materials to process that information only to provide services to us and not to train their models on Customer Materials.

Outputs, generated artifacts, validation results, and audit trails may be retained as Customer Materials in accordance with the applicable customer agreement and platform retention settings.

We may disclose personal information as described below.

To customer organizations

If you use the Services through an organization, we may disclose information about your account, role, permissions, settings, usage, support requests, and activity to that organization and its authorized administrators.

Service providers

We disclose personal information to vendors, service providers, and subprocessors that help us provide, secure, operate, support, analyze, and improve the Services. These may include hosting providers, cloud infrastructure providers, database providers, security providers, logging and monitoring providers, analytics providers, payment processors, customer support tools, email and communications providers, identity and authentication providers, compliance tools, professional services providers, and other business operations providers.

Core subprocessors that may process Customer Materials include Amazon Web Services and third-party AI and model providers, including OpenAI, Anthropic, Google/Gemini, and Mistral. A current list of subprocessors is available upon request.

To AI and model providers

We may disclose limited Customer Materials and related information to third-party AI and model providers as described in Section 4.

Customer integrations

If a customer connects the Services to third-party systems, we may disclose information to those systems as directed by the customer or its users. The customer is responsible for the third-party systems it chooses to connect and for obtaining any required permissions, licenses, and consents.

Ads and analytics partners

We may disclose website, sales, marketing, and engagement information to advertising, analytics, and visitor-intelligence partners, including Google Ads, Meta, Unify, and similar providers. These providers may process information such as IP address, device and browser information, online identifiers, page views, referral source, campaign information, lead information, business profile information, and hashed identifiers for advertising measurement, attribution, visitor intelligence, campaign analytics, and targeted advertising.

This does not include Customer Materials.

To professional advisors

We may disclose personal information to lawyers, auditors, accountants, insurers, bankers, consultants, and other professional advisors where necessary for the services they provide to us.

Legal and safety reasons

We may disclose personal information if we believe disclosure is necessary or appropriate to comply with law, legal process, or governmental requests; protect rights, property, or safety; prevent fraud, abuse, or security incidents; enforce our agreements or policies; collect amounts owed; or assist with an investigation.

In corporate transactions

We may disclose or transfer personal information in connection with an actual or proposed merger, acquisition, financing, investment, reorganization, bankruptcy, receivership, sale of assets, transfer of business, or similar corporate transaction.

With consent or direction

We may disclose personal information with your consent or at your direction.

We and our service providers may use cookies, pixels, tags, local storage, SDKs, server logs, and similar technologies to operate our website and Services, remember preferences, authenticate users, secure sessions, analyze usage, improve performance, measure marketing effectiveness, conduct campaign attribution, and deliver or measure advertising.

We may use the following categories of technologies:

Essential technologies. These are necessary to operate the website or Services, authenticate users, maintain sessions, prevent fraud, secure the Services, and provide requested functionality.

Functional technologies. These help remember preferences, settings, and user choices.

Analytics technologies. These help us understand website and product usage, diagnose issues, measure performance, and improve the Services.

Marketing and advertising technologies. These help us measure campaigns, understand website engagement, identify business visitors, conduct attribution, and deliver or measure advertising. We use, or may use, tools such as Google Ads, Meta advertising tools, Unify, Google Tag Manager, and similar services.

You can control cookies through your browser settings and through the Privacy Choices or Cookie Settings link on our website. Blocking cookies may affect website or Services functionality.

Some browsers offer "Do Not Track" signals. We do not currently respond to Do Not Track signals.

Where required by applicable law, we honor legally recognized opt-out preference signals, such as Global Privacy Control, as an opt-out of sale, sharing, and targeted advertising for the browser or device sending the signal.

You can opt out of marketing emails by using the unsubscribe link in the email. We may still send transactional, administrative, legal, security, and service-related messages.

We do not sell personal information for money.

We do not sell Customer Materials.

We do not share Customer Materials for cross-context behavioral advertising or targeted advertising.

We may disclose website, sales, marketing, and engagement information to advertising, analytics, and visitor-intelligence partners, including Google Ads, Meta, Unify, and similar providers. Depending on applicable law, these disclosures may be considered a "sale," "sharing," or processing for targeted advertising.

You may opt out of these activities by using the Privacy Choices or Do Not Sell or Share link on our website or enabling Global Privacy Control in a supported browser.

We may create aggregated, anonymized, or de-identified information that does not identify a customer or individual. We may use and disclose that information for lawful business purposes, including analytics, benchmarking, security, reporting, and product improvement.

Where required by law, we will maintain de-identified information in de-identified form and will not attempt to re-identify it except as permitted by law.

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Notice, including to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and operate our business.

Customer Materials are retained according to the applicable customer agreement, customer instructions, and any applicable data processing terms.

Unless the applicable customer agreement states otherwise, upon expiration or termination of the agreement and upon the customer's written request, we will make Customer Materials available for export for thirty (30) days following the effective date of expiration or termination. After the export window, we will delete Customer Materials from production systems within thirty (30) days, except to the extent required to retain such data to comply with applicable law or as retained in backups under our standard backup retention policies. Customer Materials retained in backups will be deleted in the ordinary course within ninety (90) days.

Backup data may persist for a limited period because backups are point-in-time snapshots. Security logs, audit logs, legal records, billing records, and compliance records may be retained for longer periods where reasonably necessary or required by law.

When personal information is no longer needed, we will delete, de-identify, anonymize, or securely store it and isolate it from further active processing until deletion is possible.

We use reasonable technical and organizational measures designed to protect personal information against unauthorized access, loss, misuse, alteration, and disclosure. These measures include encryption in transit and at rest where appropriate, access controls, role-based permissions, least-privilege access, authentication controls, network and infrastructure safeguards, monitoring and logging, vulnerability management, employee confidentiality obligations, vendor review, incident response procedures, and periodic review of our security practices.

Access to Customer Materials by Upgrade AI personnel is limited to authorized personnel with a business need, such as providing support, troubleshooting, securing, maintaining, or improving the Services, responding to incidents, complying with law, or as otherwise permitted by the applicable customer agreement.

No method of transmission or storage is completely secure. We cannot guarantee absolute security.

Upgrade AI is based in the United States.

For the Specter platform, Customer Materials stored and processed within Specter-managed infrastructure are assigned to a U.S. or Canada deployment based on the applicable customer agreement, configuration, or residency requirements. Customer Materials stored and processed within Specter-managed infrastructure remain within the assigned residency environment, including applicable backups and disaster recovery operations.

This residency commitment applies to Specter-managed infrastructure. It does not necessarily apply to customer-directed integrations, third-party systems selected by customers, website and marketing tools, third-party AI and model providers, or other subprocessors unless expressly stated in the applicable agreement or subprocessor terms.

We and our service providers may process and store other personal information in the United States, Canada, and other countries that may have data protection laws different from those in your location.

Where required, we use appropriate safeguards for international transfers, such as standard contractual clauses, the UK international data transfer addendum or agreement, adequacy decisions, customer-approved transfer terms, or other lawful transfer mechanisms.

Depending on your location and the context in which we process your personal information, you may have rights to request access, correction, deletion, portability, restriction, objection, withdrawal of consent, opt-out of sale or sharing, opt-out of targeted advertising, or appeal a decision we make about your request.

For security, we may need to verify your identity before completing a request. We may ask for information reasonably necessary to verify the request and locate relevant records.

If your request relates to Customer Materials that we process on behalf of a customer, we may direct you to that customer or forward the request to that customer, depending on the applicable agreement and law.

Where permitted by law, you may authorize an agent to submit a privacy request on your behalf. We may require proof of authorization and may still ask you to verify your identity directly.

We will not discriminate against you for exercising privacy rights.

This section provides additional information for residents of U.S. states with comprehensive privacy laws, to the extent those laws apply.

Categories collected

In the last 12 months, we may have collected the following categories of personal information:

Identifiers, such as name, email address, account identifiers, IP address, device identifiers, and online identifiers.

Commercial information, such as subscription information, billing records, transaction records, payment status, and customer relationship information.

Internet or electronic network activity information, such as log data, usage data, browser information, device information, page views, website interactions, and campaign engagement.

Professional or employment-related information, such as company, title, role, work details, job applicant information, and business relationship information.

Education information, where provided by job applicants.

Audio, electronic, or visual information, such as call recordings, video meeting recordings, or support communications where permitted by law.

Sensitive personal information, where included in Customer Materials or otherwise provided and permitted by the applicable agreement, Documentation, and configuration, such as financial account information, payroll information, government identifiers, account credentials, or similar information. Protected health information, cardholder data requiring PCI DSS controls, consumer credit reports, children's data, biometric data, and other specially regulated data are not intended for the Services unless expressly permitted.

Inferences, such as information about product interests, account engagement, or likely business needs.

Other information you choose to provide, such as support messages, feedback, uploaded files, and communications.

Sources

We collect personal information from you, your organization, customer users and administrators, connected systems, identity providers, service providers, advertising partners, marketing providers, business partners, public sources, and automated technologies.

Purposes

We collect, use, and disclose personal information for the purposes described in this Privacy Notice, including to provide, secure, support, improve, and market the Services; process Customer Materials; communicate with you; comply with law; enforce agreements; and operate our business.

Categories of recipients

We may disclose the categories of personal information listed above to the categories of recipients described in Section 5, including customer organizations, service providers, subprocessors, AI and model providers, connected integrations, advertising and analytics partners, visitor-intelligence providers, professional advisors, legal authorities, and transaction counterparties.

Sale, sharing, and ads

We do not sell personal information for money.

We do not sell Customer Materials or share Customer Materials for cross-context behavioral advertising or targeted advertising.

Our use of advertising, analytics, and visitor-intelligence technologies may be considered a sale, sharing, or targeted advertising under some state privacy laws. The categories of personal information disclosed for these purposes may include identifiers, internet or electronic network activity information, commercial information, professional or employment-related information, and inferences. The categories of recipients may include advertising partners, analytics providers, and visitor-intelligence providers, including Google Ads, Meta, Unify, and similar providers.

You may opt out by using the Privacy Choices or Do Not Sell or Share link on our website or enabling Global Privacy Control.

Sensitive information

We do not use or disclose sensitive personal information for purposes that require a right to limit under California law. We process sensitive personal information only as reasonably necessary to provide the Services, comply with law, secure the Services, and for other purposes permitted by applicable law.

Rights

Depending on your state, you may have the right to know or access personal information, correct inaccurate personal information, delete personal information, obtain a portable copy of personal information, opt out of sale, sharing, or targeted advertising, restrict certain processing, withdraw consent, or appeal a denied request.

If you are located in the European Economic Area, United Kingdom, or Switzerland, this section provides additional information.

For personal information we process as a controller, the controller is Upgrade AI, Inc.

For Customer Materials, the relevant customer is generally the controller and Upgrade AI is generally the processor.

We process personal information under the following legal bases:

Contract. We process account, user, billing, support, and service information where necessary to provide the Services or take steps before entering into a contract.

Legitimate interests. We process personal information for our legitimate interests in operating, securing, improving, and marketing the Services; communicating with customers and prospects; preventing fraud and abuse; enforcing agreements; and managing business operations, except where those interests are overridden by your rights and interests.

Legal obligation. We process personal information where necessary to comply with applicable laws, regulations, legal processes, and government requests.

Consent. We process personal information based on consent where required, such as for certain cookies, marketing communications, or other activities where consent is the appropriate legal basis. You may withdraw consent at any time, without affecting processing that occurred before withdrawal.

Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to processing of your personal information; request portability; withdraw consent; and lodge a complaint with your local data protection authority.

If your request relates to Customer Materials, please direct the request to the customer organization that controls the relevant data.

We may transfer personal information outside the EEA, UK, or Switzerland, including to the United States. Where required, we use appropriate safeguards, such as standard contractual clauses, the UK transfer addendum or agreement, adequacy decisions, or other lawful transfer mechanisms.

If you are located in Canada, you may have privacy rights under Canadian federal or provincial privacy laws, depending on the context. These rights may include the right to request access to personal information, request correction of inaccurate personal information, withdraw consent where processing is based on consent and withdrawal is legally available, and challenge our compliance with applicable privacy laws.

If your request relates to Customer Materials, please direct the request to the customer organization that controls the relevant data.

The Services are intended for business use and are not directed to children. We do not knowingly collect personal information from children under 13, or under a higher age where required by applicable law. We do not knowingly sell or share personal information of children under 16.

If you have questions about this Privacy Notice or want to exercise a privacy right when Upgrade AI acts as controller, please use the contact form available on our website or the contact method provided in your applicable agreement.

The Services may link to or integrate with third-party websites, applications, platforms, or services. We do not control those third parties, and this Privacy Notice does not apply to their privacy practices. Review their privacy notices before providing information to them.

Customers are responsible for the third-party systems they choose to connect to the Services.

We may update this Privacy Notice from time to time at our sole discretion. If we do, we will post the updated Privacy Notice on our website and/or send other communications.