Data Protection Policy

Last updated: 11 March 2026

At ReqSpecs, protecting your data is a core priority. This Data Protection Policy explains the technical and organisational measures we employ to safeguard your information, how we handle data in the context of AI processing, and your rights regarding your data.

This policy supplements our Privacy Policy and should be read alongside it.

1. Data Security Measures

1.1 Encryption

  • In transit: All data transmitted between your browser and our servers is encrypted using industry-standard protocols (HTTPS).
  • At rest: Data stored in our database is encrypted at rest using industry-standard encryption provided by our infrastructure providers.

1.2 Access Controls

  • Data isolation: Our database enforces strict access control policies, ensuring that users can only access their own project data. No user can view, modify, or delete another user's data through the application.
  • Authentication: User authentication is handled through secure, industry-standard protocols including email verification and encrypted password storage.
  • Administrative access: Access to production systems and databases is restricted to authorised personnel only, using secure credentials and audit logging.

1.3 Infrastructure

ReqSpecs is hosted on enterprise-grade cloud infrastructure that maintains industry-standard security certifications, regular security audits, and automated threat detection.

2. AI Data Handling

ReqSpecs uses AI services to generate and refine requirements documentation. Here is how your data is handled in this context:

  • Processing: When you use AI-powered features (e.g. generating requirements, refining user stories), your project content is sent to our AI provider's API for processing.
  • No model training: Our AI provider does not use data submitted via their API to train or improve their models. Your data is processed solely to return a response to your request.
  • Data retention by AI provider: Our AI provider may retain API inputs and outputs for a limited period for abuse and misuse monitoring, after which they are deleted. They do not use this data for model training.
  • Minimal data sent: We only send the specific project content needed to fulfil your request — not your entire account data, billing information, or credentials.

3. Data Storage Location

Your data is stored on servers managed by our infrastructure providers, which maintain data centres across multiple geographic locations. We endeavour to store data in regions that align with applicable data protection requirements.

4. Data Minimisation

We follow the principle of data minimisation — we only collect and process the personal information that is necessary to provide the Service. We do not collect data beyond what is required for account management, billing, and platform functionality.

5. Data Breach Notification

In the event of a data breach that compromises your personal information:

  • We will investigate and assess the scope and impact of the breach as promptly as reasonably possible.
  • We will notify affected users via email within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms.
  • We will notify the Office of the Australian Information Commissioner (OAIC) if the breach meets the threshold for a Notifiable Data Breach under the Privacy Act 1988.
  • Our notification will include the nature of the breach, the data involved, the likely consequences, and the steps we are taking to address it.

6. Sub-Processors

We use third-party sub-processors to deliver the Service. Each operates under contractual obligations to protect your data. The categories of sub-processors we use include:

Category                      | Purpose                                      | Data Processed
------------------------------|----------------------------------------------|------------------------------------
Cloud infrastructure provider | Database, authentication, storage, hosting   | Account data, project content
AI service provider           | AI content generation and refinement         | Project content (requirements text)
Stripe                        | Payment processing                           | Billing and payment details

We will update this list if we engage additional sub-processors and will notify users of material changes.

7. Your Rights

Under the Australian Privacy Act and the Australian Privacy Principles (APPs), you have the right to:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your account and associated personal data. We will action deletion requests within 30 days, subject to any legal retention obligations.
  • Data portability: Export your project data at any time using the export features built into the platform.
  • Complaint: If you believe your data has been mishandled, you may lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

8. Data Retention

We retain your personal information and project data for as long as your account remains active. Upon account deletion:

  • Project data and personal information are deleted within 30 days.
  • Billing records may be retained for up to 7 years as required by Australian tax law.
  • Anonymised, aggregated usage data (which cannot identify you) may be retained indefinitely for analytics purposes.

9. Changes to This Policy

We may update this Data Protection Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will notify users via email.

10. Contact Us

If you have questions about this Data Protection Policy or wish to exercise your data rights, please contact us at:

Email: info@reqspecs.io
Website: reqspecs.io