Privacy Policy

Last updated: May 20, 2026

Speculos lets operators describe internal apps in plain English and get working apps wired to their team's real data. This policy explains what we collect, how we use it, and the choices you have.

1. What we collect

  • Account information. Name, work email, and company name when you sign up or request beta access.
  • Data-source credentials. OAuth tokens, API keys, or database connection strings that you explicitly authorize Speculos to use. These are stored encrypted at rest and used only to execute queries within the apps you build.
  • App definitions and prompts. When you describe an app, we store the prompt, the agent's generated tool calls, and the resulting app source code in your workspace.
  • Live query data. When an app runs, it reads live data from your connected sources. We process this data in memory to render the app. We do not persist your source data on our infrastructure — no copies of your CRM rows or database records are stored on our side.
  • Usage telemetry. Which apps your team opens, how often, and error logs. Stripped of personally identifying details where possible. Used to improve reliability and product quality.

2. How we use it

  • To build, run, and serve the internal apps you create
  • To execute queries against data sources you connect
  • To send technical notices, security alerts, and support replies
  • To respond to beta access requests and evaluate fit
  • To detect abuse and protect the Service
  • To improve the agent's app-building quality using aggregated, de-identified usage patterns

We do not use your data or your prompts to train machine learning models.

3. What we don't store

  • Your source data. We never copy CRM rows, database tables, or spreadsheet contents to our infrastructure. Apps query live each time they run.
  • Prompts for training. App-building prompts are stored in your workspace for your use only. They are not used to train any model.
  • Plaintext credentials. Connector credentials are encrypted at rest. Database connection strings are never written to logs.

4. LLM processing

When you describe an app or an existing app runs its agent step, we send relevant context (your prompt, schema hints, and query results) to a hosted LLM service to generate the response. Today, model access is provided by Speculos through Amazon Bedrock, which runs Anthropic Claude models. Per Amazon Bedrock's terms, customer content is not used to train any models. In the future, your workspace will be able to use its own LLM provider account (for example Anthropic API, OpenAI, or your own Amazon Bedrock setup); when that option is enabled, the terms of that provider govern the inference traffic and we'll surface the choice in your workspace settings.

5. Subprocessors

We use a small number of vendors to deliver the Service. They are contractually limited to acting on our instructions.

  • AWS — hosting, compute, and Amazon Bedrock for hosted LLM inference (currently running Anthropic Claude models)
  • Vercel — frontend hosting
  • Data-source providers — HubSpot, Salesforce, Google, Notion, etc., when you connect them via their official OAuth flows
  • Analytics and observability — e.g. Sentry, PostHog; operational data only, no customer source data
  • Your chosen LLM provider — when you opt to bring your own LLM key in a future release, the provider you select becomes a subprocessor on your behalf

The up-to-date list is available on request — email privacy@speculos.ai.

6. Your rights and choices

  • Disconnect a data source. You can disconnect any connector at any time from your workspace settings. This immediately revokes Speculos's access and removes the stored credential.
  • Delete your workspace. Deleting your workspace permanently removes your app definitions, connector credentials, and usage logs. Deletion completes within 30 days.
  • Export your app definitions. You can export all app definitions from your workspace before deletion.
  • Access and correction. Depending on where you live, you may have rights to access, correct, port, or object to processing of your personal data. Email us to exercise any of these.

To exercise any of the above: privacy@speculos.ai. We respond within 30 days.

7. Security

Credentials are encrypted at rest and in transit. We use OAuth where possible so your passwords never pass through Speculos. Connector credentials are scoped to read-only access unless an app explicitly requires write operations, and those permissions are shown to you at connect time. Access to production infrastructure is restricted and audited by our team.

8. Contact

Questions, complaints, or deletion requests: privacy@speculos.ai.