Speax
Get startedSign in

© 2026 Speax. All rights reserved.

Privacy Policy

Last updated: 13 April 2026

Who we are

Speax ("Speax", "we", "us", "our") operates the website at speax.ai and the AI agent platform at app.speax.ai. We are the data controller for personal data processed through the service.

Registered address: [Registered address] — Company number: [Number] — Jurisdiction: Ireland (EU). DPO contact: privacy@speax.ai.

Data we collect

Account data

When you register: email address, name, password hash (bcrypt), OAuth provider identifier if you sign up via Google. We never store your plain-text password.

Session and agent content

Prompts you type, files you upload, URLs you provide, agent responses, tool execution logs, sandbox output, and any files the agent creates or downloads during a session. This content is stored encrypted at rest.

Billing metadata

Subscription tier, credit balance, transaction history, Stripe customer ID. We do not store full card numbers — Stripe handles payment instrument data under their own privacy policy.

Usage metrics

Pages visited on speax.ai, session durations, feature usage counts, API request logs (with IP address and user agent), error reports.

Cookies and local storage

Auth tokens (session cookies), consent preferences, and optional analytics cookies. See our Cookie Policy.

How we use your data

  • Providing the service: authenticate you, run agent sessions, process your prompts, store your files, manage your account.
  • Billing: charge subscriptions, track credit usage, issue invoices, process refund requests.
  • Security: detect abuse, prevent fraud, enforce rate limits, investigate reports.
  • Improving the service: aggregated, anonymized usage analysis to guide product development. We do not use your session content to train AI models (see Section 5).
  • Communications: transactional emails (password reset, invoices, important service notices). Marketing emails only with explicit consent, which you can withdraw at any time.
  • Legal compliance: responding to lawful requests from courts and regulators, maintaining audit records.

AI model providers

Speax sends your prompts and session content to third-party AI foundation model providers to generate responses. This is a core part of the service — without it, the agent cannot function.

Current providers:

  • Anthropic, Inc.(United States) — Claude models. Data processing agreement in place. Anthropic's API terms prohibit training models on API-submitted data. Anthropic Privacy Policy
  • OpenAI, LLC(United States) — GPT models. Data processing agreement in place. OpenAI's API terms prohibit training models on API-submitted data by default. OpenAI Privacy Policy
  • Moonshot AI (Beijing Moonshot AI Technology Co., Ltd.) — Kimi models. Data processing agreement in place. Moonshot Privacy Policy

Transfers to US providers are covered by Standard Contractual Clauses (SCCs) under GDPR Chapter V. See Section 7.

We do not use your session content to train our own models or instruct any provider to do so. All three providers above have contractual commitments preventing use of API-submitted data for model training.

Who we share data with

We share personal data only as follows:

  • AI model providers — as described above (Section 5).
  • Infrastructure: Microsoft Azure (cloud hosting, blob storage, databases — Northern Europe region); E2B (sandbox execution environments).
  • Payments: Stripe, Inc. — for subscription and billing processing.
  • Email: Resend — for transactional email delivery.
  • Error monitoring: Sentry — for application error reporting (IP and browser data may be transmitted).
  • Legal authorities: where required by law, court order, or to protect the safety of users.

We do not sell personal data. We do not share personal data for advertising purposes.

For the full subprocessor list, see our Subprocessors page.

International transfers

Several of our subprocessors are based in the United States. Transfers from the EU/EEA to the US are governed by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c), as adopted by the European Commission in June 2021.

Transfers to Moonshot AI (China) are covered by SCCs with supplementary measures where required.

Data retention

  • Account data: retained while your account is active and for 30 days after deletion (for potential recovery), then permanently deleted.
  • Session content: retained for 90 days after the session, then deleted unless you explicitly archive or export it.
  • Billing records: retained for 7 years to comply with accounting and tax obligations (Art. 6(1)(c)).
  • Audit logs: retained for 90 days.
  • Usage metrics: aggregated and anonymized after 12 months; raw request logs deleted after 90 days.
  • Backup copies: may persist for up to 30 additional days in encrypted backups before full deletion.

Your rights

Under GDPR (Art. 15–22) and UK GDPR, you have the following rights:

  • Access (Art. 15): request a copy of the personal data we hold about you.
  • Rectification (Art. 16): correct inaccurate data.
  • Erasure (Art. 17): request deletion of your data, subject to retention obligations.
  • Portability (Art. 20): receive your data in a structured, machine-readable format.
  • Restriction (Art. 18): restrict processing in certain circumstances.
  • Object (Art. 21): object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, you may withdraw at any time via account settings or by contacting us.
  • Lodge a complaint: you have the right to complain to your local supervisory authority. In Ireland, this is the Data Protection Commission (DPC).

To exercise any right, email privacy@speax.ai. We will respond within 30 days (Art. 12(3)). We may need to verify your identity before processing the request.

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, and opt-out of sale (we do not sell data). Contact the same address to exercise these rights.

Children

Speax is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@speax.ai and we will delete it promptly.

Cookies

We use strictly necessary cookies for authentication and security. Optional cookies (analytics, functional) are only set after you provide consent via our cookie banner. For full details, see our Cookie Policy.

Security

We implement technical and organizational measures appropriate to the risk: encryption at rest (AES-256) and in transit (TLS 1.3), access controls, key rotation, audit logging, and regular penetration testing. No system is perfectly secure; if you discover a vulnerability please email security@speax.ai.

Changes to this policy

We may update this policy. We will notify you of material changes by email and by posting a notice on the website at least 14 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent version. Continued use of the service after the effective date constitutes acceptance.

Contact us

For privacy questions or to exercise your rights:

Back to home