Privacy Policy

---

Last updated: July 1, 2024
Effective: July 1, 2024

DevGru.us (“DevGru,” “we,” “us”) builds and deploys technology systems and apps for web, mobile, desktop, and related software and services (the “Services”).
Legal entity: DevGru US Inc, a Delaware corporation.
Principal place of business / mailing address: 16192 Coastal Highway, Lewes, Delaware 19958.
Contacts: privacy@devgru.us | legal@devgru.us | security@devgru.us

Scope. This policy covers personal data processed on devgru.us, our apps (iOS/Android/macOS/Windows/Linux), APIs/SDKs, and support channels.

Roles. We act as:

• Controller for data about users of our Services.
• Processor when business customers send us end-user data under a contract. A Data Processing Addendum (DPA) with SCCs is available at legal@devgru.us.

We collect the minimum reasonably necessary for the purposes below. Examples include:

• Account & Profile: name, email, password hash, company, role, settings, phone (optional).
• Content & Project Data: files, code, prompts, notes, attachments, and related metadata you upload or create.
• Payments: billing name/address and limited payment metadata via our processors (e.g., Stripe). We do not store full card numbers.
• Device & Usage: IP address, device identifiers, OS, app/browser version, pages/screens, feature use, telemetry, performance metrics, crash logs, referral sources, cookies/SDK IDs.
• Connected Accounts: identifiers/tokens from SSO or integrations (Google, Apple, GitHub) you choose to connect.
• Communications: support chats/tickets, emails, and (where permitted) call recordings.
• Sensitive data: Not sought. If a customer instructs us to process sensitive data, we do so only under a DPA.

We may also receive data from service providers (fraud, security, analytics), public sources, and partners where legally allowed.

• Operate, maintain, and secure the Services.
• Personalize experiences and remember settings.
• Monitor performance; detect, prevent, and investigate fraud, abuse, and security incidents.
• Communicate about updates, security, and transactional notices; send marketing where permitted (you can opt out).
• Comply with legal, tax, and regulatory obligations.
• AI features. When you use AI-powered features, we process inputs to generate outputs. We may log limited data to prevent abuse and improve quality. We do not use your content to train foundation models without your consent.

Legal bases (EEA/UK): contract necessity, legitimate interests, consent, and/or legal obligation.

We do not sell personal information for money. We share as follows:

• Vendors/Processors: cloud hosting, storage/CDN, analytics/measurement, payments, communications, crash reporting, and AI infrastructure—under written contracts with confidentiality and security obligations.
• Affiliates: controlled entities assisting operations.
• Legal/Safety: to comply with law or legal process; protect rights, safety, security, and integrity.
• Business changes: in a merger, acquisition, financing, or reorganization (information may transfer as part of the transaction).
• With your direction/consent: when you connect third-party services or share data.

“Sale”/“Share.” Some ad/analytics uses may be treated as a “sale” or “share.” Where applicable, you may opt out (see §7). We honor Global Privacy Control (GPC) signals where required.

We use cookies and similar technologies (SDKs, pixels) for core functionality, preferences, analytics, and (where permitted) advertising measurement. Manage preferences in our cookie banner or Settings → Privacy → Cookies, and through browser/system controls. Blocking certain cookies may limit features.

We retain personal data for at least the minimum periods below. After the minimum, we may retain data longer—including indefinitely—where reasonably necessary for security, fraud prevention, compliance, audits, product integrity, suppression/block lists, dispute resolution, business continuity, or legal holds. We may delete data any time after the minimum period. If a law requires earlier deletion or a shorter maximum, we follow that law.

• Account & Profile. Retained while the account is active and for a minimum of 24 months after inactivity. After the minimum, we may delete or retain longer/indefinitely for compliance and safety.
• Your Content/Projects. Retained while the account is active; after closure, we may delete. Copies may remain in backups and logs until those media rotate.
• Device & Usage Logs. Retained for at least 12 months; after the minimum, we may delete or retain longer/indefinitely for security and fraud prevention.
• Crash Reports. Retained for at least 180 days; may be deleted thereafter.
• Billing & Tax. Retained for at least 7 years or longer if required by law; we may retain longer/indefinitely for audits or legal holds.
• Backups. Maintained on rolling cycles (typically 30–90 days). Certain snapshots may persist longer for continuity or legal holds; backup copies are not used for routine processing and purge as media rotate.
• Marketing Preferences. Retained until you opt out or close your account. We may keep suppression lists indefinitely to honor your opt-out.
• Aggregated/De-identified Data. We may retain indefinitely; these records are not reasonably linkable to a person.

Deletion on request. See §7.

Your rights depend on your location (e.g., CA/CO/CT/UT/VA and EEA/UK). Where applicable, you may have rights to access, correct, delete, port, or object/restrict processing, and to opt out of targeted advertising, certain profiling, or uses deemed a “sale”/“share.”

How to exercise rights (fastest first):

• In-app: Settings → Privacy → Delete Account & Data; Settings → Privacy → Ad/Analytics Controls; Settings → Privacy → Cookies.
• Web: devgru.us/choices (Do Not Sell/Share; Limit Sensitive PI; Cookie Preferences).
• Email: privacy@devgru.us with the request type in the subject (e.g., “Delete My Data,” “Access My Data”).

Verification & timelines. We verify via your login, email confirmation, or reasonable additional info. We respond within 45 days (may extend once where permitted).
Deletion scope & exceptions. We will delete personal data unless an exception applies (e.g., legal recordkeeping, security logs, fraud prevention, or legal holds). Backups and logs purge on their normal cycles.
Marketing emails. Click unsubscribe or update Settings → Privacy → Marketing.
GPC. We honor Global Privacy Control where required.
Appeals (US state laws). If we deny your request, reply to our decision email with “Appeal” in the subject. We’ll review and respond as required by law.
Regulator complaints. You may lodge a complaint with a supervisory authority (EEA/UK) or attorney general (US states).

We may transfer, store, and process information outside your country, including in the United States. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses and additional measures).

We implement administrative, technical, and physical safeguards proportional to the nature of our Services and data (e.g., encryption in transit, access controls, monitoring, secure development practices). No method is 100% secure. Report issues to security@devgru.us.

The Services are not intended for children under 13 (or under 16 in the EEA/UK). We do not knowingly collect such data; if we learn of it, we will delete it.

When acting as a Processor, we process personal data per the customer’s written instructions, our agreement, and the DPA (available at legal@devgru.us). Customers are responsible for notifying their end users and honoring end-user rights.

We do not rely on solely automated decisions that produce legal or similarly significant effects without appropriate human review. If such features are introduced, we will describe them and your rights where required.

The Services may link to third-party sites or integrate third-party tools. Their privacy practices are their own. Review their policies before using those services.

We may update this policy from time to time. We will post changes here and update the “Last updated” date. For material changes, we may provide additional notice (e.g., email or in-app).

This policy and any dispute or claim arising from it are governed by the laws of the State of Delaware, USA, without regard to conflict-of-law rules. Where local privacy law grants you specific rights or imposes stricter rules, we will apply that law to the extent required.

• Privacy requests: privacy@devgru.us
• Legal notices & DPA: legal@devgru.us
• Security reports: security@devgru.us
• Mail: DevGru US Inc, 16192 Coastal Highway, Lewes, Delaware 19958