Data Protection
1. GDPR Principles
We process personal data in accordance with the core principles of GDPR Art. 5:
- Lawfulness, fairness, and transparency — clear legal basis for every processing activity
- Purpose limitation — data collected for specified, explicit, and legitimate purposes
- Data minimization — only data that is necessary for the stated purpose
- Accuracy — kept up to date; inaccurate data corrected or deleted
- Storage limitation — retained only as long as necessary
- Integrity and confidentiality — protected by appropriate security measures
2. Roles & Processors
- Controller: Devi Devs Technologies S.R.L.
- Processors:
  - Supabase (database, EU Frankfurt)
  - Upstash (rate limiting, EU Frankfurt)
  - Vercel (hosting, global CDN)
  - Resend (transactional email)
  - Google reCAPTCHA (abuse protection)
  - Google Analytics 4 (analytics, consent-based)
  - Plausible Analytics (privacy-respecting analytics, EU Estonia)
For full details on each processor including location and transfer mechanisms, see our Privacy Policy, Section 4.
3. Data Processing Activities
| Process | System | Categories | Purpose | Legal basis |
|---|---|---|---|---|
| Contact form | Vercel → Supabase | Name, email, phone, message | Responding to inquiries | Art. 6(1)(b) |
| Newsletter | Vercel → Supabase → Resend | Email address | Sending updates and insights | Art. 6(1)(a) (consent) |
| Email engagement | Resend webhooks → Supabase | Delivery events | Monitoring deliverability | Art. 6(1)(f) |
| GDPR requests | Vercel → Supabase | Name, email, request | Fulfilling data subject rights | Art. 6(1)(c) |
| Rate limiting | Upstash Redis | IP address (hashed) | Abuse prevention | Art. 6(1)(f) |
4. Analytics & Measurement
- Google Analytics 4: Loads only after consent. Controls in Ads Settings and My Activity.
- Plausible Analytics: Privacy-respecting, cookie-free, no personal data collected. Hosted in the EU.
- Consent Mode v2: All four signals (`ad_storage`, `ad_user_data`, `ad_personalization`, `analytics_storage`) are set based on your consent choices.
5. Retention & Deletion
We retain data only for the minimum period necessary. Specific retention periods:
| Data category | Retention period | Basis |
|---|---|---|
| Contact form submissions | 3 years from last interaction | Pre-contractual + fiscal obligations |
| Newsletter subscriptions | Until unsubscribe + 30 days | Consent-based |
| Consent records | 3 years | Legal obligation (GDPR Art. 7(1) proof) |
| Security / audit logs | 12 months | Legitimate interest |
| Database backups | 30 days from primary deletion | Technical necessity |
After the retention period, data is deleted or anonymized unless retention is required by law.
6. Technical & Organizational Measures
We implement measures appropriate to the risk level (GDPR Art. 32):
- TLS 1.2+ encryption for all data in transit
- Nonce-based Content Security Policy (CSP) with strict-dynamic
- HSTS with preload for enforced HTTPS
- Rate limiting via Upstash Redis (sliding window algorithm)
- Input validation (Zod schemas), XSS entity escaping, reCAPTCHA + honeypot
- Row Level Security (RLS) at database level
- Need-to-know access, role-based access control
- Regular backups with restore testing
- Data minimization and environment segregation
7. Security Incidents
In the event of a personal data breach affecting confidentiality, integrity, or availability, we will: (1) assess impact and contain the breach; (2) notify the supervisory authority (ANSPDCP) within 72 hours where required per GDPR Art. 33; (3) communicate to affected data subjects where the breach poses a high risk per GDPR Art. 34; (4) document the incident, its effects, and remedial actions taken.
8. Data Protection Impact Assessment
Where a processing activity is likely to result in a high risk to the rights and freedoms of natural persons, we conduct a Data Protection Impact Assessment (DPIA) in accordance with GDPR Art. 35. We consult with the supervisory authority (ANSPDCP) where required per GDPR Art. 36.
9. Access & Control
Data access is restricted to authorized personnel on a role and need-to-know basis. Data subject requests can be sent to security@devidevs.com (response within 30 days). You may also submit a request via our GDPR request form.
10. International Transfers
Where data is transferred outside the EU/EEA, we rely on the EU-US Data Privacy Framework (for certified US providers) and/or Standard Contractual Clauses (SCCs) per Commission Implementing Decision (EU) 2021/914. Primary data storage (Supabase, Upstash) is in the EU (Frankfurt). See our Privacy Policy, Section 5 for details.
11. Supervisory Authority
ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, București, România
Email: anspdcp@dataprotection.ro
Website: www.dataprotection.ro
12. Legislative References
- General Data Protection Regulation (Regulation (EU) 2016/679)
- Romanian Law 190/2018 (GDPR implementation)
- Romanian Law 506/2004 (electronic communications data processing)
- ePrivacy Directive 2002/58/EC
- EU AI Act (Regulation (EU) 2024/1689)
Version: v2.1.0 · Last updated: 2026-02-13