Privacy Policy
1. Data Controller
Devi Devs Technologies S.R.L.
Registration: J40/13982/2023 · CUI: 48553919
Aleea Textiliștilor 7, Bl. MY12, Sc. 2, Et. 8, Ap. 63, Sector 3, București, România
General: contact@devidevs.com
Data protection: security@devidevs.com
DeviDevs acts as the Data Controller (GDPR Art. 4(7)) for all personal data processed through this Website.
2. Data We Collect
Data you provide directly
- Contact form: name, email, phone number, company name, message content
- Newsletter subscription: email address
- GDPR requests: name, email address, request type and details
Data collected automatically
- Technical data: IP address, browser type and version, device type, operating system, referral URL
- Analytics data (with consent): page views, session duration, interactions, UTM campaign parameters
- Cookie data: consent preferences, session identifiers (see our Cookie Policy)
3. Purpose, Legal Basis & Retention
| Category | Purpose | Legal basis | Retention |
|---|---|---|---|
| Contact form data | Responding to inquiries, pre-contractual steps | Art. 6(1)(b) GDPR | 3 years from last interaction |
| Newsletter email | Sending updates, insights, and marketing | Art. 6(1)(a) GDPR (consent) | Until unsubscribe + 30 days |
| GDPR request data | Processing data subject requests | Art. 6(1)(c) GDPR (legal obligation) | 3 years (proof of compliance) |
| Analytics data | Website usage analysis, UX improvement | Art. 6(1)(a) GDPR (consent) | 26 months (GA4 default) |
| Email engagement | Monitoring deliverability | Art. 6(1)(f) GDPR (legitimate interest) | 12 months |
| Security logs | Rate limiting, abuse prevention, security monitoring | Art. 6(1)(f) GDPR (legitimate interest) | 12 months |
| Consent records | Proving consent was obtained (Art. 7(1)) | Art. 6(1)(c) GDPR (legal obligation) | 3 years |
4. Data Processors (Sub-Processors)
We use the following third-party processors to provide our services:
| Provider | Service | Location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database (PostgreSQL) | EU (Frankfurt) | N/A (EU data) |
| Upstash Inc. | Rate limiting (Redis) | EU (Frankfurt) | N/A (EU data) |
| Vercel Inc. | Website hosting (Next.js) | USA (Edge: global) | EU-US DPF + SCCs |
| Resend (Plus Five Five, Inc.) | Transactional email | USA | SCCs |
| Google LLC | reCAPTCHA + Analytics (GA4) | USA | EU-US DPF + SCCs |
| Plausible Insights OÜ | Privacy-respecting analytics | EU (Estonia) | N/A (EU data) |
5. International Data Transfers
Some of our processors are located outside the EU/EEA. We ensure adequate protection through:
- EU-US Data Privacy Framework (DPF): For US-based providers certified under the framework (adequacy decision adopted July 10, 2023).
- Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914, used as primary or supplementary safeguard for all US transfers.
- We do not transfer personal data to countries without an adequate level of protection unless one of the above safeguards is in place.
6. Your Rights (GDPR Chapter III)
As a data subject, you have the following rights under GDPR:
| Right | GDPR Article | Description |
|---|---|---|
| Access | Art. 15 | Obtain confirmation and a copy of your personal data |
| Rectification | Art. 16 | Correct inaccurate or incomplete data |
| Erasure | Art. 17 | Request deletion of your personal data |
| Restriction | Art. 18 | Restrict processing in specific circumstances |
| Portability | Art. 20 | Receive your data in a structured, machine-readable format |
| Objection | Art. 21 | Object to processing based on legitimate interest |
| Withdraw consent | Art. 7(3) | Withdraw consent at any time (does not affect prior processing) |
To exercise your rights, email security@devidevs.com or use our GDPR request form. We respond within 30 days, extendable to 90 days for complex requests (with prior notification).
7. Security Measures
We implement appropriate technical and organizational measures (GDPR Art. 32) including:
- TLS 1.2+ encryption for all data in transit
- Nonce-based Content Security Policy (CSP) with strict-dynamic
- Rate limiting via Upstash Redis to prevent abuse
- Input validation and XSS protection (Zod schemas, entity escaping)
- reCAPTCHA v3 + honeypot fields for form abuse prevention
- Row Level Security (RLS) at database level
- HSTS with preload for enforced HTTPS
- Regular security reviews and dependency auditing
No system is 100% secure. We continuously improve our security posture.
8. Cookies & Analytics
- Consent-based: Analytics (GA4) loads only after you grant consent via our cookie banner. You can withdraw consent at any time.
- Privacy-respecting: We also use Plausible Analytics, which requires no cookies and collects no personal data.
- reCAPTCHA: Used for form abuse protection, subject to Google's Privacy Policy and Terms.
- Google signals (if enabled): Allows Google to associate visit information with signed-in Google accounts. You can control this in Ads Settings and My Activity.
- Ads personalization: When allowed, GA audiences/events may be exported to linked Ads accounts. Disable via our banner or your Google settings.
For full details, see our Cookie Policy.
9. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Art. 22. Our use of AI tools is limited to content generation and research assistance under human supervision.
10. Children's Data
Our services are not directed to individuals under 16 years of age (GDPR Art. 8(1), as maintained by Romania). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will delete it promptly.
11. Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority (GDPR Art. 77):
ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, București, România
Email: anspdcp@dataprotection.ro
Website: www.dataprotection.ro
12. Legislative References
- General Data Protection Regulation (Regulation (EU) 2016/679)
- Romanian Law 190/2018 (GDPR implementation)
- Romanian Law 506/2004 (electronic communications data processing)
- ePrivacy Directive 2002/58/EC
- EU AI Act (Regulation (EU) 2024/1689)
- EDPB Guidelines 05/2020 (consent)
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated where practicable. The latest version will always be published on this page.
Version: v2.0.0 · Last updated: 2026‑02‑13