PRIVACY POLICY
Effective date: July 22, 2025
Last updated: July 22, 2025
Quick summary: We collect only the data needed to run Devento Chat and our enterprise Devento Sandbox platform, process payments, secure accounts, and understand how our products are used so we can improve them. We do not sell your personal data, and we do not use your uploaded content to train our AI models unless you give us explicit permission in writing. This Policy explains what we collect, why we collect it, how long we keep it, how we secure it, and the rights you have over your information.
1. Who we are
Devento ("Devento," "we," "us," or "our") operates the website devento.ai and provides two core digital services:
- Devento Chat – a subscription-based AI assistant product for individuals and small teams.
- Devento Sandbox – an enterprise-grade sandbox computing and data-execution environment available only under a separate, negotiated contract.
2. Scope of this privacy policy
This Privacy Policy applies to:
- Visitors to our website at devento.ai.
- Registered users of Devento Chat, including Free, Lite, Pro, and Ultra plans.
- Prospective and contracted enterprise customers evaluating or using Devento Sandbox.
- Support interactions, pre-sales meetings, and communications with our team.
This Policy does not override any conflicting privacy, confidentiality, or data processing terms in a separately executed enterprise agreement for Devento Sandbox; that agreement will control where it differs. Where that agreement is silent, this Policy applies.
3. Age requirements / children's privacy
Our Services are not directed to children under 13 (or the minimum digital consent age in your jurisdiction, e.g., 16 in parts of the EEA). We do not knowingly collect personal data from children. If we learn that a child has created an account or submitted personal data without verified parental consent, we will delete that data and take appropriate action to close the account. If you believe a child has provided us data, please contact contact@devento.ai.
4. The data we collect
We collect information in three main ways: (1) you provide it to us, (2) it's collected automatically when you use our Services, and (3) we receive it from third parties as needed to operate the platform (e.g., payment processors).
4.1 Data you provide directly
| Data category | Examples | Required? | Used for |
|---|---|---|---|
| Account identifiers | Name, username/handle, email, auth provider ID (Google, GitHub, etc.) | Yes (to create & maintain account) | Login, account management, notifications. |
| Subscription & plan selections | Free, Lite, Pro, Ultra; usage preferences | Required for paid upgrades | Billing, plan enforcement, feature eligibility. |
| Payment-Related Info (via Stripe) | Billing name, billing email, payment method tokenized data | Required for paid plans | Process payments, prevent fraud, comply w/ tax & financial laws. |
| Support Communications | Emails, chat messages to support | Optional | Respond to inquiries, troubleshooting, improving service quality. |
| Enterprise Evaluation Data | Business contact info, technical environment descriptions, NDA materials | Required for enterprise deals | Sales evaluation, scoping contracts, onboarding Sandbox deployments. |
4.2 User content you upload for analysis
You may upload, paste, or otherwise provide content for Devento Chat (and, in enterprise contexts, Devento Sandbox) to analyze or process. This may include text, code, images, documents, spreadsheets, datasets, archives/zip files, logs, and other materials (collectively, "User Content").
We process User Content only to provide the Services you request (e.g., to generate AI responses, run computations, summarize documents, or test code in sandboxed environments). We do not use User Content to train our AI models unless you opt in via a separate, explicit agreement.
Sensitive Data Warning: Please avoid uploading personal data you do not have the right to process, and do not upload special-category data (e.g., health, biometric, political, financial account numbers) unless absolutely necessary and allowed by law. You are responsible for ensuring you have a lawful basis to submit any personal data contained in User Content.
4.3 Data collected automatically
When you access or use the Services, we and certain third parties automatically collect some technical and usage information. This may include:
- IP address (truncated or full, depending on region & controls)
- Approximate geolocation inferred from IP (country / region level)
- Device type, operating system, browser type/version
- Log data: timestamps, login events, request/response metadata, API errors
- Session interaction data (e.g., page views, navigation, click events)
- Performance metrics (latency, compute usage, container resource consumption)
4.4 Analytics & diagnostics data
We currently use or may implement the following analytics / experience tools:
- Google Analytics – traffic metrics (users, sessions, device info, geolocation approximations, engagement statistics).
- Microsoft Clarity (planned) – session replay & heatmaps to improve UX; we will mask or suppress sensitive fields.
- Posthog (planned) – interaction recording & heatmaps; form inputs are suppressed by default; masking is configurable.
We may introduce additional analytics, marketing, or monitoring tools in the future; any new tools will be documented in our Cookie Policy, even if not listed explicitly in this Privacy Policy.
These tools rely on cookies, scripts, and similar tracking technologies (see Section 10). You can control many of these through cookie banners, browser settings, or opt-out links where provided.
4.5 Data from third parties
We may receive limited data about you from:
- Stripe (payments) – payment status, fraud signals, billing country, last4 or tokenized payment reference (not full card numbers stored by us).
- Authentication Providers – basic identity attributes (email, name, avatar) when you sign in with Google, GitHub, etc.
- Enterprise Partners / Your Organization – user provisioning lists, SSO metadata, usage assignments under enterprise contracts.
5. Purposes & legal bases for processing
Because Devento serves a global audience, we identify legal bases under the EU/UK GDPR framework. Where other laws apply (e.g., U.S. state privacy laws), we map similar concepts.
| Purpose | Examples of processing | Legal basis (EU/UK) | Legitimate interests |
|---|---|---|---|
| Provide the Service | Account creation; authenticate users; run AI responses; process uploads; maintain chat history | Contract (Art. 6(1)(b)) | - |
| Process Payments | Subscription billing; fraud checks; tax calculation | Contract; Legal Obligation (tax/financial) | Preventing fraud / ensuring payment integrity |
| Usage-Based Plan Enforcement | Track Credits, usage limits | Contract | Efficient service delivery |
| Analytics & Service Improvement | Measure traffic, debug errors, UX optimization | Legitimate Interests (Art. 6(1)(f)) | Improve reliability, user experience, product decisions |
| Security & Abuse Prevention | Detect malicious uploads, rate limiting, credential abuse | Legitimate Interests; Legal Obligation (security laws in some jurisdictions) | Protect platform & users |
| Marketing & Communications | Service announcements, feature updates (opt-out always available); optional promotional emails (opt-in where required) | Legitimate Interests (service notices); Consent (promotional emails where required) | Grow user base; keep users informed |
| Compliance & Enforcement | Respond to lawful requests; enforce Terms; handle disputes | Legal Obligation; Legitimate Interests | Protect legal rights, prevent misuse |
Where we rely on legitimate interests, we balance our interests against your privacy rights. You can object (see Section 12).
6. How we use your data (narrative overview)
We use personal data to:
- Operate and deliver Devento Chat functionality.
- Enable secure, sandboxed execution environments (including container orchestration, file storage, and output retrieval).
- Provide customer support and respond to technical issues.
- Process payments and manage subscriptions.
- Monitor system performance, detect abuse, and maintain platform security.
- Improve features, user workflows, and reliability through aggregated analytics.
- Communicate important service-related notices (downtime, policy changes, security alerts).
- Send optional product updates or marketing messages when permitted.
- Fulfill contractual commitments for enterprise Devento Sandbox deployments.
7. No sale of personal data / No advertising-based data sharing
We do not sell your personal data. We also do not share personal data with third parties for their independent advertising or marketing purposes. If this ever changes, we will update this Policy and obtain any required consent.
We may use aggregated, de-identified, or anonymized data (that cannot reasonably identify you) to understand platform usage patterns, capacity planning, or to publish high-level benchmarks.
8. AI model training and data use commitments
Your uploaded User Content and AI interaction history are not used to train our AI models by default. We may aggregate anonymized telemetry (for example: frequency of feature usage, error types) to improve system-level behavior, but this does not include the substance of your private uploads in identifiable form.
If, in the future, we introduce an opt-in program that lets users contribute anonymized data to improve Devento models, we will request clear, granular consent and provide controls to opt out at any time.
Enterprise customers may negotiate separate data processing terms governing dataset residency, encryption, data access controls, or private model fine-tuning; such terms will override this Section where in conflict.
9. Sharing and disclosure of information
We share personal data only as needed to run the Service, comply with law, or with your permission.
9.1 Service providers / subprocessors
We engage carefully selected third parties under contractually binding confidentiality and data protection obligations. These may include:
- Cloud & Infrastructure Hosting Providers (compute, storage, networking, backups).
- Database / Application Backend (Convex) – managed data storage & sync services used by Devento Chat.
- Payment Processor (Stripe) – subscription billing, fraud detection, tax reporting.
- Analytics & Experience Tools – Google Analytics; (planned) Microsoft Clarity; (planned) Posthog.
- Email / Notification Services – transactional email delivery, verification, system alerts.
We require these providers to process personal data only on our documented instructions and only to provide services to us; they may not use data for their own unrelated purposes.
9.2 Enterprise partners
If your organization purchases Devento Sandbox or provisions multi-seat access to Devento Chat, we may share limited usage or account-level data (e.g., seat activity, billing status, admin console logs) with designated organizational administrators under the applicable enterprise agreement.
9.2 Legal, safety, and rights protection
We may disclose information if we believe in good faith that it is reasonably necessary to:
- Comply with applicable law, regulation, legal process, or government request;
- Enforce our Terms of Service, enterprise contracts, or other agreements;
- Protect the safety, rights, or property of Devento, our users, or the public;
- Detect, prevent, or investigate fraud, abuse, or security incidents.
9.4 Business transfers
If Devento is involved in a merger, acquisition, reorganization, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change and any new choices you may have.
10. Cookies, SDKs, and tracking technologies
We and our service providers use cookies, local storage, SDKs, and similar technologies to operate and improve the Services. These technologies fall into the categories below:
| Type | Purpose | Is it required? | Control options |
|---|---|---|---|
| Strictly Necessary / Functional | Login state, session continuity, fraud prevention, security | Required for core functionality | Browser-level blocking may break site |
| Performance & Analytics | Traffic measurement, feature engagement, debugging | Optional (consent/opt-out where required) | Cookie banner settings; opt-out links; browser add-ons |
| Experience / UX Diagnostics | Session replay tools (Clarity, Posthog) for product improvement | Optional | Cookie settings; in-tool suppression; do-not-track signals where supported |
| Marketing / Communications | Product announcements, campaign measurement (currently limited; may expand) | Consent where required | Email unsubscribe; cookie preferences panel |
You can manage cookie preferences through our cookie banner (where shown), browser settings, or industry opt-out tools. Note: Disabling analytics may degrade our ability to improve the product.
11. Data retention
We keep personal data only as long as necessary for the purposes described in this Policy (or as required by law, contract, or security obligations). Retention periods vary by data type:
| Data type | Typical retention | Notes |
|---|---|---|
| Account Data (email, auth ID) | For life of account; deleted ~90 days after closure | Backups may persist longer (encrypted, access-controlled). |
| Subscription & Billing Records | 7–10 years (tax & accounting laws vary) | Required for audit & compliance; cannot be fully erased on request where law requires retention. |
| User Content in Chats | Until you delete conversation or close account; otherwise retained for service continuity | May be hard-deleted from active systems ~90 days post-account deletion, subject to backup cycles. |
| Uploaded Files (analysis) | Retained to support conversation history & reproducibility; you may delete | Enterprise retention configurable by contract. |
| Analytics Data | Aggregated / pseudonymized after short raw log window (e.g., 30–90 days) | Non-identifiable aggregates may be retained longer. |
| Security Logs | 90–365 days, longer if needed for investigations | Rotated & archived securely. |
Where exact retention is not feasible to predefine, we apply documented criteria: account status, legal requirements, dispute periods, and technical feasibility of erasure.
12. Your privacy rights
12.1 EU / EEA & UK (GDPR / UK GDPR)
You may have the right to:
- Access a copy of your personal data we hold.
- Correct inaccurate or incomplete data.
- Delete your data ("right to erasure") in certain circumstances.
- Restrict or object to certain processing (especially where based on legitimate interests).
- Data portability (receive data in a structured, commonly used format).
- Withdraw consent at any time (for processing based on consent; withdrawal does not affect prior lawful processing).
- Lodge a complaint with a supervisory authority (see Section 14).
12.2 United States (state privacy laws)
Residents of certain U.S. states (e.g., California, Colorado, Virginia, Connecticut, Utah) may have rights to access, delete, correct, and opt out of certain data sharing. Devento does not sell personal data in the sense defined by the California Consumer Privacy Act (as amended by CPRA). We do not share data for cross-context behavioral advertising. If this changes, we will update this Policy and provide required opt-out mechanisms.
12.3 Brazil (LGPD) and other regions
Where local law grants access, correction, deletion, portability, revocation of consent, or information about processing, we will respond in line with those laws. Contact us to submit a request.
12.4 How to Submit a data request
Email privacy@devento.ai (or contact@devento.ai) with the subject line "Data Rights Request," and include:
- The email associated with your Devento account.
- The type of request (access, deletion, correction, etc.).
- Any relevant context (e.g., enterprise account, uploaded datasets).
We may ask for additional verification to protect your data from unauthorized access.
13. International data transfers
We operate globally. Your information may be transferred to and processed in countries other than the one in which you live. These countries may have data protection laws that differ from those in your jurisdiction.
Where we transfer personal data out of the EEA/UK, we rely on one or more of the following safeguards, as appropriate:
- Standard Contractual Clauses (SCCs) issued by the European Commission.
- UK International Data Transfer Addendum (IDTA) or equivalent.
- Data Privacy Framework–aligned transfer mechanisms (where applicable to the recipient).
- Other lawful derogations (e.g., performance of a contract at your request) in limited cases.
Details of relevant transfer mechanisms for specific subprocessors are available upon request.
14. Supervisory authority contacts
If you are in the European Economic Area (EEA), you have the right to complain to your local data protection authority. If you reside in another EEA country, please refer to your national regulator. In the UK, contact the Information Commissioner's Office (ICO).
15. Data security
We employ a combination of technical, organizational, and administrative safeguards designed to protect personal data and User Content from unauthorized access, alteration, disclosure, or destruction. Measures include:
- Encryption of data in transit (HTTPS/TLS) and at rest where supported.
- Segregated environments for sandboxed compute workloads.
- Access controls and authentication (least-privilege principles).
- Audit logging, intrusion detection, and abuse monitoring.
- Regular security patching & vulnerability management.
- Vendor due diligence and contractual data protection requirements for subprocessors (e.g., Convex, Stripe, hosting providers).
No system is 100% secure. If we learn of a data breach affecting your personal data, we will notify you and/or relevant authorities as required by applicable law.
16. Devento Sandbox (Enterprise) data handling
Enterprise customers often impose additional or stricter privacy, confidentiality, security, data residency, retention, and audit requirements. These will be governed by a separate written Enterprise Agreement / Data Processing Agreement (DPA). Key customizable elements include:
- Data residency / hosting region selection
- Encryption key management / KMS ownership
- Access logging & audit exports
- Role-based access for administrators
- Custom retention & deletion SLAs
- Optional private model or dataset isolation
Where an enterprise agreement exists, its terms will override this Privacy Policy in the event of conflict.
17. Automated decision-making and profiling
Devento does not engage in automated decision-making that produces legal or similarly significant effects about you without human involvement. Our AI responses generate text/code suggestions based on your prompts; these are tools, not decisions. Usage-based throttling (e.g., enforcing plan limits) is automated but does not produce legal effects beyond service access tiers.
18. Third-party links and integrations
Our Services may contain links to websites or services operated by third parties. Your use of those services is governed by their own privacy policies, not this one. Examples include:
- Stripe (payments)
- Convex (application data backend)
- Google Analytics (analytics)
- Microsoft Clarity (UX analytics; planned)
- Posthog (UX analytics)
- OAuth identity providers (Google, GitHub, etc.)
We encourage you to review their privacy policies when interacting with those services.
19. How to manage your data and settings
You can manage many aspects of your data directly in the product:
- Profile & Account: View or update profile info and authentication connections.
- Subscription & Billing: Manage plan level, payment method, and invoices.
- Chat History & Uploaded Files: Delete individual conversations or file attachments.
- Export: Request a machine-readable export of your conversations and account data (coming soon; contact support to request manually in the meantime).
- Cookie Preferences: Adjust consent for analytics/experience tools (where banner is deployed).
For any request you cannot complete in-product, email privacy@devento.ai.
20. Changes to this privacy policy
We may update this Privacy Policy from time to time to reflect changes in technology, laws, our business, or the Services. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy;
- Provide notice in-product or by email where required or appropriate; and
- Explain the key changes in summary form.
Your continued use of the Services after the effective date of an updated Policy constitutes your acceptance of the revised Policy. If you do not agree, you should stop using the Services and request account deletion.
21. Contact us
Questions, requests, or complaints?
Email: contact@devento.ai
Privacy Requests: privacy@devento.ai
Security Reports: security@devento.ai (or use our responsible disclosure form if made available)
If you are an enterprise customer, please also reach out through your assigned account representative.
Thank you for trusting Devento. We are committed to respecting your privacy while delivering powerful AI and sandbox computing tools.