Effective from July 8, 2025
Please note: While most of our users would likely prefer a shorter privacy notice, current laws and regulations require us to offer a lot of information on our processing operations. We have thereby endeavoured to offer summarised snapshots of the most relevant information under certain sections of this notice. Feel free to read the short section summaries provided at the beginning of most sections or read the full legally binding text below each summary.
We truly hope that you find the contents contained herein understandable. Should you require a “clean” version of this notice as well as any additional information or clarifications regarding the processing of your personal data and the use of our products and services, feel free to reach out to us at dpo@devrev.ai.
1. Introduction
This privacy policy serves as a notice to individuals under Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of personal data by DEVREV, inc. as well as its subsidiaries, and outlines how personal and other data is processed in connection with the DevRev service and the corresponding features, as well as our website, other company-wide operations and processes, as further outlined below (hereinafter: privacy notice or notice).
All California residents that visit our website, use our products or otherwise interact with our organisation are kindly asked to observe section 5 of this notice which has been prepared in accordance with the California Consumer Privacy Act.
1.1. Information on the controller of your personal data
Summary: Information on us (i.e. the data controller responsible for your personal data and our various subsidiaries) and where we, our EU representative or our dedicated Data Protection Officer can be reached.
DEVREV, inc., 300 Hamilton Avenue, 2nd Floor, Palo Alto, CA 94301, United States of America, company reg. no.: 4656646, the owner and supplier of the DevRev service and its subsidiaries:
- DevRev, razvoj programske opreme, d.o.o., Železna cesta 18, 1000 Ljubljana, Slovenia, Europe, company reg. No.: 8879311000, VAT ID no.: SI 51541556 that is acting as its EEA representative as per Article 27 of the GDPR;
- DevRev UV Cloud, Inc., 300 Hamilton Avenue, 2nd Floor, Palo Alto, CA 94301, USA bearing EIN: 93-4295372;
- DevRev Cloud India Private Limited, 608, 12th Main Rd, 8th cross, HAL 2nd Stage, Indiranagar, Bengaluru, Karnataka 560038, India bearing (CIN) U72900KA2020FTC141826 with registration number 141826;
- DevRev GmbH, Herzogweg 40, 71083 Herrenberg, Germany bearing company registration number: HRB 786019;
(hereinafter jointly referred to: we, us, our, DevRev, the controller, organisation or company)
Our data protection officer has been appointed and is reachable at dpo@devrev.ai.
1.2. Use and applicability of this privacy notice
Summary: This privacy notice is applicable if you visit our websites, use the DevRev service or otherwise interact with our company in a way where we receive or otherwise process your data as mentioned under sections 2 and 3 of this notice. If you are a resident of California, please see section 5. In the event of substantial changes to this notice, we will notify you accordingly via email or through our website (depending on the importance of the change).
More information
This privacy notice is addressed to our website visitors, customers, DevRev users and all other individuals who offer their personal data to DevRev in connection with its websites, operations, products and services, as stated in sections 2 and 3 of this notice.
This privacy notice undertakes to explain which personal data we process, to what end we process such data, under which legal grounds, how long the data is kept and under what circumstances we may share or disclose said personal data to third parties.
This privacy notice has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such information and repealing Directive 95/46 / EC (hereinafter the General Data Protection Regulation or the GDPR), the United Kingdom General Data Protection Regulation and the California Consumer Privacy Act that came into force on January 1, 2020 (hereinafter the: CCPA or California Consumer Privacy Act).
All California residents that visit our website, use our products or otherwise interact with our organisation are kindly asked to observe section 5 of this notice which has been prepared in accordance with the California Consumer Privacy Act.
In the case of any conflict or ambiguity between this privacy notice and the provisions of any special privacy notice or data processing information that we might have offered to you in connection with a particular website, product or service, the provision of the latter shall prevail.
For the purposes of this notice, the term “personal data” means any information that relates to, describes or could be used to identify any individual, either directly or indirectly. Unless otherwise stated, other various terms that can be found in this privacy notice and which stem from the GDPR (e.g. processing, controller, processor, etc.) have the same meaning as specified in the GDPR.
In this notice, the word “service” means the DevRev service (available at https://devrev.ai/) which we develop and provide, unless it is clearly stated that we are referring to another service.
In this notice, the word “user” shall mean the natural or legal persons which are acting as registered or unregistered users of the DevRev service (i.e. entities which had obtained a licence from DevRev for the use of the service (or a feature or subservice of the service) or which are using the service in a capacity that does not require account registration).
In this notice, the words “user website” (hereinafter referred to as the user website) shall mean the website that belongs to a DevRev service user where the DevRev service (or a feature/subservice) had been deployed or integrated.
In this notice, the words “article”, “file” or “document” mean the corresponding input data or content, as the case may be, that a user may elect to upload or otherwise use in connection with the service in order to receive automatically generated summaries or other outputs from the service.
This privacy notice may be updated from time to time in order to better reflect the changes that we might make in relation to our data processing or data protection operations or for other operational and legal reasons.
If this notice is significantly changed, we will publish the news on our website or send the notification as a message within the service or via email to the relevant data subjects that the change might affect. The importance of the change shall dictate the type of notification method used (i.e. sending emails when we would like to implement additional processing purposes which require your explicit consent).
This notice may contain links to websites of third party processors/service providers or individual controllers that may be involved in our processing activities (see point 4.4 of this notice). If you follow a link to any third-party website, please note that the contents of the website may have changed since the link has been added. Please also consider that all third parties have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data that is unlawful or goes beyond the scope of our engagement.
This notice does not offer insights on how to use our products or services. More information about the functionalities and use of our products and services can be gained by contacting us at dpo@devrev.ai
1.3. Our adherence to the Data Transfer Framework Principles (DPF)
Summary: We adhere to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework. This framework offers DevRev, a USA based organisation, a reliable and legally recognised mechanism for personal data transfers to the USA from the EU / EEA and the UK. This means that our processing of personal data from individuals that are residents from these areas is in compliance with EU / UK privacy laws even though the USA might not have similar privacy rules in place. An explanation on the Data Privacy Framework Principles and how they may relate to your data can be found under “More information” below.
More information
This section explains everything you need to know about or adherence to the DPF principles and how this affects you and your rights.
a. Notice
i. DevRev, Inc. and its subsidiaries comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. DevRev, Inc. and its subsidiaries have certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
The U.S. entities or U.S. subsidiaries of DevRev, Inc. also adhering to the DPF Principles are:
- DevRev UV Cloud, Inc., 300 Hamilton Avenue, 2nd Floor, Palo Alto, CA 94301, USA bearing EIN: 93-4295372;
ii. The types of personal data we collect and process as per each processing situation are listed in sections 2 to 3 of this notice. The details of our USA subsidiaries that are also adhering to the DPF principles are listed in section 1.1. of this notice.
iii. As a certified participant to the DPF, we are committed to subjecting to the DPF all of the data and/or processing activities that we collect/process in relation to EU/EEA and UK individuals in reliance on the DPF.
iv. The purposes for which we collect and use personal data in relation to each processing situation are listed in sections 2 to 3 of this notice.
v. You can contact our organisation with any inquiries or complaints, including our EEA representative by using the contact information that is set out in section 1.1. of this notice.
vi. The identity of third parties to which we disclose personal information, and the purposes for which such disclosures may happen are listed in section 4.4.3 of this notice. The list of the various subprocessors we might engage when offering our services (particularly as “data processors” as further explained in section 3.1. of this notice) is available here: https://devrev.ai/security/sub-processors.
vii. The right of individuals to access their personal data is explained in section 4.6 of this notice.
viii. The choices and means our organisation offers individuals for limiting the use and disclosure of their personal data are described in this section under b. Choice.
ix. The independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to you as the individual, is disclosed in this section under
c. Recourse, Enforcement, and Liability.
x. As a USA based participant we and our subsidiaries are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) and any other U.S. authorized statutory body in relation to such data transfers.
xi. You, as the affected EEA / UK individual, might have the legal possibility, under certain conditions, to invoke binding arbitration against us, as further described here: https://www.dataprivacyframework.gov/framework-article/G%E2%80%93Arbitration-Procedures
xii. In certain situations we might also be under the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, as disclosed in section 4.4.2 of this notice.
xiii. Our liability in cases of onward transfers of your data to third parties is explained in this section under d. Onward transfers.
b. Choice
The majority of data we process (both as data “controllers” and as data “processors”) is processed on contractual legal grounds, whereby we process the data based on a contract with either you or one of our users who is acting as a controller in relation to your data, so that we can provide our services. In such situations, an individual can choose to do business with us (or do business with a user of our services) or not.
When acting as a controller and where “consent” is listed as the legal basis for each processing situation in sections 2 to 3 of this notice, we obtain consent directly from individuals to process their data. Should you wish to withdraw consent, you can do so by either deleting your data (i.e. in the user panel of one of our services), by following an “unsubscribe” link (if we process your data for sending you commercial emails) or by contacting us at any time by sending a free form email to dpo@devrev.ai.
When acting as a Controller, we also offer individuals the opportunity to offer their additional consent in situations, where an existing data processing purpose to which the individual in question had previously consented is to be materially changed (e.g. if we have obtained your email for marketing purposes based on your explicit consent and would like to process the email address for a different purpose, we will notify you of this and seek out your additional consent. In situations where the processing purpose is to be materially changed and the legal ground for processing is not consent, we shall also offer you the option of opt-ing via email (or through the user panel of our services) out of such processing activities before the change takes place.
Please note that opting out may affect our ability to provide our services to you as well as affect other interactions we might have with you.
Regarding special category data and as listed in section 4.5 of this notice, we do not currently knowingly process such data. If we elect to process such data as data controller in the future, we will obtain affirmative express consent (opt-in) from you if your special category data is to be disclosed to a third party or is to be used for a purpose other than that for which it was originally collected or subsequently authorized by the individuals through the exercise of opt in choice, unless the data in question is subject to an exception under valid privacy laws and the DPF principles.
In cases where we are acting as a Processor, we will assist the other party in complying with the Choice Principle.
c. Recourse, Enforcement, and Liability
In compliance with the DPF Principles, DevRev commits to resolve DPF Principles-related complaints about our collection or use of any personal data tied to EEA/EA and/or UK residents. Individuals with inquiries or complaints regarding our handling of personal data which we have collected or otherwise processed on the basis of the DPF should first contact us via email at dpo@devrev.ai, whereby we shall respond within 45 days.
As a DPF participant, we provide, at no cost to you, an independent recourse mechanism by committing to cooperate with the appropriate European data protection authorities for the relevant part(s) of the DPF program (i.e., the EU data protection authorities (EU DPAs) under the EU-U.S. DPF; the UK Information Commissioner’s Office (ICO) and, as applicable the Gibraltar Regulatory Authority (GRA) under the UK Extension to the EU-U.S. DPF).
In the Republic of Slovenia (the country where the EEA representative entity of DevRev (namely DevRev, Razvoj Programske Opreme, d.o.o., Železna Cesta 18, 1000 Ljubljana, Slovenia, Europe, Company Reg. No.: 8879311000, Vat ID No.: SI 51541556) is located, the authority is the Information Commissioner (Informacijski pooblaščenec), Dunajska 22, 1000 Ljubljana, Slovenia, EU, email: gp.ip@ip-rs.com, phone: +38612309730, website: www.ip-rs.com.
A list of other EU supervisory authorities and their contact information can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en#.
If an individual submits a complaint to a data protection authority (DPA) in the European Union / European Economic Area, the United Kingdom (and/or, as applicable, Gibraltar), the Federal Trade Commission (FTC) may participate in the enforcement of the rights of individuals under the program.
We are obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to our organization via our official privacy email at dpo@devrev.ai or we have been served such mail at our official addresses following the procedures and subject to conditions set forth in Annex I of the DPF Principles.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms, as further explained here: https://www.dataprivacyframework.gov/framework-article/G%E2%80%93Arbitration-Procedures.
DevRev agrees to periodically review and verify its compliance with the DPF Principles, and to remedy any issues arising out of failure to comply with the DPF Principles. DevRev acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of DPF participants.
For any unresolved complaints regarding the handling of personal data received under the DPF, particularly in the context of employment relationships, DevRev shall be committed to cooperating with and adhering to the advice of the panel established by EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO).
d. Onward transfers
If we transfer personal data covered by this notice and belonging to EEA/EU and/or UK residents to a third party acting as a controller, we will ensure that the transfer aligns with any notice provided to the individuals involved, which had provided their consent.
Additionally, as stated in section 4.5.1 of this notice, when engaging contractual processors/service providers that have their place of business registered in the USA or in other non-EEA countries, we require such third parties to provide contractual assurances (generally Data Processing Agreements or addendums) under which they: (i) process the personal data for specific, limited purposes consistent with the data subjects’ consent/processing purpose; (ii) offer at least the same level of protection required by us (and as required by the DPF Principles) and notify us if they can no longer meet these standards; and (iii) cease processing the personal data or take other reasonable steps to address the issue if they determines it cannot comply. If we become aware that a third party acting as a controller is processing personal data in violation of the DPF Principles, we will take appropriate measures to prevent or stop such processing.
In relation to EEA/EU and/or UK resident personal data that falls within the scope of the DPF Principles and data regarding which DevRev is considered as the “data controller”, DevRev retains responsibility under the DPF Principles if an engaged third party processes personal data in a way that violates the DPF Principles (or applicable laws), except in cases where DevRev cannot be held accountable for the event that caused the harm.
DevRev also remains accountable in all cases where any affected individual may hold DevRev accountable under privacy or other applicable laws.
e. Purpose Limitation
DevRev collects personal data only to the extent necessary for the purposes of processing and does not process personal data in ways that are incompatible with the original purposes for which it was collected or subsequently authorized by the individual. The specific purposes are listed for each processing situation in sections 2 to 3 of this notice.
DevRev takes reasonable steps to ensure that the personal data it processes is accurate, complete, current, and reliable for its intended use. We also implement appropriate measures to comply with the DPF requirement to retain personal data in identifiable form only for as long as it serves the purposes of processing. Specifically, personal data is retained in alignment with DevRev’s business needs, legal obligations, and professional standards, unless a longer retention period is permitted by law and remains consistent with the DPF Principles. The specific data retention periods are listed for each processing situation in sections 3 to 4 of this notice.
f. Security
Our commitment to data security in terms of all data transfers is listed in section 4.5.1 of this notice while our other data security efforts are disclosed in section 4.9 of this notice.
g. Amendments
This notice may be updated in accordance with the requirements of the DPF and its changes. Any updates will be included in the “Version History” table at the bottom of this document or as otherwise required by the framework.
For more information, feel free to reach out to us at dpo@devrev.ai.
2. Data processing activities that relate to our websites, communication, sales and delivery of our products, our general marketing and other company operations
Summary: The following is an overview of when we process your personal data, what personal data we process, why we process said data, what underlying legal basis allows us to do this and how long we keep your data in each case. This section refers to situations where you visit our websites, communicate with us, buy from us, or when we perform our general marketing and other activities. We do not sell personal data of any individuals.
2.1. Visiting and using our websites
2.1.1. Visiting our website involves the placing of necessary and other cookies
Summary: We automatically place necessary cookies on your device when you visit our website and place other cookies on the basis of your consent. Necessary cookies are necessary so that our website may be displayed and function properly while other cookies offer us various business and other capabilities (see our dedicated Cookie Policy to learn more).
More information
When: When you visit our website, we automatically place necessary cookies on your device and place other cookies if we obtain your consent (i.e. through the cookie pop-up).
Data: Necessary cookie data which typically only reveals technical information about your device while other cookies can store (and share) other data (see our Cookie Policy to learn more).
Purpose: Necessary cookies are essential for the correct functioning of our website and enable key functions like page navigation, display features, page responsiveness, etc., while other “non-necessary” cookies are used (see our Cookie Policy to learn more).
Legal basis: We are legally permitted to place necessary cookies on your device without consent, while we shall actively seek your consent before placing all other cookies.
Data retention: Necessary cookie data can either be stored for the duration of your browsing session or longer. See our Cookie Policy to learn more about the retention period for each cookie.
2.2. Communication, sales and delivery of our products
2.2.1. When reaching out to us both on and off our websites
Summary: When you reach out to us (e.g. by sending an email to an address that belongs to us, messaging us through the DevRev live-chat service, etc.), we shall process any data you might share (or have shared with us in the past) in order to respond to you or fulfil your request. The data is shared using “SendGrid” (a service provider that we use for sending you emails), “Vercel" (a company that helps us host and manage our website), “Tally BV” provider that we use for distributing forms and gathering form results). Please note that for some of the website features we are also using https://vwo.com/ and https://getkoala.com/ services.
More information
When: When you choose to reach out to us or contact with us (i.e. by sending an email to an address that belongs to us, submitting a question through our DevRev live-chat service, reaching out to us through our official email channels or social media platforms, or in communication with our employees/agents or via other means).
Data: We may process any data/information you disclose in your communication (such as your name, email address, billing address, shipping address, products ordered and order number) or which we might already have and require to formulate our response/solve your issue.
Purpose: In order to respond to emails, messages, formal inquiries, proposals, support, troubleshooting and other inbound communication.
Legal basis: We carry out these processing activities because processing might be necessary for the performance of a contract to which the person reaching out to us is a party (e.g. if you have bought a product from us and reach out to us for product related information) or in order to take steps at the request of the data subject prior to entering into a contract (e.g. if you reach out to us with questions about our products prior to placing an order) or on the basis of our legitimate interests.
Data retention: We typically do not keep communication data after responding to you. An exception to the aforementioned can be made if messaging or other communication had been performed through the use of a dedicated service (i.e. email, chat module, etc.), whereby we may keep data in such systems for up to 3 years or any such stipulated and relevant statutory period after having received it.
In certain rare cases, we might keep parts of the data/communication for a longer period, if it is evident that certain data is needed in a legal or other official proceeding that is being carried out.
If such communications took place through platforms such as Facebook, please refer to the data retention periods that Meta Inc. or other platform providers might offer, as data deletion in such circumstances is not solely dependent on us (please see point 4.4 of this notice).
2.2.2. When purchasing a product subscription/license from us for using our service through our website or through our agents
Summary: When you purchase a product or subscription on our website or through the check-out module, we are required to collect and process certain contact, payment and transactional data for product invoicing, delivery and other necessary administrative or legally required purposes. The data is shared with “Stripe” which offers the relevant check-out module of our website and for sending you transactional emails, and may be used by different payment facilitators (depending on your desired payment method). We may be legally required to store parts of such data for up to 7 or 10 years under applicable tax and other legislation(s).
More information
When: When you purchase a product or subscription from us through our website or the payment check-out module we employ.
Data: Your contact information (such as your name, email, country, address, billing address, shipping address, telephone number, products ordered, order number, your payment information, such as your credit card number, billing address, holder name, issuing bank, expiry date, and security code (whereby this data is collected by “Stripe” as our data processor in connection with the check-out module for purchasing our products and is not necessarily shared with us or even visible to us).
Purpose: We use this data in order to legally sell our products to you and send you transactional emails (e.g. order status, invoice, etc.).
Your contact and invoice data is shared with our delivery services and your payment information is collected and stored by our third-party payment facilitators on our behalf (such as “Stripe” (see point 4.4 to learn more), whereby these parties may be considered as individual data controllers or processors, as the case may be.
Data you share with us through the check-out or default payment module of our website also collected by “Stripe” that our check-out module uses and which is acting as our data processor (please see point 4.4 of this notice to find out more about who we might share your data with and why).
This data may also be processed when we are required to comply with legal requirements and other regulations, especially those governing the control of personal data, taxes, invoicing and payments.
Legal basis: Contractual (i.e. the concluded distance sale contract you enter into when you agree to our terms of sale and place your order).
Data retention: We may retain a minimised set of the aforementioned data that includes your contact information, payment and shipping information (such as your name, email address, billing address, shipping address, products ordered and order number) until the expiration of the statutory period under which we may be held liable in relation to any possible hidden defects on the products we have sold you. This does not include any data that you might have given us on any other grounds or for any other purposes (i.e. data that we process for marketing purposes based on your consent, data that relates to your user account, etc.).
We are legally obliged to retain certain transactional data in unminimized form (such as invoicing data) for a minimum of 10 years (depending on the point of sale and the location of our subsidiary that is issuing the invoice).
We may also retain certain data on the grounds of our legitimate interest if we detect reasonable grounds that fraud or attempted fraud had taken place in relation to the sale of our products. Such data shall not be kept longer than necessary in order to assess the situation and take any necessary action.
Our payment facilitation/payment service providers typically do not retain any personal data other than the data that they might have a legal obligation or legitimate interest in retaining (or the data that they already keep in relation to your individual use of their payment/banking services). Please see the relevant privacy policy of the payment facilitation/payment service provider that has been engaged in the sale of our product to find out more.
2.2.3. When wishing to communicate transactional/essential information in connection with your purchase or use of our products or services
Summary: When you purchase a product or service from us (or have done so in the past) and we consider it necessary (or are legally required to do so), we may send you emails with transactional/essential information (i.e. emails about your order having been successfully placed, changes of product delivery dates, information regarding a potentially serious issue that might affect your product, updates and changes to our policies and terms, etc.). The data is shared with “SendGrid” a service provider that we use for sending transactional emails.
More information
When: When you purchase a product or service from us or have done so in the past and we deem it necessary to reach out to you with important information or are required to do so by law.
Data: We may process any data/information you disclose to us during your purchase (such as your name, email address, billing address, shipping address, products ordered and order number) or which we might already have and need in order to formulate our transactional/essential messages.
Purpose: To communicate transactional/essential service-/product-related information to you (i.e. notify you that your order had been placed successfully, offer assistance regarding the use of our products, inform you of important product issues, updates and changes to our policies and terms, get in touch with you regarding changes to products and features, etc.).
Legal basis: We carry out these processing activities because processing is necessary in order to fulfil the contract that we have concluded with you (i.e. the Terms of Sale you enter into when purchasing a product from us or the DevRev Terms of Service you accept when registering your account or using our service).
We may also be required to perform the above mentioned data processing because we are required to do so under law (i.e. sending you an invoice) or on the basis of our legitimate interests (i.e. providing functioning and safe products). In certain rare cases, the above stated processing might be performed by us in order to protect your vital interests (or the vital interests of another natural person) (e.g. in case of informing you that we have detected a serious issue with our product that may pose business or other risks).
Data retention: We typically do not keep communication data after communicating with you. An exception to the aforementioned can be made if messaging or other communication had been performed through the use of a dedicated service (i.e. email, chat module, etc.), whereby we may keep data in such systems for up to 3 years or any such stipulated and relevant statutory period after the receipt of communication.
2.3. General marketing activities
2.3.1. When sending email marketing messages to existing customers
Summary: When you purchase a product on our website or elsewhere, certain EU/USA legislation gives us the right to send you email marketing messages that contain information on our similar products and services. Every email you receive as a result of this shall always contain an “unsubscribe” link, and we shall never share your email with any other entity or market products or services that do not belong to us or may not be considered “similar” to those that you had originally purchased from us. Data is shared with “SendGrid” or “Mailmodo” a service provider that we use for sending marketing emails (where we may host emails from our “wait list”).
More information
When: When you purchase a product from us through our website or through other means.
Data: Your email address and past purchase history with us, as well as information regarding whether you have opened/clicked on links in our email messages.
Purpose: Keeping you informed of similar products and services that we offer.
Legal basis: Our legitimate interests (i.e. under certain EU legislation we are legally allowed to send email marketing messages on an opt-out basis if the recipient's details were originally collected "in the context of a sale", if the entity sending the marketing is the same legal entity that collected the recipient's details initially (i.e. us), the marketing relates to "similar" products and/or services for which the recipient's details were originally obtained, and you as the recipient are given the opportunity, free of charge, to object to our email marketing, both at the time when your details had been collected and in each subsequent communication (i.e. by clicking the “unsubscribe” link that is contained in each of our marketing emails).
Note that we shall not sell or share your email and other related data with any other third party and shall only use it within the “SendGrid” or “Mailmodo” service which we use for sending such emails.
Data retention: Until we receive your unsubscribe/data deletion request or if you have not opened our marketing emails for more than 3 years or any such stipulated and relevant statutory period whereby your data shall be permanently deleted in all of these cases.
2.4. Other company operations
2.4.1. When responding/applying to our open job postings as a potential candidate
Summary: If you respond or apply to any of our open job postings, we may process the data we receive from you in order to evaluate you as a candidate and carry out the necessary hiring procedures. We will keep any relevant data after the hiring procedure only in line applicable data law(s) and for legitimate business interests and we will not keep any other data (not required for the aforementioned purposes) after the hiring procedure ends if we do not receive your explicit consent for doing so. It is however, pertinent to note that a prospective candidate applying to our organisation may do so via an external hiring agency/headhunter (that has a contract with us) and thus, your data shared with such external agencies is a matter of concern between said agency and yourself and we would merely be a “sub-processor” in the instant scenario.
When: When you respond/apply to our open job posting as a potential candidate through a dedicated online form or reach out to us for this purpose via email.
Data: The data that we might require as part of your application will be stated next to the job posting or dedicated online application form. We typically consider your general contact details (full name, email address, place of residence, age, nationality) as well as any information you might have included in your resume or CV and the details about your current or past employment or other working experience. We may also process any other information you elect to share with us for this purpose as well as any information you have made public on the Internet (such as your blog, Github or LinkedIn page).
Purpose: In order to evaluate you as a candidate and carry out the necessary hiring procedures and interviews.
Note that we may share the data with external HR firms we might employ to help us with the hiring process (please see point 4.4 of this notice).
Legal basis: We carry out these processing activities on the basis of entering into negotiations for the conclusion of an (employment) or other work contract.
Should you explicitly consent to this, we may keep your data after the conclusion of the hiring process in order to keep you posted of any future job opportunities that may interest you. To withdraw consent, you can send a free form email to dpo@devrev.ai at any time or follow the unsubscribe link included in all of our job posting emails.
Data retention: Until the conclusion of the hiring procedure or until we receive your consent withdrawal or data deletion request or if you have not opened our job posting emails for more than 3 years or any such stipulated and relevant statutory period whereby your data shall be permanently deleted in all of these cases.
2.4.2. Sending email marketing messages to new consenting customers
Summary: When you consent to receiving our marketing messages (e.g. newsletters, product waitlist messages, new product launch notifications, discounts etc.) via email or other channels we shall send marketing messages to the email address that you entered for this purpose, whereby every email shall always contain an “unsubscribe” link. You can also withdraw your consent at any time by sending a free form email to dpo@devrev.ai. The data is shared with “SendGrid” or “Mailmodo” , a service provider that we use for sending marketing emails. We shall not sell or share your email and other related data with any other third party.
More information
When: When you’re open to hearing from us and consent to receiving our various email marketing messages (e.g. tips & tricks, surveys, contests, newsletters, new product launch notifications, discounts, etc.) via email from time to time.
Data: When marketing to an individual, we typically process the individual's email address. We may also process the name of the individual (and potential other information) if this has been explicitly stated next to the input fields where the individual entered said data and consented to the processing.
Purpose: In order to send newsletters, product waitlist messages, new product launch notifications, discounts, surveys, promotion codes, information on contests and other marketing messages to consenting individuals to their email address.
Legal basis: We carry out these processing activities on the basis of your consent.
To withdraw consent, you can send a free form email to dpo@devrev.ai at any time or follow the unsubscribe link included in all of our marketing emails.
Note that we shall not sell or share your email and other related data with any other third party and shall only use it in the “SendGrid” or “Mailmodo” service which we use for sending emails.
Data retention: Until we receive your unsubscribe/consent withdrawal or data deletion request or if you have not opened our marketing emails for more than 3 years or any such stipulated and relevant statutory period whereby your data shall be permanently deleted in all of these cases.
3. Data processed in connection with the DevRev service, 1st and 3rd party snap-ins and the DevRev Marketplace
3.1. Data we process as “processors” when offering the DevRev service and its features to our customers (i.e. DevRev users that are acting as individual data “Controllers”)
Summary: By providing the DevRev service to businesses who have set up a user account and use the service and its features in connection with their own websites, web-stores and other digital products (hereinafter: “DevRev users”, “users” or “Controllers”), DevRev acts as the “processor” of certain personal data that might get collected and stored in connection with the service, while each individual user acts as the “controller” of such data, as defined by the GDPR.
More information
If, as an individual, you want to obtain information about the processing of your data by a user as the controller of your personal data (e.g. a DevRev service user to whom you have entrusted your personal data to so that he may process it for his own purposes, such as offering you his support services through DevRev live chat, etc.), we advise you to refer to the privacy policy of said user (whereby links to privacy policies are generally available in the footers of website/web-store stores).
We advise you to refer to the email address of the relevant data protection officer of such user/controller as stated within their respective Privacy Policy/Data Processing Addendum and they should be in a position to help you with identifying which user may be acting as the data controller in relation to your data.
The data of a user (i.e. controller), as well as other information on the processing of personal data in connection with the service by said user must always be available to you at the time you entrust your personal data to the user (e.g. when you interact with the DevRev live chat feature a user has deployed on his website). According to the GDPR, the disclosure of this information as well as the responsibility for the lawfulness of processing thus performed is the responsibility of the individual user (e.g. store/website owner).
However, if an individual (i.e. the end user has any queries or requests in respect of information required for data processing, such individual may refer to our data processing addendum and if further clarification/confirmation is needed on the same, such user may contact our data protection officer at dpo@devrev.ai
If you as an individual contact DevRev directly with a personal data related request (e.g. a request for access to data, rectification, erasure, right to be forgotten, etc.), DevRev shall immediately forward the request to the relevant user who is acting as the controller of your data. DevRev shall, after receiving the instructions of the relevant user, correct, delete, forward, rectify or otherwise process the data in order to comply with/reject the request of the individual.
The data we process for our users when providing our DevRev service is further explained and listed in our Data Processing Agreement.
Data deletion: As per the Data Processing Agreement, DevRev will store the data in relation to which the user is acting as the “controller” for as long as it is necessary to fulfil the above stated purposes for processing and shall delete and procure the deletion of all copies of stored data within within 30 (thirty) business days of the date of termination of the Services Agreement or the date of the user account deletion (whatever comes first). Individual data deletion takes place instantly after initiation by the user via the relevant user dashboard/dedicated data deletion feature.
3.2. When signing up or signing in to the DevRev service as a user by providing your email and login credentials
Summary: We process your username, email, password and the IP of the device you are accessing the app on for account sign-up and authorisation purposes so that you can register an account with us and use your feeder through our app. We also use your email in order to communicate essential service/product related information.
More information
When: When you sign up or sign in to use our service either as a user by providing your email and login credentials.
Data: We process your username/email via Google Identity logout and LinkedIn whilst you are accessing our software application. We may also process certain technical data such as data logs (for technical support purposes) and your account customisation preferences.
Purpose: Sign-up and sign-in account authorisation as well as account management and security purposes so that the user can use the service and its various features.
We use the email that is tied to your account in order to offer you password management and restoration capabilities as well as technical and customer support and in order to communicate essential service-/product-related information to you (i.e. inform you of important product issues, updates and changes to our policies and terms, etc.).
Please note: we do not retain DevRev user data obtained through Google Workspace APIs to develop, improve, or train generalized AI and/or machine learning models.
Legal basis: Contractual (i.e. the Services Agreement the user is required to accept when registering his account).
Data retention: Until a user decides to delete his user account or any such stipulated and relevant statutory period.
3.3. When using the DevRev service as a user we may collect general analytical data so that we may make improvements to our services
Summary: We may collect and process general analytical data (such as session time, app updated status, app crash status, feeder stream status data, etc.) from users so that we may offer support and gain insights which may allow us to make improvements to our services. We do not use this data to identify you and do not combine it with other data we might have for any other purposes other than offering support (when requested). We use “DataDog” and other services in order to collect and process this data (see point 4.4 of this notice).
More information
When: When you open, sign in and use our services.
Data: We process data on whether your service has crashed, whether features and functions had been triggered or stopped, when the service had first been opened (necessary for identifying service versions), as well as the length of your service use sessions.
When offering support, we may also combine this data with other data we might have in relation to you so that we may infer your device ID, your country/region/city, your DevRev identity, the service build number/version, the dimensions of your screen and the type of device and browser that is used.
Purpose: So that we may offer technical support and make improvements to our services. We also use this data when planning our next update or analysing systemic issues that users have reported.
We do not use this data to identify users and do not combine it with other data we might have for any other purposes other than offering individual technical support (when requested).
Legal basis: Our legitimate interest.
Data retention: Until you decide to delete your account or send us your data deletion request via a free form email to dpo@devrev.ai
Note that we may irreversibly anonymize and keep the analytical data that has been tied to your user account indefinitely (whereby this data shall not be attributable to you in any way).
Please also note that “DataDog” may retain any analytical data you generate in connection with our app for up to 60–90 days or any such stipulated and relevant statutory period after we receive and execute your account/data deletion request, after which the data will be hard deleted and unrecoverable.
3.4. When using the Plug Observability feature in connection with our products and services
Summary: When you as a user of our service agree to this, we may collect metadata of user visits on our web and mobile applications such as device model, OS version, app version, engagement time, in-app screenshots and other data in order to understand application usage and environment monitoring as well as gain in depth product analytics. This allows us to understand user behaviour and create customer cohorts for our sales efforts.
More information
When: When you consent to our use of the Plug Observability feature inside of our service.
Data: Metadata of of user visits on our web and mobile application which includes device model, OS version, app version, browser version, browser type, device type, engagement time, performance metrics such as API response time, app Launch time, custom user behaviour data such as user events & user attributes and in-app screenshots.
Purpose: In order to understand application usage and environment monitoring as well as gain in depth product analytics. This allows us to understand user behaviour and create customer cohorts for our sales efforts as well as potentially identify and troubleshoot customer issues faster.
Legal basis: Consent.
Data retention: Until a user decides to delete his user account or withdraw his consent. Please note that we may keep anonymised data even after a user decides to delete his account or withdraw his consent.
3.5. When registering for and using our DevRev Snap-in Marketplace
Summary: When you register for and use our DevRev Snap-in Marketplace, we process Customer Personal Data as a data controller to provide and operate the Marketplace service. This includes managing user accounts, facilitating integrations, and enabling access to Snap-ins.
More information
When: When you create an account, access, or use the DevRev Snap-in Marketplace.
Data: Customer Personal Data, including user accounts, integrations, documents, logs, documentation, and any other related Customer Personal Data.
Purpose: To provide the DevRev Snap-in Marketplace service, enabling users to discover, install, and manage Snap-ins within their DevRev Services environment.
Legal basis: Contractual obligation (DevRev Marketplace Terms of Service).
Data retention: As long as the user maintains an account or as otherwise required under the applicable agreement.
Additional Considerations
For more details on the data processed, processing activities, and subprocessors associated with the DevRev Snap-in Marketplace, please see section “Marketplace” of our List of Subprocessors.
3.6. When integrating and using 1st party Snap-ins in connection with our services
Summary: When you agree to this (i.e., based on the instructions we receive from you through your interactions with the 1st party Snap-in installation disclaimer), we may process data related to your installation and use of 1st party snap-ins within your DevRev Services environment. This processing may be carried out by us as a “data processor” (or subprocessor, as the case may be and as further disclosed in the 1st party snap-in installation disclaimer) in order to facilitate the functionality of the selected 1st party snap-in that is created and/or powered by DevRev.
More information
When: When you elect to install and use a 1st party snap-in that is created and/or powered by DevRev, we may process the data as a “data processor” (or subprocessor, as the case may be and as further disclosed in the 1st party snap-in installation disclaimer) based on your interactions with the 1st party snap-in installation disclaimer.
Data: The specific data processed depends on the 1st party snap-in you choose to install. It may include Customer Personal Data as disclaimed in the 1st party snap-in installation disclaimer and other data necessary for the operation of the snap-in.
Purpose: To provide and facilitate the operation of the 1st party snap-in that a user has elected to install and use with their Customer Personal Data inside their DevRev Service environment. The processing activities and purposes vary depending on the specific Snap-in and its features and are disclosed in the 1st party snap-in installation disclaimer.
Legal basis: Contractual obligation (Services Agreement and the Controller’s direct instructions when accepting the installation of each 1st party snap-in through the 1st party snap-in installation disclaimer).
Data retention: As long as the 1st party snap-in remains installed and for as long as specified in our Data Processing Agreement, as the case may be.
Additional Considerations
Please note that the data processed and the purposes of processing depend on the specific 1st party snap-ins that are created and/or powered by DevRev which you choose to install. The extent of their involvement in data processing activities varies based on the features and integrations you enable within your DevRev Service environment, as disclaimed in the 1st party snap-in installation disclaimer.
For a detailed overview of the data processed, processing activities, purposes, and subprocessors associated with each 1st party snap-in, please refer to the 1st party snap-in installation disclaimer and our Data Processing Agreement. Additionally, please see section “Marketplace - 1st party Snap-ins created or powered by DevRev” of our List of Subprocessors.
3.7. When integrating and using 3rd party Snap-ins in connection with our services
Summary: When you agree to this (i.e. based on the instructions we receive from you through your interactions with the 3rd party snap-in installation disclaimer), we may process data related to your installation and use of 3rd party snap-ins within your DevRev Service environment. This processing is carried out by us as “data processors” in order to facilitate the functionality of the selected snap-in that is provided to you by a 3rd party snap-in provider on our Snap-in Marketplace.
When: When you elect to install and use a 3rd party snap-in within your DevRev Service environment and offer us your data processing instructions through the 3rd party snap-in installation disclaimer.
Data: The specific data processed depends on the 3rd party snap-in you choose to install. It may include metadata related to integration, configuration settings, usage logs, and other relevant information required for the snap-in’s operation, as specified in the data processing agreement that is offered by each 3rd party snap-in provider and in the 3rd party snap-in installation disclaimer.
Purpose: To enable the operation of the 3rd party snap-in that a user had elected to install and use with their data inside the DevRev Service environment. The processing activities and purposes vary depending on the specific Snap-in and its features and are specified in the data processing agreement that is offered by each 3rd party snap-in provider and in the 3rd party snap-in installation disclaimer.
Legal basis: Contractual obligation (Services Agreement and the Controller’s direct instructions when accepting the installation of each 3rd party Snap-in through the 3rd party snap-in installation disclaimer).
Data retention: As long as the 3rd party Snap-in remains installed or as otherwise required under the applicable agreement or 3rd party snap-in installation disclaimer.
Additional Considerations
Please note that the data processed and the purposes of processing depend on the specific 3rd party Snap-ins you choose to install. The extent of their involvement in data processing activities varies based on the features and integrations you enable within your DevRev Service environment.
For a detailed overview of the data processed, processing activities, purposes, and subprocessors associated with each Snap-in, please refer to the corresponding 3rd party snap-in installation disclaimer and the 3rd party snap-in developer data processing agreement.
4. Additional general information
4.1. How we might obtain your personal data
Summary: We use different methods to collect data from and about you, including: direct interactions, automated technologies or interactions, third parties or publicly available sources.
More information
Direct interactions
You may give us information about you by filling in forms or by communicating with us by phone, email or otherwise. This includes information you might provide when creating an account in order to use our service or when obtaining a licence to use our service, subscribe to our newsletter, search for a product online with a tracking cookie from our partners installed on your device, place an order through our website or its check-out module, enter one of our competitions, promotions or surveys and when reporting a problem with our website or a bug in our service.
Automated technologies or interactions
As you interact with our website, we may automatically collect technical data about your device, browsing actions and patterns by using cookies and other similar technologies as specified above in section 2 of this notice and in our Cookie Policy.
We may also receive information that relates to you (or another third party individual) if such information had been tied to texts or other data that had been inputted into our service or otherwise collected by our bot on a particular channel.
Third parties or publicly available sources
We may receive information about you if you visit other websites that place tracking cookies from our partners on your device (see our Cookie Policy to find out more). You may also post some of your information publicly online.
4.2. Additional explanations regarding the legal bases that we may use in order to carry out our processing activities from sections 2 and 3 of this notice:
4.2.1. When conducting processing activities in order to comply with a legal obligation
Summary: Our organisation may occasionally process personal data for the purposes of complying with legal requirements and other regulations, especially those governing taxes, invoicing and payments (an example of this may include a court, inspector or other holder of public authority ordering our organisation to provide it with access to certain information which may include personal data).
More information
This may also be the case if someone else had filed for criminal or other legal procedures to be instituted against us by local or international law enforcement agencies or other tax and regulatory bodies, which might therefore contact our organisation for additional details (e.g. when data from our database would have to be presented as evidence in criminal or civil proceedings, otherwise our organisation would suffer material and irreparable damages). Note that we shall only fulfil such requests if specifically required by local or international law and shall adhere to anonymizing or at least minimising any personal data that we are required to share.
In the above stated cases we will always strive to fulfil the request with full transparency, except in cases where this might not be possible as (in accordance with a particular request of an authorised body) notifying the public of such request might endanger the proceedings at hand.
4.2.2. When our processing activities are based on our legitimate interests
Summary: In certain cases (i.e. when evaluating the threat of fraud), we may rely on our legitimate interests in order to process certain payment-, order- or account-related data as described in sections 2.2.2. of this notice.
More information
Our legitimate interests can also include instances where we process your personal data for our own internal business purposes and commercial interests, such as our own marketing activities (i.e. sending you marketing emails when you are our past customer unless consent is required under applicable laws, as described in point 2. of this notice), and offering additional customer and technical support or collecting analytical data or analysing data in instances where we legitimately deem that fraud had taken place.
4.2.3. When our processing activities are based on your consent
Summary: When you had given your consent for the processing of your data for one or more specific purposes (such as sending email marketing messages to new consenting customers as described in point 2.4.2 of this notice), your consenting to the processing of personal data is voluntary, whereby you may withdraw your consent at any time by contacting us at dpo@devrev.ai (or by clicking the “unsubscribe” link found in each of our marketing emails). If you do not provide personal data or if you withdraw your consent, this may mean that we will not always be able to fulfil the purposes for which we had collected the data.
More information
Where consent has been withdrawn, we shall delete/anonymize any data we or our processors/service providers have kept on the basis of your consent.
Additionally, every effort will be made to remove relevant personal data from products/marketing campaigns and other distributions. However, this may not be possible in some situations, and in such cases, certain personal data that cannot be removed or otherwise anonymized may still appear in publications, products and other media already in use or circulation.
4.2.4. When processing activities are necessary for the performance/negotiating of a contract
Typical situations as mentioned in sections 2 and 3 of this notice include your acceptance of our terms of sale when purchasing our products and your acceptance of our Service Agreement when setting up your user account.
This also includes instances when we need to communicate (i.e. negotiate) with you so that you may decide to enter into a contract with us (i.e. buy our product, accept a job position with us, etc.).
4.3. How long do we store your personal data and when do we delete/anonymize it?
Please see the “Data retention” section of each processing activity described in the points above.
If a user sends us a personal data deletion request to dpo@devrev.ai, we shall manually delete or anonymize their data, so that the data can no longer be linked to said user.
More information
Unless otherwise stated, we generally keep personal data for as long as it is listed under each “Data retention” section of each processing activity described in the points above.
As a rule, we generally store data for as long as it is necessary to fulfil the purpose for which the data had been collected, or for as long as legal obligation or regulation requires us to keep the data. After that, the data is deleted or anonymized, as mentioned above.
Please also note that our processors (see point 4.4.3 below) may retain certain data for up to 30 days after we receive and execute your account/data deletion request, after which the data will be hard deleted and unrecoverable (please refer to their privacy policies to learn more).
We may store data even after receiving a data deletion request as mentioned above, if legitimate interest or relevant laws allow us to do this (i.e. in order to negate a users capabilities of accessing the service after he has not paid the corresponding licensing and other fees, when a civil action exits in relation to which we might need these data in the course of the proceedings, etc.)
Our organisation undertakes to immediately remove any unnecessary data or data for which it has no legal grounds for processing/storing or regarding which the data retention periods have been exceeded.
4.4. Who might process your personal data and who do we share it with
4.4.1. Certain employees within our organisation or subsidiaries and affiliated organisations
Summary: Your personal data is processed by individual employees of our organisation or our external collaborators.
More information
Your personal data is processed by individual employees of our organisation or our external collaborators (hereinafter: “employees”). Employees of our organisation process only the personal data that they need for their work, but they can also share it with each other if their work tasks and the internal rules of our organisation allow them to do so. All of our employees are committed to confidentiality and the protection of personal data.
Based on certain corporate events or changes in the ownership or structure of our organisation (i.e. our company being acquired) your data may also be shared with our subsidiaries or affiliate companies (both present and future). This includes instances such as corporate divestitures, mergers, consolidations, acquisitions, reorganizations, or any other situation involving the transfer or disposal of our business or assets, as well as the business or assets of our affiliates/subsidiaries. This may also apply in the context of bankruptcy or similar proceedings.
4.4.2. Public authorities
In certain cases, as prescribed by applicable law, our organisation must hand over your personal data to the competent state authorities which may have explicit legal grounds for reviewing certain data in the context of criminal, financial, tax or other types of official procedures/supervision. In certain cases, our organisation is compelled to provide data to third parties if such an obligation to provide or disclose the data is imposed on our organisation by law or on the basis of a valid legal right of a third party (see point 4.2.1 of this notice).
4.4.3. Our processors/service providers
In addition to the employees in our organisation, employees of entities that we engage so that they help us achieve the processing purposes described in the various processing activity sections of notice (hereinafter: “processors/service providers”), may also process personal data as confidential and only within the scope of the data processing agreement/standard contractual clauses, which have been concluded/put in place in relation to the processors/service provider in question.
The processors/service providers may only process personal data in accordance with the relevant data processing agreement/standard contractual clauses, and may not use the data to pursue any other purpose or interest.
To obtain a detailed list of all of our processors/service providers, which data they process, the purposes we employ their processing/services for, as well as how we keep your data safe when engaging them, feel free to reach out to us at dpo@devrev.ai.
The processors/service providers with whom we cooperate for providing our products and services (as per section 2 and 3 of this notice) are:
a) Processors/service providers that we may engage in connection with data processing activities that relate to our websites, communication, sales and delivery of our products, our general marketing and other company operations;
More information
Cookie providers: We use third party necessary, analytical and advertising cookie providers which are listed in our dedicated Cookie Policy.
Payment facilitators: We use payment facilitators such as “Stripe”.
Our email messaging provider: We use the “SendGrid” or “Mailmodo” service to send all of our transactional or marketing emails. We may also use “SendGrid” or “Mailmodo” in order to obtain your cookie consent and input your contact and order information/invoices/delivery location data into the service (see the relevant parts of section 2 of this notice to learn more).
Our website/web store provider: Our website and its online store are built on and partially provided by “Vercel”, whereby you might be sharing your contact and order information/payment information as well as other potential information with these companies and their partners when purchasing products or otherwise interacting with our website (see the relevant parts of section 2 of this notice to learn more).
To obtain a detailed list of all of our processors/service providers, which data they process, the purposes we employ their processing/services for, as well as how we keep your data safe when engaging them, feel free to reach out to us at dpo@devrev.ai.
More information
b) Other companies or individual consultants we may engage or cooperate with in the provision of our services that may need access to certain parts of your data
More information
- Consultants who cooperate with our organisation on the basis of relevant business and data processing agreements so that they can provide us with their accounting, legal, marketing, HR and other consulting services.
- External IT system maintenance providers and/or platform/service developers who cooperate with our organisation on the basis of relevant business and data processing agreements that may gain limited access to our back-end or databases. Where such entities are from third countries (i.e. countries where the GDPR is not applicable) sufficient data safeguards (such as agreements containing standard contractual clauses) have been put in place.
To gain more information on other apps and plugins we might use in connection with the DevRev service please reach out to us at dpo@devrev.ai.
4.5. Processing special categories of personal data
We do not knowingly process special categories of personal data. If it comes to our attention that special category data is inputted into our system we shall delete them as soon as possible.
4.5.1. Engaging contractual processors/service providers have their place of business registered in the USA or in other “third countries”
Summary: The sale of our products and the provision of our services also require that we engage contractual processors/service providers as specified in sections 2 to 3 and point 4.4, whereby many of these processors/service providers have their place of business registered in the USA (or in other non-EEA countries where the GDPR is not applicable or where the requirements of the GDPR are not adequately reflected in national privacy laws, as the case may be).
More information
As stated above, many of our processors/service providers have their place of business registered in the USA (or in other non-EEA countries where the GDPR is not applicable or where the requirements of the GDPR are not adequately reflected in national privacy laws, as the case may be) (hereinafter: “third countries”).
As stated above, we thereby regularly engage contractual processors/service who may process personal data on our behalf in third countries, whereby we only do so with the appropriate safeguards in place so that your data is safe and your data subject rights are respected.
Following decision C-311/18 (Schrems II) of the CJEU and the fall of the EU-US Privacy Shield we have reached out to our US-based processors/service providers and decided on alternative safeguards on a case-by-case basis in accordance with the guidance of the European Data Protection Board.
Where we could not put in place such appropriate safeguards (such as standard contractual clauses, data encryption, automated data deletion intervals, etc.), we ask for your specific consent before processing/sharing your data or have engaged third party service provider, which have self-certified under the “Data Privacy Framework” (https://www.dataprivacyframework.gov). More details on third country service providers and the measures taken to ensure your rights can be found in point 4.4 of this notice.
In addition to the purposes and providers listed in sections 2, 3 and point 4.4 of this notice, your data may also effectively be considered as transferred (i.e. disclosed) in the following situations, where we might have legitimate interests in buying/selling our assets in connection with entities that are registered in third countries:
- If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets that may be registered in a third country (whereby we shall only do so if all applicable confidentiality and security requirements are offered to us by any potential buyer and their organisation). Please note that we shall only do so if all applicable confidentiality and security requirements are offered to us by any potential buyer and their organisation and shall never disclose any data in this way if the processing of such data had been carried out on the basis of your explicit consent.
- If all or a substantial part of our assets are acquired by a third party that may be registered in a third country whereby our assets may include parts of your data. Please note that we shall only do so if all applicable confidentiality and security requirements are offered to us by any potential buyer and their organisation and shall never disclose any data in this way if the processing of such data had been carried out on the basis of your explicit consent.
Your data may also effectively be considered as transferred (i.e. disclosed) if we are required on the basis of EU law or the law of a Member State to disclose or share your personal data with an international organisation / public authority or other entity that might be registered in a third country, whereby we are required to do so to comply with a legal obligation.
4.6. What rights do you have in connection with your personal data and how can you exercise them?
You can contact us at any time and without hesitation at dpo@devrev.ai in connection with this notice or regarding the processing of your personal data by our organisation and our processors/service providers.
You can also contact us at the email mentioned above in order to send us your specific requests and for exercising your other rights which relate to your personal data and applicable local legislation or the GDPR. If we have reasonable doubts concerning your identity, we may request additional information to verify your identity.
As a data subject of the EEA, the GDPR gives you the opportunity to exercise the following rights with our organisation as the controller of your personal Data: Right of access, Right to rectification, Right of objection, Right to data portability, Right to restrict data processing, Right of erasure (“right to be forgotten”), Right to refuse or withdraw consent, Automated decision-making, Right to lodge a complaint with a supervisory authority.
More information
Right of access
You have the right to obtain confirmation from us on whether personal data or personally identifiable information is being processed by us or our processors/service providers and the right to obtain a copy of your personal data that is being processed.
Right to rectification
You have the right to request the rectification of inaccurate personal data and to have incomplete data completed.
Right of objection
You have the right to object to the processing of your personal data for compelling and legitimate reasons relating to your particular situation, except in cases where legal provisions expressly provide for that processing. You also have the right to object/opt out of the processing of your personal data for direct marketing purposes by clicking on the unsubscribe link at the bottom of our marketing emails or by contacting us at dpo@devrev.ai.
Right to data portability
You have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format, and have the right to transmit it to other data controllers without hindrance. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.
Right to restrict data processing
You have the right to request the restriction of processing your personal data in certain cases.
Right of erasure (“right to be forgotten”)
You may request to erase your personal data if (i) it is no longer necessary for the purposes for which we had collected it, (ii) you have withdrawn your consent and no other legal ground for processing exists, (iii) you objected and no overriding legitimate grounds for processing exist, (iv) the processing is unlawful, or (v) erasure is required to comply with a legal obligation.
Right to refuse or withdraw consent
In case we request your consent for processing, you are free to refuse it and can withdraw it at any time without any adverse negative consequences by contacting us at dpo@devrev.ai. The lawfulness of any processing of your personal data that occurred prior to the withdrawal of your consent will not be affected.
Automated decision-making
Under the GDPR you have the right not to be subject to decisions based solely on automated processing and have the right to be given more information about why any such decision has been made. Note that this is currently not applicable to our processing activities (see 4.8 of this notice).
Right to lodge a complaint with a supervisory authority
If you believe that the processing of personal data performed in connection with you by our organisation as the controller violates personal data protection regulations, you may, without prejudice to any other (administrative or other) remedy, lodge a complaint with the supervisory authority, in particular in the country where you have your habitual residence, your place of work or where the infringement is alleged to have taken place.
In the Republic of Slovenia (the country where the EEA representative entity of DevRev (namely DevRev, razvoj programske opreme, d.o.o. is located) the authority is the:
- Information Commissioner (Informacijski pooblaščenec), Dunajska 22, 1000 Ljubljana, Slovenia, EU, email: gp.ip@ip-rs.com, phone: +38612309730, website: www.ip-rs.com.
A list of other EU supervisory authorities and their contact information can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en#.
4.7. Processing the personal data of persons under 16 years of age
Our organisation does not knowingly collect or otherwise process the personal data of persons under 16 years of age, as our products and services are not intended or directed towards such persons. However, our organisation may collect personal data regarding children below the age of 16 years of age directly from their parent or guardian, and with that person’s explicit consent.
If our organisation subsequently finds out that it has processed the personal data of such a person without the consent of their parent or guardian, our organisation shall do everything necessary to delete all provided personal data.
At the address dpo@devrev.ai, the above described persons or their parents or guardians shall be able to submit their requests for the deletion of the data concerned at any time.
4.8. Who can you contact for further clarification regarding the processing of personal data in our organisation and regarding your rights?
You can contact us at any time and without hesitation at dpo@devrev.ai.
4.9. Security and protection of personal data
Summary: Our organisation carefully stores and protects personal data through organisational, technical and logical procedures and measures to protect data from accidental or intentional unauthorised access, destruction, alteration or loss, and unauthorised disclosure or other form of processing not explicitly stated in sections 2, 3 and point 4.4, or to which you have not expressly consented to.
More information
To this end, our organisation has also adopted appropriate internal processes and set up various measures (e.g. assigning, using and changing passwords, locking premises, offices, server and workstation locations, regularly updating software and upgrading security-critical components, the physical protection of materials/data carriers containing personal data in specially designated places, the training of employees, etc.). Our organisation also demands these security commitments from its contractual processors.
5. Privacy information for California residents
5.1. Applicability of this section
If you are a California resident (as defined in section 17014 of Title 18 of the California Code of Regulations), California law requires us to provide you with some additional information regarding your rights with respect to your “personal information” as defined in the CCPA.
5.2. Information on whether we disclose or sell personal data of CA residents
Summary: In the preceding twelve (12) months we have not sold any personal data from the last update to this notice.
Based on your cookie/browser/analytics preferences when visiting our website and/or using our services (and potentially on our partners websites), we may have disclosed personal information that relates to your device/browser identifiers and internet activity data to our third party advertisers in connection with showing you targeted advertisements across the web (please see our dedicated cookie policy to see when this might have been applicable).
In addition, we may have also disclosed to or allowed third parties to collect personal data from you on our websites and/or our services when we engage such third parties as subprocessors in the provision of our services to you (see section 4.4.3 of this notice) whereby such third-party subprocessors/service providers have concluded data processing agreements with us (or offered similar safeguards) to ensure your rights are respected. We may have also been required to disclose certain information under applicable legal or contractual obligations (see section 4.4. of this notice).
More information
As a business subject to the CCPA, we have not sold any personal data in the last 12 months from the last update of this notice.
Under the CCPA, businesses are also required to disclose whether they sell or share personal data, whereby the sharing of personal data may include giving access to personally identifiable information (such as your IP or device ID) to third parties in the context of cross-site behavioural advertising by using cookies or similar technologies.
Based on your cookie/browser/analytics preferences when visiting our website and/or using our services (and potentially on our partners websites), we may have disclosed personal information that relates to your device/browser identifiers and internet activity data to our third party advertisers in connection with showing you targeted advertisements across the web. Please see our dedicated cookie policy to learn when this might had been applicable and what data had been collected or shared and with whom.
California law also mandates that we specify the categories of personal data that are disclosed for our specific "business purposes." These purposes include situations when we engage third parties as subprocessors in the provision of our services to you (see section 4.4.3 of this notice).
In connection with our business purposes and when offering you our services, we may have disclosed the following categories of personal data if the relevant underlying situation arose during our interactions (e.g. if you had consented to our use of cookies, if you had purchased products or services from us, if we engage third parties for billing and accounting purposes in relation to you as our customer, if you have volunteered the information during signup or when negotiating a sale with our representatives, as the case may be):
- Identifiers;
- Commercial information
- Internet activity;
- Financial information;
- Professional and employment-related information;
- Geolocation data;
- Audio and visual data;
- In limited circumstances where allowed by law, information that may be protected characteristics under California or United States law; and
- Inferences drawn from any of the above information categories.
5.3. Information on the rights of CA residents
Summary: The CCPA provides Californian residents with the following rights: Right to know, Right to delete, Right to opt out, The right to non-discrimination.
More information
Right to know (i.e. request disclosure of any personal information we have collected about you).
You have the right to request the disclosure of the categories of personal information we have collected from you, along with the categories of sources from which they have been collected, the purpose of their collection, the categories of third parties with whom we have shared your personal information (“Categories Report”), and the specific pieces of personal information that have been collected (“Specific Pieces Report”).
You may request that we disclose which personal information we have collected, used, shared, or sold in relation to you, and why we have collected, used, shared, or sold that information. Specifically, you may request that we disclose:
- The categories of personal information collected.
- Specific pieces of personal information collected.
- The categories of sources from which we have collected the personal information.
- The purposes for which we have used the personal information.
- The categories of third parties with whom we have shared the personal information.
- The categories of information that we sell or disclose to third parties.
We shall provide you this information for the 12-month period preceding your request. We shall provide you this information free of charge.
To request the above stated information, please send your request to dpo@devrev.ai. Please allow 45 days for our response. For your protection and the protection of all of our users, we may ask you to provide proof of identity before we can oblige such a request.
Right to delete (i.e. request deletion of any personal information that we have collected from you).
After we have verified your request to delete your personal information, we shall delete it from our servers/records and direct any of our processors/service providers to delete your personal information from their servers/records, except when certain exemptions from the relevant parts of the CCPA are applicable, namely in cases where the personal information is necessary so that we may continue to provide our services (i.e. when the data do not contain any personally identifiable information) and in order to detect security incidents, to identify and repair errors that impair existing intended functionalities of our products and services.
Right to opt out (of the sale of your personal information).
You may request that we stop selling your personal information, whereby this is currently not applicable as we do not currently sell any personal information.
The right to non-discrimination (when exercising your CCPA rights).
We will not discriminate against you in any manner prohibited by applicable law for exercising your CCPA rights (as listed above).
5.4. Information on how CA residents may contact us in order to exercise their rights
If you wish to opt-out from any of our data sharing activities, please reach out to us at dpo@devrev.ai. You can also exercise any other rights under the CCPA via this email or by contacting us through our phone number (650) 209-0109.
6. Document version and updates
Version and date of the last update of this notice
The text of this notice represents version 2.2. of this document.
Please reach out to us at dpo@devrev.ai in order to receive the previous version of this document.
This notice was last updated on the 8th of July, 2025.
S.no | Particulars |
|---|---|
Version 1.0: Initial version of this Privacy policy. active from the 1st of July, 2024 till November 12, 2024. | |
Version 2.0: Added section “3.4. When using the Plug Observability feature in connection with our products and services” and minor grammatical changes. Active from November 12, 2024 till December 13, 2024. | |
Version 2.1.: Added the clarification that we do not retain DevRev user data obtained through Google Workspace APIs to develop, improve, or train generalized AI and/or machine learning models under section 3.2. When signing up or signing in to the DevRev service as a user by providing your email and login credentials. Also added additional clarifications and changes to the table in section 3.1. Data we process as “processors” when offering the DevRev service and its features to our customers (i.e. DevRev users that are acting as individual data “Controllers”). Also removed “research purposes” and changed the wording of the “Right to delete” section so that it explicitly mentions anonymised data under section “5.3 Information on the rights of CA residents”. Active from the 13th of December, 2024 till March 26, 2025. | |
Active Version 2.2: Changed the heading of section 3., revised some of the wording and added a link to our Data Processing Agreement section. Added points 3.5. When registering for and using our DevRev Snap-in Marketplace, 3.6. When integrating and using 1st party Snap-ins in connection with our services, 3.7. When integrating and using 3rd party Snap-ins in connection with our services. Also added section 1.3. Our adherence to the Data Transfer Framework Principles (DPF) as per our Data Transfer Framework certification efforts as we became certified under the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S Data Privacy Framework. Other minor grammatical corrections. Active from June 2, 2025. |