Privacy Policy
Last updated: 2026-07-03
1. Who We Are
Devya Solutions ("Devya", "we", "us") is a software development agency operating at devya.dev. For the personal data described in this policy, Devya Solutions acts as the data controller. You can reach us at any time at contact@devya.dev.
2. Data We Collect
We collect the following categories of personal data:
- Contact form data — your name, email address, subject, and message when you contact us through this website.
- Booking data — your name, email address, phone number, company, meeting notes, and the date and time you select when you book a call through our booking system.
- Contract and e-signature data — party names, email addresses, signature details, and signing timestamps when you review or electronically sign an agreement we issue.
- Analytics and marketing data — usage and device information collected by Google Analytics, Meta Pixel, and Amplitude, and only after you accept the corresponding cookie categories. No such trackers load before consent.
- Technical and security data — server logs, IP addresses, and audit-trail events that we keep to operate and secure our systems.
3. Why We Process It (Lawful Bases)
We process personal data only where a lawful basis under Article 6 GDPR applies:
- Responding to enquiries and preparing proposals — steps prior to entering a contract and our legitimate interest in running our business (Art. 6(1)(b), (f)).
- Scheduling and holding booked calls — steps taken at your request prior to a contract (Art. 6(1)(b)).
- Issuing and executing contracts, including e-signature records — performance of a contract and legal record-keeping (Art. 6(1)(b), (c)).
- Analytics, advertising, and product-usage measurement — your consent only (Art. 6(1)(a)); you may withdraw it at any time.
- Security, abuse prevention, and audit logging — our legitimate interest in protecting our systems (Art. 6(1)(f)).
- Compliance with tax, accounting, and other legal obligations (Art. 6(1)(c)).
4. Processors and Recipients
We share personal data only with service providers (processors) that help us run our business, under data-processing agreements. We do not sell personal data. Our processors are:
- Google — Google Analytics (consent-gated analytics) and Gmail (business email).
- Meta Platforms — Meta Pixel (consent-gated advertising measurement).
- Amplitude — consent-gated product analytics.
- New Relic — performance and error monitoring.
- Cloudflare — DNS, CDN, and traffic security.
- Vercel — website hosting.
- Hostinger — email, DNS, and VPS hosting.
5. Retention
We keep personal data only for as long as it is needed for the purposes above. Retention periods are configurable per data category in our systems and are enforced by an automated retention job that deletes or anonymises expired records. As a guide: contact enquiries are kept up to 24 months after our last exchange; booking records up to 24 months after the meeting; contracts and signature records for the life of the agreement plus statutory record-keeping periods; consent-based analytics data according to the retention settings of each tool. We delete data earlier when you make a valid erasure request.
6. Your Rights
Under the GDPR you have the right to:
- Access the personal data we hold about you and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten").
- Restrict processing in certain circumstances.
- Receive your data in a portable, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time, without affecting processing carried out before the withdrawal.
To exercise any of these rights, email contact@devya.dev. We respond within one month. Our systems support machine-readable export and erasure of your data on request. You also have the right to lodge a complaint with your local data protection supervisory authority.
7. International Transfers
Some of our processors (including Google, Meta, Amplitude, New Relic, Vercel, and Cloudflare) may process data outside the European Economic Area, primarily in the United States. Where this happens, transfers are protected by adequacy decisions (such as the EU-U.S. Data Privacy Framework) and/or Standard Contractual Clauses. For client systems that we host and operate, EU data location is available where applicable.
8. Cookies
We use no analytics, advertising, or other non-essential cookies until you accept them in the consent banner. Details of every tracker, its category, and how to change your choice are in our Cookie Policy.
9. Security
All traffic is encrypted in transit with TLS, passwords are hashed with argon2id, access to internal systems is role-based, and administrative actions are audit-logged. A full description of our security practices is published on our Security page.
10. Children
Our services are aimed at businesses and are not directed at children under 16. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this policy from time to time. We will post the new version on this page and update the "Last updated" date above. Significant changes will be highlighted on the website.
12. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us at contact@devya.dev. Postal contact details are available on request.