Skip to main content

Privacy Policy

Last updated: 2026-07-03

1. Who We Are

Devya Solutions ("Devya", "we", "us") is a software development agency operating at devya.dev. For the personal data described in this policy, Devya Solutions acts as the data controller. You can reach us at any time at contact@devya.dev.

2. Data We Collect

We collect the following categories of personal data:

  • Contact form data — your name, email address, subject, and message when you contact us through this website.
  • Booking data — your name, email address, phone number, company, meeting notes, and the date and time you select when you book a call through our booking system.
  • Contract and e-signature data — party names, email addresses, signature details, and signing timestamps when you review or electronically sign an agreement we issue.
  • Analytics and marketing data — usage and device information collected by Google Analytics, Meta Pixel, and Amplitude, and only after you accept the corresponding cookie categories. No such trackers load before consent.
  • Technical and security data — server logs, IP addresses, and audit-trail events that we keep to operate and secure our systems.

3. Why We Process It (Lawful Bases)

We process personal data only where a lawful basis under Article 6 GDPR applies:

  • Responding to enquiries and preparing proposals — steps prior to entering a contract and our legitimate interest in running our business (Art. 6(1)(b), (f)).
  • Scheduling and holding booked calls — steps taken at your request prior to a contract (Art. 6(1)(b)).
  • Issuing and executing contracts, including e-signature records — performance of a contract and legal record-keeping (Art. 6(1)(b), (c)).
  • Analytics, advertising, and product-usage measurement — your consent only (Art. 6(1)(a)); you may withdraw it at any time.
  • Security, abuse prevention, and audit logging — our legitimate interest in protecting our systems (Art. 6(1)(f)).
  • Compliance with tax, accounting, and other legal obligations (Art. 6(1)(c)).

4. Processors and Recipients

We share personal data only with service providers (processors) that help us run our business, under data-processing agreements. We do not sell personal data. Our processors are:

  • Google — Google Analytics (consent-gated analytics) and Gmail (business email).
  • Meta Platforms — Meta Pixel (consent-gated advertising measurement).
  • Amplitude — consent-gated product analytics.
  • New Relic — performance and error monitoring.
  • Cloudflare — DNS, CDN, and traffic security.
  • Vercel — website hosting.
  • Hostinger — email, DNS, and VPS hosting.

5. Retention

We keep personal data only for as long as it is needed for the purposes above. Retention periods are configurable per data category in our systems and are enforced by an automated retention job that deletes or anonymises expired records. As a guide: contact enquiries are kept up to 24 months after our last exchange; booking records up to 24 months after the meeting; contracts and signature records for the life of the agreement plus statutory record-keeping periods; consent-based analytics data according to the retention settings of each tool. We delete data earlier when you make a valid erasure request.

6. Your Rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten").
  • Restrict processing in certain circumstances.
  • Receive your data in a portable, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time, without affecting processing carried out before the withdrawal.

To exercise any of these rights, email contact@devya.dev. We respond within one month. Our systems support machine-readable export and erasure of your data on request. You also have the right to lodge a complaint with your local data protection supervisory authority.

7. International Transfers

Some of our processors (including Google, Meta, Amplitude, New Relic, Vercel, and Cloudflare) may process data outside the European Economic Area, primarily in the United States. Where this happens, transfers are protected by adequacy decisions (such as the EU-U.S. Data Privacy Framework) and/or Standard Contractual Clauses. For client systems that we host and operate, EU data location is available where applicable.

8. Cookies

We use no analytics, advertising, or other non-essential cookies until you accept them in the consent banner. Details of every tracker, its category, and how to change your choice are in our Cookie Policy.

Read the Cookie Policy

9. Security

All traffic is encrypted in transit with TLS, passwords are hashed with argon2id, access to internal systems is role-based, and administrative actions are audit-logged. A full description of our security practices is published on our Security page.

Read the Security page

10. Children

Our services are aimed at businesses and are not directed at children under 16. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this policy from time to time. We will post the new version on this page and update the "Last updated" date above. Significant changes will be highlighted on the website.

12. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us at contact@devya.dev. Postal contact details are available on request.