Privacy Policy
Effective date: September 19, 2025
Devels AI (“Devels AI,” “we,” “us,” or “our”) provides services for building and operating AI Agents, Retrieval‑Augmented Generation (RAG) pipelines, LLM chains/orchestration, and advisory services on AI adoption and governance. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit https://devels.ai (the “Website”), interact with our products, use our APIs and dashboards, deploy agents built with our stack, or engage our consulting services (collectively, the “Services”).
Short version: We collect the minimum information needed to deliver secure, reliable AI solutions. We don’t sell your personal information. We don’t use your Customer Content to train our or third‑party foundation models unless you expressly opt in.
If you do not agree with this Policy, please do not use the Services. If you have questions, contact us at [email protected].
Table of Contents
- What We Collect
- How We Use Information
- Legal Bases (EEA/UK)
- How We Disclose Information
- International Data Transfers
- Data Retention
- Security
- Your Privacy Choices & Rights
- Automated Decision-Making
- Children’s Privacy
- Roles: Controller vs. Processor/Service Provider
- Cookies & Similar Technologies
- Third‑Party Services & Links
- Changes to This Policy
- How to Contact Us
- California “Notice at Collection”
What We Collect
We collect information in three ways: (1) directly from you, (2) automatically through the Services, and (3) from third parties.
1) Information you provide directly
- Account & profile: name, email, company, job title, and password or SSO identifiers.
- Customer Content (for AI Agents, RAG, Chains): prompts and messages; uploaded files and documents; knowledge‑base connectors and sync metadata; chain graphs and orchestration traces; tool and API call parameters; embeddings and vector entries; evaluation data; feedback signals (e.g., thumbs up/down); annotations; and chat transcripts.
- Support & consulting: project briefs, architecture diagrams, datasets you choose to share, issue reports, and correspondence.
- Billing: billing contact, transaction identifiers, and limited payment details processed via a PCI‑compliant provider (we do not store full card numbers).
- Recruiting (if you apply): résumé/CV, LinkedIn/GitHub, and other details you provide.
Your responsibility: Only provide data you have a lawful right to share with us.
2) Information collected automatically
- Usage & device data: IP address, approximate location, device/browser type, operating system, language, time stamps, pages viewed, referring/exit pages, unique identifiers, crash and performance logs, API request/response metadata (including token counts), and feature interaction events.
- Cookies & local storage: described in Cookies & Similar Technologies.
3) Information from third parties
- Integrations & connectors you enable (e.g., cloud storage, issue trackers, knowledge bases).
- Vendors (e.g., analytics, security, payments) supplying usage or fraud signals.
- Public sources (e.g., published company websites) to enrich business contact information.
Sensitive data
We generally do not seek sensitive personal information (e.g., health, biometrics). If you intentionally submit it, we process it only as necessary to provide requested functionality and consistent with applicable law.
How We Use Information
We use information to:
- Provide and operate the Services: authenticate users; build, run, and monitor AI agents, RAG pipelines, and LLM chains; route prompts; generate outputs; store/retrieve embeddings; and deliver consulting outcomes.
- Maintain safety & integrity: detect abuse, spam, and security incidents; enforce acceptable use; prevent fraud; and debug.
- Improve the Services: measure performance, conduct QA, optimize relevance, and develop new features. We may use de-identified and aggregated data for these purposes.
- Communicate with you: service messages, updates, and, where permitted, marketing communications (you may opt out at any time).
- Comply with law: legal, regulatory, and contractual obligations; assert and defend legal claims.
Our stance on model training
- No training on your Customer Content by default. We do not use Customer Content (prompts, files, knowledge-base data, chain traces, or outputs) to train our or third-party foundation models unless you expressly opt in.
- We may train customer-dedicated models for you using your data under your instructions (e.g., fine-tuning), in which case we process it as your processor/service provider.
- We may use de-identified, aggregated usage statistics to improve service-level features (e.g., autoscaling, latency, generic relevance heuristics) without attempting to re-identify individuals.
Legal Bases (EEA/UK)
Where GDPR/UK GDPR applies, we process personal data on these bases:
- Contract: to deliver the Services you request.
- Legitimate interests: to secure and improve our Services, prevent abuse, and market to business contacts (balanced against your rights).
- Consent: for certain cookies/analytics/marketing and any optional training use; you can withdraw at any time.
- Legal obligation and legal claims: to comply and to establish/exercise/defend claims.
- Vital interests: rarely, to prevent serious harm.
How We Disclose Information
We do not sell personal information. We may disclose information as follows:
- Service providers / subprocessors: cloud hosting, storage, vector databases, analytics, email/SMS, payments, logging/monitoring, security, and support tools, bound by confidentiality and data-processing terms.
- Third-party LLM providers (when you enable or we configure them to fulfill your requests): they receive your prompts/inputs as necessary to generate outputs. Where available, we configure settings so they do not train on your data; if training retention cannot be disabled, we will disclose that clearly before use or require your opt-in.
- Integration partners you choose: when you connect external systems, we share/receive data per your configuration.
- Affiliates: for corporate operations under this Policy.
- Business transfers: merger, acquisition, financing, or sale of assets (we will require the recipient to honor this Policy).
- Legal and safety: to comply with law, enforce terms, or protect rights, safety, and property.
- With your direction or consent.
- De-identified/aggregated data: that cannot reasonably be linked to you.
We maintain a current list of core subprocessors and can provide it upon request.
International Data Transfers
If you are in the EEA/UK or other regions with data‑transfer restrictions, we implement appropriate safeguards for transfers to countries that may not provide the same level of protection, including Standard Contractual Clauses and comparable mechanisms. Where applicable, we may also rely on certified vendors participating in recognized transfer frameworks. You can request details at [email protected].
Data Retention
We retain personal information only as long as necessary to deliver the Services, comply with our legal obligations, resolve disputes, and enforce agreements. Factors include the type of data, the purpose of processing, and applicable laws. You may request deletion as described in Your Privacy Choices & Rights. For enterprise customers, certain retention periods and backups can be configured contractually.
Security
We employ administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit, access controls, network segmentation, and continuous monitoring. No system is 100% secure; please use strong, unique credentials and notify us immediately of any suspected unauthorized access.
Your Privacy Choices & Rights
Preferences & controls
- Marketing opt‑out: follow unsubscribe links in emails or contact us.
- Cookies: manage via our banner (where shown) or your browser settings; see Cookies.
- LLM providers & integrations: you can disable specific providers/integrations in your configuration (where available) or contact us.
EEA/UK and other regions with similar rights
You may have the right to access, correct, delete, restrict or object to processing, and data portability; and to withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with your local supervisory authority.
U.S. State privacy rights (e.g., CA, CO, CT, UT, VA, TX, OR, NJ, DE and others)
Depending on your state, you may have rights to know/access, correct, delete, opt out of (a) “sale,” (b) sharing/targeted advertising, and/or (c) certain profiling, and to appeal a denied request. We do not sell personal information for money and we only engage in cross‑context behavioral advertising with appropriate notice and choice.
- Submitting a request or appeal: Email [email protected] with the subject “Privacy Request.” If you reside in a state providing appeal rights and you disagree with our response, reply with “Appeal” in the subject.
- Verification & authorized agents: We may verify your request via account login or email confirmation. Authorized agents must provide proof of authorization, and we may still require you to verify your identity directly.
- Global Privacy Control (GPC): Where legally required, we treat a valid GPC signal from your browser as a request to opt out of sale/sharing/targeted advertising for that browser.
Automated Decision-Making
We use automation to route queries, retrieve context, and generate outputs. We do not make decisions that produce legal or similarly significant effects solely using automated processing without meaningful human involvement. Where applicable law grants you rights related to automated decisions or profiling, you may request information and human review via [email protected].
Children’s Privacy
The Services are not directed to children. We do not knowingly collect personal information from anyone under 13 (U.S.) or under 16 (EEA/UK). If you believe a child has provided personal information, contact us and we will take appropriate steps to delete it.
Roles: Controller vs. Processor/Service Provider
- Website, accounts, marketing, and general operations: Devels AI is the controller of personal information.
- Customer Content and end‑users of your deployed agents: Devels AI acts as your processor/service provider, processing data solely per your documented instructions and our agreement (including any Data Processing Addendum and security exhibits). We offer a DPA with Standard Contractual Clauses upon request.
Cookies & Similar Technologies
We use cookies, local storage, and similar technologies to:
- keep you signed in and remember preferences;
- measure usage and improve performance;
- (where permitted) support analytics and limited marketing.
You can manage cookies via our banner (where shown) and your browser settings. Blocking certain cookies may impact functionality. At this time we do not respond to “Do Not Track” signals, but we honor legally recognized GPC signals as described above.
Third‑Party Services & Links
Our Services may link to third‑party websites or allow you to enable third‑party integrations. Their privacy practices are governed by their own policies. Please review those policies before enabling integrations or sharing data with third parties.
Changes to This Policy
We may update this Policy from time to time. The “Effective date” shows when it last changed. If we make material changes, we will provide additional notice (e.g., via email or an in‑product message).
How to Contact Us
Questions or requests about this Policy or your information? Email: [email protected]
California “Notice at Collection”
This section applies to “personal information” as defined by California law (including CPRA). It supplements the information above.
Categories we collect, examples, purposes, sources, retention, and disclosure (for business purposes):
Category | Examples | Purposes of Use | Sources | Typical Retention | Disclosed to (business purpose) |
---|---|---|---|---|---|
Identifiers | name, email, IP, account ID | provide Services, security, support, communications | you; automatic collection | no longer than necessary for each purpose | service providers (hosting, security, support), affiliates |
Commercial info | subscription tier, transactions | billing, fraud prevention, support | you; payment processor | per legal/accounting requirements | payment and billing vendors |
Internet/technical | device/browser, pages viewed, API logs, telemetry | operate, debug, secure, improve Services | automatic collection; analytics | operational need + backups | analytics, security/monitoring providers |
Geolocation (approx.) | derived from IP | content routing, abuse prevention | automatic collection | operational need | hosting/security providers |
Professional info | company, role | account administration, B2B sales | you; public sources | operational need | CRM/support providers |
Inferences (limited) | de‑identified usage trends | improve Services | derived internally | de‑identified/aggregated | not applicable (de‑identified) |
Customer Content | prompts, files, KB data, embeddings, chain traces, outputs | deliver requested AI features | you; integrations you enable | per customer configuration & contract | cloud/LLM providers you enable; subprocessors under DPA |
Sale/Share: We do not sell personal information for money. We also do not “share” personal information for cross‑context behavioral advertising unless you opt in or where permitted with notice and choice. You may opt out or withdraw consent at [email protected] and via applicable cookie controls.
Sensitive personal information: We do not use or disclose sensitive personal information to infer characteristics about you.
Your CPRA rights: access/know, delete, correct, portability, opt out of sale/sharing and certain profiling, limit use of sensitive personal information, and non‑discrimination for exercising rights. Submit requests as described in Your Privacy Choices & Rights.
Final Notes
This Policy is written for a U.S. and EEA/UK audience in plain American English.
If any part of this Policy conflicts with a localized version required by law, the localized version will apply to residents of that jurisdiction to the extent of the conflict.
This Policy is not legal advice. For enterprise deployments, we recommend executing our Data Processing Addendum and reviewing your configuration (LLM providers, storage locations, retention) to meet your compliance requirements.