DevRev Privacy Policy v.2.1. - effective from December 13, 2024

Please note: While most of our users would likely prefer a shorter privacy notice, current laws and regulations require us to offer a lot of information on our processing operations. We have thereby endeavoured to offer summarised snapshots of the most relevant information under certain sections of this notice. Feel free to read the short section summaries provided at the beginning of most sections or read the full legally binding text below each summary.

We truly hope that you find the contents contained herein understandable. Should you require a “clean” version of this notice as well as any additional information or clarifications regarding the processing of your personal data and the use of our products and services, feel free to reach out to us at dpo@devrev.ai.

1. Introduction

This privacy policy serves as a notice to individuals under Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of personal data by DEVREV, inc. as well as its subsidiaries, and outlines how personal and other data is processed in connection with the DevRev service and the corresponding features, as well as our website, other company-wide operations and processes, as further outlined below (hereinafter: privacy notice or notice).

All California residents that visit our website, use our products or otherwise interact with our organisation are kindly asked to observe section 5 of this notice which has been prepared in accordance with the California Consumer Privacy Act.

1.1. Information on the controller of your personal data

Summary: Information on us (i.e. the data controller responsible for your personal data and our various subsidiaries) and where we, our EU representative or our dedicated Data Protection Officer can be reached.

DEVREV, inc., 300 Hamilton Avenue, 2nd Floor, Palo Alto, CA 94301, United States of America, company reg. no.: 4656646, the owner and supplier of the DevRev service and its subsidiaries:

  • DevRev, razvoj programske opreme, d.o.o., Železna cesta 18, 1000 Ljubljana, Slovenia, Europe, company reg. No.: 8879311000, VAT ID no.: SI 51541556 that is acting as its EEA representative as per Article 27 of the GDPR;
  • DevRev UV Cloud, Inc., 300 Hamilton Avenue, 2nd Floor, Palo Alto, CA 94301, USA bearing EIN: 93-4295372;
  • DevRev Cloud India Private Limited, 608, 12th Main Rd, 8th cross, HAL 2nd Stage, Indiranagar, Bengaluru, Karnataka 560038, India bearing (CIN) U72900KA2020FTC141826 with registration number 141826;
  • DevRev GmbH, Herzogweg 40, 71083 Herrenberg, Germany bearing company registration number: HRB 786019;

(hereinafter jointly referred to: we, us, our, DevRev, the controller, organisation or company)

Our data protection officer has been appointed and is reachable at dpo@devrev.ai.

1.2. Use and applicability of this privacy notice

Summary: This privacy notice is applicable if you visit our websites, use the DevRev service or otherwise interact with our company in a way where we receive or otherwise process your data as mentioned under sections 2 and 3 of this notice. If you are a resident of California, please see section 5. In the event of substantial changes to this notice, we will notify you accordingly via email or through our website (depending on the importance of the change).

More information

This privacy notice is addressed to our website visitors, customers, DevRev users and all other individuals who offer their personal data to DevRev in connection with its websites, operations, products and services, as stated in sections 2 and 3 of this notice.

This privacy notice undertakes to explain which personal data we process, to what end we process such data, under which legal grounds, how long the data is kept and under what circumstances we may share or disclose said personal data to third parties.

This privacy notice has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and the free movement of such information and repealing Directive 95/46 / EC (hereinafter the General Data Protection Regulation or the GDPR), the United Kingdom General Data Protection Regulation and the California Consumer Privacy Act that came into force on January 1, 2020 (hereinafter the: CCPA or California Consumer Privacy Act).

All California residents that visit our website, use our products or otherwise interact with our organisation are kindly asked to observe section 5 of this notice which has been prepared in accordance with the California Consumer Privacy Act.

In the case of any conflict or ambiguity between this privacy notice and the provisions of any special privacy notice or data processing information that we might have offered to you in connection with a particular website, product or service, the provision of the latter shall prevail.

For the purposes of this notice, the term “personal data” means any information that relates to, describes or could be used to identify any individual, either directly or indirectly. Unless otherwise stated, other various terms that can be found in this privacy notice and which stem from the GDPR (e.g. processing, controller, processor, etc.) have the same meaning as specified in the GDPR.

In this notice, the word “service” means the DevRev service (available at https://devrev.ai/) which we develop and provide, unless it is clearly stated that we are referring to another service.

In this notice, the word “user” shall mean the natural or legal persons which are acting as registered or unregistered users of the DevRev service (i.e. entities which had obtained a licence from DevRev for the use of the service (or a feature or subservice of the service) or which are using the service in a capacity that does not require account registration).

In this notice, the words “user website” or “user web-store/marketplace” (hereinafter jointly referred to as the user website) shall mean the website that belongs to a DevRev service user where the DevRev service (or a feature/subservice) had been deployed or integrated.

In this notice, the words “article”, “file” or “document” mean the corresponding input data or content, as the case may be, that a user may elect to upload or otherwise use in connection with the service in order to receive automatically generated summaries or other outputs from the service.

This privacy notice may be updated from time to time in order to better reflect the changes that we might make in relation to our data processing or data protection operations or for other operational and legal reasons.

If this notice is significantly changed, we will publish the news on our website or send the notification as a message within the service or via email to the relevant data subjects that the change might affect. The importance of the change shall dictate the type of notification method used (i.e. sending emails when we would like to implement additional processing purposes which require your explicit consent).

This notice may contain links to websites of third party processors/service providers or individual controllers that may be involved in our processing activities (see point 4.4 of this notice). If you follow a link to any third-party website, please note that the contents of the website may have changed since the link has been added. Please also consider that all third parties have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data that is unlawful or goes beyond the scope of our engagement.

This notice does not offer insights on how to use our products or services. More information about the functionalities and use of our products and services can be gained by contacting us at dpo@devrev.ai

2. Data processing activities that relate to our websites, communication, sales and delivery of our products, our general marketing and other company operations

Summary: The following is an overview of when we process your personal data, what personal data we process, why we process said data, what underlying legal basis allows us to do this and how long we keep your data in each case. This section refers to situations where you visit our websites, communicate with us, buy from us, or when we perform our general marketing and other activities. We do not sell personal data of any individuals.

2.1. Visiting and using our websites

2.1.1. Visiting our website involves the placing of necessary and other cookies

Summary: We automatically place necessary cookies on your device when you visit our website and place other cookies on the basis of your consent. Necessary cookies are necessary so that our website may be displayed and function properly while other cookies offer us various business and other capabilities (see our dedicated Cookie Policy to learn more).

More information

When: When you visit our website, we automatically place necessary cookies on your device and place other cookies if we obtain your consent (i.e. through the cookie pop-up).

Data: Necessary cookie data which typically only reveals technical information about your device while other cookies can store (and share) other data (see our Cookie Policy to learn more).

Purpose: Necessary cookies are essential for the correct functioning of our website and enable key functions like page navigation, display features, page responsiveness, etc., while other “non-necessary” cookies are used (see our Cookie Policy to learn more).

Legal basis: We are legally permitted to place necessary cookies on your device without consent, while we shall actively seek your consent before placing all other cookies.

Data retention: Necessary cookie data can either be stored for the duration of your browsing session or longer. See our Cookie Policy to learn more about the retention period for each cookie.

2.2. Communication, sales and delivery of our products

2.2.1. When reaching out to us both on and off our websites

Summary: When you reach out to us (e.g. by sending an email to an address that belongs to us, messaging us through the DevRev live-chat service, etc.), we shall process any data you might share (or have shared with us in the past) in order to respond to you or fulfil your request. The data is shared using “SendGrid” (a service provider that we use for sending you emails), “Vercel" (a company that helps us host and manage our website), “Tally BV” provider that we use for distributing forms and gathering form results). Please note that for some of the website features we are also using https://vwo.com/ and https://getkoala.com/ services.

More information

When: When you choose to reach out to us or contact with us (i.e. by sending an email to an address that belongs to us, submitting a question through our DevRev live-chat service, reaching out to us through our official email channels or social media platforms, or in communication with our employees/agents or via other means).

Data: We may process any data/information you disclose in your communication (such as your name, email address, billing address, shipping address, products ordered and order number) or which we might already have and require to formulate our response/solve your issue.

Purpose: In order to respond to emails, messages, formal inquiries, proposals, support, troubleshooting and other inbound communication.

Legal basis: We carry out these processing activities because processing might be necessary for the performance of a contract to which the person reaching out to us is a party (e.g. if you have bought a product from us and reach out to us for product related information) or in order to take steps at the request of the data subject prior to entering into a contract (e.g. if you reach out to us with questions about our products prior to placing an order) or on the basis of our legitimate interests.

Data retention: We typically do not keep communication data after responding to you. An exception to the aforementioned can be made if messaging or other communication had been performed through the use of a dedicated service (i.e. email, chat module, etc.), whereby we may keep data in such systems for up to 3 years or any such stipulated and relevant statutory period after having received it.

In certain rare cases, we might keep parts of the data/communication for a longer period, if it is evident that certain data is needed in a legal or other official proceeding that is being carried out.

If such communications took place through platforms such as Facebook, please refer to the data retention periods that Meta Inc. or other platform providers might offer, as data deletion in such circumstances is not solely dependent on us (please see point 4.4 of this notice).

2.2.2. When purchasing a product subscription/license from us for using our service through our website or through our agents

Summary: When you purchase a product or subscription on our website or through the check-out module, we are required to collect and process certain contact, payment and transactional data for product invoicing, delivery and other necessary administrative or legally required purposes. The data is shared with “Stripe” which offers the relevant check-out module of our website and for sending you transactional emails, and may be used by different payment facilitators (depending on your desired payment method). We may be legally required to store parts of such data for up to 7 or 10 years under applicable tax and other legislation(s).

More information

When: When you purchase a product or subscription from us through our website or the payment check-out module we employ.

Data: Your contact information (such as your name, email, country, address, billing address, shipping address, telephone number, products ordered, order number, your payment information, such as your credit card number, billing address, holder name, issuing bank, expiry date, and security code (whereby this data is collected by “Stripe” as our data processor in connection with the check-out module for purchasing our products and is not necessarily shared with us or even visible to us).

Purpose: We use this data in order to legally sell our products to you and send you transactional emails (e.g. order status, invoice, etc.).

Your contact and invoice data is shared with our delivery services and your payment information is collected and stored by our third-party payment facilitators on our behalf (such as “Stripe” (see point 4.4 to learn more), whereby these parties may be considered as individual data controllers or processors, as the case may be.

Data you share with us through the check-out or default payment module of our website also collected by “Stripe” that our check-out module uses and which is acting as our data processor (please see point 4.4 of this notice to find out more about who we might share your data with and why).

This data may also be processed when we are required to comply with legal requirements and other regulations, especially those governing the control of personal data, taxes, invoicing and payments.

Legal basis: Contractual (i.e. the concluded distance sale contract you enter into when you agree to our terms of sale and place your order).

Data retention: We may retain a minimised set of the aforementioned data that includes your contact information, payment and shipping information (such as your name, email address, billing address, shipping address, products ordered and order number) until the expiration of the statutory period under which we may be held liable in relation to any possible hidden defects on the products we have sold you. This does not include any data that you might have given us on any other grounds or for any other purposes (i.e. data that we process for marketing purposes based on your consent, data that relates to your user account, etc.).

We are legally obliged to retain certain transactional data in unminimized form (such as invoicing data) for a minimum of 10 years (depending on the point of sale and the location of our subsidiary that is issuing the invoice).

We may also retain certain data on the grounds of our legitimate interest if we detect reasonable grounds that fraud or attempted fraud had taken place in relation to the sale of our products. Such data shall not be kept longer than necessary in order to assess the situation and take any necessary action.

Our payment facilitation/payment service providers typically do not retain any personal data other than the data that they might have a legal obligation or legitimate interest in retaining (or the data that they already keep in relation to your individual use of their payment/banking services). Please see the relevant privacy policy of the payment facilitation/payment service provider that has been engaged in the sale of our product to find out more.

2.2.3. When wishing to communicate transactional/essential information in connection with your purchase or use of our products or services

Summary: When you purchase a product or service from us (or have done so in the past) and we consider it necessary (or are legally required to do so), we may send you emails with transactional/essential information (i.e. emails about your order having been successfully placed, changes of product delivery dates, information regarding a potentially serious issue that might affect your product, updates and changes to our policies and terms, etc.). The data is shared with “SendGrid” a service provider that we use for sending transactional emails.

More information

When: When you purchase a product or service from us or have done so in the past and we deem it necessary to reach out to you with important information or are required to do so by law.

Data: We may process any data/information you disclose to us during your purchase (such as your name, email address, billing address, shipping address, products ordered and order number) or which we might already have and need in order to formulate our transactional/essential messages.

Purpose: To communicate transactional/essential service-/product-related information to you (i.e. notify you that your order had been placed successfully, offer assistance regarding the use of our products, inform you of important product issues, updates and changes to our policies and terms, get in touch with you regarding changes to products and features, etc.).

Legal basis: We carry out these processing activities because processing is necessary in order to fulfil the contract that we have concluded with you (i.e. the Terms of Sale you enter into when purchasing a product from us or the DevRev Terms of Service you accept when registering your account or using our service).

We may also be required to perform the above mentioned data processing because we are required to do so under law (i.e. sending you an invoice) or on the basis of our legitimate interests (i.e. providing functioning and safe products). In certain rare cases, the above stated processing might be performed by us in order to protect your vital interests (or the vital interests of another natural person) (e.g. in case of informing you that we have detected a serious issue with our product that may pose business or other risks).

Data retention: We typically do not keep communication data after communicating with you. An exception to the aforementioned can be made if messaging or other communication had been performed through the use of a dedicated service (i.e. email, chat module, etc.), whereby we may keep data in such systems for up to 3 years or any such stipulated and relevant statutory period after the receipt of communication.

2.3. General marketing activities

2.3.1. When sending email marketing messages to existing customers

Summary: When you purchase a product on our website or elsewhere, certain EU/USA legislation gives us the right to send you email marketing messages that contain information on our similar products and services. Every email you receive as a result of this shall always contain an “unsubscribe” link, and we shall never share your email with any other entity or market products or services that do not belong to us or may not be considered “similar” to those that you had originally purchased from us. Data is shared with “SendGrid” or “Mailmodo” a service provider that we use for sending marketing emails (where we may host emails from our “wait list”).

More information

When: When you purchase a product from us through our website or through other means.

Data: Your email address and past purchase history with us, as well as information regarding whether you have opened/clicked on links in our email messages.

Purpose: Keeping you informed of similar products and services that we offer.

Legal basis: Our legitimate interests (i.e. under certain EU legislation we are legally allowed to send email marketing messages on an opt-out basis if the recipient's details were originally collected "in the context of a sale", if the entity sending the marketing is the same legal entity that collected the recipient's details initially (i.e. us), the marketing relates to "similar" products and/or services for which the recipient's details were originally obtained, and you as the recipient are given the opportunity, free of charge, to object to our email marketing, both at the time when your details had been collected and in each subsequent communication (i.e. by clicking the “unsubscribe” link that is contained in each of our marketing emails).

Note that we shall not sell or share your email and other related data with any other third party and shall only use it within the “SendGrid” or “Mailmodo” service which we use for sending such emails.

Data retention: Until we receive your unsubscribe/data deletion request or if you have not opened our marketing emails for more than 3 years or any such stipulated and relevant statutory period whereby your data shall be permanently deleted in all of these cases.

2.4. Other company operations

2.4.1. When responding/applying to our open job postings as a potential candidate

Summary: If you respond or apply to any of our open job postings, we may process the data we receive from you in order to evaluate you as a candidate and carry out the necessary hiring procedures. We will keep any relevant data after the hiring procedure only in line applicable data law(s) and for legitimate business interests and we will not keep any other data (not required for the aforementioned purposes) after the hiring procedure ends if we do not receive your explicit consent for doing so. It is however, pertinent to note that a prospective candidate applying to our organisation may do so via an external hiring agency/headhunter (that has a contract with us) and thus, your data shared with such external agencies is a matter of concern between said agency and yourself and we would merely be a “sub-processor” in the instant scenario.

When: When you respond/apply to our open job posting as a potential candidate through a dedicated online form or reach out to us for this purpose via email.

Data: The data that we might require as part of your application will be stated next to the job posting or dedicated online application form. We typically consider your general contact details (full name, email address, place of residence, age, nationality) as well as any information you might have included in your resume or CV and the details about your current or past employment or other working experience. We may also process any other information you elect to share with us for this purpose as well as any information you have made public on the Internet (such as your blog, Github or LinkedIn page).

Purpose: In order to evaluate you as a candidate and carry out the necessary hiring procedures and interviews.

Note that we may share the data with external HR firms we might employ to help us with the hiring process (please see point 4.4 of this notice).

Legal basis: We carry out these processing activities on the basis of entering into negotiations for the conclusion of an (employment) or other work contract.

Should you explicitly consent to this, we may keep your data after the conclusion of the hiring process in order to keep you posted of any future job opportunities that may interest you. To withdraw consent, you can send a free form email to dpo@devrev.ai at any time or follow the unsubscribe link included in all of our job posting emails.

Data retention: Until the conclusion of the hiring procedure or until we receive your consent withdrawal or data deletion request or if you have not opened our job posting emails for more than 3 years or any such stipulated and relevant statutory period whereby your data shall be permanently deleted in all of these cases.

2.4.2. Sending email marketing messages to new consenting customers

Summary: When you consent to receiving our marketing messages (e.g. newsletters, product waitlist messages, new product launch notifications, discounts etc.) via email or other channels we shall send marketing messages to the email address that you entered for this purpose, whereby every email shall always contain an “unsubscribe” link. You can also withdraw your consent at any time by sending a free form email to dpo@devrev.ai. The data is shared with “SendGrid” or “Mailmodo” , a service provider that we use for sending marketing emails. We shall not sell or share your email and other related data with any other third party.

More information

When: When you’re open to hearing from us and consent to receiving our various email marketing messages (e.g. tips & tricks, surveys, contests, newsletters, new product launch notifications, discounts, etc.) via email from time to time.

Data: When marketing to an individual, we typically process the individual's email address. We may also process the name of the individual (and potential other information) if this has been explicitly stated next to the input fields where the individual entered said data and consented to the processing.

Purpose: In order to send newsletters, product waitlist messages, new product launch notifications, discounts, surveys, promotion codes, information on contests and other marketing messages to consenting individuals to their email address.

Legal basis: We carry out these processing activities on the basis of your consent.

To withdraw consent, you can send a free form email to dpo@devrev.ai at any time or follow the unsubscribe link included in all of our marketing emails.

Note that we shall not sell or share your email and other related data with any other third party and shall only use it in the “SendGrid” or “Mailmodo” service which we use for sending emails.

Data retention: Until we receive your unsubscribe/consent withdrawal or data deletion request or if you have not opened our marketing emails for more than 3 years or any such stipulated and relevant statutory period whereby your data shall be permanently deleted in all of these cases.

3. Data processed in connection with the DevRev service

3.1. Data we process as “processors” when offering the DevRev service and its features to our customers (i.e. DevRev users that are acting as individual data “Controllers”)

Please note: By providing the DevRev service to businesses who have set up a user account and use the service and its features in connection with their own websites, web-stores and other digital products (hereinafter: “DevRev users”, “users” or “Controllers”), DevRev acts as the “processor” of certain personal data that might get collected and stored in connection with the service, while each individual user acts as the “controller” of such data, as defined by the GDPR.

The data of a user (i.e. controller), as well as other information on the processing of personal data in connection with the service by said user must always be available to you at the time you entrust your personal data to the user (e.g. when you interact with the DevRev live chat feature a user has deployed on his website). According to the GDPR, the disclosure of this information as well as the responsibility for the lawfulness of processing thus performed is the responsibility of the individual user (e.g. store/website owner).

More information

If, as an individual, you want to obtain information about the processing of your data by a user as the controller of your personal data (e.g. a DevRev service user to whom you have entrusted your personal data to so that he may process it for his own purposes, such as offering you his support services through DevRev live chat, etc.), we advise you to refer to the privacy policy of said user (whereby links to privacy policies are generally available in the footers of website/web-store stores).

We advise you to refer to the email address of the relevant data protection officer of such user/controller as stated within their respective Privacy Policy/Data Processing Addendum and they should be in a position to help you with identifying which user may be acting as the data controller in relation to your data.

However, if the user has any queries or requests in respect of information required for data processing, such user may refer to our data processing addendum and if further clarification/confirmation is needed on the same, such user may contact our data protection officer at dpo@devrev.ai

If you as an individual contact DevRev directly with a personal data related request (e.g. a request for access to data, rectification, erasure, right to be forgotten, etc.), DevRev shall immediately forward the request to the relevant user who is acting as the controller of your data. DevRev shall, after receiving the instructions of the relevant user, correct, delete, forward, rectify or otherwise process the data in order to comply with/reject the request of the individual.

Below is a general rundown of the data we process in connection with the provision of our services for each user, based on the feature/part of the service he had deployed:

Personal Data types and the subject-matter, nature and purpose of processing

Subject to the Controller's use of the DevRev Services, the following processing of Controller Personal Data is instructed by the Controller to be carried out by the Supplier or his Affiliates/Subprocessors in order to provide each feature of the DevRev Services:

DevRev Services : Support and Maintenance

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Customer communication and interactions via tickets, inbox messages, PluG messages, slack integrations, and other forms.Essential for offering the manual and automatic customer support services to the Controller in relation to the provisions of the Services. Legal ground: Contractual (Services Agreement).DevRev users / other individuals that may be tied to Controller data.

DevRev Services Feature: CRM

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Controller data stored for rendering Services and capitalising on potential customer prospects by the Controller.Providing the DevRev CRM functionality to the Controller. Legal ground: Contractual (Services Agreement)DevRev users / other individuals that may be tied to Controller data.

DevRev Services Feature: Analytics

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Tickets, issue reports, account data and product data which can include personally identifiable information of individuals that are tied to the Controller.Essential for offering the analytics features (Analytics service, Data taps, Default analytics dashboard, presenting data to the user through visualisations in summarised and aggregated form to the Controller). Legal ground: Contractual (Services Agreement)DevRev users and individuals that may be tied to Controller data.

DevRev Services Feature: SOR

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
System of records, records of engagements (meetings, surveys, etc.), attachments and other artefacts, events and comments as well as any other custom/specific data that is added by the Controller.Essential for offering the record keeping features of the DevRev Services. Legal ground: Contractual (Services Agreement)DevRev users / other individuals that may be tied to Controller data.

DevRev Services Feature: Airdrop

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Any custom/specific data that is added by the Controller from any other service (such as Jira, Zendesk, ServiceNow, GitHub, Linear, SalesForce, etc.) that the Controller transfers via the AirDrop feature to the DevRev Services.Essential for offering the AirDrop API (importing/exporting all of the data the Controller had requested from/to each supported external service) as well as debugging the AirDrop feature. Legal ground: Contractual (Services Agreement)DevRev users / other individuals that may be tied to Controller data.

DevRev Services Feature: Workflow Engine

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Any custom/specific data that is added by the Controller in connection with any automation or content related with each automation, to and fro any external services they use.Essential for offering the Workflow Engine feature. Legal ground: Contractual (Services Agreement)DevRev users / other individuals that may be tied to Controller data.

DevRev Services Feature: Turing AI

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Internal documentation data, attachments and other artefacts, events and comments as well as any other custom/specific data that is added by the Controller.Essential for offering machine learning and other aspects of the Turing AI feature. Legal ground: Contractual (Services Agreement)DevRev users / other individuals that may be tied to Controller data.

DevRev Services Feature: Identity

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
System of records for internal users (employees) and external users (end users of the Controller’s application) with identifiers, properties and associations as created/submitted by the Controller on the platform.Essential for offering the Controller the User Authentication, Authorization, Profile Management features of the Service as well as for offering Controller End Users the CRM Data Management, Authentication and Authorization Services. Also used for offering the Controller our support services. Legal ground: Contractual (Services Agreement)DevRev users / other individuals that may be tied to Controller data.

DevRev Services Feature: Marketplace

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Any custom/specific data that is added by the Controller in connection with any plugin, that the Controller y decided to publish on the DevRev marketplace as an author.Essential for the publishing/provision of a plugin by the Controller on the DevRev marketplace. Allows plugin authors to be able to publish their plugin on the DevRev marketplace. Legal ground: Contractual (Services Agreement).DevRev users / other individuals that may be tied to Controller data / Controller plug-in customers (i.e. Controller End Users).

DevRev Services Feature: Search

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Tickets, iIssues, information imported into the Devrev Service,, iInternal documentation data, attachments and other artefacts, events and comments as well as any other custom/specific data that is added by the Controller.Essential for offering the Controller the search functionality within the DevRev services. Legal ground: Contractual (Services Agreement).DevRev users / other individuals that may be tied to Controller data as well as End-users of DevRev Users.

DevRev Services Feature: Notification

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Any Controller or Controller End User related information that is specified by the Controller and configured on the DevRev platform that can be used for communication purposes.Essential for configuring important notifications to be triggered for business purposes. Legal ground: Contractual (Services Agreement).DevRev users / other individuals that may be tied to Controller data

DevRev Services Feature: Snap-ins

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Any custom/specific data that is added by the Controller in connection with any automation or content related with each automation, to and from any external services that may be used in connection with each snap-in feature they use.Essential for offering the plugin engine. Legal ground: Contractual (Services Agreement).DevRev users / other individuals that may be tied to Controller data.

DevRev Services Feature: Plug Observability

Controller Personal Data or other personally identifiable informationPurpose of processing / Legal grounds for processing Categories of individuals
Allows the Controller to collect metadata of of user visits on the their web and mobile application, such as device model, OS version, App version, browser version, browser type, Device Type, Engagement time, performance metrics such as API response time, App Launch time. Allows the Controller to collect custom user behaviour data such as user events & user attributes. Allows the Controller to collect user session information in the form of in app screenshots. Purpose of processing: Essential for offering the plugin engine and its features. Allows the Controller to understand application usage and environment monitoring as well as user behaviour, better product analytics and troubleshooting. Legal ground: Contractual (Services Agreement).DevRev users / other individuals that may be tied to Controller data.

Data deletion: DevRev will store the data in relation to which the user is acting as the “controller” for as long as it is necessary to fulfil the above stated purposes for processing and shall delete and procure the deletion of all copies of stored data within within 30 (thirty) business days of the date of termination of the Services Agreement or the date of the user account deletion (whatever comes first). Individual data deletion takes place instantly after initiation by the user via the relevant user dashboard/dedicated data deletion feature.

3.2. When signing up or signing in to the DevRev service as a user by providing your email and login credentials

Summary: We process your username, email, password and the IP of the device you are accessing the app on for account sign-up and authorisation purposes so that you can register an account with us and use your feeder through our app. We also use your email in order to communicate essential service/product related information.

More information

When: When you sign up or sign in to use our service either as a user by providing your email and login credentials.

Data: We process your username/email via Google Identity logout and LinkedIn whilst you are accessing our software application. We may also process certain technical data such as data logs (for technical support purposes) and your account customisation preferences.

Purpose: Sign-up and sign-in account authorisation as well as account management and security purposes so that the user can use the service and its various features.

We use the email that is tied to your account in order to offer you password management and restoration capabilities as well as technical and customer support and in order to communicate essential service-/product-related information to you (i.e. inform you of important product issues, updates and changes to our policies and terms, etc.).

Please note: we do not retain DevRev user data obtained through Google Workspace APIs to develop, improve, or train generalized AI and/or machine learning models.

Legal basis: Contractual (i.e. the Services Agreement the user is required to accept when registering his account).

Data retention: Until a user decides to delete his user account or any such stipulated and relevant statutory period.

3.3. When using the DevRev service as a user we may collect general analytical data so that we may make improvements to our services

Summary: We may collect and process general analytical data (such as session time, app updated status, app crash status, feeder stream status data, etc.) from users so that we may offer support and gain insights which may allow us to make improvements to our services. We do not use this data to identify you and do not combine it with other data we might have for any other purposes other than offering support (when requested). We use “DataDog” and other services in order to collect and process this data (see point 4.4 of this notice).

More information

When: When you open, sign in and use our services.

Data: We process data on whether your service has crashed, whether features and functions had been triggered or stopped, when the service had first been opened (necessary for identifying service versions), as well as the length of your service use sessions.

When offering support, we may also combine this data with other data we might have in relation to you so that we may infer your device ID, your country/region/city, your DevRev identity, the service build number/version, the dimensions of your screen and the type of device and browser that is used.

Purpose: So that we may offer technical support and make improvements to our services. We also use this data when planning our next update or analysing systemic issues that users have reported.

We do not use this data to identify users and do not combine it with other data we might have for any other purposes other than offering individual technical support (when requested).

Legal basis: Our legitimate interest.

Data retention: Until you decide to delete your account or send us your data deletion request via a free form email to dpo@devrev.ai

Note that we may irreversibly anonymize and keep the analytical data that has been tied to your user account indefinitely (whereby this data shall not be attributable to you in any way).

Please also note that “DataDog” may retain any analytical data you generate in connection with our app for up to 60–90 days or any such stipulated and relevant statutory period after we receive and execute your account/data deletion request, after which the data will be hard deleted and unrecoverable.

3.4. When using the Plug Observability feature in connection with our products and services

Summary: When you as a user of our service agree to this, we may collect metadata of user visits on our web and mobile applications such as device model, OS version, app version, engagement time, in-app screenshots and other data in order to understand application usage and environment monitoring as well as gain in depth product analytics. This allows us to understand user behaviour and create customer cohorts for our sales efforts.

More information

When: When you consent to our use of the Plug Observability feature inside of our service.

Data: Metadata of of user visits on our web and mobile application which includes device model, OS version, app version, browser version, browser type, device type, engagement time, performance metrics such as API response time, app Launch time, custom user behaviour data such as user events & user attributes and in-app screenshots.

Purpose: In order to understand application usage and environment monitoring as well as gain in depth product analytics. This allows us to understand user behaviour and create customer cohorts for our sales efforts as well as potentially identify and troubleshoot customer issues faster.

Legal basis: Consent.

Data retention: Until a user decides to delete his user account or withdraw his consent. Please note that we may keep anonymised data even after a user decides to delete his account or withdraw his consent.

4. Additional general information

4.1. How we might obtain your personal data

Summary: We use different methods to collect data from and about you, including: direct interactions, automated technologies or interactions, third parties or publicly available sources.

More information

Direct interactions

You may give us information about you by filling in forms or by communicating with us by phone, email or otherwise. This includes information you might provide when creating an account in order to use our service or when obtaining a licence to use our service, subscribe to our newsletter, search for a product online with a tracking cookie from our partners installed on your device, place an order through our website or its check-out module, enter one of our competitions, promotions or surveys and when reporting a problem with our website or a bug in our service.

Automated technologies or interactions

As you interact with our website, we may automatically collect technical data about your device, browsing actions and patterns by using cookies and other similar technologies as specified above in section 2 of this notice and in our Cookie Policy.

We may also receive information that relates to you (or another third party individual) if such information had been tied to texts or other data that had been inputted into our service or otherwise collected by our bot on a particular channel.

Third parties or publicly available sources

We may receive information about you if you visit other websites that place tracking cookies from our partners on your device (see our Cookie Policy to find out more). You may also post some of your information publicly online.

4.2.1. When conducting processing activities in order to comply with a legal obligation

Summary: Our organisation may occasionally process personal data for the purposes of complying with legal requirements and other regulations, especially those governing taxes, invoicing and payments (an example of this may include a court, inspector or other holder of public authority ordering our organisation to provide it with access to certain information which may include personal data).

More information

This may also be the case if someone else had filed for criminal or other legal procedures to be instituted against us by local or international law enforcement agencies or other tax and regulatory bodies, which might therefore contact our organisation for additional details (e.g. when data from our database would have to be presented as evidence in criminal or civil proceedings, otherwise our organisation would suffer material and irreparable damages). Note that we shall only fulfil such requests if specifically required by local or international law and shall adhere to anonymizing or at least minimising any personal data that we are required to share.

In the above stated cases we will always strive to fulfil the request with full transparency, except in cases where this might not be possible as (in accordance with a particular request of an authorised body) notifying the public of such request might endanger the proceedings at hand.

4.2.2. When our processing activities are based on our legitimate interests

Summary: In certain cases (i.e. when evaluating the threat of fraud), we may rely on our legitimate interests in order to process certain payment-, order- or account-related data as described in sections 2.2.2. of this notice.

More information

Our legitimate interests can also include instances where we process your personal data for our own internal business purposes and commercial interests, such as our own marketing activities (i.e. sending you marketing emails when you are our past customer unless consent is required under applicable laws, as described in point 2. of this notice), and offering additional customer and technical support or collecting analytical data or analysing data in instances where we legitimately deem that fraud had taken place.

4.2.3. When our processing activities are based on your consent

Summary: When you had given your consent for the processing of your data for one or more specific purposes (such as sending email marketing messages to new consenting customers as described in point 2.4.2 of this notice), your consenting to the processing of personal data is voluntary, whereby you may withdraw your consent at any time by contacting us at dpo@devrev.ai (or by clicking the “unsubscribe” link found in each of our marketing emails). If you do not provide personal data or if you withdraw your consent, this may mean that we will not always be able to fulfil the purposes for which we had collected the data.

More information

Where consent has been withdrawn, we shall delete/anonymize any data we or our processors/service providers have kept on the basis of your consent.

Additionally, every effort will be made to remove relevant personal data from products/marketing campaigns and other distributions. However, this may not be possible in some situations, and in such cases, certain personal data that cannot be removed or otherwise anonymized may still appear in publications, products and other media already in use or circulation.

4.2.4. When processing activities are necessary for the performance/negotiating of a contract

Typical situations as mentioned in sections 2 and 3 of this notice include your acceptance of our terms of sale when purchasing our products and your acceptance of our Service Agreement when setting up your user account.

This also includes instances when we need to communicate (i.e. negotiate) with you so that you may decide to enter into a contract with us (i.e. buy our product, accept a job position with us, etc.).

4.3. How long do we store your personal data and when do we delete/anonymize it?

Please see the “Data retention” section of each processing activity described in the points above.

If a user sends us a personal data deletion request to dpo@devrev.ai, we shall manually delete or anonymize their data, so that the data can no longer be linked to said user.

More information

Unless otherwise stated, we generally keep personal data for as long as it is listed under each “Data retention” section of each processing activity described in the points above.

As a rule, we generally store data for as long as it is necessary to fulfil the purpose for which the data had been collected, or for as long as legal obligation or regulation requires us to keep the data. After that, the data is deleted or anonymized, as mentioned above.

Please also note that our processors (see point 4.4.3 below) may retain certain data for up to 30 days after we receive and execute your account/data deletion request, after which the data will be hard deleted and unrecoverable (please refer to their privacy policies to learn more).

We may store data even after receiving a data deletion request as mentioned above, if legitimate interest or relevant laws allow us to do this (i.e. in order to negate a users capabilities of accessing the service after he has not paid the corresponding licensing and other fees, when a civil action exits in relation to which we might need these data in the course of the proceedings, etc.)

Our organisation undertakes to immediately remove any unnecessary data or data for which it has no legal grounds for processing/storing or regarding which the data retention periods have been exceeded.

4.4. Who might process your personal data and who do we share it with

4.4.1. Certain employees within our organisation or subsidiaries and affiliated organisations

Summary: Your personal data is processed by individual employees of our organisation or our external collaborators.

More information

Your personal data is processed by individual employees of our organisation or our external collaborators (hereinafter: “employees”). Employees of our organisation process only the personal data that they need for their work, but they can also share it with each other if their work tasks and the internal rules of our organisation allow them to do so. All of our employees are committed to confidentiality and the protection of personal data.

Based on certain corporate events or changes in the ownership or structure of our organisation (i.e. our company being acquired) your data may also be shared with our subsidiaries or affiliate companies (both present and future). This includes instances such as corporate divestitures, mergers, consolidations, acquisitions, reorganizations, or any other situation involving the transfer or disposal of our business or assets, as well as the business or assets of our affiliates/subsidiaries. This may also apply in the context of bankruptcy or similar proceedings.

4.4.2. Public authorities

In certain cases, as prescribed by applicable law, our organisation must hand over your personal data to the competent state authorities which may have explicit legal grounds for reviewing certain data in the context of criminal, financial, tax or other types of official procedures/supervision. In certain cases, our organisation is compelled to provide data to third parties if such an obligation to provide or disclose the data is imposed on our organisation by law or on the basis of a valid legal right of a third party (see point 4.2.1 of this notice).

4.4.3. Our processors/service providers

In addition to the employees in our organisation, employees of entities that we engage so that they help us achieve the processing purposes described in the various processing activity sections of notice (hereinafter: “processors/service providers”), may also process personal data as confidential and only within the scope of the data processing agreement/standard contractual clauses, which have been concluded/put in place in relation to the processors/service provider in question.

The processors/service providers may only process personal data in accordance with the relevant data processing agreement/standard contractual clauses, and may not use the data to pursue any other purpose or interest.

To obtain a detailed list of all of our processors/service providers, which data they process, the purposes we employ their processing/services for, as well as how we keep your data safe when engaging them, feel free to reach out to us at dpo@devrev.ai.

The processors/service providers with whom we cooperate for providing our products and services (as per section 2 and 3 of this notice) are:

a) Processors/service providers that we may engage in connection with data processing activities that relate to our websites, communication, sales and delivery of our products, our general marketing and other company operations;

More information

Cookie providers: We use third party necessary, analytical and advertising cookie providers which are listed in our dedicated Cookie Policy.

Payment facilitators: We use payment facilitators such as “Stripe”.

Our email messaging provider: We use the “SendGrid” or “Mailmodo” service to send all of our transactional or marketing emails. We may also use “SendGrid” or “Mailmodo” in order to obtain your cookie consent and input your contact and order information/invoices/delivery location data into the service (see the relevant parts of section 2 of this notice to learn more).

Our website/web store provider: Our website and its online store are built on and partially provided by “Vercel”, whereby you might be sharing your contact and order information/payment information as well as other potential information with these companies and their partners when purchasing products or otherwise interacting with our website (see the relevant parts of section 2 of this notice to learn more).

To obtain a detailed list of all of our processors/service providers, which data they process, the purposes we employ their processing/services for, as well as how we keep your data safe when engaging them, feel free to reach out to us at dpo@devrev.ai.

More information

b) Other companies or individual consultants we may engage or cooperate with in the provision of our services that may need access to certain parts of your data

More information

  • Consultants who cooperate with our organisation on the basis of relevant business and data processing agreements so that they can provide us with their accounting, legal, marketing, HR and other consulting services.
  • External IT system maintenance providers and/or platform/service developers who cooperate with our organisation on the basis of relevant business and data processing agreements that may gain limited access to our back-end or databases. Where such entities are from third countries (i.e. countries where the GDPR is not applicable) sufficient data safeguards (such as agreements containing standard contractual clauses) have been put in place.

To gain more information on other apps and plugins we might use in connection with the DevRev service please reach out to us at dpo@devrev.ai.

4.5. Processing special categories of personal data

We do not knowingly process special categories of personal data. If it comes to our attention that special category data is inputted into our system we shall delete them as soon as possible.

4.5.1. Engaging contractual processors/service providers have their place of business registered in the USA or in other “third countries”

Summary: The sale of our products and the provision of our services also require that we engage contractual processors/service providers as specified in sections 2 to 3 and point 4.4, whereby many of these processors/service providers have their place of business registered in the USA (or in other non-EEA countries where the GDPR is not applicable or where the requirements of the GDPR are not adequately reflected in national privacy laws, as the case may be).

More information

As stated above, many of our processors/service providers have their place of business registered in the USA (or in other non-EEA countries where the GDPR is not applicable or where the requirements of the GDPR are not adequately reflected in national privacy laws, as the case may be) (hereinafter: “third countries”).

As stated above, we thereby regularly engage contractual processors/service who may process personal data on our behalf in third countries, whereby we only do so with the appropriate safeguards in place so that your data is safe and your data subject rights are respected.

Following decision C-311/18 (Schrems II) of the CJEU and the fall of the EU-US Privacy Shield we have reached out to our US-based processors/service providers and decided on alternative safeguards on a case-by-case basis in accordance with the guidance of the European Data Protection Board.

Where we could not put in place such appropriate safeguards (such as standard contractual clauses, data encryption, automated data deletion intervals, etc.), we ask for your specific consent before processing/sharing your data or have engaged third party service provider, which have self-certified under the “Data Privacy Framework” (https://www.dataprivacyframework.gov). More details on third country service providers and the measures taken to ensure your rights can be found in point 4.4 of this notice.

In addition to the purposes and providers listed in sections 2, 3 and point 4.4 of this notice, your data may also effectively be considered as transferred (i.e. disclosed) in the following situations, where we might have legitimate interests in buying/selling our assets in connection with entities that are registered in third countries:

  • If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets that may be registered in a third country (whereby we shall only do so if all applicable confidentiality and security requirements are offered to us by any potential buyer and their organisation). Please note that we shall only do so if all applicable confidentiality and security requirements are offered to us by any potential buyer and their organisation and shall never disclose any data in this way if the processing of such data had been carried out on the basis of your explicit consent.
  • If all or a substantial part of our assets are acquired by a third party that may be registered in a third country whereby our assets may include parts of your data. Please note that we shall only do so if all applicable confidentiality and security requirements are offered to us by any potential buyer and their organisation and shall never disclose any data in this way if the processing of such data had been carried out on the basis of your explicit consent.

Your data may also effectively be considered as transferred (i.e. disclosed) if we are required on the basis of EU law or the law of a Member State to disclose or share your personal data with an international organisation / public authority or other entity that might be registered in a third country, whereby we are required to do so to comply with a legal obligation.

4.6. What rights do you have in connection with your personal data and how can you exercise them?

You can contact us at any time and without hesitation at dpo@devrev.ai in connection with this notice or regarding the processing of your personal data by our organisation and our processors/service providers.

You can also contact us at the email mentioned above in order to send us your specific requests and for exercising your other rights which relate to your personal data and applicable local legislation or the GDPR. If we have reasonable doubts concerning your identity, we may request additional information to verify your identity.

As a data subject of the EEA, the GDPR gives you the opportunity to exercise the following rights with our organisation as the controller of your personal Data: Right of access, Right to rectification, Right of objection, Right to data portability, Right to restrict data processing, Right of erasure (“right to be forgotten”), Right to refuse or withdraw consent, Automated decision-making, Right to lodge a complaint with a supervisory authority.

More information

Right of access

You have the right to obtain confirmation from us on whether personal data or personally identifiable information is being processed by us or our processors/service providers and the right to obtain a copy of your personal data that is being processed.

Right to rectification

You have the right to request the rectification of inaccurate personal data and to have incomplete data completed.

Right of objection

You have the right to object to the processing of your personal data for compelling and legitimate reasons relating to your particular situation, except in cases where legal provisions expressly provide for that processing. You also have the right to object/opt out of the processing of your personal data for direct marketing purposes by clicking on the unsubscribe link at the bottom of our marketing emails or by contacting us at dpo@devrev.ai.

Right to data portability

You have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format, and have the right to transmit it to other data controllers without hindrance. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.

Right to restrict data processing

You have the right to request the restriction of processing your personal data in certain cases.

Right of erasure (“right to be forgotten”)

You may request to erase your personal data if (i) it is no longer necessary for the purposes for which we had collected it, (ii) you have withdrawn your consent and no other legal ground for processing exists, (iii) you objected and no overriding legitimate grounds for processing exist, (iv) the processing is unlawful, or (v) erasure is required to comply with a legal obligation.

Right to refuse or withdraw consent

In case we request your consent for processing, you are free to refuse it and can withdraw it at any time without any adverse negative consequences by contacting us at dpo@devrev.ai. The lawfulness of any processing of your personal data that occurred prior to the withdrawal of your consent will not be affected.

Automated decision-making

Under the GDPR you have the right not to be subject to decisions based solely on automated processing and have the right to be given more information about why any such decision has been made. Note that this is currently not applicable to our processing activities (see 4.8 of this notice).

Right to lodge a complaint with a supervisory authority

If you believe that the processing of personal data performed in connection with you by our organisation as the controller violates personal data protection regulations, you may, without prejudice to any other (administrative or other) remedy, lodge a complaint with the supervisory authority, in particular in the country where you have your habitual residence, your place of work or where the infringement is alleged to have taken place.

In the Republic of Slovenia (the country where the EEA representative entity of DevRev (namely DevRev, razvoj programske opreme, d.o.o. is located) the authority is the:

  • Information Commissioner (Informacijski pooblaščenec), Dunajska 22, 1000 Ljubljana, Slovenia, EU, email: gp.ip@ip-rs.com, phone: +38612309730, website: www.ip-rs.com.

A list of other EU supervisory authorities and their contact information can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en#.

4.7. Processing the personal data of persons under 16 years of age

Our organisation does not knowingly collect or otherwise process the personal data of persons under 16 years of age, as our products and services are not intended or directed towards such persons. However, our organisation may collect personal data regarding children below the age of 16 years of age directly from their parent or guardian, and with that person’s explicit consent.

If our organisation subsequently finds out that it has processed the personal data of such a person without the consent of their parent or guardian, our organisation shall do everything necessary to delete all provided personal data.

At the address dpo@devrev.ai, the above described persons or their parents or guardians shall be able to submit their requests for the deletion of the data concerned at any time.

4.8. Who can you contact for further clarification regarding the processing of personal data in our organisation and regarding your rights?

You can contact us at any time and without hesitation at dpo@devrev.ai.

4.9. Security and protection of personal data

Summary: Our organisation carefully stores and protects personal data through organisational, technical and logical procedures and measures to protect data from accidental or intentional unauthorised access, destruction, alteration or loss, and unauthorised disclosure or other form of processing not explicitly stated in sections 2, 3 and point 4.4, or to which you have not expressly consented to.

More information

To this end, our organisation has also adopted appropriate internal processes and set up various measures (e.g. assigning, using and changing passwords, locking premises, offices, server and workstation locations, regularly updating software and upgrading security-critical components, the physical protection of materials/data carriers containing personal data in specially designated places, the training of employees, etc.). Our organisation also demands these security commitments from its contractual processors.

5. Privacy information for California residents

5.1. Applicability of this section

If you are a California resident (as defined in section 17014 of Title 18 of the California Code of Regulations), California law requires us to provide you with some additional information regarding your rights with respect to your “personal information” as defined in the CCPA.

5.2. Information on whether we disclose or sell personal data of CA residents

Summary: In the preceding twelve (12) months we have not sold any personal data from the last update to this notice.

Based on your cookie/browser/analytics preferences when visiting our website and/or using our services (and potentially on our partners websites), we may have disclosed personal information that relates to your device/browser identifiers and internet activity data to our third party advertisers in connection with showing you targeted advertisements across the web (please see our dedicated cookie policy to see when this might have been applicable).

In addition, we may have also disclosed to or allowed third parties to collect personal data from you on our websites and/or our services when we engage such third parties as subprocessors in the provision of our services to you (see section 4.4.3 of this notice) whereby such third-party subprocessors/service providers have concluded data processing agreements with us (or offered similar safeguards) to ensure your rights are respected. We may have also been required to disclose certain information under applicable legal or contractual obligations (see section 4.4. of this notice).

More information

As a business subject to the CCPA, we have not sold any personal data in the last 12 months from the last update of this notice.

Under the CCPA, businesses are also required to disclose whether they sell or share personal data, whereby the sharing of personal data may include giving access to personally identifiable information (such as your IP or device ID) to third parties in the context of cross-site behavioural advertising by using cookies or similar technologies.

Based on your cookie/browser/analytics preferences when visiting our website and/or using our services (and potentially on our partners websites), we may have disclosed personal information that relates to your device/browser identifiers and internet activity data to our third party advertisers in connection with showing you targeted advertisements across the web. Please see our dedicated cookie policy to learn when this might had been applicable and what data had been collected or shared and with whom.

California law also mandates that we specify the categories of personal data that are disclosed for our specific "business purposes." These purposes include situations when we engage third parties as subprocessors in the provision of our services to you (see section 4.4.3 of this notice).

In connection with our business purposes and when offering you our services, we may have disclosed the following categories of personal data if the relevant underlying situation arose during our interactions (e.g. if you had consented to our use of cookies, if you had purchased products or services from us, if we engage third parties for billing and accounting purposes in relation to you as our customer, if you have volunteered the information during signup or when negotiating a sale with our representatives, as the case may be):

  • Identifiers;
  • Commercial information
  • Internet activity;
  • Financial information;
  • Professional and employment-related information;
  • Geolocation data;
  • Audio and visual data;
  • In limited circumstances where allowed by law, information that may be protected characteristics under California or United States law; and
  • Inferences drawn from any of the above information categories.

5.3. Information on the rights of CA residents

Summary: The CCPA provides Californian residents with the following rights: Right to know, Right to delete, Right to opt out, The right to non-discrimination.

More information

Right to know (i.e. request disclosure of any personal information we have collected about you).

You have the right to request the disclosure of the categories of personal information we have collected from you, along with the categories of sources from which they have been collected, the purpose of their collection, the categories of third parties with whom we have shared your personal information (“Categories Report”), and the specific pieces of personal information that have been collected (“Specific Pieces Report”).

You may request that we disclose which personal information we have collected, used, shared, or sold in relation to you, and why we have collected, used, shared, or sold that information. Specifically, you may request that we disclose:

  • The categories of personal information collected.
  • Specific pieces of personal information collected.
  • The categories of sources from which we have collected the personal information.
  • The purposes for which we have used the personal information.
  • The categories of third parties with whom we have shared the personal information.
  • The categories of information that we sell or disclose to third parties.

We shall provide you this information for the 12-month period preceding your request. We shall provide you this information free of charge.

To request the above stated information, please send your request to dpo@devrev.ai. Please allow 45 days for our response. For your protection and the protection of all of our users, we may ask you to provide proof of identity before we can oblige such a request.

Right to delete (i.e. request deletion of any personal information that we have collected from you).

After we have verified your request to delete your personal information, we shall delete it from our servers/records and direct any of our processors/service providers to delete your personal information from their servers/records, except when certain exemptions from the relevant parts of the CCPA are applicable, namely in cases where the personal information is necessary so that we may continue to provide our services (i.e. when the data do not contain any personally identifiable information) and in order to detect security incidents, to identify and repair errors that impair existing intended functionalities of our products and services.

Right to opt out (of the sale of your personal information).

You may request that we stop selling your personal information, whereby this is currently not applicable as we do not currently sell any personal information.

The right to non-discrimination (when exercising your CCPA rights).

We will not discriminate against you in any manner prohibited by applicable law for exercising your CCPA rights (as listed above).

5.4. Information on how CA residents may contact us in order to exercise their rights

If you wish to opt-out from any of our data sharing activities, please reach out to us at dpo@devrev.ai. You can also exercise any other rights under the CCPA via this email or by contacting us through our phone number +1 (919) 452 7053.

6. Document version and updates

Version and date of the last update of this notice

The text of this notice represents version 2.1. of this document.

Please reach out to us at dpo@devrev.ai in order to receive the previous version of this document.

This notice was last updated on 13th of December, 2024.

S.noParticulars
1.Version 1.0: Initial version of this Privacy policy. active from the 1st of July, 2024 till November 12, 2024.
2.Version 2.0: Added section “3.4. When using the Plug Observability feature in connection with our products and services” and minor grammatical changes. Active from November 12, 2024 till November 29, 2024.
3.Active version - Version 2.1.: Added the clarification that we do not retain DevRev user data obtained through Google Workspace APIs to develop, improve, or train generalized AI and/or machine learning models under section 3.2. When signing up or signing in to the DevRev service as a user by providing your email and login credentials. Also added additional clarifications and changes to the table in section 3.1. Data we process as “processors” when offering the DevRev service and its features to our customers (i.e. DevRev users that are acting as individual data “Controllers”). Also removed “research purposes” and changed the wording of the “Right to delete” section so that it explicitly mentions anonymised data under section “5.3 Information on the rights of CA residents”. Active from the 13th of December, 2024.