DevalandDevalandAI Deal OS

Privacy Policy

Last updated: June 2026

This Privacy Policy explains how DEVALAND MARKETING S.R.L. ("Devaland", "we", "us") handles personal data in connection with the Devaland website (devaland.com) and the Devaland AI Deal OS platform (os.devaland.com).

Who Is the Data Controller

  • Account & contact data: for the data you give us to create an account or contact us, Devaland is the data controller.
  • Documents you upload into a workspace (CIMs, financials, and similar) may contain personal data. For these, your organisation is the controller and Devaland acts as a processor on your instructions.
  • Client platforms in done-for-you services: when you engage us for services such as Shopify store work, you may authorize us to access your store or platform. Any personal data we process there (for example store, product, or customer data) is processed as a processor on your instructions, with your organisation as the controller, under our DPA.

For business customers acting as controllers of workspace data, our Data Processing Agreement (GDPR Article 28) applies automatically and is available to view at any time, no separate request needed.

Personal Data We Collect

  • Account data: your name, email address, and a securely hashed password.
  • Security & session data: IP address and browser type, kept with your login session to secure the service and prevent abuse.
  • Uploaded documents: the deal documents and data you add to your workspace, processed to provide the diligence features you request.
  • Billing data: handled by Stripe; we store a Stripe customer ID and subscription status, not card numbers.
  • Contact data: if you email us or submit a form, the details you provide.

AI Processing

To generate a brief, relevant excerpts of the documents in that workspace are sent to Anthropic (our AI provider) to produce source-cited output. These excerpts are processed only to fulfil your request and are not used to train AI models. Every claim in a brief must quote your source document and is verified before you see it.

In-App Support Assistant

When you use our in-app support assistant, we store a redacted, truncatedversion of your question, financial-looking figures are masked and long pasted text is removed, together with which help articles matched, never the full verbatim content. These logs are tied to your workspace and user, are used only to improve our documentation and support, and are automatically deleted after 90 days. The assistant answers only from our published help articles and does not access your deal documents.

Analytics & cookies: We do not run analytics, advertising, or session-recording trackers anywhere on our website. We do not use Google Analytics, the Meta (Facebook) Pixel, Microsoft Clarity, Hotjar, or LinkedIn Insight. The only thing we store in your browser is your cookie-consent choice, see our Cookie Policy.

Why We Process Your Data

We process account and workspace data to provide the service under our contract with you; security and session data under our legitimate interest in keeping the service safe; billing data to take payment; and any marketing email only with your consent (you can unsubscribe at any time). We keep collection to the minimum needed.

Processors & Sub-processors

We use a small number of vetted providers to operate the service:

  • Anthropic, AI generation of diligence briefs (document excerpts).
  • Stripe, payment processing and subscription billing.
  • Google Workspace, transactional and account email.
  • Hosting provider, server hosting and encrypted backups.

International Data Transfers

As a Romanian company we comply with the GDPR. Some of our providers are located in the United States; where data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses or other lawful safeguards to keep it protected.

Data Retention

We retain account and workspace data while your subscription is active. After cancellation we keep your workspace data for a 30-day wind-down period so you can export it, then delete it (sooner on request). Encrypted backups roll off on a fixed cycle, daily backups within about 14 days and weekly backups within about 8 weeks, and offsite backup copies are deleted after 30 days. Support-assistant logs are deleted after 90 days. Marketing data is kept until you unsubscribe.

Your Rights Under GDPR

  • Be informed: know what data we hold and how we use it.
  • Access & portability: request a copy of your data in a usable format.
  • Rectification: have inaccurate data corrected.
  • Erasure: request deletion of your personal data.
  • Restriction & objection: ask us to pause processing, or object to it (including marketing).
  • Lodge a complaint: you can complain to a data-protection supervisory authority, in Romania, the National Supervisory Authority for Personal Data Processing (ANSPDCP, dataprotection.ro), or to the authority in your country of residence.

Where your organisation is the controller of workspace documents, we act on the controller's instructions for such requests. Workspace administrators can also request a data export or deletion from Settings → Privacy & data in the app. We action verified requests within 30 days; we do not automatically delete a live, paying workspace, but we record an audited request and confirm completion by email. To exercise any right you can also email us at the address below.

Security

Traffic is encrypted in transit (TLS), session cookies are HTTP-only and Secure, each client workspace is isolated at the database and file level, and backups run on a regular schedule. We never log credential values.

Personal-Data Breach Notification

If a personal-data breach occurs, we act in accordance with applicable data-protection law, including GDPR Articles 33–34. Where we are required to notify the competent supervisory authority, we do so without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to your rights and freedoms, we also inform affected customers without undue delay.

Contact

For any privacy question or to exercise your rights, email office@devaland.com.