Privacy Policy
Last updated: April 7, 2026
1. Introduction
DevMatrix ("we", "our", "us") operates the DevMatrix platform at app.devmatrix.dev and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Data Controller
DevMatrix is the data controller for personal data processed through the Service.
- Entity: DevMatrix
- Location: Marbella, Spain
- Email: [email protected]
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (hashed, never stored in plaintext)
- Profile image (if provided via OAuth)
- Organization name (if applicable)
3.2 Authentication Data
We support Google OAuth and email/password authentication. When using Google OAuth, we receive your name, email, and profile picture from Google. We do not access your Google contacts, calendar, or any other Google service data.
3.3 Usage Data
We automatically collect:
- IP address and approximate geolocation
- Browser type and version
- Device type and operating system
- Pages visited and features used
- Compilation requests and their metadata (timestamps, status, module count)
- Session duration and frequency
3.4 Compilation Data
When you use the compiler, we process your DMX specifications to generate code output. Your specifications and generated code are stored within your organization's isolated environment and are not shared with other users or organizations.
3.5 LLM Interaction Data
When you use the Workshop's LLM-assisted features, your prompts and the LLM responses are transmitted to the third-party LLM provider you configure (e.g., Anthropic, OpenAI, Google). We store chat session history to provide conversation continuity. Your LLM API keys are encrypted at rest using industry-standard encryption (Fernet/AES-128-CBC).
3.6 Payment Information
Payment processing is handled by Stripe. We do not store credit card numbers, CVVs, or full payment details on our servers. We retain only the information necessary for billing records (last four digits, expiration date, billing address).
4. How We Use Your Information
We use collected information to:
- Provide, operate, and maintain the Service
- Authenticate your identity and manage sessions
- Process compilations and generate code output
- Enforce access control and tenant isolation
- Send transactional emails (account verification, password resets, compilation notifications)
- Monitor and improve Service performance, reliability, and security
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Provide customer support
We do not sell your personal data. We do not use your compilation data or specifications to train machine learning models.
5. Legal Basis for Processing (GDPR)
We process your data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you subscribed to.
- Legitimate interests: Security monitoring, fraud prevention, and Service improvement.
- Consent: Marketing communications and optional analytics (you may withdraw consent at any time).
- Legal obligation: Compliance with tax, accounting, and regulatory requirements.
6. Data Sharing and Disclosure
We may share your information with:
- Infrastructure providers: Railway (hosting), Cloudflare (DNS/CDN), Neon/Supabase (database hosting) — under data processing agreements.
- LLM providers: Anthropic, OpenAI, or Google — only when you actively use the Workshop LLM feature, using your own API key. We act as a conduit; your data is governed by the respective provider's terms.
- Payment processor: Stripe — for subscription billing.
- Email service: Resend — for transactional emails.
- Law enforcement: When required by law, court order, or to protect our rights and safety.
We require all third-party service providers to respect the security of your personal data and to treat it in accordance with applicable law.
7. Data Retention
- Account data: Retained for the duration of your account. Upon deletion request, data is purged within 30 days.
- Compilation data: Retained for 12 months after creation, then automatically archived or deleted per your plan settings.
- Chat history: Retained until you delete it or close your account.
- Audit logs: Retained for 24 months for security and compliance purposes.
- Backup data: Purged within 90 days of the primary data deletion.
8. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-Level Security (RLS) for multi-tenant data isolation
- Role-Based Access Control (RBAC) with granular permissions
- Rate limiting and DDoS protection
- Regular security audits and vulnerability assessments
- Secrets management with encrypted key storage
- Secure session management with automatic expiry
- Multi-factor authentication (TOTP) support
9. Your Rights
9.1 GDPR Rights (EEA Residents)
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
9.2 CCPA Rights (California Residents)
- Know: Request disclosure of personal information collected, used, and shared.
- Delete: Request deletion of personal information.
- Opt-out: Opt out of the sale of personal information (we do not sell personal data).
- Non-discrimination: Exercise rights without discriminatory treatment.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA).
10. Cookies
We use the following cookies:
- Essential cookies: Session authentication cookies required for the Service to function. These cannot be disabled.
- Preference cookies: Theme and language preferences.
We do not use third-party advertising or tracking cookies.
11. International Data Transfers
Your data may be processed in the European Union and the United States. When data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
12. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete such information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service at least 30 days before the changes take effect.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
- Email: [email protected]
- General inquiries: [email protected]
- Address: DevMatrix, Marbella, Spain
You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) or your local supervisory authority.