Privacy Policy
Last updated: March 27, 2026
1. Introduction
devto (“we”, “us”, “our”) operates the devto platform, including the web dashboard at devto.ai and the devto-mcp CLI package published on npm. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services.
2. Information We Collect
We collect the following categories of information:
- Account information: Email address, name, and authentication credentials provided through Clerk (our authentication provider).
- Workspace configuration: Your project management tool instance URL (e.g. Jira), project keys, and email address used for workspace connection. API tokens for connected tools are encrypted with AES-256-GCM before storage.
- Usage data: Action counts, feature descriptions submitted for planning, and API activity logs. These help us enforce plan limits, detect abuse, and improve the product.
- Analytics: Anonymous usage analytics collected via PostHog, including page views and feature engagement. You can opt out of analytics via browser settings.
- Payment information: Billing details are collected and processed by Stripe. We do not store your credit card number, CVC, or full card details on our servers.
- Support communications: Messages submitted through in-app support tickets or the contact form, including your email address and message content.
3. Information We Do NOT Collect
- Source code: We never access, transmit, or store your source code. The devto MCP server runs locally on your machine.
- Anthropic API keys: Your Anthropic API key is stored locally on your machine (in ~/.devto/config.json or your project’s .devto/config.json). It is never sent to our servers.
- AI prompts and responses: All AI interactions happen directly between your machine and Anthropic’s API. We do not proxy, log, or store these communications.
- Repository contents: We have no access to your git repositories, branches, commits, or pull requests.
4. How We Use Your Information
- To provide, operate, and maintain the devto service
- To authenticate your identity and authorize API access
- To enforce usage limits on free-tier accounts
- To process payments and manage subscriptions through Stripe
- To send transactional emails (team invitations, support responses, account notifications)
- To detect, investigate, and prevent abuse or fraudulent activity
- To monitor and improve service performance and reliability
- To respond to support requests and communicate with you about the service
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the service you signed up for.
- Legitimate interests: Fraud prevention, service improvement, and security monitoring.
- Consent: Analytics tracking, which you can opt out of at any time.
6. Data Storage and Security
Data is stored in PostgreSQL hosted on Railway with tenant isolation enforced at the application layer. All queries are scoped to the authenticated tenant’s ID.
- Sensitive credentials (workspace API tokens) are encrypted with AES-256-GCM using a server-side encryption key
- API keys are stored as SHA-256 hashes and cannot be reversed
- All data is transmitted over HTTPS/TLS
- API endpoints are rate-limited (60 requests/minute) to prevent abuse
- Database backups are maintained by Railway’s infrastructure
7. Third-Party Services
We use the following third-party services that may process your data:
- Clerk — Authentication and user management (privacy policy)
- Railway — Database hosting and application deployment (privacy policy)
- Stripe — Payment processing (privacy policy)
- Resend — Transactional email delivery (privacy policy)
- Sentry — Error monitoring and performance tracking (privacy policy)
- PostHog — Product analytics (privacy policy)
We do not sell your data to any third party. Data shared with third-party services is limited to what is necessary for them to provide their services.
8. Cookies and Tracking
We use the following cookies and similar technologies:
- Authentication cookies: Set by Clerk to maintain your session. These are essential for the service to function.
- Theme preference: Stored in localStorage to remember your light/dark mode choice. No data is sent to our servers.
- Analytics: PostHog may set cookies for anonymous usage tracking. You can opt out via your browser’s Do Not Track setting.
We do not use advertising cookies or retargeting pixels.
9. Data Retention
- Account data: Retained for the lifetime of your account.
- Activity logs: Retained for 12 months, then automatically purged.
- Support tickets: Retained for the lifetime of your account.
- Payment records: Retained by Stripe in accordance with financial regulations.
When you delete your account, all associated data (tenant configuration, API keys, activity logs, support tickets, and team memberships) is permanently deleted via cascading database deletes. This deletion is irreversible.
10. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (you can also self-serve this through dashboard settings).
- Export: Request a machine-readable export of your data.
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
You can exercise most of these rights directly through the dashboard settings. For data export requests or any other privacy concerns, contact us at privacy@devto.ai. We will respond within 30 days.
11. International Data Transfers
Our services are hosted in the United States and Europe. If you access devto from outside these regions, your data may be transferred to and processed in these locations. We rely on our service providers’ data processing agreements and standard contractual clauses to ensure appropriate safeguards for international transfers.
12. Children’s Privacy
devto is not intended for use by children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the dashboard or email at least 14 days before taking effect. Continued use of the service after changes constitutes acceptance of the updated policy. The “Last updated” date at the top of this page indicates when this policy was last revised.
14. Contact
For privacy-related questions or to exercise your data rights, contact us at privacy@devto.ai.