Privacy Policy

Effective Date: April 2026 · Version 1.0

The protection of your personal data is a core concern for us. This Privacy Policy informs you in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR) about how, why, and on what legal basis we process your data.

1. Data Controller and Contact

The data controller within the meaning of the GDPR for the processing of your personal data is:

DEV Automations
Hoteser Weg 8
47918 Tönisvorst, Germany

Email: david@dev-automations.com
Website: www.dev-automations.com

If you have any questions about data protection, you can contact us at any time by email at david@dev-automations.com. We reserve the right to appoint an external Data Protection Officer upon recommendation of the data protection authority or when the relevant thresholds are met. Currently, no legally required Data Protection Officer has been appointed.

2. Overview of Data Processing

DEV Automations processes personal data in the following contexts:

  • Website Operation: Technical usage data when visiting our website (web server logs, cookies).
  • Customer Management (CRM): Contact details, company information, and communication history of prospects and customers.
  • Contract Processing: Billing and payment data to fulfill existing contracts.
  • Platform Usage: Usage data, telemetry, and log data from our AI automation platform.
  • AI Systems: Data processed through our AI agents (chatbot, voice, email), including conversation content.
  • Marketing: Email communications and newsletters (only with explicit consent).

We process only the data that is necessary to achieve the respective processing purpose (principle of data minimisation). Processing for other purposes only takes place if it is compatible with the original purpose, you have given consent, or there is a legal basis.

4. Categories of Data Collected

Depending on the nature of your use of our services, we collect the following categories of personal data:

Master Data: Name, first name, company, position/function, industry
Contact Data: Email address, phone number, postal address
Contract Data: Type of contract, scope of services, contract duration, offer history
Payment Data: Billing address, payment method (processed via Stripe, without storing full card details on our side)
Usage Data: API calls, usage duration, accessed features, error logs, timestamps
Communication Data: Emails, chat transcripts, voice transcripts within AI automations (potentially on behalf of the customer)
Technical Data: IP address, browser type, operating system, device information, voice queries to our AI systems

We do not process special categories of personal data within the meaning of Art. 9 GDPR (e.g., health data, biometric data, political opinions) unless this is exceptionally required as part of our service and explicit consent has been given.

5. Website Usage and Cookies

Server Logs: When you visit our website, our web server automatically stores access logs (web server logs). These contain the IP address, date and time of access, the URL accessed, the HTTP status code, and (if present) the referrer URL. This data is processed exclusively for technical operational security, error diagnosis, and to defend against attacks. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in operational security). Logs are deleted after a maximum of 7 days.

Cookies: We use cookies and similar technologies. We distinguish between:

  • Technically Necessary Cookies: These are strictly required for the operation of the website (e.g., session cookies, CSRF protection). They are set without your consent. Legal basis: Art. 6(1)(f) GDPR.
  • Analytics Cookies: With your consent, we may use anonymized analytics data (e.g., to measure page views) to improve our website. Legal basis: Art. 6(1)(a) GDPR.
  • Marketing Cookies: Currently, no third-party marketing or tracking cookies are set.

You can disable or delete cookies in your browser settings at any time. Please note that disabling technically necessary cookies may impair the functionality of the website.

Google reCAPTCHA: On certain forms on our website, we use the CAPTCHA service "reCAPTCHA" provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). This service processes technical data from your browser (including your IP address) and uses cookies to distinguish automated requests from human ones. The data may be transmitted to Google servers in the USA. The legal basis is our legitimate interest in preventing spam and automated abuse (Art. 6(1)(f) GDPR). Google is certified under the EU-US Data Privacy Framework. Please refer to Google's privacy policy at policies.google.com/privacy.

6. Contact and Forms

When you contact us via our contact form or by email, the data you provide (name, email address, company, message) is stored and processed by us to handle your inquiry. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measures) and, if applicable, Art. 6(1)(f) GDPR (legitimate interest in processing inquiries).

Demo Bookings: When you initiate a demo request through our website, your contact details and the information you provide (e.g., company size, requirements) are used to prepare and conduct the demo. This data is stored in our CRM system and retained for a maximum of 24 months following the conclusion of the relevant sales activity, unless a contract relationship is established.

Newsletter: If you sign up for our newsletter, we use the so-called double opt-in procedure. After signing up, you will receive a confirmation email in which you must actively confirm your registration. The legal basis for sending the newsletter is your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time by unsubscribing via the unsubscribe link in the newsletter or by sending us an email.

7. AI-Supported Data Processing

As part of our AI automation solutions, personal data may be processed by automated systems (AI agents, chatbots, voice agents, email automations). This happens either:

  • On behalf of our customers (data processing pursuant to Art. 28 GDPR): When customers use our platform to process data of their own customers, employees, or partners, we act as a data processor. In this case, the customer is the controller. For this setup, we enter into a Data Processing Agreement (DPA) that fully meets the documentation requirements of the GDPR.
  • For our own purposes (as data controller): When we use AI-supported communication to process inquiries addressed to us.

Zero Data Retention at LLM Providers: We have concluded strict Data Processing Agreements with our AI model providers (e.g., OpenAI, Anthropic) ensuring that your data is not used for training foundation models. Prompt data and responses are only held in working memory at these providers for the duration of the API processing (typically a few seconds to minutes).

Automated Decision-Making: To the extent that our AI systems make automated decisions that have a legal or similarly significant effect on you, we will inform you separately and — where required — ensure a legal basis in accordance with Art. 22 GDPR. Upon request, you may request a manual review of automated decisions.

Transcripts: Chat and voice transcripts generated during AI interactions are stored by default for 30 days. Customers can configure different retention periods in their workspace settings.

8. Data Processors (Subprocessors)

To provide our services, we engage carefully selected service providers who process personal data on our behalf (processors pursuant to Art. 28 GDPR). We have entered into appropriate contracts with each processor ensuring compliance with the GDPR and an equivalent level of data protection.

Provider | Purpose | Location
AWS (Amazon Web Services) | Cloud infrastructure, data storage | EU (Frankfurt)
OpenAI | AI language models (LLM) | USA (SCCs + DPA)
Anthropic | AI language models (LLM) | USA (SCCs + DPA)
Stripe, Inc. | Payment processing | USA (SCCs + DPA)
Cloudflare | CDN, DDoS protection | USA (DPF-certified)
Google Ireland Limited | reCAPTCHA Spam Protection | USA/EU (DPF-certified)
n8n | Workflow automation (self-hosted) | EU / own infrastructure

This list is subject to change. The current, complete subprocessor list is available upon request. In the event of material changes to the subprocessor list, customers with a DPA will be informed in advance by email.

9. International Data Transfers

Some of our processors are located in third countries outside the European Economic Area (EEA), particularly in the USA. For these transfers, we always ensure an adequate level of data protection through:

  • EU Standard Contractual Clauses (SCCs): Pursuant to the EU Commission's implementing decision (Decision 2021/914).
  • EU-US Data Privacy Framework (DPF): For US providers certified under this adequacy decision (e.g., Cloudflare).
  • Adequacy Decisions by the EU Commission: For countries for which a valid adequacy decision exists.

Upon request, we will provide you with the relevant safeguards (e.g., copies of the SCCs). Please contact us at david@dev-automations.com.

10. Retention Periods and Deletion

We store personal data only as long as necessary for the respective processing purpose or as required by statutory retention obligations:

  • Customer data (active contracts): For the duration of the contractual relationship plus statutory retention periods (generally 10 years under commercial and tax law).
  • Prospects (without contract): Up to 24 months after the last contact.
  • AI transcripts: 30 days by default; configurable by customers (minimum 7 days, maximum 180 days).
  • Server logs: Maximum 7 days.
  • Newsletter subscribers: Until withdrawal of consent, followed by immediate deletion.
  • Applicant data: Up to 6 months after the conclusion of the application process.

After the respective retention period expires, data is securely and irrevocably deleted or anonymized, provided no statutory retention obligation prevents this.

11. Your Rights as a Data Subject

Under the GDPR, you have the following rights, which you may exercise against us at any time:

Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether we are processing personal data concerning you, and if so, to receive information about such data.
Right to Rectification (Art. 16 GDPR): You have the right to demand the immediate correction of inaccurate or the completion of incomplete personal data concerning you.
Right to Erasure (Art. 17 GDPR): You have the right, under certain conditions, to demand the immediate deletion of your personal data (right to be forgotten).
Right to Restriction (Art. 18 GDPR): You have the right, under certain conditions, to demand restriction of the processing of your data.
Right to Data Portability (Art. 20 GDPR): You have the right to receive the data you have provided in a structured, commonly used, machine-readable format and to transfer it to another controller.
Right to Object (Art. 21 GDPR): You have the right, on grounds relating to your particular situation, to object at any time to processing of your data based on a legitimate interest. For direct marketing, you have an unconditional right to object.
Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time with effect for the future without affecting the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with the competent data protection supervisory authority for your place of residence or our registered office.

To exercise your rights, please contact us in writing or by email at david@dev-automations.com. We will respond to your request within 30 days. For complex requests or high volumes, we may extend this period by up to 2 months, of which we will inform you. Identification may be required to process your request.

12. Data Security

We implement appropriate technical and organisational measures (TOMs) pursuant to Art. 32 GDPR to protect your personal data against unauthorised access, loss, destruction, or manipulation. Our security measures include, in particular:

  • Encryption: All data transmissions use TLS 1.3. Data at rest is encrypted (AES-256).
  • Access Controls: Role-based access management (RBAC), multi-factor authentication (MFA) for administrators, and the principle of least privilege.
  • Monitoring: Continuous security monitoring, intrusion detection systems, and regular penetration tests by external specialists.
  • Backup & Recovery: Daily encrypted backups with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
  • Employee Training: Regular data protection and IT security training for all employees.
  • Incident Management: A defined process for reporting and handling data breaches. Reportable incidents are notified to the competent supervisory authority within 72 hours (Art. 33 GDPR).

13. Minors

Our services are directed exclusively at businesses and persons who have reached the age of 18. We do not knowingly collect personal data from minors under the age of 18. Should we learn that data of a minor has been inadvertently stored, we will delete it immediately. If you are a parent or guardian and believe your child has submitted data to us, please contact us at david@dev-automations.com.

14. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in legal requirements, technological developments, or new processing activities. The current version is always available on our website. For material changes that affect your rights, we will inform you in advance by email. We recommend reviewing this Privacy Policy regularly.

The current version of this Privacy Policy was last updated in April 2026.
