GDPR Policy

Introduction

This GDPR Policy explains how Devta ("we," "our," or "us") processes personal data in accordance with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA) and the United Kingdom. This policy supplements our Privacy Policy and applies specifically to individuals covered by the GDPR.

Data Controller Information

For the purposes of the GDPR, we are the data controller responsible for your personal data. Our contact details are:

Company Name: Devta Technologies, Inc.
Address: 123 Tech Plaza, Suite 400, San Francisco, CA 94103
Email: gdpr@devta.so
Data Protection Officer: privacy-team@devta.so

Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract: Processing necessary for the performance of a contract with you or to take steps at your request before entering into a contract
• Consent: Processing based on your specific, informed, and unambiguous consent
• Legitimate Interests: Processing necessary for our legitimate interests or those of a third party, provided these interests are not overridden by your interests or fundamental rights and freedoms
• Legal Obligation: Processing necessary for compliance with a legal obligation to which we are subject

We will always be transparent about which legal basis we rely on for each processing activity.

Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right to Access: You can request a copy of your personal data that we hold
• Right to Rectification: You can request correction of inaccurate or incomplete personal data
• Right to Erasure: You can request deletion of your personal data in certain circumstances
• Right to Restrict Processing: You can request restriction of processing of your personal data
• Right to Data Portability: You can request transfer of your personal data in a structured, commonly used, and machine-readable format
• Right to Object: You can object to processing based on legitimate interests, direct marketing, or research/statistical purposes
• Rights Related to Automated Decision Making: You can request human intervention in automated decision-making processes that significantly affect you
• Right to Withdraw Consent: You can withdraw consent at any time where we rely on consent as the legal basis for processing

How to Exercise Your Rights

To exercise any of your rights under the GDPR, please contact us at gdpr@devta.so. We will respond to your request within one month. This period may be extended by up to two additional months if necessary, taking into account the complexity and number of requests.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and whether we can achieve those purposes through other means, as well as applicable legal requirements.

International Transfers

We may transfer your personal data to countries outside the EEA or UK. When we do so, we ensure a similar degree of protection is afforded to your data by implementing appropriate safeguards, such as using Standard Contractual Clauses approved by the European Commission or UK authorities, or relying on adequacy decisions where available. If you would like more information about the specific mechanism we use when transferring your personal data, please contact us at gdpr@devta.so.

Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when processing is likely to result in a high risk to the rights and freedoms of individuals, particularly when using new technologies or considering processing on a large scale. These assessments help us identify and minimize data protection risks.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach. We will also notify you directly if the breach is likely to result in a high risk to your rights and freedoms.

Updates to This Policy

We may update this GDPR Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated policy on our website with a new "Last Updated" date.

Complaints

If you have concerns about our processing of your personal data, please contact us first at gdpr@devta.so so that we can address your concerns.

You also have the right to lodge a complaint with a supervisory authority in the EU member state or UK where you reside, work, or where an alleged infringement of data protection law has occurred.