Privacy Policy

Last Updated: 13 November 2025

Dev Sav ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service (the "Service").

We are based in the United Kingdom and act as a "data processor" for your Service Data and a "data controller" for your Personal Data under UK GDPR.

1. Information We Collect

We collect two types of information:

• Personal Data: This is information that identifies you as an individual.
  • From our Website: If you use the "Contact Us" form, we collect your email address and name to respond to you.
  • From our Service: When you sign up, we collect your Name, Email, Company Name, and a Hashed Password.
  • From our Billing Provider: We use Stripe to process payments. We do not receive or store your credit card details. We only receive a token and confirmation of your subscription.
• Service Data: This is non-personal data generated from your use of the Service.
  • Cloud Configuration: We process resource inventory, states, tags, and pricing information from your connected cloud account.
  • We DO NOT Process: We never scan, process, or store any of your customer content, user data, or any other Personal Identifiable Information (PII) from within your cloud resources.

2. How We Connect to Your Cloud

We are committed to the principle of least privilege. We connect to your cloud account using secure, temporary credentials via AWS AssumeRole with an external ID. We do not require or store permanent AWS Access Keys.

• Scanner Role: The primary role you grant us is read-only.
• Executor Role (Optional): If you enable automation, you grant a separate, write-access role with a tightly-scoped policy limited to the actions required by the Service (e.g., starting/stopping instances).

3. How We Use and Store Your Data

• To Provide the Service: We use your Personal Data to create your account and your Service Data to generate plans and execute approved actions.
• Audit Logs: A key feature of our Service is transparency. By default, all audit logs and plans are written directly to an S3 bucket in your own cloud account. You have full control over this data and its retention policy.
• Service Improvement: During your free trial, we may use de-identified and aggregated Service Data (e.g., "planning engine proposed to stop 10 't2.micro' instances") to improve our planning algorithms. We never store your raw inventory. You may opt-out of this.
• Service Logs: We keep minimal, internal service logs (e.g., "Plan generation for customer X failed") to monitor and debug our Service. These logs are retained for 30 days.

4. Sub-processors

We use a minimum number of third-party services:

• Stripe: For payment processing.

No sub-processor has access to your cloud credentials or raw Service Data.

5. Your Data Rights

In line with UK GDPR, you have the right to:

• Access, Correction, Deletion: You may access, update, or request deletion of your Personal Data (your account info) at any time.
• Export: You can export your audit data at any time from your S3 bucket.

6. Security

We encrypt all data in transit (TLS) and at rest. All sensitive information (like your role ARNs) is encrypted and stored in a secure vault.

7. Contact Us

If you have any questions about this Privacy Policy, please contact us at support@devsav.com.