1. Scope
This privacy policy applies to use of the Devctrl platform (console, API, and gateway) during the private beta. A separate Website Privacy Policy applies to visits to the informational website devctrl.ai. We process personal data only to the extent necessary to operate, secure, and improve the platform.
2. Data controller
The data controller under the GDPR is the operator named in the Imprint. For privacy-related questions, contact [email protected].
3. Hosting, authentication, and database (subprocessors)
We use the following external service providers on the basis of Art. 6(1)(b) GDPR (necessary for contract performance or pre-contractual steps) and Art. 6(1)(f) GDPR (legitimate interest in a secure, stable platform). All providers are based in the USA; transfers rely on Standard Contractual Clauses and, where certified, the EU-US Data Privacy Framework.
Railway (platform infrastructure hosting)
Railway Corp., 2261 Market St #4008, San Francisco, CA 94114, USA. Railway provides the application infrastructure and processes server log files and IP addresses.
Details: https://railway.app/legal/privacy
Cloudflare (CDN, DDoS protection, SSL)
Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Cloudflare delivers content through its CDN, encrypts the connection, and protects against DDoS attacks; IP addresses and metadata are processed for that purpose.
Clerk (user authentication)
Clerk, Inc., USA. Clerk handles registration, login, session, and organization management. Email address, optionally name, authentication metadata, and session tokens are processed.
Details: https://clerk.com/legal/privacy
Neon (serverless PostgreSQL)
Neon, Inc., USA. Neon provides the database used to store platform data (policies, identities, tasks, audit logs, user mappings).
Details: https://neon.tech/privacy-policy
4. Data collected and processed
Registration and access data
When you sign up via Clerk, we process in particular your email address, optionally your name, authentication metadata, and session tokens.
Content data
All data you actively create in the platform is stored in the Neon database — including organizations, projects, MCP server configurations, policies (CEL), task schemas, identities/credentials, and audit logs.
Log and telemetry data
For attack protection, debugging, and capacity planning, Railway and Cloudflare log IP addresses, timestamps, user agent information, and request paths.
No production data in the beta
During the private beta, under our Beta Terms of Use, users must not upload production data, real special-category data (e.g. health data, financial data), or personal data of third parties to the platform. The platform is explicitly not approved for regulated or sensitive data processing during the beta.
5. Retention
We store personal data only for as long as necessary for the purposes stated above or as required by statutory retention periods. Audit-log entries on the platform are retained according to the platform's configured retention (currently 7 days during beta). After termination of your account, your personal data will be deleted within a reasonable period, unless statutory retention duties apply.
6. Beta disclaimer
Please note that this is a beta version. Despite strong technical and organisational safeguards, complete protection of data against unauthorised access cannot be guaranteed. Use of the platform is at your own risk; see also the Beta Terms of Use.
7. Your rights
Under the GDPR, you have in particular the following rights:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
- Complaint to a supervisory authority (Art. 77 GDPR)
To exercise these rights, please contact [email protected].
8. Changes to this policy
We may update this privacy policy when technical or legal conditions change. The current version is always available on this page.