Privacy Policy
DevChain ("we", "us", or "our") operates the DevChain mobile application (the "App") and associated backend services. This policy explains what personal data we collect, why we collect it, and how it is stored and protected.
By using the App you agree to the collection and use of information described here.
1. Data We Collect
| Data type | Purpose | Where stored |
|---|---|---|
| Email address | Authentication via magic-link sign-in | Server-side (identity-service), encrypted in transit (HTTPS/TLS) |
| Device push token (FCM) | Delivering push notifications to your Android device | Server-side (notifications-service), encrypted in transit |
| OAuth / JWT session tokens | Maintaining your authenticated session without repeated sign-in | On-device only, in Android Keystore-backed encrypted storage (expo-secure-store). Never transmitted in plaintext. |
| User-generated content | Accessing your projects, epics, tasks, and agent sessions via the bridge service | Server-side (bridge / identity services), encrypted in transit |
We do not collect analytics, advertising identifiers, precise location, contacts, photos, or any other data not listed above. We do not use any third-party analytics SDK inside the App. Platform-provided crash and stability signals (Google Play Vitals) are provided by the operating system and Google Play — not by any code we embed.
2. How We Use Your Data
- Email address — sole purpose: send you a one-time magic-link sign-in URL. We do not send marketing email.
- Device push token — sole purpose: deliver session alerts, agent status updates, and notifications you have enabled.
- Session tokens — kept on your device to authenticate API requests during your session. Cleared on sign-out.
- User-generated content — processed only on your behalf to display your own data within the App.
3. Data Sharing
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.
Push notifications are delivered via Google Firebase Cloud Messaging (FCM). Your device push token is transmitted to Google's FCM servers solely for the purpose of delivering notifications. Google's privacy policy applies to that transmission: policies.google.com/privacy.
4. Data Retention
- Session tokens — expire automatically (access tokens: 15 minutes; refresh tokens: 7 days). Immediately invalidated on sign-out.
- Device push tokens — retained until you sign out or uninstall the App, at which point the token registration is removed.
- Email address — retained as long as your account exists. Deleted on account deletion request.
- User-generated content — retained until you delete it or request account deletion.
5. Your Rights
You may request access to, correction of, or deletion of your personal data at any time by contacting us at the address below. We will respond within 30 days.
To delete your account and all associated data, visit our Account Deletion page for step-by-step instructions and details on what gets deleted.
6. Security
All data in transit is protected by TLS 1.2 or higher. Session tokens are stored using Android Keystore-backed encryption via expo-secure-store. Server-side data is stored in encrypted-at-rest PostgreSQL databases on OCI infrastructure.
No method of transmission or storage is 100% secure. We maintain commercially reasonable safeguards and will notify affected users of any confirmed data breach as required by law.
7. Children's Privacy
The App is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
8. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the App after changes constitutes acceptance of the updated policy.
9. Contact
Questions about this policy or requests regarding your data:
[email protected]