Privacy Policy

Last Updated: August 15, 2025

1. General Provisions

1.1 Who We Are

This Privacy Policy explains how Devlight LLC (“Devlight”, “we”, “us” or “our”), a legal entity incorporated under the laws of Ukraine, company code 40478965, with its registered office at 1B Kraykivskogo Street, Office 304, Ivano-Frankivsk, Ivano-Frankivsk Region, 76019, Ukraine, collects, uses, stores, and protects your personal data when you visit our website https://devlight.io or interact with us through other means.

1.2 Purpose of This Policy

We are committed to protecting your privacy and ensuring that your personal data is processed in strict compliance with:

The Law of Ukraine On Personal Data Protection;
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – “GDPR”); and
Any other applicable data protection and privacy legislation.

The purpose of this Privacy Policy is to provide you with clear, transparent, and accessible information regarding:

The categories of personal data we collect and process;
The purposes and legal bases for such processing;
Your rights as a data subject and how to exercise them; and
The measures we take to protect your personal data.

1.3 Scope of Application

This Privacy Policy applies to all processing of personal data carried out by Devlight LLC in connection with:

The operation, maintenance, and improvement of our website and any related online services;
Communications with you via email, telephone, social media platforms, or other communication channels; and
Any other interactions, whether online or offline, in which we act as a data controller determining the purposes and means of processing your personal data.

This Policy applies to all website visitors, users of our services, clients, partners, and other individuals whose personal data we process, regardless of their country of residence, to the extent permitted by applicable law.

1.4 Data Controller

For the purposes of applicable data protection laws, Devlight acts as the Data Controller, meaning we determine the purposes and means of processing your personal data.

1.5 Contact Details

If you have any questions regarding this Privacy Policy or our data protection practices, you can contact us at:

Email: [email protected]

Postal Address: 1B Kraykivskogo Street, Office 304, Ivano-Frankivsk, Ivano-Frankivsk Region, 76019, Ukraine
Attention: Data Protection Officer

2. Principles of Data Processing

We process your personal data in accordance with the following fundamental principles:

2.1 Lawfulness, Fairness and Transparency

We process personal data only where there is a valid legal basis (such as your consent, the performance of a contract, compliance with a legal obligation, or our legitimate interests). We are transparent about how and why we process your data.

2.2 Purpose Limitation

We collect personal data for specific, explicit, and legitimate purposes, and we do not process it further in a manner incompatible with those purposes.

2.3 Data Minimisation

We only collect personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

2.4 Accuracy

We take reasonable steps to ensure that personal data is accurate and kept up to date. You can request corrections at any time.

2.5 Storage Limitation

We keep personal data in an identifiable form only for as long as is necessary for the purposes for which it was collected, unless a longer retention period is required by law.

2.6 Integrity and Confidentiality (Security)

We process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage, by using suitable technical and organisational measures.

2.7 Accountability

We are responsible for, and able to demonstrate compliance with, all the above principles.

3. What Data We Collect and How

We collect only the personal data that is necessary for the purposes described in this Policy. Depending on your interaction with us, this may include:

3.1 Data You Provide Directly

Contact Information – such as your name, email address, phone number, job title, and company name.
Business Correspondence – any information you include in emails, forms, or documents you send to us.
Account Details – if you create or manage an account on our platform or services.
Job Application Data – CVs, cover letters, and other recruitment-related information.

3.2 Data Collected Automatically

When you visit https://devlight.io, we may automatically collect:

Device and Browser Data – such as your IP address, device type, operating system, browser type, version, language settings, and display resolution.
Usage Data – such as the pages you visit, links you click, the date and time of your visits, the time spent on each page, navigation paths, and referring/exit pages.
Geolocation Data – approximate location derived from your IP address, to tailor website content and improve security.
Technical Logs and Error Reports – diagnostic and performance information to help us detect and fix technical issues.
Cookies and Similar Technologies – information collected through cookies, pixels, tags, and local storage, as described in our Cookie Policy, which also explains how you can manage or disable such technologies.

3.3 Data from Third-Party Sources

We may receive limited personal data about you from:

Business Partners – e.g., where a partner refers you to us.
Publicly Available Sources – professional social media profiles, company websites.
Analytics and Marketing Tools – such as Google Analytics, subject to your consent.

3.4 Special Categories of Data

We do not intentionally collect special categories of personal data (such as information about your health, political opinions, or biometric data) unless you voluntarily provide it and we have a lawful basis to process it.

3.5 AI-Generated or AI-Processed Data

If you interact with features of our website or services that involve automated decision-making or AI-powered tools, we may process your data through such systems. We ensure these processes are transparent, include meaningful human oversight, and comply with applicable AI governance standards.

We do not engage in fully automated decision-making that produces legal or similarly significant effects without human involvement.

3.6 Children’s Privacy

Our website and services are not directed at children under the age of 18, and we do not knowingly collect personal data from them. If we learn that we have inadvertently collected personal data from a child, we will delete it without undue delay.

4. Purposes and Legal Bases for Processing

We process your personal data only when we have a lawful basis under the applicable Ukrainian law. The table below summarizes the purposes for which we process data.

Purpose	Description
Service Provision	To respond to enquiries, provide requested services, and maintain client relationships.
Website Operation & Security	To operate, maintain, and secure our website, including fraud prevention and system monitoring.
Analytics & Improvements	To analyse website usage and improve our services, user experience, and content.
Marketing Communications	To send newsletters, event invitations, or other marketing content (only if you opt in).
Recruitment	To process job applications and communicate with candidates.
Legal Compliance	To comply with applicable laws, regulations, and court orders.
AI-Driven Features	To operate AI-enabled functionalities on our website or services, ensuring transparency and human oversight.

5. Data Sharing and International Transfers

5.1 Data Sharing with Third Parties

We may share your personal data only with trusted third parties, and solely to the extent necessary for the purposes described in this Privacy Policy. Such recipients may include:

Affiliates – companies, which may process personal data on our behalf and in accordance with this Policy:

– DEVLIGHT ENGINEERING, LLC (ТОВ “ДЕВЛАЙТ ІНЖІНІРИНГ”), Ukraine, 76018, Ivano-Frankivsk Region, Ivano-Frankivsk District, Ivano-Frankivsk, 72 Hetmana Mazepy Street, company code 45384091.

– DEVLIGHT ENTERPRISES, LLC (ТОВ “ДЕВЛАЙТ ЕНТЕРПРАЙЗЕЗ”), Ukraine, 76014, Ivano-Frankivsk Region, Ivano-Frankivsk District, Ivano-Frankivsk, 23D Akademika Sakharova Street, company code 45714959.

– DEVLIGHT DIGITAL OÜ, Harju County, Tallinn, Kesklinna District, Kaupmehe St. 7-120, 10114, Republic of Estonia, registered with the Estonian Commercial Register under company number 16739546.

Service Providers and Vendors – providers of IT infrastructure, hosting, analytics, marketing, recruitment, and other operational services that support the delivery of our business activities.
Business Partners – where collaboration is necessary to deliver our services to you.
Legal and Regulatory Authorities – when disclosure is required by applicable law or in response to valid legal requests.
Professional Advisers – such as lawyers, auditors, and consultants, who are bound by strict confidentiality obligations.

All third parties that process personal data on our behalf are bound by contractual obligations to protect the data and process it only in accordance with our instructions.

5.2 International Data Transfers

Given the global nature of our operations, your personal data may be transferred to, and processed in, countries outside your country of residence, including countries outside the European Economic Area (EEA) or Ukraine.

Whenever we transfer personal data internationally, we ensure that an adequate level of protection is in place.

5.3 Cloud and Hosting Services

Our website and services may be hosted on servers located in multiple jurisdictions. We select hosting providers that demonstrate strong security practices and compliance with international data protection standards.

5.4 Your Rights in Cross-Border Transfers

If your personal data is transferred outside your jurisdiction, you have the right to request information about the safeguards applied and to obtain a copy of the relevant transfer mechanisms.

6. Data Retention

6.1 Retention Principles

We keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal, accounting, or reporting obligations. Once the retention period expires, we securely delete or anonymize the data.

6.2 Retention Periods by Category

Data Category	Typical Retention Period	Retention Criteria
Contact Information (enquiries, forms)	Up to 24 months after the last interaction	Needed to respond to queries or maintain potential business relationships.
Client Account Data	Duration of the contract + 3 years	Required for contractual and post-contractual claims.
Recruitment Data	Up to 12 months after the recruitment process ends	Retained for potential re-engagement unless the candidate requests earlier deletion.
Marketing Data (email subscriptions)	Until you withdraw consent	Data is deleted immediately upon unsubscribing.
Website Analytics Data	14 months (Google Analytics default) or as specified in our Cookie Policy	Data is aggregated or anonymized after this period.
Legal Records	Up to 10 years	Required by Ukrainian law and applicable accounting regulations.

6.3 Anonymization and Aggregation

Where possible, we anonymize or aggregate personal data so it can no longer identify you. Such data may be retained indefinitely for research, statistical, or service improvement purposes.

6.4 Data Disposal

When personal data is no longer needed, we ensure it is securely deleted using industry-standard methods to prevent recovery or misuse.

7. Data Security

7.1 Our Commitment to Security

We take the protection of your personal data seriously and implement a combination of technical, organizational, and procedural measures to prevent unauthorized access, use, alteration, or disclosure.

7.2 Technical Measures

Encryption – Data is encrypted in transit (TLS/SSL) and at rest where applicable.
Access Controls – Role-based access and authentication to ensure only authorized personnel can access personal data.
Network Security – Firewalls, intrusion detection and prevention systems, and anti-malware protection.
Secure Development – Privacy and security measures integrated into our software development lifecycle (Privacy by Design).

7.3 Organizational Measures

Staff Training – Regular training for employees on data protection and cybersecurity awareness.
Data Processing Policies – Internal policies that govern how personal data is handled, stored, and shared.
Vendor Risk Management – Due diligence and contractual safeguards for all third-party processors.

7.4 Incident Response

In the event of a personal data breach:

We will promptly investigate and contain the incident;
Where required by law, we will notify the competent supervisory authority without undue delay;
If the breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay, providing clear guidance on steps you should take.

7.5 Continuous Improvement

We regularly review and update our security practices to align with emerging threats, new legal requirements, and industry standards.

8. Your Rights

As a data subject, you have specific rights under the applicable laws. You may exercise these rights at any time by contacting us (see Section 1.5).

8.1 Right of Access

You can request confirmation of whether we process your personal data, obtain a copy of such data, and receive information about how and why we process it.

8.2 Right to Rectification

You can request correction of any inaccurate or incomplete personal data we hold about you.

8.3 Right to Erasure (“Right to be Forgotten”)

You can request that we delete your personal data when:

It is no longer necessary for the purposes for which it was collected;
You withdraw your consent (where processing is based on consent);
You object to processing and there are no overriding legitimate grounds; or
The processing is unlawful.

8.4 Right to Restriction of Processing

You can request that we temporarily suspend processing of your data if:

You contest its accuracy;
The processing is unlawful and you oppose erasure;
We no longer need the data but you require it for legal claims; or
You have objected to processing and verification of our legitimate grounds is pending.

8.5 Right to Data Portability

Where processing is based on your consent or a contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.

8.6 Right to Object

You may object at any time to processing based on our legitimate interests, including profiling, or to processing for direct marketing purposes.

8.7 Right to Withdraw Consent

If we process your data based on your consent, you may withdraw it at any time. Withdrawal will not affect the lawfulness of processing before consent was withdrawn.

8.8 Right to Lodge a Complaint

If you believe we have infringed your data protection rights, you have the right to lodge a complaint with:

The Ukrainian Parliament Commissioner for Human Rights (Ombudsman); or
Your local supervisory authority within the EU/EEA, if applicable.

9. Changes to This Privacy Policy

9.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or industry standards. The “Last Updated” date at the top of the Policy will indicate when the latest changes were made.

9.2 Notification of Changes

If we make significant changes, we will notify you through prominent notice on our website, by email (where appropriate), or through other suitable means before the changes take effect.

9.3 Continued Use

By continuing to use our website or services after the updated Privacy Policy takes effect, you acknowledge that you have read and understood the changes.