Last updated: April 28, 2026

Privacy Policy

DevLevelUp is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights under applicable data protection laws including GDPR.

1. Data Controller

DevLevelUp operates as the data controller for personal data processed through our platform. For GDPR inquiries, contact us at privacy@devlevelup.com.

2. Data We Collect

Account Data

  • Name and email address (provided during registration)
  • Hashed passwords (never stored in plain text)
  • Profile information (job role, company, preferred language)

Company and Team Data

  • Company name, size, and industry
  • Team structure and member roles
  • Employee invitation records

Assessment and Performance Data

  • Skill self-assessments and manager evaluations
  • Peer review responses (anonymized per cycle settings)
  • Development goals and progress records

Usage Data

  • Pages visited and features used (aggregated analytics)
  • Browser type and approximate geographic region (for locale detection)
  • Session activity timestamps

Billing Data

  • Subscription plan and payment history
  • Payment method details are processed by Stripe and not stored on our servers

3. How We Use Your Data

PurposeLegal Basis (GDPR)
Providing and operating the ServiceContract performance (Art. 6(1)(b))
Sending transactional emails (invites, notifications)Contract performance (Art. 6(1)(b))
Processing paymentsContract performance (Art. 6(1)(b))
Improving the platform (aggregated analytics)Legitimate interest (Art. 6(1)(f))
Security and fraud preventionLegitimate interest (Art. 6(1)(f))
Marketing communications (opt-in)Consent (Art. 6(1)(a))

4. Data Sharing and Third Parties

We do not sell your personal data. We share data only with:

  • Stripe — Payment processing. Subject to Stripe's Privacy Policy.
  • Railway — Database hosting infrastructure. Data stored in secure cloud environments.
  • Email providers — Transactional email delivery (e.g., SendGrid). Used solely for sending notifications.

All third-party processors are bound by data processing agreements ensuring GDPR compliance.

5. Data Retention

  • Active accounts: Data retained for the duration of the subscription
  • Cancelled accounts: Data retained for 30 days after cancellation, then deleted
  • Assessment records: Retained for the company's active period to maintain historical context
  • Billing records: Retained for 7 years for tax and legal compliance
  • Anonymized analytics: May be retained indefinitely in aggregated form

6. Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights:

  • Right of Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data
  • Right to Portability: Receive your data in a machine-readable format
  • Right to Restrict Processing: Limit how we use your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time for consent-based processing

To exercise any of these rights, email us at privacy@devlevelup.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

7. Cookies

We use the following cookies:

  • Session cookie (devlevelup.sid) — Required for authentication. Session-scoped, expires after 24 hours of inactivity.
  • Locale cookie (locale) — Stores your language preference. Expires after 1 year.

We do not use advertising cookies or third-party tracking cookies. Analytics are processed server-side without cookies.

8. Data Security

We implement industry-standard security measures including:

  • HTTPS/TLS encryption for all data in transit
  • Bcrypt password hashing (never stored in plain text)
  • Rate limiting to prevent brute-force attacks
  • HTTP security headers (Helmet.js: CSP, HSTS, X-Frame-Options)
  • Input sanitization and SQL injection prevention

In the event of a data breach affecting your rights, we will notify you within 72 hours as required by GDPR.

9. International Data Transfers

Your data may be stored on servers in the United States or other countries. When transferring data outside the EEA, we ensure appropriate safeguards are in place through Standard Contractual Clauses or equivalent mechanisms.

10. Children's Privacy

DevLevelUp is a professional B2B tool intended for users aged 18 and over. We do not knowingly collect data from minors. If you believe a minor has registered, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or a prominent notice on the platform. Continued use after notification constitutes acceptance.

12. Contact

For privacy questions or to exercise your rights: privacy@devlevelup.com