Privacy & GDPR

Privacy Policy

Last updated: April 2026 · DevJets OÜ · EU Registered Company

Who We Are Data We Collect How We Use It AI Processing Legal Basis What Companies See Retention Your Rights Security Cookies

Welcome to DevJets. DevJets OÜ ("we," "our," or "us") is an EU registered company based in Estonia and is subject to the General Data Protection Regulation (GDPR) and applicable EU data protection law.

This Privacy Policy explains how we collect, use, process, and protect your personal data when you use the DevJets platform, AI tools, talent pipeline, and verification services at devjets.io.

Please read this policy carefully. If you have questions, email [email protected].

1. Who We Are

DevJets OÜ is the data controller for all personal data processed through devjets.io.

We operate an AI-powered verified talent pipeline connecting global tech engineers to EU, Gulf, and US companies ranked by evidence, not keywords. Talents use free AI tools to verify their skills and build a verified profile. Companies receive shortlists of pre-verified developers. We do not provide Employer of Record (EOR), Agent of Record (AOR), payroll, or immigration services.

Legal entity: DevJets OÜ

Registration: EU Registered Company (Estonia)

Data protection contact: [email protected]

2. What Data We Collect

2.1 Data you provide directly

Talent accounts:

Name and email address (account creation)

CV content (uploaded for AI tool analysis)

Professional information: skills, experience, location, target role, tech stack

Language proficiency and salary expectations

Feedback submissions on AI tool results

GDPR consent records (for talent pool participation)

Company accounts:

Company name, contact name, and email address

Job descriptions submitted for matching

Billing information (processed by Stripe we do not store card data)

Feedback on candidate matches

2.2 Data generated by platform use

AI tool results and scores (DTS score, pillar breakdown, individual tool scores)

Vector embeddings generated from your profile for matching purposes

Session activity and tool usage logs

Devy AI conversation history (stored per session, cleared on request)

2.3 Technical data collected automatically

IP address and approximate location

Browser type and version

Device type and operating system

Pages visited, actions taken, time on platform

Session identifiers and authentication tokens

3. How We Use Your Data

Talent users:

Analyse CV content through AI tools to generate scores and recommendations

Build and maintain your DTS score across five verified pillars

Index your profile in the talent pool vector database for company matching

Present your anonymised profile to companies matching your skills

Send platform notifications (tool results, product updates)

Improve AI tool quality using anonymised, consent-gated feedback

Company users:

Process job descriptions through the matching engine to generate ranked candidate shortlists

Facilitate introductions between companies and talents

Invoice for subscription and success fees

Send platform notifications relevant to your hiring activity

All users:

Operate and maintain the platform

Comply with legal obligations

Respond to support requests

Detect and prevent fraud or abuse

Send platform update communications where consent is given

Important

4. AI Processing and Sub-Processors

DevJets uses two AI providers as data processors under Article 28 GDPR. Both have signed Data Processing Agreements (DPAs) with DevJets.

Anthropic (Claude API)

Purpose: Powers AI tool analysis (CV scoring, interview simulation, career coaching) and the Devy AI assistant.

Data processed: CV text, feedback text, Devy conversation messages.

Retention: Data is processed per request. Anthropic does not retain API data for model training.

Transfer basis: Standard Contractual Clauses (SCCs) approved by the European Commission.

OpenAI (Embeddings API)

Purpose: Generates vector embeddings from structured talent profile data for semantic matching.

Data processed: Anonymised skill and profile data no names, emails, or contact details.

Retention: Data is processed per request. OpenAI does not retain API embeddings for training.

Transfer basis: Standard Contractual Clauses (SCCs) approved by the European Commission.

Stripe

Purpose: Payment processing for company subscriptions and success fees.

Data processed: Billing contact information and payment data.

Governed by Stripe's own privacy policy and DPA.

No other third-party AI providers are used. We do not use your data to train any AI model without your explicit consent.

5. Legal Basis for Processing

We process personal data under the following legal bases:

Account creation and managementPerformance of contract (Art. 6(1)(b))

AI tool analysis of CV contentPerformance of contract (Art. 6(1)(b))

Talent pool indexing and matchingExplicit consent (Art. 6(1)(a))

Using feedback to improve AIExplicit consent (Art. 6(1)(a))

Legal and tax complianceLegal obligation (Art. 6(1)(c))

Marketing communicationsConsent (Art. 6(1)(a))

Fraud detection and securityLegitimate interests (Art. 6(1)(f))

Your Data, Your Control

6. What Companies See and Do Not See

Companies accessing the talent pool see only:

✓ DTS score and tier

✓ Match percentage against their job description

✓ Verified skill list extracted from tool results

✓ Seniority level and years of experience

✓ Communication level score (CEFR, interview readiness)

Companies do NOT see:

✗ Your name

✗ Your email address or phone number

✗ Your photo

✗ Your raw CV

✗ Your feedback submissions

✗ Any personal identifying information

Your identity is shared only after you explicitly approve a connection request from a company. You can decline any request without consequence.

7. Data Retention

Account dataUntil account deletion

CV uploadsProcessed in memory not stored unless you join the talent pool

AI tool results and DTS scoresFor the life of your account

Talent pool profile embeddingUntil you withdraw pool consent or delete account

Feedback submissions3 years (anonymised for AI improvement)

Devy conversation historySession only cleared when session ends

Company job descriptions12 months after last activity

Billing records7 years (legal requirement)

When you delete your account, all personal data is removed within 30 days, subject to legal retention requirements for billing records.

GDPR Compliant

8. Your GDPR Rights

As a data subject under GDPR you have the following rights:

Right of access — Request a copy of all personal data we hold about you.

Right to rectification — Correct inaccurate or incomplete information.

Right to erasure — Request deletion of your account and all associated data. We action all erasure requests within 30 days.

Right to portability — Receive your data in a structured, machine-readable format (JSON).

Right to object — Object to processing based on legitimate interests.

Right to restrict processing — Limit how we use your data while a dispute is resolved.

Right to withdraw consent — Withdraw consent for talent pool participation, AI improvement use, or marketing at any time. Withdrawal does not affect lawfulness of prior processing.

Right to lodge a complaint — If you believe we have violated your rights, you may lodge a complaint with the data protection authority in your country of residence.

To exercise any right, email [email protected] with the subject line "GDPR Request [Right Type]". We respond within 30 days. No charge applies.

9. Data Security

We implement the following security measures to protect your personal data:

TLS encryption for all data in transit

Encrypted storage for sensitive data at rest

Role-based access controls staff access only what is required for their role

Regular security reviews

Incident response procedures we notify affected users within 72 hours of discovering a breach as required by GDPR Art. 33

10. Cookies

Strictly necessary

Session management, authentication tokens, CSRF protection. Cannot be disabled.

Analytics

Anonymous usage data to understand how the platform is used. You can opt out.

Preference

Remembers your settings (language, dark mode, etc.). You can opt out.

We do not use advertising cookies. We do not allow third-party advertising networks to track you on our platform.

You can manage your cookie preferences at any time using the cookie settings link in the footer.

11. Children

DevJets is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data, contact [email protected] and we will delete it.

12. Changes to This Policy

We will notify you of material changes to this policy by email (if you have an account) or by prominent notice on the platform at least 14 days before changes take effect. The "last updated" date at the top of this page reflects the most recent revision.

Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

13. Contact

For all privacy-related questions, data requests, or complaints:

DevJets OÜ

Email: [email protected]

Website: devjets.io

We aim to respond to all enquiries within 5 business days.

Questions about your data?

[email protected]devjets.io

DevJets OÜ · EU Registered Company

This privacy policy was last updated in April 2026 and supersedes all previous versions.