Privacy Policy

Draft notice. This Privacy Policy is prepared to meet the requirements of the Thai Personal Data Protection Act B.E. 2562 (2019) ("PDPA"). It is pending final legal review. Please contact us with questions before relying on it for a specific purpose.

This Privacy Policy explains how devqo ("we", "us", "our") collects, uses, shares, and protects your personal data when you use the devqo application, website, and related services (the "Service"). By using the Service, you acknowledge that you have read this policy.

1. Who we are (Data Controller)

The Data Controller for the processing described here is:

• Name: devqo
• Address: Bangkok, Thailand
• Contact (privacy): privacy@devqo.io
• Data Protection Officer: dpo@devqo.io

If you are in Thailand, you may also contact the Personal Data Protection Committee (PDPC) at pdpc.or.th.

2. What data we collect

Account data: email, password hash, name, avatar image, date of birth (optional), phone (optional).

Profile data: job title, department, timezone, bio — all provided voluntarily.

Workspace content: organizations, projects, issues, comments, documents, files, and anything else you create or upload.

Session & security data: IP address, user agent, session tokens, two-factor authentication secrets.

Billing data: handled directly by Stripe. We store only a customer reference and a subscription status — never card numbers.

Usage data: page views, feature usage, error reports (via Sentry) — only if you have consented to analytics cookies.

Communications: emails you send us, support tickets, and replies.

We do not intentionally collect sensitive personal data as defined in PDPA §26 (religion, health, genetic data, biometrics, criminal record, etc.). Do not submit such data to the Service.

3. Why we collect it & legal basis

Under PDPA §24, we rely on the following lawful bases:

Purpose	Lawful basis
Creating and operating your account	Contract (§24(3))
Providing the core Service (projects, issues, docs)	Contract (§24(3))
Sending transactional emails (verification, security alerts, invoices)	Contract (§24(3))
Billing and payment processing	Contract (§24(3)), Legal obligation (§24(6))
Security, fraud prevention, abuse mitigation	Legitimate interest (§24(5))
Error monitoring & service reliability	Legitimate interest (§24(5))
Product analytics (opt-in)	Consent (§19)
Marketing emails (opt-in)	Consent (§19)
Complying with Thai law, court orders, or regulators	Legal obligation (§24(6))

You may withdraw consent for the consent-based items at any time — see section 9.

4. How we share your data

We share data only with the following categories of recipients:

• Subprocessors who help us run the Service — see the table below.
• Members of your workspace — data you add to a workspace is visible to other members of that organization.
• Authorities where required by law (subpoena, court order, or lawful government request).
• Business transfers — if we merge or are acquired, your data may be transferred under equivalent protections.

We do not sell personal data and we do not use your workspace content to train AI foundation models.

5. International transfers

We are based in Thailand but use service providers in the United States, European Union, Singapore, and other regions. Where transfers occur outside Thailand, we rely on the mechanisms permitted by PDPA §28, including:

• Transfer to countries with adequate protection as determined by the PDPC;
• Standard Contractual Clauses (SCCs) or equivalent binding terms in our agreements with subprocessors;
• Your explicit consent where none of the above applies.

6. How long we keep it

Data	Retention
Account & profile	Until you delete your account, then 30 days for recovery, then purged
Workspace content	Until deleted by an authorized member, then 30 days in soft-delete
Billing records	7 years (Thai tax/accounting law)
Audit logs	12 months rolling
Session tokens	7 days from last activity
Error logs (Sentry)	90 days
Marketing list	Until you unsubscribe

We may retain anonymized aggregate data indefinitely for analytics and benchmarking.

7. How we protect it

• All data is encrypted in transit (TLS 1.2+).
• Passwords are hashed with bcrypt.
• Two-factor authentication is available and recommended.
• Production databases are hosted by Neon with encryption at rest.
• We follow a least-privilege access policy for employees and audit every administrative action.

No system is perfectly secure. We will notify affected users and the PDPC without undue delay (and, where feasible, within 72 hours) of becoming aware of a personal data breach that is likely to result in risk to your rights and freedoms, as required by PDPA §37.

8. Children

The Service is intended for use by businesses and professionals aged 20 or older. We do not knowingly collect data from persons under 20 without parental or guardian consent as required by PDPA §20. If we learn that we have done so, we will delete the data.

9. Your rights under PDPA

You have the following rights concerning your personal data. We will respond within 30 days as required by PDPA §30.

1. Right of access (§30) — request a copy of the data we hold about you.
2. Right to data portability (§31) — receive your data in a machine-readable format.
3. Right to object (§32) — object to processing based on legitimate interest or for direct marketing.
4. Right to erasure (§33) — request deletion where the data is no longer necessary or you have withdrawn consent.
5. Right to restrict processing (§34) — ask us to pause processing while a complaint or correction is pending.
6. Right to rectification (§35) — correct inaccurate or incomplete data.
7. Right to withdraw consent (§19) — withdraw consent you previously gave.
8. Right to lodge a complaint — file a complaint with the PDPC.

To exercise any of these rights, email privacy@devqo.io or visit our Data Subject Rights page. We will verify your identity before fulfilling the request.

10. Subprocessors

We use the following third parties to operate the Service:

(See the subprocessor table rendered below.)

We update this list when we add or remove providers. Subscribe to the legal changelog to be notified.

10a. AI features {#ai}

When an organization owner or admin explicitly enables AI features in workspace settings, the following content is processed by AI subprocessors to power features like description generation, summarization, semantic search, and AI suggestions:

• Issue title, description, labels, custom field values
• Comment text
• Document body
• Test case steps and expected results

Before sending to AI subprocessors, we automatically redact:

• Email addresses → [email]
• Phone numbers → [phone]
• Credit card-like number sequences → [card]

AI subprocessors:

Provider	Purpose	Location	Retention
Anthropic, PBC	LLM inference (Claude models)	United States	Zero retention by default per Anthropic policy
Voyage AI, Inc.	Embedding generation (semantic search)	United States	Zero retention per Voyage policy

Both providers contractually do not train their models on your content.

Your controls:

• AI features are off by default for every organization. They must be explicitly enabled by an owner or admin.
• Disabling AI features stops all future AI processing. Existing embeddings can be deleted on request.
• Per-feature toggles can be configured by your organization owner.
• A daily quota and cost ceiling applies — see your plan details.

Cross-border note: enabling AI features results in your data being transferred to the United States. We rely on Standard Contractual Clauses (SCCs) with both providers and they are bound to the same data-handling standards as our other subprocessors.

11. Changes to this policy

We may update this Privacy Policy. When we make material changes, we will:

• Update the version and effective date at the top of this page;
• Notify existing users by email and in-app banner;
• For material changes, require you to re-accept before continuing to use the Service.

Minor edits (typo fixes, wording clarifications) will not trigger re-consent.

12. Contact

Privacy or data-protection questions: privacy@devqo.io

General support: hello@devqo.io

PDPC (Thailand): pdpc.or.th