Privacy policy
This privacy policy explains how Devbuildstudio ApS, CVR DK 41 88 21 06, registered at Damstræde 91, 9220 Gistrup, Denmark (hereafter "Devbuildstudio", "we", "us"), processes personal data in connection with our website at devbuildstudio.com and our engineering services. It is written to comply with Regulation (EU) 2016/679 ("GDPR") and the Danish Data Protection Act (databeskyttelsesloven).
§ 1 Data controller
Devbuildstudio ApS is the data controller for personal data we collect via the website and through engagements with our clients. You can reach the controller at studio@devbuildstudio.com or by post at the address above. We do not have, and are not required to have, a designated Data Protection Officer.
§ 2 What we collect and why
We collect only what we need to operate the business. Specifically:
| Category | Data | Lawful basis | Retention |
|---|---|---|---|
| Brief / enquiry form | Name, email, phone, company, message text | Art. 6(1)(b) — pre-contractual steps | 24 months from last contact |
| Checkout (package builder) | Name, email, phone, country, billing address (collected by Stripe) | Art. 6(1)(b) — contract performance | 7 years (Danish bookkeeping law) |
| Active engagements | Contact data, access credentials provided by client, communications, deliverables | Art. 6(1)(b) — contract performance | For duration of engagement + 7 years for invoices |
| First-party analytics (opt-in) | Anonymous page-view counter, no IP retention | Art. 6(1)(a) — consent | Aggregated only; raw data discarded after 30 days |
| Session cookie | Session identifier, CSRF token | Strictly necessary — no consent required | Browser session |
§ 3 Sources
All personal data is collected directly from you. We do not buy lists, do not enrich data from third parties, do not scrape contact information, and do not maintain a "prospects" database. If you find yourself in our records it is because you wrote to us or signed a contract with us.
§ 4 Processors and third parties
We use the following data processors. Each is bound by a written data processing agreement (DPA):
- Stripe Payments Europe Ltd (Ireland) — payments and checkout. Stripe acts as an independent data controller for payment card data.
- Hetzner Online GmbH (Germany / Finland) — hosting. Data is stored on servers physically located within the EU.
- Cloudflare, Inc. (United States) — CDN and DDoS protection. Configured to use EU-only data centres where possible; Standard Contractual Clauses in place for any onward transfer.
- Fastmail Pty Ltd (Australia, EU servers) — email infrastructure. Standard Contractual Clauses in place.
We do not run third-party advertising, retargeting, or social-media trackers anywhere on this site. There is no Google Analytics, no Facebook Pixel, no LinkedIn Insight tag, no Hotjar, no session replay. The complete list is above.
§ 5 International transfers
Personal data is processed inside the European Economic Area (EEA) by default. Where a processor is established outside the EEA (currently Cloudflare and Fastmail), transfers are made under the European Commission's Standard Contractual Clauses (2021/914), supplemented where necessary with technical measures appropriate to the data category. We will provide a copy of the safeguards used on request.
§ 6 Your rights
Under the GDPR you have the following rights regarding personal data we hold about you:
- Right of access — to obtain a copy of the data we hold (Art. 15).
- Right to rectification — to have inaccurate data corrected (Art. 16).
- Right to erasure — "to be forgotten", where applicable (Art. 17).
- Right to restrict processing — to pause our use of the data (Art. 18).
- Right to data portability — to receive the data in machine-readable form (Art. 20).
- Right to object — to processing based on legitimate interests (Art. 21).
- Right to withdraw consent — where processing is based on consent (Art. 7(3)).
To exercise any of these rights, email studio@devbuildstudio.com. We respond within 30 days. Note that erasure and portability rights are limited by Danish bookkeeping law (which requires invoices to be retained for 7 years) and may also be limited where we have an active engagement.
§ 7 Complaints
If you believe we have not handled your personal data correctly, you are entitled to lodge a complaint with the Danish Data Protection Agency (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, Denmark. We would prefer that you write to us first so we can fix anything that is broken.
§ 8 Security
We host inside the EU, encrypt data in transit (TLS 1.3) and at rest (AES-256), keep secrets out of source control, audit access quarterly, and run nightly backups with monthly restore drills. The site does not store payment card data — that is handled exclusively by Stripe under PCI-DSS Level 1.
§ 9 Children
Our services are sold business-to-business. We do not knowingly process personal data of children under 13. If you believe a child has submitted data to us, please write and we will delete it.
§ 10 Changes
We will publish material changes to this policy on this page with a new effective date. We will not weaken your rights or repurpose previously collected data for new purposes without your consent.
§ 11 Contact for privacy matters
Privacy enquiries · studio@devbuildstudio.com
Postal address · Devbuildstudio ApS, Damstræde 91, 9220 Gistrup, Denmark
CVR · DK 41 88 21 06