Privacy & Data Processing
Last updated: June 2026. Contact: office@devaland.com.
Devaland ("we") operates Deal OS, a deal-operations and AI diligence platform. This notice explains what personal data we handle, why, and the choices you have. It describes our actual implementation — we don't run advertising or third-party analytics trackers.
Who is the controller
- Documents you upload into a workspace (CIMs, financials, etc.) may contain personal data. For these, your organisation is the data controller and Devaland acts as a processor on your instructions.
- Account and marketing data (the email you sign up or download a resource with, your name) — for these, Devaland is the controller.
What we collect and why
| Account data | Name, email, hashed password (bcrypt). Lawful basis: performance of our contract with you. Used to create your login and workspace. |
|---|---|
| Session metadata | IP address and browser user-agent on login, kept with your session for security and abuse prevention. Lawful basis: legitimate interest in securing the service. |
| Uploaded documents | Stored to provide the diligence features you request. Processed on your instruction as controller. We do not use your documents to train any model. |
| Billing data | Handled by Stripe; we store a Stripe customer ID and subscription status, not card numbers. Lawful basis: contract. |
| Marketing / lead data | If you download a free resource we store the email you provide to send it and occasional deal-ops insights. Lawful basis: consent — unsubscribe any time. |
AI processing
To generate a brief, relevant excerpts of the documents in that workspace are sent to Anthropic (our AI subprocessor) to produce cited output. Excerpts are processed to fulfil your request and are not used to train models. Every claim in a brief must quote your source document and is verified before you see it.
Subprocessors
We use a small number of vetted processors to run the service:
| Anthropic | AI generation of diligence briefs (document excerpts). |
|---|---|
| Stripe | Payment processing and invoicing. |
| Google Workspace | Transactional and account email (SMTP). |
| Hosting provider | Server hosting and encrypted backups (EU/US region as agreed). |
Cookies & tracking
We use one strictly necessary cookie, dealos_session,
to keep you signed in. We also store a light/dark theme preference in your browser's
local storage. We run no advertising cookies, no third-party analytics, and no
tracking pixels. Because we set no non-essential cookies, no consent banner is
required under the ePrivacy Directive / GDPR.
Retention
Account and workspace data is retained while your subscription is active. After cancellation we retain data for a short wind-down period so you can export it, then delete it on request or within our standard retention window. Backups roll off on a fixed schedule. Marketing data is kept until you unsubscribe.
Your rights
Subject to applicable law (including the GDPR), you can request access, a copy (export), correction, or deletion of your personal data, and you can object to or withdraw consent for marketing. To exercise any right, email office@devaland.com and we'll respond within the legally required timeframe. Where your organisation is the controller of workspace documents, we act on the controller's instructions for such requests.
Security
Traffic is encrypted in transit (TLS). Session cookies are HTTP-only and Secure. Each client workspace is isolated at the database and file level. Backups run nightly with periodic restore drills. We never log credential values.