Privacy Policy
Last updated: March 2026
1. Controller
DevFlow Software
Anita Faerber
Jacob-Pins-Weg 16, 33100 Paderborn, Germany
Email: info@dev-flow.tech
2. Overview
This privacy policy informs you about the processing of personal data when using the DevFlow web application (app.dev-flow.tech), website (dev-flow.tech), documentation (docs.dev-flow.tech), and MCP Server (npm package).
3. Legal Bases
- Art. 6(1)(a) GDPR — Consent
- Art. 6(1)(b) GDPR — Performance of a contract
- Art. 6(1)(f) GDPR — Legitimate interests
4. Processing Activities
4.1 User Account and Registration
Purpose: Providing the DevFlow service, account management
Legal basis: Art. 6(1)(b) GDPR
Data: Name, email address, profile picture (optional), organization membership
Retention: Until account deletion by the user
4.2 Authentication via WebAuthn / Passkeys
Purpose: Secure passwordless authentication
Legal basis: Art. 6(1)(b) GDPR
Data: Public key credential IDs, authenticator metadata
Note: Biometric data (fingerprint, face recognition) never leaves your device. DevFlow has no access to this data.
4.3 Time Tracking and Project Data
Purpose: Providing the core service (time tracking, project management)
Legal basis: Art. 6(1)(b) GDPR
Data: Time entries, project names, flow descriptions, tasks, calendar entries, timer sessions
4.4 Payment Processing via Stripe
Purpose: Processing subscription payments
Legal basis: Art. 6(1)(b) GDPR
Recipient: Stripe Inc., South San Francisco, CA, USA
Third-country transfer: USA — certified under EU-US Data Privacy Framework (DPF)
Note: Payment data (e.g., credit card numbers) is processed exclusively by Stripe and not stored on our servers.
4.5 Push Notifications
Purpose: Real-time notifications about flow changes, approvals, and reviews
Legal basis: Art. 6(1)(a) GDPR (consent via browser dialog)
Note: You can disable push notifications at any time in the settings or through your browser.
4.6 Transactional Emails
Purpose: Account confirmation, login links, invitations, notifications
Legal basis: Art. 6(1)(b) GDPR
Processing: Sent via self-hosted SMTP server
4.7 Server Logs
Purpose: Ensuring service operation, detecting misuse
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Data: IP address, user agent, timestamp, requested URL
Retention: Maximum 14 days
4.8 MCP Server
Purpose: Integration into AI-powered development environments
Legal basis: Art. 6(1)(b) GDPR
Note: Data processing occurs on the user's local machine. The MCP server communicates with the DevFlow API using the token provided by the user.
4.9 AI-Powered Features
Purpose: Automatic generation of descriptions and summaries
Legal basis: Art. 6(1)(b) GDPR
Note: No automated decisions within the meaning of Art. 22 GDPR are made.
4.10 Cookies and Local Storage
We exclusively use technically necessary cookies and local storage:
| Storage | Purpose | Duration |
|---|---|---|
| JWT Access Token | Authentication | Session |
| JWT Refresh Token | Session renewal | 30 days |
| Theme setting | Display preference | Persistent |
| Language setting | Language preference | Persistent |
We do not use tracking cookies, analytics cookies, or marketing cookies. Our analytics tool (Plausible) operates without cookies.
4.11 Website Analytics
Purpose: Understanding website usage to improve our service
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Tool: Plausible Analytics (Community Edition), self-hosted on our servers in Germany
Data: Page URL, referrer, country (derived from IP, not stored), device type, browser
Note: Plausible does not use cookies, does not collect personal data, and does not track individual users. All data is aggregated. No data is transferred to third parties. The analytics server is hosted on our own infrastructure at Hetzner (Germany).
5. Processors and Recipients
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting & email | Germany / EU |
| Stripe Inc. | Payment processing | USA (EU-US DPF) |
6. Your Rights
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
- Right to lodge a complaint (Art. 77 GDPR) with the supervisory authority: Landesbeauftragte fuer Datenschutz und Informationsfreiheit Nordrhein-Westfalen (www.ldi.nrw.de)
7. Exercising Your Rights
To exercise your rights, please contact us at info@dev-flow.tech. We will respond within one month.
8. Data Processing Agreement
If you process personal data of third parties (e.g., employees) through DevFlow, a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is available for download (PDF).