Skip to content

Privacy Policy

How we collect, use, and protect your information.

Last updated: June 2026

1. Data We Collect

We collect only the information you voluntarily provide:

  • Contact form: name, email address, company name, and project description.
  • Newsletter: email address.

We do not collect sensitive personal data such as financial information, government identifiers, or health data through our website.

2. How We Use Your Data

  • To respond to your project inquiries and schedule discovery calls.
  • To send occasional newsletters about AI-accelerated engineering (only if you subscribe).
  • To improve our website and services.

We will never sell, rent, or share your personal data with third parties for marketing purposes.

3. Cookies & Tracking

Our website uses minimal cookies:

  • Session cookies: Required for form submissions and language preferences. These expire when you close your browser.
  • CSRF token: A security cookie to protect against cross-site request forgery.

We do not load third-party analytics or advertising trackers unless you grant consent via the cookie banner. See §4 below for details on Google Analytics 4 and how to opt out.

4. Third-Party Services

Our website integrates with the following third-party services:

  • Calendly: For scheduling discovery calls. When you use the scheduling widget, Calendly's own privacy policy applies.

All fonts and JavaScript libraries are served from our own servers — no third-party CDN requests, no IP-address leaks to font or library providers.

First-Party Error Monitoring

To improve reliability, our website uses a lightweight first-party error reporter that collects anonymous JavaScript error data. Specifically:

  • What is stored: error message, source file URL, line and column number, stack trace, browser user-agent string, and the URL path where the error occurred.
  • No personally identifiable information (PII) is captured — your name, email, or IP address are not stored as part of error records.
  • Error data is stored on our own servers and is not shared with any third party.
  • Error records are retained for up to 90 days and then automatically deleted.
  • You can disable this collection by using a browser extension that blocks JavaScript. Doing so will not affect your ability to use the website.

First-Party Telemetry

To understand how visitors interact with our website and improve the quality of our content, we collect anonymous interaction events using our own first-party telemetry system. Specifically:

  • What is stored: event name (e.g. pageview, cta_click), the URL path of the page, a session identifier stored in sessionStorage (NOT a cookie — it is erased when you close the tab), UTM parameters if present in the URL, browser language, and user-agent string.
  • What is NOT stored: your name, email address, IP address, any form content, or any other personally identifiable information. We enforce this rule server-side with a key blocklist that rejects events carrying PII fields.
  • All events are sent to our own servers only. No data is transmitted to any third-party service.
  • Event records are retained for up to 90 days and then deleted.
  • Do Not Track (DNT): if your browser has the Do Not Track setting enabled, event collection is fully disabled — no events are sent for any interaction during that session.

Google Analytics 4 & Google Ads (consent-gated)

If you click "Accept all" in the cookie banner, our website loads Google Tag Manager, which in turn loads Google Analytics 4 (GA4). We use GA4 to measure traffic sources and the effectiveness of our Google Ads campaigns. Specifically:

  • What is stored by Google: pageviews, click events, a Google-issued client ID (cookie), approximate geographic location derived from IP address (IP itself is truncated by Google before storage), device type, browser, and UTM parameters from inbound links.
  • What we send to Google Ads: a server-side conversion ping when you complete a Devvy discovery session, so we can measure which ads led to qualified inquiries.
  • Consent default: denied. We use Google Consent Mode v2 — until you click "Accept all", GA4 runs in cookie-less mode and Google receives only anonymous pings used solely for aggregate modeling. No personal identifiers leave your browser.
  • Withdraw consent at any time: click "Reject" in the cookie banner on your next visit, clear the 'devbox.consent.v1' entry in your browser's localStorage, or install Google's official GA opt-out add-on at tools.google.com/dlpage/gaoptout.
  • Legal basis: your explicit consent (GDPR Art. 6(1)(a) for EU visitors; LFPDPPP Art. 16 for Mexican visitors). Without consent, neither GTM nor GA4 is loaded.

5. Data Retention & Security

We retain your contact information only for as long as necessary to fulfill the purpose for which it was collected:

  • Contact form submissions are retained for up to 12 months after last communication.
  • Newsletter subscriptions are retained until you unsubscribe.

We protect your data using industry-standard security measures, including encrypted connections (HTTPS), secure server infrastructure, and restricted access controls.

6. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data.
  • Unsubscribe from our newsletter at any time.

To exercise any of these rights, contact us at the email below.

7. Contact

If you have questions about this privacy policy or want to exercise your data rights, contact us at:

jorge@devbox.com.mx

Ready to build your custom software?

Book a free discovery call. Tell us what software your business needs — we'll show you how DevBox builds it end-to-end.

We cap concurrent engagements at 4 so a senior architect reviews every line of code. Next available start: August 2026.

Book a Discovery Call Or connect on LinkedIn

Free consultation. No commitment.

Book a Discovery Call