Privacy Policy
Last updated: March 20, 2026
This Privacy Policy explains how DevSchool collects, uses, stores, and shares your personal data when you visit our website or use our services. It applies to clients and visitors worldwide, with jurisdiction-specific provisions for the EU, USA, Canada, Brazil, and Argentina noted throughout.
1. Who We Are (Data Controller)
Business name: DevSchool
Registered in: Bulgaria, European Union
Email: privacy@devschool.io
DevSchool is the data controller for personal data collected through our website and services. Where we engage third-party processors (e.g., payment processors, email providers), we ensure appropriate data processing agreements are in place.
Privacy / Data Protection Officer: If you have questions about how we process your personal data or wish to exercise your rights, contact our Privacy Officer at privacy@devschool.io. (For Quebec Law 25 purposes, this contact serves as our designated Privacy Officer.)
Brazil — DPO (Encarregado): In accordance with the LGPD (Lei Geral de Proteção de Dados), our Data Protection Officer (Encarregado) can be reached at privacy@devschool.io.
Argentina — AAIP Database Registration: In compliance with Argentina's Personal Data Protection Act (Ley 25.326), our personal data files are registered with the Agencia de Acceso a la Información Pública (AAIP) in the National Registry of Databases.
2. Personal Data We Collect
We collect the following categories of personal data:
- Identity data: Name, professional title, years of experience, country of residence
- Contact data: Email address, phone number (if provided)
- Professional data: Current and target salary, employment history, skills, career goals — provided voluntarily during intake or coaching
- Financial data: Payment transaction records (processed by third-party payment processors; we do not store full card details)
- Usage data: Pages visited, session duration, browser type, IP address, and referral source, collected via cookies and analytics tools
- Communications data: Emails, chat messages, and coaching session notes exchanged with our team
- Marketing preferences: Whether you have opted in to receive marketing communications
We do not intentionally collect special category (sensitive) data such as health information, racial or ethnic origin, political opinions, or biometric data. Please do not submit such information through our services.
Age requirement: Our services are intended exclusively for individuals aged 18 or older. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected such data, we will delete it promptly.
3. How We Use Your Personal Data
We process your personal data for the following purposes and on the following legal bases:
| Purpose | Legal basis (GDPR / LGPD) |
|---|---|
| Delivering coaching and program services | Performance of contract (Art. 6(1)(b) GDPR; LGPD Art. 7(V)) |
| Processing payments and issuing invoices | Performance of contract; legal obligation |
| Communicating about your enrollment, sessions, and program updates | Performance of contract |
| Sending marketing emails (where opted in) | Consent (Art. 6(1)(a) GDPR; LGPD Art. 7(I)) |
| Improving our services and website through analytics | Legitimate interest (Art. 6(1)(f) GDPR; LGPD Art. 7(IX)) |
| Complying with legal obligations (tax, accounting, data requests) | Legal obligation (Art. 6(1)(c) GDPR; LGPD Art. 7(II)) |
| Protecting against fraud and abuse | Legitimate interest |
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your interests or fundamental rights and freedoms. You have the right to object to such processing at any time (see Section 8).
4. Cookies and Tracking Technologies
We use cookies and similar technologies (pixels, local storage) to operate our website and understand how visitors use it.
- Strictly necessary cookies: Required for the website to function. No consent required.
- Analytics cookies: Help us understand visitor behaviour (e.g., page views, session duration). Activated only with your prior consent.
- Marketing / advertising cookies: Used to deliver relevant ads and measure campaign performance. Activated only with your prior consent.
You can manage or withdraw your cookie consent at any time via the cookie preferences banner on our website. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
Quebec (Law 25): Granular, opt-in consent is required before any non-essential cookies are placed for Quebec residents. Our consent mechanism complies with this requirement.
5. How We Share Your Data
We do not sell your personal data. We share personal data only in the following circumstances:
- Service providers (processors): Third-party companies that assist us in delivering services — including payment processors, email delivery platforms, scheduling tools, video conferencing software, and analytics providers. These parties process data only on our instructions and under appropriate data processing agreements.
- Legal compliance: When required by applicable law, court order, or governmental authority, or to protect the rights, property, or safety of DevSchool, our clients, or the public.
- Business transfers: In connection with a merger, acquisition, or sale of all or part of our business, subject to confidentiality obligations.
- With your consent: For any other purpose, with your explicit prior consent.
California (CCPA/CPRA): We do not sell or share personal information (as defined under the CCPA/CPRA) for cross-context behavioural advertising. If this practice changes, we will update this policy and add a "Do Not Sell or Share My Personal Information" mechanism before doing so.
6. International Data Transfers
DevSchool is based in Bulgaria (EU). Your personal data may be transferred to and processed by our service providers in countries outside the EU/EEA, including the United States, Canada, Brazil, and Argentina.
We ensure such transfers are protected by appropriate safeguards:
- EU → USA / Canada / other non-EEA countries: EU Standard Contractual Clauses (SCCs) approved by the European Commission (2021 versions) are in place with relevant processors.
- EU → Argentina: Argentina is recognised under an EU adequacy decision (Disposition 60-E/2016) as providing adequate protection, so no additional transfer mechanism is required.
- Brazil (LGPD) — transfers out of Brazil: Where your data originates in Brazil or is processed for Brazilian users, we apply ANPD-approved Standard Contractual Clauses for any onward international transfers, in compliance with the August 2025 ANPD SCC requirements.
- Canada (Quebec Law 25): Before any personal information of Quebec residents is communicated outside Quebec, we conduct a Privacy Impact Assessment (PIA) to evaluate the risks. Results of the PIA inform the safeguards we apply.
You may request a copy of the relevant transfer mechanisms by contacting privacy@devschool.io.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
- Client and contract data: Retained for the duration of the service relationship and for 5 years thereafter for legal and tax compliance purposes.
- Marketing data: Retained until you withdraw consent or unsubscribe, whichever is earlier.
- Analytics / usage data: Retained in aggregated or pseudonymised form for up to 24 months.
- Coaching session notes: Retained for the duration of active enrollment plus 12 months, then securely deleted unless we are legally required to retain them.
At the end of the applicable retention period, data is securely deleted or anonymised.
8. Your Rights
Depending on your location, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@devschool.io. We will respond within the applicable deadline and will not charge a fee for reasonable requests.
| Right | Description | Response deadline |
|---|---|---|
| Access | Obtain a copy of the personal data we hold about you. | 30 days (GDPR/LGPD/Law 25); 45 days (CCPA); 15 days (Argentina) |
| Rectification / Correction | Correct inaccurate or incomplete data. | 30 days |
| Erasure / Deletion | Request deletion of your data where no legal basis for retention exists. | 30 days |
| Restriction | Restrict our processing of your data in certain circumstances. | 30 days |
| Portability | Receive your data in a structured, machine-readable format. | 30 days |
| Object | Object to processing based on legitimate interest or for direct marketing. | Immediate for marketing; 30 days otherwise |
| Withdraw consent | Withdraw consent at any time without affecting prior lawful processing. | Immediate |
| Non-discrimination | (California/CCPA) You will not be penalised for exercising your rights. | N/A |
We may need to verify your identity before fulfilling a request. We will not discriminate against you for exercising any of these rights.
9. Jurisdiction-Specific Rights and Notices
European Union / Bulgaria (GDPR)
You have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) at cpdp.bg or with the data protection authority of your EU member state of habitual residence.
Our minimum service age is 18 years. We do not knowingly process personal data of individuals under 18.
United States (California — CCPA/CPRA)
California residents have the rights listed in Section 8 plus the right to limit the use of sensitive personal information and the right to opt out of sale or sharing. We do not sell or share personal information as defined under CCPA/CPRA.
You may designate an authorised agent to make a rights request on your behalf. Response deadline: 45 days (extendable by a further 45 days with notice).
Residents of other U.S. states with applicable privacy laws (Texas, Virginia, Colorado, Florida, Connecticut, etc.) may have similar rights. Please contact us to exercise them.
Canada (PIPEDA + Quebec Law 25)
Canadian residents may contact our Privacy Officer at privacy@devschool.io to access, correct, or withdraw consent for the use of their personal information.
Quebec residents additionally have the right to data portability (receive your data in a structured, commonly used technological format) and the right to de-indexation (removal of data from a technology product). Complaints may be filed with the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca.
Brazil (LGPD)
Brazilian residents have the rights listed in Section 8 and may also request: confirmation of whether processing exists; anonymisation or blocking of unnecessary data; information about entities with which data has been shared; and information about the consequences of refusing consent.
Response deadline: 15 days (LGPD Art. 19). Complaints may be filed with the ANPD (Autoridade Nacional de Proteção de Dados) at gov.br/anpd.
Our DPO (Encarregado) contact for LGPD purposes: privacy@devschool.io.
Argentina (Ley 25.326)
Argentine residents have the right of access (free of charge, once per year), the right to rectification, update, and correction, and the right to suppression of inaccurate or illegally collected data.
Acknowledgment of requests: within 5 business days; full response within 15 business days. Complaints may be filed with the AAIP at argentina.gob.ar/aaip.
The Argentine constitutional right of habeas data entitles you to seek judicial enforcement of your data protection rights.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, alteration, or disclosure. These measures include encryption of data in transit (TLS), access controls, and regular security reviews.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
11. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority and affected individuals in accordance with applicable law:
- EU/Bulgaria (GDPR): CPDP notified within 72 hours; affected individuals notified without undue delay where there is a high risk.
- Canada (Quebec Law 25): CAI notified within 72 hours for incidents presenting a serious risk of harm; affected individuals notified as soon as reasonably possible.
- Brazil (LGPD): ANPD notified within a reasonable timeframe (ANPD guidance: 2 business days for initial notification); broader notification follows as required.
- USA: State breach notification laws vary; we will comply with the applicable law of each affected individual's state.
12. Third-Party Links and Services
Our website may contain links to third-party websites or services (e.g., scheduling tools, community platforms, YouTube). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal data.
13. Automated Decision-Making and Profiling
We do not currently make decisions about you that produce legal or similarly significant effects based solely on automated processing (including profiling).
If we introduce such processing in the future, we will update this policy and provide you with information about the logic involved, the significance of the processing, and your right to request human review.
14. Users from Other Jurisdictions
DevSchool is a Bulgarian entity. We have no legal presence, no appointed local representative, and no locally certified data processing infrastructure in any country other than Bulgaria.
This Privacy Policy expressly addresses the requirements of the EU, USA, Canada, Brazil, and Argentina. For all other countries, the following applies:
- Our compliance baseline is GDPR. We apply EU General Data Protection Regulation (GDPR) standards as our global minimum framework for data handling. GDPR is widely regarded as one of the most comprehensive data protection frameworks in the world and sets a high baseline for how we collect, use, store, and protect personal data — regardless of where you are located.
- We do not claim local law compliance. We make no representation that our data practices satisfy the specific requirements of any national data protection law not expressly addressed in this Policy. You are responsible for determining whether your use of our services and the transfer of your data to Bulgaria is permitted under your local law.
- Where your data goes. Your personal data is stored and processed in Bulgaria (EU) and may be processed by our third-party service providers in other countries (see Section 6). We do not operate data centres or maintain local data residency in your country. If your local law requires data to remain within your country's borders, you should not use our services without first obtaining appropriate legal advice.
- Your acknowledgement. By providing your personal data and using our services from a jurisdiction not expressly covered in this Policy, you acknowledge that your data will be transferred to and processed in Bulgaria under EU law, and that DevSchool cannot guarantee compliance with your local data protection requirements.
If you have questions about how your data is handled or wish to exercise rights that your local law may grant you, contact us at privacy@devschool.io and we will make reasonable efforts to assist you within the GDPR framework.
15. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or technology. The "Last updated" date at the top of this page indicates when the policy was last revised.
Material changes will be communicated by email or a prominent notice on our website at least 14 days before taking effect. Your continued use of our services after the effective date constitutes acceptance of the updated policy.
Contact Us
For any privacy-related questions, rights requests, or complaints, please contact us at: privacy@devschool.io
We aim to respond to all requests within the timeframes specified in Section 8.