Privacy Policy
Last updated: 23/12/2025
1. Who Is the Data Controller?
ECO Impact Tech, S.L. (hereinafter "DEVERA" or "we"), with Tax ID B56263155 and registered address at Calle de la Travesía, S/N, Edificio La Terminal, ZIP Code 46024 Valencia (Spain), is the controller of your personal data.
DEVERA is the owner of the domain "devera.ai" as well as the website and platform (accessible at app.devera.ai), which is made available to its Clients and Users for automated Product Carbon Footprint (PCF) analysis services following the ISO 14067:2018 standard.
Contact: info@devera.ai
2. What Personal Data Do We Collect and Process?
2.1 Website Browsing Data
| Aspect | Details |
|---|---|
| Role of DEVERA | Data Controller |
| Data collected | Browsing metrics, IP address, location (country, region, city), usage preferences, language, time spent on page, device data (operating system, browser) |
| Method of collection | Through navigation within our website environment and cookies |
| Legal basis | User consent and our legitimate interest as data controllers |
| Retention period | Maximum of 18 months, unless the data subject withdraws consent |
| Disclosure | Data collected by technical cookies may be disclosed to our web hosting providers (Cloudflare) |
| International transfers | No transfers to third countries without adequate safeguards are anticipated |
2.2 User Account Data
When you create an account on our platform, we collect:
| Aspect | Details |
|---|---|
| Data collected | Full name, email address, password (encrypted), company name (optional), profile picture (optional) |
| Method of collection | Directly from users during registration or via OAuth providers (Google, Microsoft) |
| Purpose | Account creation, authentication, service provision, and communication |
| Legal basis | Performance of a contract and user consent |
| Retention period | For the duration of the active account, plus any legally required retention period after deletion |
| Disclosure | Authentication providers (Google, Microsoft) if OAuth is used |
| International transfers | OAuth providers may process data in the US under appropriate safeguards (Standard Contractual Clauses) |
2.3 Payment and Billing Data
When you purchase credits:
| Aspect | Details |
|---|---|
| Data collected | Billing name, billing address, VAT number (if applicable), transaction history, credit balance |
| Payment card data | Processed directly by Stripe; DEVERA does not store or have access to full card numbers |
| Method of collection | Through Stripe's secure payment interface |
| Purpose | Payment processing, invoicing, and compliance with tax obligations |
| Legal basis | Performance of a contract and legal obligation |
| Retention period | Transaction records retained for 6 years as required by Spanish tax law |
| Disclosure | Stripe (payment processor) |
| International transfers | Stripe may process data in the US under appropriate safeguards |
For more information, see Stripe's Privacy Policy.
2.4 Product and Analysis Data (PCF Tool)
When you use our Product Carbon Footprint analysis tool:
| Aspect | Details |
|---|---|
| Data collected | Product information (name, description, ingredients/materials, weights, suppliers), manufacturing process data, transport information, packaging details, uploaded documents (Excel files, PDFs) |
| Method of collection | Directly from users through the platform interface or file uploads |
| Purpose | To calculate Product Carbon Footprint following ISO 14067:2018 methodology |
| Legal basis | Performance of a contract |
| Retention period | For the duration of the active account; deleted within 30 days of account closure |
| Disclosure | See Section 3 (AI Services) |
| International transfers | See Section 3 (AI Services) |
Important: We understand that product data may contain sensitive business information (formulations, supplier details, proprietary processes). We treat all product data as confidential and implement appropriate security measures to protect it.
2.5 Generated Reports and Analysis Results
| Aspect | Details |
|---|---|
| Data collected | PCF analysis reports, emission calculations, phase breakdowns, AI-generated insights, report versions |
| Method of collection | Generated by our platform based on user inputs |
| Purpose | To provide the contracted PCF analysis service |
| Legal basis | Performance of a contract |
| Retention period | For the duration of the active account; users may delete individual reports at any time |
| Disclosure | Reports may be shared publicly if the user enables the sharing feature |
2.6 Contact Form Data
| Aspect | Details |
|---|---|
| Data collected | Name, email address, company name, message content, inquiry type |
| Method of collection | Directly from users through contact forms |
| Purpose | To respond to inquiries and provide requested information |
| Legal basis | User consent and legitimate interest |
| Retention period | Maximum of 12 months after the inquiry is resolved |
| Disclosure | May be shared with our customer support tools |
2.7 API Access Data
| Aspect | Details |
|---|---|
| Data collected | API key identifiers, usage logs, request metadata (endpoints, timestamps, IP addresses) |
| Method of collection | Automatically when using the API |
| Purpose | Authentication, rate limiting, usage monitoring, and abuse prevention |
| Legal basis | Performance of a contract |
| Retention period | API keys retained while active; usage logs retained for 12 months |
| Disclosure | None |
2.8 Guest Analysis Data
| Aspect | Details |
|---|---|
| Data collected | IP address, browser fingerprint, analysis timestamp |
| Method of collection | Automatically during trial analysis |
| Purpose | To enforce the one-trial-per-user limit and prevent abuse |
| Legal basis | Legitimate interest |
| Retention period | 12 months |
| Disclosure | None |
3. Use of Artificial Intelligence Services
Our platform uses artificial intelligence services provided by Anthropic (Claude) to analyze product information and generate insights.
3.1 How AI Is Used
- Product Analysis: AI assists in matching product ingredients/materials with emission factor databases.
- Insights Generation: AI generates recommendations for reducing product carbon footprint.
- Data Processing: Product information you provide may be sent to Anthropic's API for processing.
3.2 Data Protection with AI Services
| Aspect | Details |
|---|---|
| Data sent to AI | Product descriptions, ingredient lists, and other product-related information necessary for analysis |
| Data NOT sent to AI | User credentials, payment information, personal contact details |
| Training prohibition | Per our agreement with our LLM provider, your data is NOT used to train AI models |
| Data retention by AI provider | The LLM provider retains API inputs/outputs for a limited period for abuse monitoring, then deletes them |
| International transfers | The LLM provider processes data in the United States under appropriate safeguards |
4. Data Security Measures
We implement appropriate technical and organizational measures:
- Encryption in transit: All data encrypted using TLS/SSL protocols
- Encryption at rest: Personal data and product information encrypted
- Access controls: Strict role-based access controls
- Secure infrastructure: AWS in EU with industry-standard security certifications
- Password security: Hashed using bcrypt, never stored in plain text
- Regular security reviews
4.1 Infrastructure Location
- Primary servers: Amazon Web Services (AWS) EU region (eu-west-1 / eu-central-1)
- Database: Hosted within EU, encrypted at rest using AES-256
- CDN: Cloudflare with EU data processing options enabled
- Backups: Daily automated backups stored in AWS S3 (EU region) with 30-day retention
4.2 Data Residency
All User Data and Generated Reports are stored exclusively in EU data centers, except when processing requires transmission to AI services (see Section 3).
4.3 Certifications and Compliance
- AWS infrastructure operates under SOC 1, SOC 2, and ISO 27001
- GDPR-compliant data processing
- Data Processing Agreement (DPA) available upon request for enterprise customers
5. Data Retention Summary
| Data Category | Retention Period |
|---|---|
| Account data | Duration of active account + legally required period |
| Product/analysis data | Duration of active account; deleted within 30 days of account closure |
| Payment records | 6 years (Spanish tax law requirement) |
| Browsing data | Maximum 18 months |
| Contact inquiries | Maximum 12 months after resolution |
| Generated reports | Until user deletes them or closes account |
6. Where Do Your Data Come From?
- Directly from you: Through registration, contact forms, platform usage, and file uploads
- From OAuth providers: If you sign in with Google or Microsoft
- Automatically collected: Browsing data via cookies and similar technologies
7. Data Disclosure to Third Parties
| Recipient | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Billing information, transaction data |
| Anthropic | AI-powered analysis | Product information (anonymized where possible) |
| AWS | Cloud hosting | All platform data (encrypted) |
| Cloudflare | CDN and security | Browsing data, IP addresses |
| Google/Microsoft | OAuth authentication | Only if you choose OAuth login |
| Email service (AWS SES) | Transactional emails | Email address, name |
We do NOT sell your personal data to third parties.
8. International Data Transfers
We use EU-approved Standard Contractual Clauses (SCCs) with providers in the US. Countries where data may be processed: United States (Stripe, Anthropic, AWS).
9. Your Rights
Under the GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Request correction of inaccurate data |
| Erasure | Request deletion ("right to be forgotten") |
| Restriction | Request limitation of processing |
| Objection | Object to processing based on legitimate interest |
| Portability | Request data in a portable format |
| Withdraw consent | Withdraw at any time |
How to Exercise Your Rights
- Email: info@devera.ai
- Account settings: Access, modify, and delete certain data directly
- Report deletion: Delete individual reports from your dashboard
- Account deletion: Request full deletion by contacting us
We will respond within one month as required by GDPR.
10. Cookies
Our website uses cookies. For full details, see our Cookie Policy.
Types of cookies used: Essential, Analytics, and Preference cookies.
11. Changes to This Policy
We will update the "Last updated" date and notify registered users via email if changes materially affect how we process their data.
12. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):
- Address: Calle Jorge Juan, 6, 28001 Madrid, Spain
- Phone: +34 901 100 099 / +34 91 266 35 17
- Website: https://www.aepd.es
13. Contact Us
ECO Impact Tech, S.L.
Email: info@devera.ai
Address: Calle de la Travesía, S/N, Edificio La Terminal, 46024 Valencia, Spain