Privacy Policy
Last updated: 1 April 2026
DevFlow Monitoring, Inc. (“DevFlow”) provides API observability tooling. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have over it. If you have questions, email security@devflow.io.
1. Who we are
DevFlow Monitoring, Inc. is a Delaware corporation with offices in San Francisco, California and Lisbon, Portugal. For data we process on behalf of EEA, UK, and Swiss customers, our Lisbon entity (DevFlow Monitoring Europe Lda.) is the contracting party and the EU representative.
2. What we collect
We process two distinct categories of data:
- Account data. Name, work email, employer, role. Provided by you when you sign up or are invited.
- Customer monitoring data. Monitor configuration, response payloads up to 64 KB per check (configurable to 256 KB on Scale tier), incident logs, audit logs. You are the controller of this data; DevFlow is the processor.
3. How we use it
Account data is used to operate the product, send service notices, and (with consent) marketing emails you can opt out of with one click. Customer monitoring data is used solely to operate the monitoring service for you; we never use it to train models or sell it to third parties.
4. Sub-processors
The current list is at /security. We send a 30-day notice before adding a new sub-processor; subscribe at the bottom of the security page.
5. Rights
Your rights under GDPR, UK GDPR, CCPA, CPRA, and VCDPA: access, rectify, erase, port, restrict, object. Exercise them via the dashboard for account data, or by emailing security@devflow.io for monitoring-data requests. We will respond within 30 days.
6. Retention
See our data-retention doc for the per-tier table. Audit logs are retained 365 days on all paid tiers, 30 days on Free.
7. International transfers
We rely on Standard Contractual Clauses for transfers from the EEA and UK to the United States. The relevant SCC modules are part of our DPA, available on request.
8. Cookies
We use cookies for authentication, security, and basic product analytics (we run a self-hosted Plausible instance). No third-party advertising trackers, no Facebook or Google tracking pixels, no session replay tools.
9. Children
Our product is for engineering teams and is not directed to children under 18. We do not knowingly process personal data of minors.
10. Changes
We will notify you of material changes by email at least 30 days in advance. The most recent revision date is at the top of this page.