Bookeeping Logo
Book a demo

Legal · privacy

Privacy Policy

Last updated: May 25, 2026

Introduction

This Privacy Policy explains how Devi AI LLC (“Devi”, “we”, “us”) collects, uses, shares, and protects personal data in connection with the Devi AI white-label agency program (the “Service”) — including the agency portal at agency.ddevi.com and client facing service ailogin.link, the branded Chrome extension we provision for your End Clients, and the supporting APIs.

Two distinct groups interact with the Service:

  • Agencies — marketing agencies, growth consultancies, and operators who subscribe to the Program, brand the Service, and resell it to their own customers.
  • End Clients — the customers an Agency provisions, who install the Agency-branded extension and sign in with a license key the Agency generates.

For personal data of End Clients processed through the Service, the Agency is the data controller and Devi is the data processor. For data about the Agency itself (the business and its administrators), Devi acts as the data controller. This is reflected in our Terms of Use and in the relevant sections below.

1. Data We Collect

1.1 From Agencies

When you sign up and operate your agency account, we collect:

  • Account and contact data: business name, administrator name, email address, phone number, country, address.
  • Brand assets you upload: logo, color palette, support email, support phone, custom domain.
  • Billing data: Stripe customer identifier, plan, invoice history, and the last four digits and brand of the card on file. Full card numbers are processed and stored by Stripe, not by Devi.
  • Configured secrets: the AI provider API key you connect (e.g., OpenAI). Secrets are encrypted at rest with envelope encryption; we do not display them in plaintext after submission.
  • Usage and product telemetry: portal page views, feature events, error logs, IP address, browser, operating system, approximate location derived from IP.
  • Support correspondence: messages you send us by email, chat, or in-product feedback.

1.2 From End Clients (processed on the Agency’s behalf)

When an End Client uses the branded extension, we process the minimum data needed to operate the Service:

  • License-key authentication: the license key issued by the Agency, the platforms enabled, and a session token.
  • Configuration: the Agency-defined platforms, groups, and keywords assigned to the End Client.
  • Lead metadata: short summaries, intent scores, and references that the AI extracts from posts the End Client is already authorized to view, in order to surface buyer-intent leads inside the extension UI.
  • Limited diagnostic logs: extension version, error reports, and rate-limit signals. We do not associate these with the End Client’s social-network identity beyond what the Agency configures.

We do not collect or store:

  • End Clients’ social-network passwords (they remain authenticated in their own browser session).
  • The full content of private inboxes, direct messages, or any post the End Client is not authorized to view.
  • Bulk archives of social-network content. Post content cached in the browser to power the extension is processed locally and discarded according to the schedule described in Section 3.

2. How We Use Data

We use the data described above to:

  • provide, operate, secure, and improve the Service;
  • authenticate users and license keys;
  • generate AI-assisted lead intelligence using the connected OpenAI key;
  • bill Agencies, prevent fraud, and meet tax and accounting obligations;
  • communicate service-related notices (billing, security, material changes to these policies);
  • send Agency-facing product updates and educational material (you can opt out at any time);
  • comply with legal obligations and respond to lawful requests.

We do not sell personal data, and we do not use End Client lead data to train shared machine-learning models for any other Agency.

3. Data Storage, Retention, and Deletion

  • Account, brand, and configuration data are retained for as long as your subscription is active and for a reasonable period afterwards for audit and legal-compliance purposes, then deleted or anonymized.
  • Lead metadata surfaced inside the extension is retained for up to 30 days by default and then automatically purged. Agencies may configure shorter retention.
  • Post content briefly cached in the browser for productivity (e.g., to avoid re-fetching) lives only in the End Client’s local browser storage and is automatically cleared on session end or within 30 days, whichever comes first.
  • Backups are encrypted and rotated on a standard schedule.
  • On termination of an Agency subscription, we will delete or anonymize Agency-controlled data within ninety (90) days, except where retention is required by law or to resolve a dispute.

4. Sharing and Disclosure

We share personal data only with the categories of recipients listed below, and only as needed to provide the Service:

  • Subprocessors we engage to operate the Service (see Section 6).
  • Payment processor (Stripe) for billing the Agency.
  • AI provider (OpenAI, via the key the Agency supplies) for inference on lead text.
  • Professional advisors such as auditors and lawyers, under confidentiality obligations.
  • Acquirers in connection with a merger, acquisition, or sale of substantially all of our assets.
  • Authorities when required to comply with applicable law, lawful process, or to protect rights, safety, and the integrity of the Service.

We do not sell or rent personal data, and we do not share it for cross-context behavioral advertising.

5. International Transfers

Devi is based in the United States. When personal data is transferred from outside the U.S. to Devi or its subprocessors, we rely on appropriate safeguards, including Standard Contractual Clauses where applicable.

6. Subprocessors

We use the following categories of subprocessors. The list is illustrative of the current stack and may change; we will update it before adding a new subprocessor that materially affects how Agency-controlled data is processed.

Subprocessor Purpose Region
MongoDB Atlas Primary database for accounts, configuration, and lead metadata United States
Amazon Web Services ( SES) Email & Others United States
Cloudflare (Storage, Workers) Object storage and CDN United States
Stripe Payment processing and billing Distributed
OpenAI (via the API key you connect) LLM inference for intent scoring and reply drafts Distributed
Microsoft Clarity Anonymous product-usage analytics Distributed

Each subprocessor is bound by a written agreement that imposes data-protection obligations consistent with this Privacy Policy.

7. Security

We take reasonable and appropriate technical and organizational measures to protect personal data, including:

  • TLS 1.2+ in transit and AES-256 at rest for stored secrets and backups.
  • Envelope encryption for connected API keys.
  • Role-based access control for the agency portal and internal admin tooling.
  • Audit logging of administrative actions.
  • Network isolation and least-privilege access to production infrastructure.
  • Periodic dependency and infrastructure reviews.

No system is perfectly secure. If you believe your account has been compromised, contact support@ddevi.com without delay.

8. Your Rights

Depending on where you are located, you may have rights to:

  • access the personal data we hold about you;
  • correct inaccurate or incomplete data;
  • request deletion of your data;
  • restrict or object to certain processing;
  • portability of data you have provided to us;
  • withdraw a consent you previously gave (without affecting prior processing); and
  • lodge a complaint with your local data-protection authority.

To exercise these rights with respect to Agency administrator data, email support@ddevi.com from the address on file.

For rights requests from End Clients, please contact your Agency first — the Agency is the data controller for that relationship. Devi will support Agencies in responding to verified End Client requests.

9. Cookies and Similar Technologies

The agency portal uses a small number of first-party cookies and local-storage items strictly necessary for sign-in sessions, CSRF protection, and remembering UI preferences. Aggregate product analytics may be collected through Microsoft Clarity to help us understand and improve the portal. The branded extension uses local browser storage only as described in Section 3.

10. Children

The Service is not directed to, and we do not knowingly collect personal data from, children under 18. If you believe a child has provided personal data to us, contact support@ddevi.com and we will delete it.

11. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced through the agency portal or by email at least fifteen (15) days before they take effect, and the “Last updated” date above will be revised. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact

For questions about this Privacy Policy, our data practices, or to exercise your rights:

Devi AI LLC · State of Wyoming, USA