Privacy Policy
Last Updated: April 24, 2026
1. Overview
DevLoot ("we," "us," "our," or "Company") respects your privacy and is committed to protecting it. This Privacy Policy explains how we collect, use, disclose, and otherwise process your personal information when you use our marketplace ("Platform"), including through our website, mobile applications, and related services.
This Privacy Policy applies to all users of our Platform, including creators, customers, and visitors. We comply with applicable data protection regulations including GDPR, CCPA, and other relevant privacy laws.
2. Data We Collect
2.1 Information You Provide Directly
- Account Information: Name, email address, username, password, profile picture, and bio
- Profile Data: Geographic location, business information, website URL, and social media profiles
- Payment Information: Credit card details, billing address, and transaction history (processed securely via Stripe)
- Communication: Messages, support inquiries, feedback, and bug reports
- Creator Information: Tax ID, banking details, and payout preferences (for creators and vendors)
- Content: Product descriptions, images, files, documentation, and metadata
2.2 Information Collected Automatically
- Device Information: Device type, operating system, browser type, and unique identifiers
- Usage Data: Pages visited, features used, search queries, download history, and interaction patterns
- Connection Information: IP address, connection speed, and ISP information
- Location Data: General geographic location (country/city level) based on IP address
- Cookies and Similar Technologies: Session tokens, preference identifiers, and analytics tracking
2.3 Information from Third Parties
- Payment Processors: Transaction and fraud information from Stripe
- Analytics Services: Usage analytics from Google Analytics and similar tools
- Social Networks: Profile information if you connect social media accounts
- Public Sources: Publicly available information about your business or professional profile
3. How We Use Your Information
We use the information we collect for the following purposes:
- Platform Operation: Enabling your account, processing transactions, and delivering services
- Communication: Sending transactional emails, notifications, and customer support responses
- Marketing: Sending promotional emails and newsletters (with your consent; you can opt out anytime)
- Personalization: Tailoring your experience, recommendations, and content based on preferences
- Analytics: Understanding user behavior, improving features, and optimizing performance
- Security: Detecting fraud, preventing abuse, and protecting against malicious activity
- Legal Compliance: Complying with laws, regulations, and enforcing our agreements
- Dispute Resolution: Investigating and resolving disputes between users
- Payout Processing: For creators, processing revenue shares and payments via Stripe Connect
4. Third-Party Data Processors
We use the following third-party services that process your personal information:
4.1 Firebase (Google Cloud)
Purpose: Cloud hosting, database, authentication, and real-time services
Data Processed: Account information, user activity logs, uploaded content metadata, and authentication tokens
Firebase is a Google service subject to Google's privacy practices and data processing agreements. Data may be transferred to Google's servers. For more information, see Google's Privacy Policy.
4.2 Stripe
Purpose: Payment processing, transaction handling, and payout management via Stripe Connect
Data Processed: Payment information, billing addresses, transaction history, and creator banking details
Stripe securely processes all payment data and is PCI-DSS compliant. DevLoot does not directly store credit card information. For details, see Stripe's Privacy Policy.
4.3 Google Analytics
Purpose: Website analytics and user behavior tracking
Data Processed: Page views, click patterns, device type, and general location
Google Analytics uses cookies and similar technologies. You can opt out using Google Analytics' opt-out extension.
5. Data Sharing and Disclosure
5.1 When We Share Information
We may share your information in the following circumstances:
- Service Providers: Third parties who provide services on our behalf (payment processing, hosting, analytics)
- Business Partners: Partner platforms or services with your consent
- Legal Requirements: When required by law, court order, or governmental authority
- Protection of Rights: To enforce our agreements, prevent fraud, or protect user safety
- Business Transitions: In case of merger, acquisition, or sale of assets (with notice if legally required)
5.2 What We Don't Share
We do not sell, rent, or lease personal information to third parties for their marketing purposes. We do not share credit card information or banking details with anyone except payment processors necessary for transaction processing.
6. Your Rights and Choices
6.1 GDPR Rights (EU Users)
If you are located in the European Union, you have the following rights:
- Right to Access: Request a copy of your personal data we hold
- Right to Rectification: Correct inaccurate or incomplete information
- Right to Erasure: Request deletion of your data (subject to legal obligations)
- Right to Restrict Processing: Limit how we use your information
- Right to Data Portability: Receive your data in a structured, portable format
- Right to Object: Opt out of marketing communications and certain processing activities
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
6.2 CCPA Rights (California Users)
California residents have the following rights under CCPA:
- Right to Know: Request what personal information is collected, used, and shared
- Right to Delete: Request deletion of personal information collected
- Right to Opt-Out: Opt out of the sale or sharing of personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights
- Right to Correct: Request correction of inaccurate personal information
6.3 How to Exercise Your Rights
To exercise any of these rights, please submit a request to privacy@devloot.com with the subject line "Data Subject Request." Include sufficient information to identify yourself and specify which right you are exercising. We will respond within 30 days (or as required by applicable law).
8. Data Retention
We retain personal information only as long as necessary for the purposes outlined in this Privacy Policy, or as required by law:
- Account Information: Retained while your account is active; deleted upon request after account deletion
- Transaction Records: Retained for 7 years to comply with tax and legal requirements
- Communication Logs: Retained for 2 years for dispute resolution purposes
- Analytics Data: Retained for up to 26 months (aggregated and anonymized)
- Cookies: Session cookies are deleted upon browser closure; persistent cookies expire as noted
Upon account deletion, we will erase personal information except where retention is legally required or necessary for legitimate business purposes (such as fraud prevention).
9. Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, and destruction:
- SSL/TLS encryption for data in transit
- Encryption at rest for sensitive data stored in databases
- Regular security audits and penetration testing
- Restricted access to personal information on a need-to-know basis
- Employee training on data protection and privacy practices
- Incident response plans for potential security breaches
While we implement robust security measures, no system is completely secure. If we discover a security breach involving your personal information, we will notify you and relevant authorities as required by law.
10. Children's Privacy
The Platform is not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13. If we become aware that we have collected information from a child under 13, we will promptly delete such information and terminate the child's account.
Parents or guardians who believe a child has provided information to DevLoot should contact us immediately at privacy@devloot.com.
11. International Data Transfers
DevLoot is based in the United States. Your personal information may be transferred to, stored in, and processed in the United States or other countries where we operate. These countries may have data protection laws that differ from your home country.
When we transfer data from the EU to the United States, we rely on appropriate legal mechanisms such as Standard Contractual Clauses (SCCs) or adequacy decisions. By using our Platform, you consent to the transfer of your personal information to countries outside your country of residence, which may have different data protection rules.
For EU users, you have the right to request information about the safeguards we use for international transfers. Contact privacy@devloot.com for more information.
12. AI-Assisted Disclosure on Listings
When a creator marks a listing as AI-assisted, that flag is stored on the product document alongside the rest of the listing metadata (name, description, pricing). It is displayed publicly on the product detail page and the quick-view modal.
What we store: a boolean flag (aiAssisted: true) on the creator's product document, together with the timestamp of the last edit. We do not store the specific AI tools used, the prompts, or any training-data references — those remain with the creator.
What we do not do: DevLoot does not run generative AI over buyer-submitted content (reviews, messages, support tickets) without consent, does not use buyer purchase history to train third-party foundation models, and does not sell buyer data to AI companies.
Buyer-filtering data: Browsing or filtering by AI-assisted listings in our marketplace is done client-side — the filter choice does not leave your device as a separate analytics event.
13. Contact Form Submissions
When you submit the contact form, we store your name, email address, subject, message, and submission category in our contact_submissions collection so our support team can respond. We do not store your IP address with the submission; IP addresses are used only transiently for rate-limiting the contact endpoint.
Retention: Contact submissions are retained for 24 months from the date of submission, after which they are deleted. Submissions about legal matters (DMCA, security reports, law-enforcement inquiries) may be retained longer if required by applicable law.
Forwarding: Depending on the category selected, submissions are routed to legal@devloot.com, security@devloot.com, support@devloot.com, or creators@devloot.com. We use only our own staff — we do not forward contact-form submissions to external ticketing or CRM systems without first notifying you.
14. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Email: privacy@devloot.com
Mailing Address: DevLoot Privacy Team, [Address], United States
Support Portal: Submit a data request through your account settings
For EU users, you also have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
This Privacy Policy was last updated on March 15, 2026. We will notify you of any material changes at least 30 days in advance.
Questions About Your Privacy?
If you have questions or concerns about our Privacy Policy, please contact us at privacy@devloot.com.