Privacy Policy

Introduction

Based on Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

This policy describes how DevMesh, operated by Kapás Bence egyéni vállalkozó (the "Company"), processes personal data.

Data controller details

• Data controller name: Kapás Bence
• Registered office: 4200 Hajdúszoboszló, Szívós utca 24, Hungary
• Mailing address: 8600 Siófok, Kenedy Ferenc utca 13 A/1, Hungary
• Email: privacy@devmesh.app
• Phone (non-recorded line): +36 30 390 6392
• Website: https://devmesh.app (not accessible for the blind and visually impaired)

The Company does not appoint a data protection officer.

General information

The Company processes the categories of personal data specified under the section on data subjects, purpose and duration of processing.

Profiling: the Company does not perform profiling-based data processing.

The Company uses cookies on its website.

Detailed information about the cookies used on this site — including specific vendors, purposes, and retention — is available in the Cookie Policy at /cookies.

Cookies used

• Analytics and tracking cookie
• Website tracking
• Login / user identifier session cookie

Most browsers include a "Help" function that explains how to disable cookies, accept new cookies, instruct the browser to set a new cookie or disable other cookies.

I. Legal basis of processing

Processing is necessary for the performance of a contract or on the basis of legal obligations.

Providing data is voluntary; the data subject is not obliged to give consent, however acknowledges that without providing the data, the Company cannot initiate or continue the business relationship.

II. Data subjects, purpose and duration of processing

Processing covers all partner / customer / client data (data subjects).

The Company processes personal data solely for the purpose (purpose limitation) of providing the services and payments specified in the engagement contract.

• Private individual client (family and given name, address, email, phone) — contract creation, contact. Retention: for framework contracts, 8 years after termination; for one-off engagements, 8 years after performance (accounting retention).
• Individual representing a corporate entrepreneur (name, email, phone) — contract creation, contact. Retention: for framework contracts, 3 months after termination or end of representation; for one-off engagements, 3 months after performance.
• Sole proprietor (name, registered seat, entrepreneur ID number, bank account number, email, phone) — contract creation, contact. Retention as above.
• Newsletter subscribers (name, email, subscription date) — information provision, contact. Retention: until withdrawal of consent; if a data accuracy request email receives no active response, 3 months from the date of that email.
• Users of the Company's open social media pages (Facebook, X, YouTube, Instagram, LinkedIn, etc. — voluntarily registered name and public profile picture) — information provision, contact. Retention and modification governed by the rules of the respective social network.
• Users of the Company's closed social media groups — additional information, contact. Retention from acceptance until leaving or exclusion; governed by the rules of the first pinned post.
• Blog comments on the Company's website (name, email) — enabling voluntary comments. Retention: until the data subject withdraws consent in writing.
• Blog notification subscribers (email) — voluntary notification of new comments on a given post.
• Registered users of any DevMesh online services or webshop (name, email, billing address, shipping address, phone, subscription date, device data generated during service use, cookies identifying the browser) — sales, information provision, contact. Retention: from registration until withdrawal.
• Person submitting a liability claim or complaint (name, address, ID document name and number) — legal handling of the claim or complaint. Retention: 5 years from the date the response is sent.

Providing data is a condition for delivering the services specified in the Company's contract; without providing them or in case of later deletion requests, the service cannot be provided.

III. Scope of data processors

The Company engages the following third-party processors to operate the DevMesh services. Each processor handles only the data needed for its purpose, under a data-processing agreement and within the controls described in their own privacy policies.

• Stripe Payments Europe, Ltd. (Ireland) — payment processing for subscriptions and one-off invoices. Receives: customer email, billing details, payment instrument data.
• Supabase, Inc. (United States) — application database, authentication, and session storage. Receives: account email, hashed credentials, app-level user data.
• Amazon Web Services EMEA SARL (Luxembourg) — hosting and storage infrastructure for the DevMesh web and API services. Receives: server logs, traffic metadata, encrypted user content at rest.
• Plausible Analytics (Plausible Insights OÜ, Estonia) — privacy-focused web analytics. Receives: aggregated, cookie-less page-view data.
• Microsoft Clarity (Microsoft Corporation, United States) — anonymized session analytics used to debug UX issues. Receives: interaction events and masked recordings.
• Google LLC (United States) — Google Tag Manager / gtag for marketing measurement and ad attribution where enabled. Receives: device, browser, and event metadata.
• Anthropic, PBC and OpenAI, LLC (United States) — large-language-model inference for AI-assisted features inside the DevMesh application. Receives: prompts the user submits to AI features and the resulting completions.
• Independent accountant (Hungary) — statutory bookkeeping and invoicing. Receives: invoice-level customer name and contact data.

IV. Data transfer and processing

Some processors listed above (Stripe, Supabase, AWS, Microsoft, Google, Anthropic, OpenAI) operate infrastructure outside the European Economic Area. Where required under GDPR Art. 44–49, transfers rely on the European Commission's Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism published by the relevant processor.

V. Rights of data subjects

Right to information: upon request, the data controller must provide clear, easily accessible information about the key aspects of processing (who, what, for what, how, from when, until when).

Right of access: the individual may request information on whether their data is being processed and, if so, which data is processed.

Right to rectification: the data subject may indicate that the processed data is inaccurate and request what should be displayed instead. The controller is responsible for accuracy, so periodic verification is recommended.

Right to erasure: the data subject may request deletion at any time. If the controller has allowed third parties access to the data to be erased, it must inform all recipients to delete references and stored personal data.

Right to restriction: in certain cases the data subject may request restriction of processing, for example in a disputed situation or when processing is no longer necessary but the data subject still requests restriction.

Right to data portability: the data subject may request the data in a structured, commonly used, machine-readable format (e.g. .doc, .pdf) and transfer it to another controller without hindrance.

Right to object: the data subject may object to processing based on their situation. This typically occurs when no consent was given for the specific processing.

Right to withdraw consent: the data subject may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

The data subject may exercise their rights by a statement to the data controller, orally or in writing, by post, email or via the website — preferably through the channel by which the data was provided.

VI. Complaints

If the data subject has a complaint about processing, we suggest first addressing the controller (the Company). The controller has 30 calendar days to investigate and respond. If the complaint persists, the data subject may turn to a court or the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság) at the following contacts:

• Postal address: 1530 Budapest, Pf.: 5.
• Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
• Phone: +36 (1) 391-1400
• Fax: +36 (1) 391-1410
• Email: ugyfelszolgalat@naih.hu
• Website: http://naih.hu

VII. Changes

The Company may modify this policy; the current policy is always available on the Company's website. Continued use of DevMesh services after publication of an updated policy constitutes acceptance of the revised policy.