1. Introduction
This Privacy Policy explains how the devx labs group ("devx labs," "we," "our," or "us") collects, uses, discloses, and protects personal information in connection with the website devxlabs.ai, our services, and our interactions with prospective and existing clients, partners, and visitors.
devx labs operates through two legal entities, each acting as the Data Fiduciary / Data Controller for a defined geography. The entity responsible for your personal information depends on where you are located (see Section 2 below). We are strongly committed to protecting any information we receive from or about you.
2. Who We Are — Applicable Entity by Geography
The following entity is responsible (as Data Fiduciary under India's Digital Personal Data Protection Act, 2023, or Data Controller under the GDPR, Singapore PDPA, or other applicable data protection law) for your personal information:
- If you are located in India: Devx Consultancy Pvt. Ltd., a company incorporated under the laws of India, having its registered office at U-56, Sandhya Darshan Apartment, Surat, Gujarat, India – 395009 ("devx labs India").
- If you are located anywhere outside India (including Singapore, South-East Asia, the Middle East, Europe, the United Kingdom, the United States, and the rest of the world): Devx Labs Pte. Ltd., a company incorporated under the laws of Singapore, having its registered office at AZ @ Paya Lebar, 140 Paya Lebar Road, #08-001, Singapore 409015 ("devx labs Singapore").
These two entities are together referred to as "devx labs," "we," "our," or "us." Where this Policy refers to the applicable entity, this means the entity determined by your location as above.
2.1 Our Role in Processing Your Personal Information
We act in two distinct capacities in relation to personal information:
- As Data Fiduciary / Data Controller — in respect of personal information we collect directly through our website, marketing activities, recruitment, and our own business relationships. This Policy governs that processing.
- As Data Processor — where we process personal information on behalf of our business clients under a services agreement. In those cases, our client is the Data Fiduciary / Data Controller, their privacy policy governs the underlying data, and we process it only per the client's instructions. Section 15 of this Policy sets out our commitments as Processor.
3. Definitions
"Personal Information" means any information relating to an identified or identifiable natural person, including name, email, phone number, IP address, online identifiers, and similar data.
"Services" means our website, our proprietary platforms (including cartx and retailOS where made available), consulting and implementation engagements, and related communications.
"Usage Data" means information collected automatically about how our Services are accessed and used, such as IP address, browser type, pages visited, session duration, and device identifiers.
"Cookies" means small text files stored on your device.
4. Information We Collect
4.1 Information you provide directly
- Contact details submitted through our "Get in Touch" form, including your name, business email, company name, phone number, and the message/query you submit.
- Information you share during sales calls, pitches, workshops, or commercial discussions, including role, organizational details, and project requirements.
- Information submitted when you apply for a role with us, subscribe to our content, or register for an event we host.
4.2 Information collected automatically
- Usage Data including IP address, browser type and version, operating system, referring URL, pages visited, time spent, and clickstream behavior.
- Cookie and similar tracking data.
- Approximate location derived from IP address (used in part to determine the applicable contracting entity — see Section 2).
4.3 Information from third parties
- Information from publicly available sources or business-information databases (e.g. LinkedIn, corporate registries) used for B2B lead research and account planning.
- Information from marketing platforms, analytics providers, and event partners.
- Referrals or introductions made by our existing clients or partners.
5. How We Use Your Information
We use personal information for the following purposes, each supported by an appropriate legal basis under applicable law (your consent, performance of a contract, our legitimate business interests, or compliance with legal obligations):
- To respond to enquiries submitted through our website and conduct sales conversations.
- To provide, maintain, and improve our Services and our products.
- To communicate with you about our services, case studies, thought leadership, events, and other updates we believe are relevant to your business.
- To personalize your experience on our website and understand how visitors interact with our content.
- To conduct research, analytics, and reporting to improve our offerings.
- To manage vendor, partner, and supplier relationships.
- To evaluate candidates for employment.
- To detect, prevent, and address fraud, security issues, and technical problems.
- To comply with legal obligations, defend legal claims, and manage regulatory matters.
- To evaluate and conduct any actual or proposed merger, acquisition, restructuring, financing, or sale of assets.
6. Legal Basis for Processing
Where the GDPR, the UK GDPR, or similar frameworks that require consent or another lawful basis for processing apply, we rely on one or more of the following legal bases:
- Consent — where you have expressly agreed (for example, to marketing emails or non-essential cookies).
- Contract — where processing is necessary to take steps at your request before entering into a contract, or to perform a contract with you or your organization.
- Legitimate interests — including direct B2B marketing to business contacts, securing our Services, improving our offerings, and conducting ordinary business operations, balanced against your rights.
- Legal obligation — where we must process information to comply with applicable law.
Under the DPDP Act (India), we rely principally on consent and on "legitimate uses" as defined in Section 7 of the Act.
7. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate our website, analyze usage, and (where permitted) deliver relevant marketing. You can control or withdraw consent through your browser settings or by contacting us at the address in Section 19.
8. AI Governance — Our Commitments
As an AI-native firm, we recognize that our clients, prospects, and regulators expect clarity on how we handle data in the context of artificial intelligence. We commit to the following:
8.1 We do not train AI models on your data without explicit permission
We do not use personal information collected through this website — including contact form submissions, enquiries, and usage data — to train, fine-tune, or evaluate any machine-learning model, large language model, or similar AI system, unless you have given us explicit prior consent. For personal information processed on behalf of clients, the rules are set by our written engagement agreement (MSA and DPA), not by this Policy; any training use requires specific client authorization in writing.
8.2 AI systems we build for clients
When we design, build, or operate AI systems for clients that process personal data, we do so under the client's written instructions and under terms that govern data residency, model selection, retention, and human oversight. Those projects are governed by the relevant client engagement documents, not by this Policy.
8.3 Third-party AI sub-processors
Our Services may use third-party AI providers (such as foundational model providers and AI infrastructure providers). Where this involves processing personal data, we do so under written contracts requiring appropriate technical, organizational, and contractual protections. The current list of such sub-processors is made available to clients through our engagement documents.
8.4 Human oversight and explainability
For AI systems we build and operate for clients, we work with clients to implement appropriate human oversight, testing, and (where applicable) explainability mechanisms, consistent with emerging AI governance frameworks including the EU AI Act, the NIST AI Risk Management Framework, and sectoral guidance.
9. How We Share Your Information
We do not sell your personal information. We may share your personal information with the following categories of recipients, under appropriate contractual safeguards:
- Service providers and processors who support our operations (e.g. cloud hosting, email delivery, CRM, analytics, marketing automation, customer support tools).
- AI sub-processors as described in Section 8.3.
- Professional advisors (lawyers, auditors, accountants) bound by professional confidentiality.
- Business partners where necessary to deliver jointly-offered services, subject to confidentiality terms.
- Our group affiliates (i.e. sharing between Devx Consultancy Pvt. Ltd. and Devx Labs Pte. Ltd.) for internal operational, commercial, and administrative purposes, subject to intra-group data transfer agreements where required.
- Government authorities, regulators, or law enforcement where required by law, legal process, or to protect the rights, property, or safety of devx labs, our clients, or others.
- Acquirers and advisors in connection with any actual or proposed corporate transaction such as a merger, financing, restructuring, or sale.
10. International Data Transfers
devx labs operates across jurisdictions and may transfer personal information internationally (including between Devx Consultancy Pvt. Ltd. in India and Devx Labs Pte. Ltd. in Singapore, and to service providers in other countries). Where personal information is transferred outside its originating jurisdiction, we take appropriate steps to ensure it remains protected, including through:
- Standard Contractual Clauses, the UK International Data Transfer Agreement, or equivalent mechanisms for transfers from the EEA or UK.
- Contractual clauses that meet the transfer requirements of the Singapore PDPA for transfers out of Singapore.
- Compliance with any restrictions on cross-border transfers notified under Section 16 of the DPDP Act for transfers out of India.
- Intra-group data transfer agreements between our India and Singapore entities.
11. Data Retention
We retain personal information only for as long as is reasonably necessary for the purposes for which it was collected, or as required by applicable law. Indicative retention periods:
- Contact form enquiries and sales leads: up to 36 months from last interaction, unless an ongoing relationship exists.
- Client and vendor records: for the duration of the engagement plus 7 years thereafter (or longer where law requires).
- Recruitment data: up to 12 months for unsuccessful applicants, unless you consent to longer retention.
- Marketing subscription data: until you unsubscribe, and for a reasonable period thereafter for suppression purposes.
- Usage Data and aggregated analytics: typically 26 months in analytics tools, or longer in aggregated/anonymized form.
12. Security
We implement technical, administrative, and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include access controls, encryption in transit and at rest where appropriate, secure cloud infrastructure, personnel training, vendor due diligence, and contractual obligations on our service providers. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If you believe your information has been compromised in connection with our Services, please contact us immediately at himanshu.velvan@devxlabs.ai.
13. Your Rights
Depending on the law applicable to you, you may have some or all of the following rights in respect of your personal information:
- Right to access — to request confirmation of whether we process your personal information and to obtain a copy.
- Right to correction — to request correction of inaccurate or incomplete data.
- Right to erasure — to request deletion of your personal information, subject to certain exceptions.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right to object or restrict processing — particularly for direct marketing and certain legitimate interest processing.
- Right to data portability — to receive your personal information in a structured, commonly used format.
- Right to grievance redressal — under the DPDP Act, the right to raise grievances with our Grievance Officer and, if unresolved, with the Data Protection Board of India.
- Right to lodge a complaint with a supervisory authority in your jurisdiction (including the Personal Data Protection Commission of Singapore, EU supervisory authorities, or the UK Information Commissioner's Office).
- Right to nominate — under the DPDP Act, to nominate another individual to exercise your rights in the event of your death or incapacity.
To exercise any of these rights, please contact us at himanshu.velvan@devxlabs.ai. We may need to verify your identity before acting on your request.
14. Children's Privacy
Our Services are directed at businesses and are not intended for use by children. Under the DPDP Act, a "child" is any individual under 18 years of age, and the Act imposes strict conditions on processing children's personal data, including verifiable parental consent and a prohibition on behavioural monitoring or targeted advertising directed at children. We do not knowingly collect personal information from children. If you believe we may have inadvertently collected such information, please contact us and we will delete it promptly.
15. Processing on Behalf of Clients (Data Processor Role)
When devx labs processes personal information on behalf of a client — for example, in the course of building, operating, or supporting AI systems, marketing automation, customer-experience platforms, or enterprise applications for that client — we act as a Data Processor (or equivalent) and our client is the Data Fiduciary / Data Controller.
In that capacity, we commit to the following (supplemented by the more specific terms of our engagement agreements, including any Master Services Agreement ("MSA") and Data Processing Addendum ("DPA")):
- We process client personal data only on documented, lawful instructions from the client, and only for the purposes set out in the MSA and DPA.
- We implement appropriate technical and organizational measures ("TOMs") proportionate to the risk of processing, including access controls, encryption, secure development practices, logging, incident response procedures, and personnel training.
- We ensure personnel authorized to process client personal data are bound by confidentiality obligations.
- We engage sub-processors (including cloud providers, AI providers, and other service providers) only with the client's general or specific authorization as provided in the DPA, and under written contracts imposing data protection obligations no less protective than those agreed with the client.
- We maintain a current list of sub-processors and provide it to clients on request, with reasonable advance notice of material changes so the client can object.
- We assist the client, as reasonably required, with data subject rights requests, data protection impact assessments, and regulator consultations.
- We notify the client without undue delay of any personal data breach affecting client data, as required by the DPA and applicable law.
- On termination of the engagement, we delete or return client personal data as instructed, subject to retention required by law.
- We submit to audits and certifications as provided in the DPA.
16. Third-Party Sites and Services
Our website and communications may contain links to third-party websites, social media platforms, or services that we do not operate. We are not responsible for the privacy practices of those third parties and encourage you to review their privacy policies before providing them with any personal information.
17. Automated Decision-Making
We do not use your personal information to make decisions that produce legal or similarly significant effects on you solely through automated means. Where automated decision-making is introduced, we will update this Policy and, where required, obtain consent or provide opt-out mechanisms.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will post the updated version on this page and update the "Last updated" date. Material changes will be communicated through appropriate channels where required by applicable law.
19. Grievance Officer, Data Protection Officer, and Contact
Grievance Officer (for DPDP Act purposes — India):
- Name: Himanshu Velvan
- Email: himanshu.velvan@devxlabs.ai
- Postal address: Devx Consultancy Pvt. Ltd., U-56, Sandhya Darshan Apartment, Surat, Gujarat, India – 395009
Data Protection Officer / Representative (for PDPA and GDPR purposes — Singapore/Global):
- Name: Yash Thakker
- Email: yash@devxlabs.ai
- Postal address: Devx Labs Pte. Ltd., AZ @ Paya Lebar, 140 Paya Lebar Road, #08-001, Singapore 409015