Privacy Policy
Effective date: May 14, 2026
Who we are
DevReins is operated by Eric Rosenfeld. If you have questions about this policy, email support@devreins.ai.
What we collect
We collect the minimum information needed to operate the product:
- Email address - collected only if you sign up for the waitlist or early-access programme. We use a third-party email provider (ConvertKit or Buttondown) to store this.
- Anonymous usage analytics - page views and aggregate interaction events collected via Plausible Analytics or GoatCounter. These tools are cookie-free and collect no personally identifiable information. No cross-site tracking. No fingerprinting. Fully GDPR-compliant.
The DevReins viewer app itself (the self-hosted component you run on your own machine) sends no data to us. All tunnelling, file access, and agent communication happen entirely between your phone and your own server.
How we use it
- Your email is used solely to notify you when the product launches or ships major updates.
- Analytics data is used only in aggregate to understand which features are used. It is never sold or shared.
How long we keep it
Your email is retained until you unsubscribe. Every notification email includes a one-click unsubscribe link. To request immediate deletion, email support@devreins.ai and we will remove it within 7 days.
Retention periods
| Data type | How long we keep it | How to delete |
|---|---|---|
| Waitlist / early-access email | Until unsubscribe + 30-day grace | One-click unsubscribe or email us |
| Relay account (paid; planned for v1.1) | While subscription active; 30 days after cancellation | POST /api/account/delete or email us (once available) |
| Server logs (viewer) | 30 days rolling | Automatic (log rotation) |
| Relay logs (planned for v1.1; not collected today) | 7 days, 100 MB cap (planned) | Automatic (platform) |
| Push subscriptions | Until unsubscribe or 90 days inactive | POST /api/push/unregister |
| Backups (Fly.io snapshots) | 30 days | Automatic (platform) |
| Anonymous analytics | Aggregated - not tied to identity | N/A |
Full Retention Policy will be published in the public repository at launch.
Cookies
The DevReins landing site sets at most one cookie:
-
pp_consent- records your cookie banner choice (fulloressential). 1-year expiry,SameSite=Lax, first-party only. No tracking, no personal data.
On your first visit you'll see a small banner with two options: Essential only
(sets just the consent cookie) or Accept all (also loads our privacy-friendly
analytics script, Plausible, which itself sets no cookies). You can change your mind
anytime by clearing the pp_consent cookie in your browser - the banner
will reappear.
The DevReins viewer app you run on your own machine uses a separate single auth
cookie (pp_token) scoped to your dev box; it is not set by this site.
Your rights (GDPR / CCPA)
Regardless of where you live, you can: request a copy of the data we hold about you, ask us to correct, delete, or export it (we will send a CSV), or object to processing. We respond within 30 days for GDPR requests and within 45 days for CCPA requests. Email support@devreins.ai for any of these requests. You may withdraw consent at any time without penalty; withdrawal does not affect the lawfulness of processing prior to withdrawal. EU residents also have the right to lodge a complaint with your local data protection authority.
For California residents (CCPA / CPRA): We do not sell or share your personal information for cross-context behavioral advertising. We do not collect Sensitive Personal Information as defined under the CPRA. We will not deny you service, charge a different price, or provide a different quality of service if you exercise your CCPA rights. You may designate an authorized agent to make a request on your behalf with written authorization. Categories of personal information disclosed in the prior 12 months: email addresses (to ConvertKit or Buttondown for newsletter delivery); aggregated analytics events (to Plausible or GoatCounter).
For EU residents: Our lawful bases for processing are your consent (Art. 6(1)(a) GDPR) for waitlist email, and our legitimate interest (Art. 6(1)(f)) for cookie-free aggregate analytics. In the event of a personal data breach affecting your data we will notify the relevant supervisory authority within 72 hours of becoming aware (Art. 33) and will notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34).
Age: DevReins is a developer tool intended for users 16 and older. We do not knowingly collect information from children. If you believe a child has provided us information, email support@devreins.ai and we will delete it.
Third parties
- ConvertKit / Buttondown - email newsletter delivery. Your email address is shared with whichever provider we use for the waitlist.
- Plausible Analytics / GoatCounter - privacy-first analytics. No cookies. See their privacy policies for details.
- Cloudflare - DNS and CDN. Cloudflare may process connection metadata per their privacy policy.
We do not sell, rent, or share your personal data with any other third parties.
Security
Cellular access today uses TLS via a cloudflared tunnel that you configure on your own dev machine; traffic is encrypted in transit but is decrypted at Cloudflare's edge. An additional end-to-end encryption layer (AES-GCM-256 with X25519 key exchange) is implemented in the code but is dormant in v1.0 -- it will be enabled when the managed relay ships in v1.1. Your dev-machine access is authenticated with a shared bearer token stored locally on the dev box. We follow security best practices; however, no system is perfectly secure -- use a strong, unique token and do not share screenshots of your pair URL.
Changes to this policy
If we make material changes we will update the effective date above and, where appropriate, notify waitlist subscribers by email.