Privacy Policy

How we protect and handle your data

Version v1.0.2
Effective: 2025-01-07
Updated: 2025-12-07

1 Introduction

This Privacy Policy describes how Izinga Software Private Limited ("Company," "we," "us," or "our") collects, uses, and protects your personal information when you use DeviceLab ("Service"), our secure distributed mobile device testing platform.

Our Contact Information

Izinga Software Private Limited

Center for Innovation and Entrepreneurship,
Indian Institute of Information Technology,
Gachibowli, Hyderabad - 500 032, India

legal@devicelab.dev

2 Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name: Your full name from OAuth providers (Google, GitHub)
  • Email address: Your email address from OAuth providers
  • Company name: Derived from your email domain or OAuth provider information
  • Avatar URL: Profile picture URL from OAuth providers (we do not store the actual image)
  • OAuth identifiers: Necessary tokens for authentication

2.2 Device and Technical Information

To provide our testing services, we collect:

  • Device metadata: Device name, operating system, OS version, serial number
  • Node information: Operating system details, tool versions (Java, ADB, Appium, Maestro, etc.)
  • Test session data: Test job details, test case information, session metadata
  • Usage data: Service usage patterns, feature utilization

2.3 Optional Test Logs

  • Test logs: If you opt in, we store test execution logs in Google Cloud Storage
  • Test results: Associated test outcomes and performance data

2.4 Payment Information

  • Transaction data: Payment history, subscription status, billing amounts
  • Razorpay data: We use Razorpay for payment processing but do not store credit card information

2.5 Automatically Collected Information

  • Cookies: Session cookies for authentication (30 days) and CSRF protection (1 hour)
  • Log data: Server logs, IP addresses, browser information, access times

Note: We do not currently use analytics cookies or tracking technologies like Google Analytics.

2.6 Security Monitoring

For security and fraud prevention purposes, we log unauthorized sign-in attempts when access is blocked, including:

  • Email address: The email used in the blocked sign-in attempt
  • Name: Your name from the OAuth provider (Google/GitHub)
  • Domain name: The email domain (e.g., gmail.com)
  • IP address: Your IP address for security monitoring
  • Browser information: User agent string for device/browser identification
  • Timestamp: When the attempt occurred

Legal Basis: Legitimate interest (GDPR Art. 6.1.f) for security, fraud prevention, and access control
Retention: 90 days, then automatically deleted
Purpose: Prevent unauthorized access, detect abuse patterns, and maintain platform security

3 How We Use Your Information

3.1 Service Provision

  • Providing and maintaining the DeviceLab testing platform
  • Authenticating your account and managing sessions
  • Facilitating device connections and test execution
  • Processing payments and managing subscriptions

3.2 Service Improvement

  • Analyzing usage patterns to improve our Service
  • Developing new features and capabilities
  • Monitoring system performance and reliability
  • Troubleshooting technical issues

3.3 Communication

  • Sending service-related notifications and updates
  • Responding to your inquiries and support requests
  • Providing important security or legal notices

3.4 Legal Compliance

  • Complying with applicable laws and regulations
  • Protecting our rights and preventing fraud
  • Responding to legal requests and court orders

4 Information Sharing and Disclosure

4.1 Third-Party Service Providers

We share information with trusted third-party providers who assist in operating our Service:

  • Google Analytics: For website and application analytics
  • Razorpay: For payment processing (transaction data only)
  • SendGrid: For email delivery services
  • Google Cloud Platform: For hosting and infrastructure
  • Monitoring tools: For system performance and security monitoring
  • Cloudflare TURN servers: For WebRTC relay connections (see section 4.5 below)

4.2 OAuth Providers

We receive limited information from OAuth providers (Google, GitHub) including name, email, and avatar URL as necessary for authentication.

4.3 Legal Requirements

We may disclose information when required by law, court order, or to protect our rights, property, or safety, or that of our users or the public.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the business transaction.

4.5 WebRTC TURN Relay Servers

Our platform uses WebRTC technology for real-time device connections. When direct peer-to-peer connections are not possible due to network restrictions (firewalls, NATs), your test data may be routed through TURN relay servers:

⚠️ Important Privacy Notice

TURN relay servers are ALWAYS enabled by default to ensure reliable connections across all network environments. This means:

  • Your test data may be routed through Cloudflare TURN servers when direct P2P connection fails
  • WebRTC automatically selects the best connection path (Direct > STUN > TURN)
  • Connection type depends on BOTH your network AND the peer's network capabilities
  • TURN is used only when necessary as a fallback mechanism

ℹ️ Technical Details

When TURN is used:

  • Symmetric NAT configurations (common in corporate/mobile networks)
  • Restrictive firewalls that block direct UDP connections
  • Both peers behind incompatible NAT types
  • Carrier-grade NAT (CGNAT) or multiple NAT layers

Data that may transit TURN servers:

  • Device screen streaming data (video/images)
  • Test files transferred between nodes
  • Test automation commands and responses
  • HTTP proxy traffic for Appium tests

✓ Security Measures

  • End-to-end encryption: All WebRTC connections use DTLS/SRTP encryption, even when relayed through TURN
  • Temporary relay: TURN servers only relay encrypted packets and cannot decrypt your data
  • No data retention: Cloudflare TURN servers do not store relayed data
  • Short-lived credentials: TURN credentials expire after each session
  • Trusted provider: We use Cloudflare, a SOC 2 Type II certified provider

5 Data Storage and International Transfers

5.1 Storage Locations

  • Primary data: Stored in Google Cloud regions in the USA and Europe
  • Backup data: May be replicated across multiple regions for redundancy
  • Test logs: Stored in Google Cloud Storage (if opted in)

5.2 International Transfers

Your data may be transferred to and processed in countries other than India, including the United States and European Union. We ensure appropriate safeguards are in place for such transfers.

5.3 Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security monitoring and updates
  • Secure coding practices

6 Data Retention

6.1 Account Data

  • Core account information: Name, email, company name retained for 7 years, or longer if required by applicable law, for legal and business requirements
  • Device and session metadata: Retained for 1 year, then automatically deleted
  • Payment transaction data: Retained for 7 years for tax law compliance and legal purposes

6.2 Test Data

  • Test logs: If enabled, stored for 1 month then automatically deleted
  • Test session data: Retained for 1 year then automatically deleted

6.3 Backup Data

  • Log backups: Retained for 1 month
  • Other data backups: Retained for 1 year
  • Legal retention: Email addresses and basic account information may be retained longer for legal compliance

6.4 Account Deletion

Upon account cancellation:

  • Account becomes inactive immediately
  • Test logs deleted within 1 month
  • Other data deleted within 1 year
  • Some information may be retained longer for legal requirements

7 Your Rights and Choices

7.1 Data Access

You can access and download your account data and test history through your account dashboard or by contacting us at legal@devicelab.dev.

7.2 Data Correction

You can update your company name and other profile information through your account settings. Avatar URLs are refreshed from OAuth providers upon each login.

7.3 Data Deletion

You may request deletion of your personal account data. However, as a B2B platform, data ownership is divided:

  • Your Personal Data: Name, email, profile information - can be deleted upon request
  • Organization Data: Test results, jobs, devices, session history - belongs to your organization and remains
  • Financial Records: Payment transactions retained for 7 years per tax law (GDPR Art. 17.3b)

To request account deletion, contact legal@devicelab.dev. If you are the sole administrator of an organization, you must first transfer ownership before deleting your account.

7.4 Opt-Out Options

  • Test log storage: You can disable test log storage in your account settings
  • Marketing communications: Future opt-out features will be available in account settings
  • Analytics: You can disable cookies in your browser settings

7.5 Account Deactivation

You may deactivate your account at any time through your account settings or by contacting us.

7.6 Data Ownership in B2B Context

DeviceLab operates as a Business-to-Business (B2B) SaaS platform. Understanding data ownership is crucial:

Three Types of Data:

1. Your Personal Data (You Control)

Account credentials, profile information, preferences

✓ Can be deleted when you leave

2. Organization Data (Organization Controls)

Test sessions, devices, jobs, configurations created within the organization

→ Remains with organization when you leave

3. Financial/Legal Data (Legal Requirement)

Payment records, invoices, transaction history

⚠ Retained 7 years per tax law (overrides deletion rights)

When you work within an organization, your organization is the data controller for business data. DeviceLab acts as the data processor.

8 Cookies and Tracking Technologies

8.1 Cookies We Use

  • Essential cookies: Session cookies for user authentication and session management (required for service functionality) - Duration: 30 days
  • Security cookies: CSRF tokens for protection against cross-site request forgery attacks - Duration: 1 hour
  • Consent preferences: Stored in your browser's local storage to remember your privacy choices - Duration: Until you clear browser data

Analytics cookies: We do not currently use analytics cookies or tracking technologies like Google Analytics. If this changes in the future, we will update this policy and request your consent.

Your Control: When you first visit our site, you'll see a cookie consent banner. You can choose to accept all cookies (including analytics) or use essential cookies only. You can change your preferences at any time through your browser settings.

8.2 Cookie Management

You can control cookies through your browser settings, with the following important considerations:

⚠️ Essential Cookies Required

Essential cookies (session, CSRF) cannot be disabled without breaking core functionality. These cookies are required for:

  • Logging in via OAuth2 (Google/GitHub)
  • Staying logged in during your session
  • Security protection against attacks (CSRF)

✓ Optional Cookies (Your Choice)

Analytics cookies can be disabled without affecting functionality. You can choose "Essential Only" in the cookie banner to reject Google Analytics while still being able to use the service.

9 Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover we have collected information from a child under 13, we will delete it immediately.

10 Regional Privacy Rights

10.1 European Union (GDPR)

If you are in the EU, you have additional rights including:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent

10.2 California (CCPA)

If you are a California resident, you have rights including:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of sale of personal information
  • Right to non-discrimination

10.3 India (DPDP Act)

Under India's Digital Personal Data Protection Act 2023, you have the following rights:

  • Right to access information about your personal data processing
  • Right to correction and erasure of your personal data
  • Right to grievance redressal
  • Right to nominate another person to exercise your rights

To exercise these rights, contact our Grievance Officer at legal@devicelab.dev.

11 Data Breach Notification

In the event of a data breach that may affect your personal information, we will notify affected users within 72 hours of becoming aware of the breach, or as required by applicable law. Notification will be provided via email to your registered email address and/or through the Service.

12 Changes to This Privacy Policy

12.1 Policy Updates

We may update this Privacy Policy from time to time. Updated versions will be posted on our website with a new "Last Updated" date.

12.2 Notification

It is your responsibility to review this Privacy Policy periodically. Continued use of our Service after changes constitutes acceptance of the updated policy.

12.3 Material Changes

For material changes that significantly affect your rights, we will provide at least 30 days' notice before the changes take effect through email or Service notifications.

13 Contact Information

13.1 Privacy Questions

For questions about this Privacy Policy or our data practices, contact us at:
Email: legal@devicelab.dev

13.2 Data Subject Requests

To exercise your privacy rights or request data access, correction, or deletion, contact us at legal@devicelab.dev with your request details.

13.3 Mailing Address

Izinga Software Private Limited

Center for Innovation and Entrepreneurship
Indian Institute of Information Technology
Gachibowli, Hyderabad - 500 032, India

14 Governing Law

This Privacy Policy is governed by the laws of India. Any disputes will be resolved in the courts of Hyderabad, Telangana, India.

By using DeviceLab, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.