Ƒ
Devboxes

Legal

Privacy Policy.

What Devboxes processes, where it runs, and what your rights are — in plain language.

Last updated: July 17, 2026

Beta service. Devboxes is in private beta. This policy describes how the beta works today; when the product changes, this page changes with it.

01

The short version

  • No ads, no tracking, no third-party analytics. Error monitoring runs on our own Sentry instance on German infrastructure — nothing is sent to an analytics company.
  • Hosted in Germany. Cloud sessions run on dedicated servers in Germany, not in the EU region of a US cloud.
  • Your code is processed to run your agents — nothing else. It is never used to train models, ours or anyone else’s.
  • Model providers see run content. When you dispatch a run, the AI model provider you connect (for example Anthropic) processes the code and instructions of that run.
  • Export and deletion are built in. You can take your data out or delete it from your account at any time.

02

Who is responsible (controller)

Devboxes is operated by Firat Özcan, a sole proprietor based in Germany. The postal address is listed in the Imprint.

For anything related to your data, write to privacy@devboxes.ai.

03

What we process, and why

Website and waitlist

Visiting devboxes.ai sets no cookies. If you join the waitlist, we store your email address, its confirmation status with timestamps, and which part of the site the signup came from. We use double opt-in: you are only on the list after you click the confirmation link we email you. Unconfirmed signups are deleted after 30 days.

Account data

You sign in with GitHub (OAuth). We receive your GitHub username, email address, and avatar, and use them to create and operate your account and organization membership.

Repositories and code

When you connect repositories and dispatch a run, the agent accesses the repository metadata and code it needs for the task. Cloud sessions run in Germany. Local runs keep your code on your machine; only the session event stream reaches our servers so you can follow and resume sessions from anywhere.

Run logs and transcripts

A session produces a transcript: prompts, commands, tool events, diffs, and links to the pull requests the agent opens. Transcripts stay available to you and your organization until they expire under your retention setting or you delete them.

Operational logs and error telemetry

Server logs (which include IP addresses) and error reports help us keep the service secure and working. Error monitoring uses a self-hosted Sentry instance running on German infrastructure — error data is not sent to Sentry, the company, or any other third party.

04

Legal bases (GDPR)

  • Contract performance (Art. 6(1)(b) GDPR) — everything needed to provide the service: your account, connected repositories, dispatched runs, and transcripts.
  • Consent (Art. 6(1)(a) GDPR) — the waitlist and product updates. You can withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f) GDPR) — security, abuse prevention, and keeping the service operational (server logs, error telemetry).

05

Where your data lives

The service runs on dedicated servers in Germany. Session data is encrypted at rest, and each session runs in its own container. Your code and transcripts are never used to train models.

06

Who else processes data (subprocessors)

We keep this list short on purpose. These are the third parties involved:

ProviderWhat it does with your data
Cloudflare DNS and CDN for devboxes.ai, storage of waitlist signups, and delivery of waitlist confirmation email.
GitHub Sign-in (OAuth) and the repository integration that lets agents read your repositories and open pull requests.
AI model providers The provider you connect (for example Anthropic) receives the code, instructions, and tool context of the runs you dispatch, under your own subscription or API key and that provider’s terms.

You choose which model provider to connect. Devboxes sends run content to that provider only when you dispatch a run.

07

How long we keep data

  • Runs and transcripts — until they expire under your retention setting or you delete them. Deleting your account or organization deletes its runs.
  • Account data — for as long as your account exists.
  • Waitlist — unconfirmed signups are deleted after 30 days; confirmed signups stay until you unsubscribe or ask us to remove you.
  • Operational logs and error reports — kept only as long as needed for security and debugging, then rotated out.

08

Your rights

Under the GDPR you have the right to access your personal data, to have it corrected or deleted, to restrict or object to its processing, to receive it in a portable format, and to withdraw any consent you have given. You also have the right to complain to a data protection supervisory authority.

Export and deletion are built into your account settings, so you usually will not need to ask. For everything else, email privacy@devboxes.ai.

09

Cookies

The app (app.devboxes.ai) uses cookies strictly to keep you signed in. There are no tracking, advertising, or third-party cookies anywhere. This website sets no cookies at all.

10

Changes to this policy

When the product changes in a way that affects your data, we update this page and the date at the top. For material changes we will notify you in the product or by email.