GDPR Compliance Statement
Effective Date: February 2026 | Last Updated: March 2026
DevStudioAl is committed to protecting your personal data and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR (as retained under the Data Protection Act 2018), and the Albanian Law on Personal Data Protection (Law No. 9887/2008, as amended).
This page explains how DevStudioAl implements data protection principles and ensures that your information is handled transparently, securely, and lawfully.
Data Controller
DevStudioAl is the data controller for personal data collected through our website and services. As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that processing complies with applicable law.
Contact:
Email: [email protected]
We have not appointed a Data Protection Officer (DPO) as we do not meet the threshold that makes this mandatory under GDPR. All data protection enquiries are handled directly by our team at the contact above.
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union, enforceable since May 25, 2018. It gives individuals greater control over their personal data and harmonizes data protection standards across Europe. UK GDPR applies the same framework within Great Britain following Brexit. Albania's Law No. 9887/2008 follows comparable principles and is the primary domestic law governing our operations.
Key GDPR Principles:
- Lawfulness, Fairness, and Transparency: Data must be processed lawfully and transparently
- Purpose Limitation: Data collected for specific, explicit, and legitimate purposes only
- Data Minimisation: Only data that is necessary for the stated purpose is collected
- Accuracy: Personal data must be accurate and kept up to date
- Storage Limitation: Data is retained only as long as necessary for its purpose
- Integrity and Confidentiality: Data must be processed securely, protected against unauthorised access or loss
- Accountability: We are responsible for, and must be able to demonstrate, compliance with all of the above
Data We Collect
DevStudioAl collects the following categories of personal data:
- Contact Information: Name, email address, and company name when you contact us, request a quote, or engage our services.
- Project Data: Technical requirements, specifications, and business information necessary to deliver our services.
- Billing Information: Invoice addresses and payment details (processed securely through third-party payment providers; we do not store card numbers).
- Website Usage Data: IP address, browser type, pages visited, and interaction data through server logs and, where consented to, analytics cookies.
- Communication Records: Emails and other correspondence related to our business relationship.
Our Free Developer Tools
DevStudioAl operates three free developer tools. Each has a distinct approach to data:
- DevPaste (paste.devstudioal.com): Content is encrypted in the user's browser using AES-256-GCM before transmission. The encryption key is embedded in the URL fragment and never sent to our server — we cannot read paste content. Pastes are subject to expiry and deletion. Server access logs (IP, timestamp) are retained for up to 90 days.
- DevJSON (json.devstudioal.com): All JSON processing occurs entirely within your browser. No data you enter is transmitted to or stored on our servers. Only standard server access logs are recorded.
- DevRegex (regex.devstudioal.com): All regex processing occurs entirely within your browser. No data you enter is transmitted to or stored on our servers. Only standard server access logs are recorded.
Legal Basis for Processing
We process personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b)): To deliver the services you have requested and fulfill our contractual obligations.
- Consent (Art. 6(1)(a)): For marketing communications, newsletters, and non-essential analytics cookies. You can withdraw consent at any time.
- Legitimate Interests (Art. 6(1)(f)): To improve our services, maintain website security, and manage our business operations, where these interests are not overridden by your rights.
- Legal Obligation (Art. 6(1)(c)): To comply with tax, accounting, and other regulatory requirements under Albanian and applicable EU/UK law.
DevStudioAl as a Data Processor
When building websites and applications for clients, DevStudioAl may handle personal data belonging to our clients' own customers or users. In such cases, DevStudioAl acts as a data processor on behalf of the client, who is the data controller.
We process such data only on documented instructions from the client, under a Data Processing Agreement (DPA), and implement appropriate technical and organisational safeguards. We do not use client user data for any purpose beyond delivering the agreed services.
If you are a user of a website or application built by DevStudioAl on behalf of a client, please refer to that client's Privacy Policy for details of how your data is managed.
Data Retention
We retain personal data only for as long as necessary for the purpose it was collected:
- Project data: Duration of project plus 7 years for legal and tax purposes
- Client contact information: Duration of business relationship plus 3 years
- Website analytics data: 26 months (where consent was given)
- Marketing preferences: Until you unsubscribe or withdraw consent
- Enquiry data (non-clients): 2 years from last contact
- Server access logs (all tools and website): Up to 90 days
Third-Party Services
We work with carefully selected third-party providers. All providers acting as data processors on our behalf are bound by data processing agreements:
- Analytics: Where analytics cookies are accepted by the user, anonymised usage data may be shared with our analytics provider. No analytics data is processed without consent.
- Hosting: Our website and tools are hosted on servers operated by GDPR-compliant providers with appropriate data processing agreements in place.
- Payment Processing: Payments are handled by secure third-party payment providers (such as PayPal or Stripe). We do not store payment card details. Each provider maintains their own GDPR compliance programme.
- Email Services: Business communications are sent through GDPR-compliant email providers bound by appropriate data processing agreements.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
Your Rights
Under GDPR, UK GDPR, and Albanian data protection law, you have the following rights:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data where it is no longer necessary for the purpose it was collected.
- Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to processing carried out on the basis of legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
How to Exercise Your Rights
To exercise any of your data rights, contact us at:
Email: [email protected]
We will respond within 30 days. For complex requests, we may extend this by a further 60 days, and will notify you within the initial 30-day period if an extension is needed.
Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with your relevant supervisory authority:
- Albania: Commissioner for the Right to Information and Personal Data Protection — idp.al
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: Your national Data Protection Authority
Security Measures
DevStudioAl implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure:
- SSL/TLS encryption for all data in transit
- AES-256-GCM client-side encryption for DevPaste content
- Encrypted storage for sensitive data at rest
- Access controls and authentication mechanisms
- Regular security reviews and vulnerability assessments
- Data breach detection and incident response procedures
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, DevStudioAl will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals directly without undue delay, describing the nature of the breach and the steps being taken to address it.
Cookies and Consent
Our website uses cookies. When you first visit, a consent banner allows you to Accept or Decline non-essential cookies. Essential cookies required for the website to function are always active and do not require consent.
- Essential cookies: Required for basic site functionality (e.g. navigation preferences, session state). Always active.
- Analytics cookies: Used to understand how visitors use our website. Only activated if you click Accept. Your choice is stored for 180 days and can be changed by clearing your browser data.
Your consent choice is stored in your browser's local storage and expires after 180 days, at which point you will be asked again. You can also manage and delete cookies at any time through your browser settings.
International Data Transfers
DevStudioAl operates across Albania, the UK, and Germany. Your data may be processed in these locations. All transfers are conducted lawfully:
- EU/EEA transfers: Covered by GDPR and adequacy decisions or Standard Contractual Clauses (SCCs)
- UK transfers: Covered by UK GDPR and the UK International Data Transfer Agreement (IDTA) where applicable
- Albania: Transfers conducted under Albanian Law No. 9887/2008 with appropriate safeguards aligned with EU SCC frameworks
Updates to This Statement
We may update this GDPR Compliance Statement periodically to reflect changes in our practices or applicable law. Any changes will be posted on this page with a revised "Last Updated" date. We encourage you to review this page regularly.
Contact Us
For any questions about this statement, our data practices, or to exercise your rights, please contact us:
Email: [email protected]
We aim to respond to all data protection enquiries within 30 days.