Privacy Policy

1. Introduction

This Privacy Policy describes how Devora DM ("Devora Device Manager," "we," "us," or "our") collects, uses, stores, and protects information when you use our enterprise device management (EMM) platform and/or the Devora Agent mobile application. Devora DM offers two management modes: (1) Google EMM mode, built on top of the Android Management API provided by Google, and (2) Devora Cloud mode, where the Devora Agent app communicates directly with the Devora platform. Both modes are designed to help organizations manage their fleet of Android devices. We are committed to protecting the privacy of both our enterprise customers ("Customers") and the end users of managed devices ("End Users").

2. Information We Collect

Account Information: When you register, we collect your name, email address, username, and password (stored securely hashed). If you register through an affiliate link, we record the referral code.

Company & Organization Data: Information you provide about your organization, including company name, contact email, contact phone, and enterprise configuration settings.

Device Data (Google EMM mode): When devices are enrolled via Google EMM mode, we collect and process device information provided by the Android Management API, including but not limited to:

• Device identifiers (device name, serial number, IMEI where permitted)
• Device hardware and software information (model, manufacturer, OS version, build number, kernel version)
• Network information (Wi-Fi MAC address, IP addresses, network operator)
• Device state and compliance status (encryption status, security posture, policy compliance)
• Application inventory (installed applications, app versions)
• Location data (only when explicitly enabled by a device policy set by your organization's administrator)
• Battery level, storage capacity, and memory information

Device Data (Devora Cloud mode — Devora Agent app): When the Devora Agent app is installed and enrolled using a company code, the app collects and sends the following data directly to the Devora platform:

• Device identifiers (Android device ID, serial number) — Required to uniquely identify each device in the organization's fleet for asset tracking and inventory management
• Device hardware information (brand, model, manufacturer) — Required for IT administrators to identify device types, plan hardware lifecycle, and troubleshoot device-specific issues
• Device software information (Android version, SDK level) — Required to assess security patch levels, ensure OS compatibility, and plan software updates across the fleet
• Battery level and charging state — Required for monitoring device health, identifying devices that need servicing, and ensuring field devices remain operational
• Approximate location (when location permission is granted) — Required for enterprise asset tracking, locating lost or stolen company devices, and verifying device presence at authorized work sites

Permissions used by the Devora Agent app:

• Camera — Used solely for scanning QR codes during device enrollment. No photos or videos are captured, stored, or transmitted.
• Location (approximate) — Used for enterprise asset tracking and locating company-owned devices. Location is sent to the Devora platform only and is visible only to the organization's IT administrator. Location is not collected when the app is not enrolled.
• Internet / Network access — Required to communicate with the Devora platform for enrollment, heartbeat signals, receiving management commands, and reporting device status.
• Device Admin / Device Owner (when provisioned via QR) — Required to execute enterprise management commands such as lock, reboot, and factory reset as directed by the IT administrator.

The Devora Agent app does not collect: IMEI, contacts, call logs, SMS, browsing history, photos, files, microphone data, installed app lists, or any personal communications.

Policy & Configuration Data: Device management policies, enrollment configurations, Wi-Fi network settings, and application deployment configurations created by Customers.

Usage Data: We collect information about how Customers interact with the Devora DM dashboard, including pages visited, features used, and timestamps, to improve the service.

Payment Information: When you subscribe to a paid plan, payment details are processed by our payment provider (Razorpay). We store transaction records (amount, date, plan) but do not store full payment card details.

3. How We Use Your Information

We use collected information strictly for the following purposes:

• Provide the EMM service: Enroll devices, apply management policies, execute remote commands (lock, reboot, wipe), and monitor device compliance as directed by the Customer's administrator.
• Process transactions: Manage subscriptions, billing, and payment processing.
• Communicate: Send account-related notifications, support responses, and service updates.
• Improve the platform: Analyze usage patterns to optimize performance and user experience.
• Ensure security: Detect and prevent fraud, unauthorized access, and abuse.
• Comply with legal obligations: Respond to lawful requests from authorities.

We do NOT use device data or any information collected through the platform (including via the Android Management API and the Devora Agent app) for:

• Advertising, ad targeting, or building advertising profiles
• Selling, renting, or trading data to third parties
• Device financing, credit scoring, or payment enforcement
• Surveillance, user tracking, or monitoring unrelated to enterprise IT administration
• Any purpose unrelated to enterprise device management

4. End-User Transparency & Notification

Devora DM is an enterprise device management platform. As such:

• Enterprise Customers are responsible for informing their End Users that their devices are managed, what data is collected, and how it is used. We strongly recommend that Customers provide written notice to End Users before enrolling devices.
• Managed devices display a persistent notification (provided by Android) indicating the device is managed by an organization.
• No application will be pushed, preloaded, or auto-installed on managed devices without the express and informed prior consent of the Customer's authorized administrator. End Users should be informed by their organization about which applications are deployed.
• Location tracking is only active when explicitly enabled in a device policy by the Customer's administrator. End Users are notified by Android when location sharing is active.

5. Data Security

We implement industry-standard security measures to protect data at rest and in transit:

• All data transmission is encrypted using TLS/SSL
• Sensitive credentials (OAuth tokens, Wi-Fi passwords) are encrypted at rest using AES-256/Fernet encryption with dedicated encryption keys
• User passwords are stored using secure one-way hashing (bcrypt)
• Access to the platform requires authentication and is scoped by role (admin, user)
• Security headers (HSTS, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection) are enforced on all responses
• API access is rate-limited to prevent abuse

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We will notify affected Customers promptly in the event of a data breach.

6. Data Sharing & Third-Party Services

We do not sell, trade, or rent personal information or device data. We share data only as follows:

• Google (Android Management API): Device management operations are performed through Google's Android Management API. Device data flows through Google's infrastructure as part of the management protocol. Google's use of this data is governed by the Google Privacy Policy and the Android Management API Terms of Service.
• Payment processor (Razorpay): Payment details are processed by Razorpay in accordance with PCI-DSS standards. We do not store card details.
• Error monitoring (Sentry): We use Sentry to track and resolve technical errors. Sentry receives minimal technical data necessary for debugging; no personally identifiable information or device data is sent.
• Law enforcement: We may disclose information when required by law, court order, or governmental request.
• With your consent: We may share data with other third parties only with your explicit consent.

7. Data Retention & Deletion

We retain data as follows:

• Account data: Retained while your account is active. Deleted within 90 days of account termination upon request.
• Device data: Retained while the device is enrolled. When a device is unenrolled, unlinked, or wiped, its data is removed from our platform. In Devora Cloud mode, users or administrators can unlink a device at any time, which immediately de-registers it and stops all data collection. Aggregated, non-identifiable logs may be retained for service improvement.
• Payment records: Retained as required by applicable tax and financial regulations.
• Backup data: May be retained for a reasonable period for disaster recovery and legal compliance.

Customers may request deletion of all their data by contacting support. We will process deletion requests within 30 days.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access and receive a copy of your personal data
• Correct inaccurate data
• Request deletion of your data
• Object to or restrict processing of your data
• Data portability (receive your data in a structured, commonly used format)
• Withdraw consent at any time

End Users of managed devices should contact their organization's IT administrator to exercise rights related to device data, as Devora DM acts as a data processor on behalf of the Customer (data controller).

To exercise your rights as a Customer, contact us through the support section in the Devora DM dashboard or email us at the address in the Contact section below.

9. Data Processor & Controller Roles

Devora DM acts as a data processor on behalf of our enterprise Customers (data controllers) for device management data. The Customer determines the purposes and means of processing device data (which policies to apply, which devices to enroll, what data to collect). Devora DM processes this data solely on the Customer's instructions through the platform's features.

Devora DM acts as a data controller for account registration data, billing information, and platform usage analytics.

10. Cookies & Local Storage

Devora DM uses browser local storage to maintain your session (authentication tokens) and user preferences (theme settings, timezone). We do not use tracking cookies, third-party advertising cookies, or analytics cookies.

11. International Data Transfers

Devora DM's servers and Google's Android Management API infrastructure may process data in jurisdictions outside your country of residence. By using our service, you consent to the transfer of data to these locations. We ensure that appropriate safeguards are in place to protect your data in compliance with applicable data protection laws.

12. Children's Privacy

Devora DM is designed exclusively for business and enterprise use. It is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) posting the updated policy with a new "Last updated" date; (b) sending an email notification to registered Customers; (c) displaying an in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

• Through the support section in the Devora DM dashboard
• Email: support@devoradm.com
• Website: https://devoradm.com