Privacy Policy
1. Data Protection at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any information that can be used to identify you personally. Detailed information on data protection can be found in this Privacy Policy.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find the operator's contact details in the section "Information about the controller" in this Privacy Policy.
How do we collect your data?
Some data is collected when you provide it to us. This may include data you enter when signing in with GitHub.
Other data is collected automatically by our server systems when you visit the website. This is limited to technical data that your browser automatically transmits, such as browser type, operating system, access time, and referrer URL. This collection is purely server-side. We do not use client-side tracking scripts, analytics cookies, or visitor IDs.
What do we use your data for?
Some data is collected to ensure the website is provided without errors. Server-side access data is used in aggregated form to understand website usage. If you use dev-drill, we process your exercise results and training progress to generate personalized AI-supported exercises. dev-drill does not analyze your GitHub commits, pull requests, or code reviews.
What rights do you have regarding your data?
You have the right at any time to receive information free of charge about the origin, recipients, and purpose of your stored personal data. You also have the right to request correction or deletion of this data. If you have given consent to data processing, you may revoke that consent at any time for the future. You also have the right, in certain circumstances, to request restriction of the processing of your personal data. In addition, you have the right to lodge a complaint with the competent supervisory authority.
You can contact us at any time if you have questions about data protection or your rights.
2. Information about the Controller
The controller responsible for data processing on this website is:
Sebastian Sigl
Roquettestr. 34
01157 Dresden
Germany
Email: hello@dev-drill.com
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data.
3. Data We Collect
Data You Provide
- Account data: GitHub username, user ID, email address (if shared), and profile image URL — collected via GitHub OAuth during signup.
- Training preferences: Preferred programming languages and roles — collected via the Settings page.
- Feedback: Exercise feedback (rating and optional comments) and general feedback messages — submitted voluntarily via in-app forms.
- Early access form: Name, email, role, and optional message — submitted voluntarily on the landing page.
Data Collected Automatically
- Server-side analytics (landing page): Page path, browser type (user-agent), and referrer URL — collected only after you give consent via our cookie banner. Raw events are retained for 6 months, then aggregated to daily counts.
- App analytics: Event name, timestamp, and anonymized properties — collected for authenticated users based on legitimate interest (Art. 6(1)(f) GDPR) for service improvement.
- Exercise and training data: Session history, exercise types attempted, scores, difficulty progression, and AI-generated exercise content — processed to provide the training service.
- LLM prompt logs: Prompts sent to AI providers, model responses, token usage, and latency metrics — retained for 90 days (full prompts), then anonymized.
Data We Do NOT Collect
- We do not analyze your GitHub commits, pull requests, or code reviews.
- We do not use client-side tracking scripts, analytics cookies, or visitor IDs.
- We do not serve ads or share data with advertising networks.
4. Cookie and Storage Usage
We use minimal first-party cookies and browser storage:
- Session cookie (`session_user_id`): HttpOnly, Secure. Required to keep you signed in. Deleted when you log out or after 30 days.
- Consent cookie (`consent_preferences`): Stores your analytics consent choice on the landing page. Expires after 12 months. You can change your preference at any time via the "Cookie Settings" link in the footer.
- OAuth state cookie (`__Host-oauth_state`): Short-lived (10 minutes) cookie to protect against CSRF during GitHub OAuth. Deleted after use.
- Terms acceptance cookie (`__Host-terms_accepted`): Short-lived (10 minutes) cookie to pass your terms acceptance through the OAuth flow. Deleted after use.
We do not use third-party cookies, marketing cookies, or client-side analytics scripts.
5. AI Processing
dev-drill uses AI to generate exercise content, evaluate your answers, and power the interactive teacher conversation feature. This section describes what data is sent to AI providers and how it is handled.
What Data Is Sent to AI Providers
- Exercise generation: Exercise type, difficulty level, knowledge area, and your training context (preferred languages, roles). No personal identity data is included in prompts.
- Answer evaluation: Your submitted answer, the exercise content, and difficulty level. Evaluated to produce a score and explanation.
- Teacher conversation: Your messages in the conversation and relevant course context. Conversations are streamed in real-time and not stored permanently.
Prompt Logging and Retention
Full prompts and model responses are logged for quality assurance and cost tracking. These logs are retained for 90 days, after which prompt content is automatically purged. Metadata (model, token usage, latency) may be retained longer in anonymized form.
AI Transparency
All AI-generated content in dev-drill is marked with a disclosure notice. AI-generated exercises, evaluations, and teacher responses may contain errors and should not be relied upon as professional engineering advice.
6. Third-Party Processors (Subprocessors)
We use the following third-party services that may process personal data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting and server-side rendering | United States |
| Neon (Serverless Postgres) | Database hosting (PostgreSQL) | EU / United States |
| Paddle.com Market Ltd | Payment processing, subscription billing (Merchant of Record) | United Kingdom / United States |
| Amazon Web Services (Bedrock) | AI content generation and evaluation | United States |
| OpenRouter | Alternative AI content generation (when configured) | United States |
| GitHub (Microsoft) | OAuth authentication provider | United States |
| Amazon Web Services (SES) | Email delivery for form notifications | EU (Frankfurt) |
We will update this Privacy Policy and post a notice on our blog when subprocessors change. We encourage you to review this page periodically.
7. International Data Transfers
Some of our subprocessors are located outside the European Economic Area (EEA). Where data is transferred to countries without an adequacy decision by the European Commission, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, as implemented by the respective processor.
- EU-US Data Privacy Framework — applicable to providers that have certified under this framework (e.g., AWS, Vercel).
For OpenRouter, we verify that appropriate transfer mechanisms are in place. You may contact us for details on specific transfer safeguards.
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy:
- Account data: Until you delete your account.
- Training data (sessions, exercises, attempts): Until you delete your account.
- LLM prompt logs: 90 days (full prompt content), then anonymized. Metadata retained longer.
- Landing page analytics (raw): 6 months, then aggregated to daily counts and raw data deleted.
- App analytics events: 12 months.
- Feedback: Until you delete your account or 24 months, whichever is shorter.
- Subscription records: Until you delete your account.
- Terms acceptance records: Until you delete your account.
- Trial-abuse prevention: When you delete your account, a one-way cryptographic hash (SHA-256) of your email address is retained indefinitely to prevent repeated free-trial abuse. The hash cannot be reversed to recover your email address. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in preventing fraud.
Expired data is automatically purged via a scheduled cleanup job.
9. Your Rights (GDPR Art. 15-22)
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15): You can request a copy of your personal data.
- Right to rectification (Art. 16): You can request correction of inaccurate data.
- Right to erasure (Art. 17): You can request deletion of your personal data. You can do this directly from the Settings page in the app, or by contacting us.
- Right to data portability (Art. 20): You can download your data in JSON format from the Settings page in the app.
- Right to restriction (Art. 18): You can request restriction of processing in certain circumstances.
- Right to object (Art. 21): You can object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7): Where processing is based on consent, you can withdraw it at any time via the Cookie Settings link in the footer.
To exercise any of these rights, email hello@dev-drill.com. We will respond within 30 days. Please include your name, email address, and a description of your request.
Right to Lodge a Complaint
If you believe your data protection rights have been violated, you may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence:
Saxon Data Protection and Transparency Commissioner
Devrientstraße 5
01067 Dresden
10. Legal Bases for Processing
- Consent (Art. 6(1)(a)): Landing page analytics (via cookie banner), GitHub OAuth authentication.
- Contract performance (Art. 6(1)(b)): Account creation, exercise generation, training data processing, subscription billing.
- Legal obligation (Art. 6(1)(c)): Retention obligations under tax or commercial law.
- Legitimate interest (Art. 6(1)(f)): App analytics for authenticated users, service improvement, security, and fraud prevention.
11. UK and Swiss Users
If you are accessing dev-drill from the United Kingdom, the UK GDPR applies and your rights are equivalent to those described above. The UK Information Commissioner's Office (ICO) is the relevant supervisory authority.
If you are accessing dev-drill from Switzerland, the Swiss Federal Act on Data Protection (FADP) applies and your rights are equivalent to those described above. The Swiss Federal Data Protection and Information Commissioner (FDPIC) is the relevant supervisory authority.
12. US Users
dev-drill is a service operated from Germany under EU data protection law. US residents may have additional rights under applicable state privacy laws. If you are a US resident with questions about your data, please contact us at hello@dev-drill.com.
13. SSL/TLS Encryption
For security reasons and to protect the transmission of confidential content, this site uses SSL/TLS encryption. You can recognize an encrypted connection by the browser address line changing from "http://" to "https://" and by the lock icon in your browser bar.
14. Children's Privacy
dev-drill is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child under 16 has provided us with personal data, please contact us and we will take steps to delete such information.
15. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we do, we will update the version number at the bottom of this page. We encourage you to review this page periodically.
When subprocessors change, we will update this Privacy Policy and post a notice on our blog.
Version v1.0 — April 2026