Privacy policy

Last updated: June 27, 2026

1. Introduction

devbio.me (“devbio.me”, “we”, “us”, or “our”) lets developers ship a public bio at devbio.me/{you}, generate a printable resume, and (optionally) list a project on our verified-revenue marketplace. This Privacy Policy explains what we collect, how we use it, and the controls you have over your data.

We've tried to write this in plain language. Where we needed precise legal terms, we've kept them tight. If anything is unclear, email us at [email protected].

2. Information we collect

2.1 Information you provide

  • Account info. Name, email address, and profile picture from your Google or GitHub sign-in. We don't see your password.
  • Bio content. Everything you put on your public bio — name, tagline, about text, skills, projects, work experience, links, custom theme. Public by design once you publish.
  • Integration credentials. Read-only API keys you paste for Stripe, Polar, LemonSqueezy, or Dodo Payments; OAuth tokens for GitHub. Stored encrypted at rest using AES-256-GCM and decrypted only when we sync data.
  • Payment information. If you subscribe to Pro, billing details are collected and stored by Dodo Payments — never by us. We receive a customer id and subscription status; we never see your card number.
  • Uploaded files. Avatars, banner images, project screenshots, custom resume PDFs — stored on Cloudflare R2.
  • Vanity-redirect URLs. Whatever destination URLs you configure for /{you}/link/{key} redirects.

2.2 Information collected automatically

  • Usage events. Page views and link clicks on your bio, recorded for the analytics dashboard. Free plan: stored 0 days (drops on receipt). Pro plan: retained for 365 days, then aggregated.
  • Device + log data. Browser, OS, approximate location from IP (city-level), referrer, and access timestamps. Used for abuse detection and capacity planning.
  • Cookies. A session cookie for sign-in, a sidebar-state cookie for your dashboard layout preference, and a CSRF token. We do not run third-party advertising trackers.

2.3 Information from third parties

  • OAuth providers. Google and GitHub return your email, name, and profile photo on sign-in. GitHub may also return repo + org metadata once you connect the integration — public-repo data on Free, private-repo data on Pro.
  • Payment gateways. Aggregate metrics from connected accounts (active subscription count, MRR, customer count, 12-month revenue history). We never read individual customer PII from these endpoints — only aggregates.

3. How we use your information

  • Operate the public bio, resume PDF, marketplace, and dashboard.
  • Sync your connected GitHub + payment gateway data on a recurring schedule.
  • Process Pro-plan subscriptions and respond to support requests.
  • Detect abuse, prevent fraud, and rate-limit when needed.
  • Send transactional email (sign-in, billing, security). We do not send marketing email without your explicit opt-in.
  • Aggregate, anonymized usage telemetry to improve product decisions.

4. Who we share information with

We don't sell your data. We share only what each provider needs to perform its function:

  • Cloudflare R2 + Cloudflare network — uploaded media and edge caching.
  • MongoDB Atlas — primary data store for bios, users, integrations, analytics events.
  • Redis — short-lived cache for bio + user reads.
  • Dodo Payments — subscription billing. We pass your email + user id; Dodo stores card data.
  • Google + GitHub — sign-in OAuth. Each receives only what their flow requires.
  • Stripe / Polar / LemonSqueezy / Dodo (as your connected integrations) — read-only API calls we make on your behalf with the credentials you provide. We do not send these providers any data about you; we only read.
  • Legal compliance. If served with a valid subpoena, court order, or equivalent process we're obligated to comply, we will — and we'll attempt to notify you unless legally restricted.

5. Public-by-default surfaces

Some data is public by the nature of the product:

  • Your published bio at devbio.me/{you} and every endpoint under that path (resume, JSON feeds, vCard, OG images).
  • Marketplace listings — project name, description, tags, category, payment-provider MRR + 12-month history, optional asking price. Listings can be anonymised; the MRR figure stays public but identity is hidden.

You control these surfaces from the dashboard. Unpublishing the bio removes it from public access immediately and from caches within minutes.

6. Data security

OAuth tokens and integration API keys are encrypted at rest with AES-256-GCM (rotating-IV per record). TLS protects everything in transit. Access to the production database is limited to engineering on-call rotations and is logged. We follow the principle of least privilege for service accounts.

No system is perfectly secure. In the event of a breach affecting your data, we will notify you via email within 72 hours of confirming the breach's scope.

7. Data retention + deletion

  • Account + bio. Kept while your account is active. Deleted from primary storage within 30 days of account deletion; encrypted backups retain data for up to 90 days before being purged.
  • Integration credentials. Deleted immediately when you disconnect an integration. Snapshot data tied to the integration is also deleted.
  • Analytics events. 0 days on Free, 365 days on Pro, then aggregated to monthly totals (no per-visitor data remains).
  • Marketplace listings. Public while the underlying project + integration are live. Removed within 24 hours of unlinking or deletion.

To delete your account, go to /dashboard/settings or email [email protected].

8. Your rights

Depending on where you live, you may have the right to:

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your data (subject to legal-retention obligations).
  • Object to or restrict certain processing.
  • Receive a portable copy (JSON export). The bio dashboard exposes a JSON download for your bio + projects + work history at any time.
  • Withdraw consent — for any processing based on consent.
  • Lodge a complaint with your local data-protection authority.

9. International transfers

Our infrastructure (Cloudflare, MongoDB Atlas) operates globally. Your data may be processed in any region those providers operate. We rely on Standard Contractual Clauses for cross-border transfers from the EEA / UK where required.

10. Children

devbio.me is not intended for users under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has signed up, email [email protected] and we'll delete the account.

11. Changes to this policy

We'll post material changes here at least 14 days before they take effect. For account holders, we'll also send an email. Continued use after the effective date means you accept the updated policy.

12. Contact

Questions or requests? Email [email protected].

© 2026 devbio.me