Devolar — Intelligent Infrastructure Platform

1. Overview

Devolar operates an integrated infrastructure-as-a-service platform covering four principal domains: Internet of Things (IoT) device management, Voice over IP (VoIP) telephony, Automatic License Plate Recognition (ALPR), and closed-circuit television (CCTV) video management. Each of these domains involves the processing of different categories of personal data, some of which may be sensitive in nature (for example, biometric data derived from CCTV footage or vehicle location data derived from ALPR reads).

This policy applies to:

Visitors to devolar.net
Prospective and current customers and their authorised users
Individuals whose data is processed through the Devolar platform (e.g., individuals captured on CCTV, vehicles recognised by ALPR systems)
Suppliers, partners and other third parties who interact with us

Where Devolar processes personal data on behalf of a customer (acting as a data processor), the customer's own privacy policy and instructions govern that processing. This policy covers Devolar's activities as a data controller.

2. Data Controller

EntityUAB Devolar

RegistrationCompany registered in Lithuania

AddressŠiauliai, Lithuania

Emailprivacy@devolar.net

Websitedevolar.net

3. Data We Collect

3.1 Website visitors

When you visit devolar.net we may collect:

IP address, browser type and version, operating system
Pages visited, time spent, referring URL
Cookie identifiers (see our Cookie Policy)

3.2 Contact and lead data

When you complete our contact form, request a demo or subscribe to communications:

First and last name
Work email address and phone number
Company name and role
Content of your enquiry

3.3 Customer account data

For organisations that contract with Devolar, we process:

Authorised user names, email addresses and hashed passwords
Billing and invoicing information
Platform usage logs and audit trails
Support ticket content

3.4 IoT telemetry

Where IoT devices deployed by customers transmit data through Devolar infrastructure, we process that telemetry as a data processor under the customer's instructions. Telemetry that does not identify individuals is not personal data; however, where device data can be linked to an identifiable person (e.g., employee badge readers, personal GPS trackers), it is treated as personal data.

3.5 VoIP call data

Devolar's VoIP module processes:

Calling and called party numbers (CLI)
Call timestamps, duration and routing metadata
Voice recordings, where call recording is enabled by the customer
SMS message content, where the SMS gateway is used

Call recordings constitute personal data and are stored only for the retention period configured by the customer.

3.6 ALPR data

The ALPR module captures and processes:

Vehicle registration plate numbers
Timestamps and location of captures
Still images of vehicles and plates
Confidence scores and recognition metadata

Vehicle registration plate data is personal data under GDPR because plates can be linked to identifiable vehicle owners. Customers deploying ALPR systems are responsible for displaying appropriate signage and establishing their own legal basis for such processing.

3.7 CCTV footage

The CCTV module stores and manages video footage provided by customer-operated cameras. Video footage depicting identifiable individuals constitutes personal data (and may include special category data such as biometric data where AI analytics are applied). Devolar processes CCTV footage exclusively as a data processor acting on customer instructions.

4. How We Use Personal Data

Purpose

Data used

Legal basis

Providing and operating the Devolar platform

Account data, usage logs

Contract performance

Responding to enquiries and demos

Contact form data

Legitimate interest / pre-contract

Sending marketing communications

Email address, preferences

Consent or soft opt-in

Billing and invoicing

Billing contact, transaction data

Contract / legal obligation

Security monitoring and fraud prevention

IP address, login logs

Legitimate interest

Legal compliance and dispute resolution

All relevant data

Legal obligation / legitimate interest

Improving our products and services

Anonymised/aggregated usage data

Legitimate interest

5. Legal Basis for Processing

We rely on the following lawful bases under Article 6 GDPR:

Contract (Art. 6(1)(b)): Processing necessary to perform our contract with you or to take steps at your request prior to entering into a contract.
Legal obligation (Art. 6(1)(c)): Processing required to comply with EU or Lithuanian law (e.g., tax, accounting).
Legitimate interests (Art. 6(1)(f)): Processing for our legitimate business interests — such as network security, fraud prevention, and B2B marketing — where these are not overridden by your rights.
Consent (Art. 6(1)(a)): Where we rely on consent (e.g., optional cookies, marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.

Where Devolar or its customers process special category data (e.g., biometric data from CCTV AI analytics), the additional conditions in Article 9 GDPR apply, most commonly explicit consent or substantial public interest.

6. Data Sharing

We do not sell personal data. We may share personal data with:

Cloud infrastructure providers (e.g., hosting, storage) acting as sub-processors under Data Processing Agreements
Payment processors for billing purposes
Customer support and CRM tools used to manage enquiries
Analytics providers using anonymised or aggregated data only
Law enforcement or regulatory authorities where required by law or court order
Professional advisors (lawyers, accountants) under confidentiality obligations
Successor entities in the event of a merger, acquisition or asset sale

All third-party processors are subject to written Data Processing Agreements and are required to implement appropriate technical and organisational security measures.

7. Retention Periods

Data category

Retention period

Website analytics logs

13 months

Contact / lead data (no contract)

3 years from last contact

Customer account data

Duration of contract + 7 years

VoIP call detail records

As configured by customer (default 12 months)

VoIP call recordings

As configured by customer (default 90 days)

ALPR plate captures

As configured by customer (default 30 days)

CCTV footage

As configured by customer (default 30 days)

Financial records

10 years (Lithuanian accounting law)

After the applicable retention period, data is securely deleted or anonymised.

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of access

Request a copy of the personal data we hold about you (Art. 15).

Right to rectification

Request correction of inaccurate or incomplete data (Art. 16).

Right to erasure

Request deletion of your data where there is no compelling reason to retain it (Art. 17).

Right to restriction

Request that we limit processing in certain circumstances (Art. 18).

Right to portability

Receive your data in a structured, machine-readable format (Art. 20).

Right to object

Object to processing based on legitimate interests or for direct marketing (Art. 21).

Right to withdraw consent

Where processing is based on consent, withdraw it at any time.

Right to lodge a complaint

Lodge a complaint with the State Data Protection Inspectorate of Lithuania (vdai.lrv.lt) or another supervisory authority.

To exercise any right, contact us at privacy@devolar.net. We will respond within 30 days. We may request identity verification before processing your request. Exercising your rights is free of charge unless requests are manifestly unfounded or excessive.

9. Security

Devolar implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
Role-based access controls and principle of least privilege
Multi-factor authentication for administrative access
Regular penetration testing and vulnerability assessments
Intrusion detection and 24/7 security monitoring
Documented incident response procedures

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay where required.

10. International Transfers

Devolar's primary infrastructure is located within the European Economic Area (EEA). Where data is transferred to third countries, we ensure an adequate level of protection through one of the following mechanisms:

An adequacy decision by the European Commission
Standard Contractual Clauses (SCCs) approved by the European Commission
Binding Corporate Rules where applicable

You may request details of the specific safeguards in place for any third-country transfer by contacting privacy@devolar.net.

11. Children

The Devolar platform is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@devolar.net and we will delete such data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will notify customers by email and/or by posting a prominent notice on our website at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of our services after the effective date constitutes acceptance of the updated policy.

13. Contact & Data Protection Officer

For any privacy-related questions, requests or concerns, please contact our Data Protection Officer:

Emailprivacy@devolar.net

PostData Protection Officer, UAB Devolar, Šiauliai, Lithuania

Supervisory authorityState Data Protection Inspectorate of Lithuania — vdai.lrv.lt