────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1. What We Collect
When you create an account we collect:
- ›Email address — used for authentication and account communications
- ›Name — optional, used to personalise your dashboard
- ›Hashed password — we never store your password in plain text
When you connect an AWS account we store:
- ›IAM Role ARN — the role you create in your AWS account for DevLeep to assume
- ›External ID — a unique identifier generated per account, used in the trust policy
- ›AWS region — the region where your labs are provisioned
During active labs we collect:
- ›Lab progress — which objectives you have completed, validation results
- ›Session metadata — start time, end time, terraform module used
- ›No terminal content — we do not log or store the commands you type in the terminal
2. What We Do Not Collect
- ✗Long-lived AWS access keys or secret keys
- ✗The contents of your terminal sessions
- ✗Any data from your AWS account other than what is necessary to provision and validate lab infrastructure
- ✗Payment card details — billing is handled entirely by Stripe
- ✗Behavioural tracking, advertising identifiers, or third-party analytics cookies
3. How We Use Your Data
- ›Authenticate your account and maintain your session
- ›Provision Terraform infrastructure in your AWS account when you start a lab
- ›Run automated validation checks against your lab environment
- ›Track your progress across labs and tracks
- ›Send transactional emails (account confirmation, password reset)
We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. AWS Credentials
Your AWS connection uses cross-account IAM role assumption, not stored credentials. DevLeep never receives or stores your AWS Access Key ID or Secret Access Key.
The IAM role ARN and external ID we store are used solely to call sts:AssumeRole when you start a lab session. The resulting temporary credentials are scoped to that session and discarded when the lab ends.
You can disconnect your AWS account at any time from the Settings page. Disconnecting deletes the stored ARN and external ID from our database immediately.
5. Data Retention
- ›Active accounts — data is retained while your account is active
- ›Deleted accounts — all personal data is deleted within 30 days of account deletion
- ›Lab session data — retained for 90 days to allow progress review, then purged
- ›Logs — system logs are retained for 30 days for debugging, then deleted
6. Your Rights
You have the right to:
- ›Access a copy of the personal data we hold about you
- ›Correct inaccurate data
- ›Request deletion of your account and all associated data
- ›Export your lab progress data
- ›Disconnect your AWS account at any time
To exercise any of these rights, email privacy@devleep.com.