What we keep, what we don't, and why.

• Account info you give us at signup. Name, email, country, headline, stack.
• Behavioral signals from each challenge attempt. Token spend, files added or changed, final submission, time on task, idle gaps.
• Billing data when you upgrade. Card details are handled by our payment gateway. We never see them.
• Server logs. IP, user agent, request paths. Standard ops telemetry, retained 30 days.

The DevMesh VS Code extension is scoped to a single empty workspace folder you open for the attempt. Inside that folder it records:

• Tokens spent and which model spent them.
• Files added or changed inside the challenge workspace.
• Your final submission and the tests that ran on it.
• Time on task and idle gaps.

• Keystrokes outside the workspace.
• Your screen.
• Other open projects, files, or VS Code extensions.
• Clipboard contents.

• To score your attempts and rank the leaderboards.
• To run AI-coached submission reviews when you request them.
• To surface your profile to recruiters when you opt in to recruiter visibility.
• To send the few transactional emails you actually need: verification, billing receipts, recruiter messages.
• To detect abuse: cheating, scraping, scripted submissions.

Three categories, all narrow:

• Sub-processors we operate on top of. Resend for email delivery, our payment gateways for billing, our cloud provider for hosting and sandbox execution. They process the data we send them; they don't use it for anything else.
• Recruiters you opt into. When you toggle recruiter visibility on, your public profile and summary stats become visible to verified recruiters. Your code is only shared if you enrol in a company-sponsored challenge or accept a take-home assignment.
• Law enforcement under valid legal process. Subpoena, court order, equivalent. We notify you unless legally forbidden to.

We do not sell your data. Pro subscriptions and recruiter seats are the entire revenue model.

• Delete. From settings. We hard-delete personal data, anonymize leaderboard records, and remove your profile from search within 30 days.
• Export. Email [email protected] from the address on the account and we'll ship a JSON archive within seven days.
• Correct. Most fields are editable from settings. For anything stuck, email us.
• Object. You can opt out of recruiter visibility, marketing emails, or behavioural analysis (the last one disables coached reviews).

We use one first-party cookie or local-storage entry for your session token. We do not run third-party tracking pixels on the candidate-facing surface. Recruiter-facing analytics use first-party PostHog with IP truncation.

Primary data sits in a managed Postgres hosted in the region you signed up from. Sandbox containers spin up per challenge run and are destroyed at submission. Backups are encrypted at rest with 7-day retention.

DevMesh is not intended for users under 16. If you are a parent or guardian and believe your child created an account, email [email protected] and we will remove it.

When we change anything material we update the date at the top of this page and email account holders. The previous version stays available on request.

Email [email protected] or hit contact support.