Skip to content

Last updated: July 14, 2026

Privacy Policy

This policy explains what data devlo collects, why it is used, how it is protected, and which service providers may receive it.

1. Who we are

devlo is a B2B sales prospecting agency that helps companies define target markets, build account lists, run outbound campaigns, and track qualified meetings.

The controller for this website is devlo LLC, 500 4TH ST NW SUITE 102 #1591, Albuquerque, NM 87102, United States, registered in Switzerland under UID CHE-357.726.656. Data protection requests may be sent to privacy@devlo.ch.

This policy covers devlo.ch, the paid mirror devlosales.com, contact forms, consultation forms, internal paid acquisition workflows, and B2B services provided to clients.

2. Data we collect

  • Form data: first name, last name, email, phone, company, role, country, company size, message, and qualification information.
  • Technical data: IP address, user agent, device, browser, pages viewed, timestamps, referrer URL, and consent preferences.
  • Advertising attribution data: UTMs, gclid, gbraid, wbraid, landing page, current URL, paid host, referrer, session ID, and first-seen timestamp.
  • Client data: ICP criteria, targeting instructions, target accounts, B2B business contacts, campaign messages, results, replies, meetings, and CRM data required to deliver the service.
  • Google Ads API data for our own accounts: campaigns, ad groups, keywords, ads, budgets, conversions, reports, and click identifiers required for measurement.

3. Why we use data

  • To answer inbound requests and prepare consultations.
  • To provide B2B prospecting, qualification, reporting, and AI Sales Ops services.
  • To measure marketing performance through Google Ads, Google Analytics, and HubSpot.
  • To create, validate, audit, and measure devlo's own Google Ads campaigns through an internal controlled workflow.
  • To import offline conversions into Google Ads when click identifiers such as gclid, gbraid, or wbraid are available.
  • To secure the site, prevent abuse, maintain systems, and comply with legal obligations.

4. Sharing with third parties

We do not sell personal data. We share data only with providers required for website operations, client services, measurement, or compliance.

  • Google Ireland Limited and Google LLC (European Union and United States) for Google Ads, Google Analytics, and Google Tag Manager; Google provides standard contractual clauses and recognised Swiss transfer mechanisms where required.
  • HubSpot Ireland Limited and HubSpot, Inc. (European Union and United States) for forms and CRM; HubSpot's DPA incorporates standard contractual clauses adapted to the Swiss FADP.
  • TidyCal for meeting booking.
  • Vercel Inc. (United States and international subprocessors) for hosting; its DPA applies standard contractual clauses to transfers from Switzerland and requires security safeguards from subprocessors.
  • Google Workspace, Slack, and internal operations tools for collaboration and support.
  • lempire SAS / Lemlist (France and documented subprocessors) for consented advertising measurement; Clay, LinkedIn Sales Navigator, or comparable providers only where required for a contracted client campaign and under the applicable contractual safeguards.
  • Professional advisers, authorities, or courts when legally required.

5. Cookies, choices, and Google Consent Mode

On a first visit, Google analytics_storage, ad_storage, ad_user_data, and ad_personalization are denied by default. Google Analytics, Google Ads, Google Tag Manager, and Lemlist scripts are not loaded before a choice is made. This is Google Consent Mode v2 in Basic mode.

You can accept, reject, or separately choose audience measurement and advertising measurement. Accept and Reject are presented at the same level. Your choice is stored for 180 days in a strictly necessary cookie and can be changed at any time through Cookie settings in the footer.

  • Necessary: choice cookie, security, and the HubSpot form. The form loader and its Cloudflare security cookie may process the IP address to display and submit the form; devlo does not use them for advertising measurement.
  • Audience measurement: Google Analytics and internal tests. Enabled only when analytics_storage is granted.
  • Advertising measurement: Google Ads, Conversion Linker, attribution identifiers, Lemlist, and ad_user_data. Enabled only when you grant advertising measurement.
  • Enhanced conversions: after a confirmed form submission and only with advertising consent, email and, where provided in a valid international format, phone may be normalized and then hashed by the Google tag in the browser before transmission to match the conversion to an advertising interaction.
  • Ad personalization: not used; ad_personalization remains denied even when all purposes are accepted.
  • If you reject or withdraw consent, known non-essential cookies and browser storage are removed and future optional signals are blocked.

6. Google Ads API and Google data

devlo's Google Ads API workflow is used to manage and measure devlo's own advertising accounts. It is not a third-party self-serve platform and does not resell Google Ads API access.

We request only the access required for the intended functions: campaign management, validation, reporting, and conversion import. Enhanced conversions are restricted to visitors who grant advertising measurement; Customer Match is not used in this flow.

When we process data received from Google APIs, we comply with the Google API Services User Data Policy, including the Limited Use requirements: https://developers.google.com/terms/api-services-user-data-policy. Such data is used only to provide or improve authorized features, secure the service, comply with law, and follow applicable Google policies.

7. Protection and retention

  • The site uses HTTPS/TLS, access controls, secrets stored outside source code, and least-privilege access for people and systems. Data is encrypted at rest where provided by our hosting or SaaS platforms.
  • Form and CRM data is retained for up to 24 months after the last substantive interaction or the end of the contract, unless longer retention is required for invoicing, evidence, or law.
  • Advertising attribution identifiers and measurement data are retained for up to 24 months. Technical and security logs are retained for up to 90 days unless an incident requires longer retention.
  • Client campaign data is retained for up to 24 months after the contract ends, unless a different contract term, legal duty, or reasonable evidence need applies.
  • Verified deletion requests are handled within a target period of 30 days where law and contractual duties allow.

8. Your rights

Depending on your location, you may request access, correction, deletion, restriction, objection, or portability of your data. You may also withdraw consent for cookies and marketing communications where consent applies.

For individuals located in Australia, we also handle personal information with reference to the Australian Privacy Act 1988 and apply the Spam Act 2003 to commercial electronic messages where applicable.

To exercise these rights, contact privacy@devlo.ch. We may request reasonable information to verify your identity before processing a request.

9. International transfers and children

The providers identified above may process data in Switzerland, the European Union, the United Kingdom, the United States, and countries where their published subprocessors operate. For a country without a Swiss adequacy decision, we rely, depending on the provider and service, on standard contractual clauses recognised in Switzerland, a Swiss addendum, a recognised transfer framework, or another safeguard permitted by the FADP, together with supplementary contractual and security measures where required.

The safeguards for Google, HubSpot, and Vercel are the provider DPAs and transfer mechanisms identified in section 4. You may request the current provider list, processing countries, and available copies of the safeguards at privacy@devlo.ch.

Our services are intended for B2B companies and are not designed for children.