DevCard Concepts

Key terms you'll see throughout DevCard.

Fit Score
How well a candidate's skills, experience, and cognitive strengths align with a job's requirements. Uses structured ontology mapping, not keyword matching.
Confidence Score
How much verified evidence supports a fit score. More project details, linked accounts, and peer verification increase confidence.
Transferability
The ability for skills in one technology to apply to related technologies. For example, React experience transfers to Vue because they share component architecture patterns.
Cognitive Archetype
A developer's dominant problem-solving style, derived from patterns in their work history. Not a personality test — it reflects how they approach technical challenges.
Ontology
DevCard's structured knowledge graph of technologies, skills, and their relationships. It enables matching beyond keywords by understanding how skills connect and transfer.

Privacy

Private until you explicitly share.

DevCard is built around a simple posture: your profile is yours, scoped sharing is the only sharing, and we never enrich or rank you using external data without your explicit linkage.

Last updated: 2026-05-07. This page reflects current pre-launch posture. SOC 2 Type II audit planned for v50.0 GA.

Default privacy posture

Your DevCard profile is private by default. Nobody — not other developers, not recruiters, not the public — can see it until you take a deliberate action to share it.

A "share" is always scoped: a specific recipient, a specific role context, and a revocable link or token. There is no "open profile" mode that makes you discoverable to recruiters at large.

A public devcard.com/username URL is not granted automatically. It becomes available only when a profile reaches a serious threshold including peer verification, and only when you opt in to claim it.

What we collect

  • Account fundamentals — email, name, password hash, optional 2FA settings.
  • Career evidence you provide directly — uploaded resumes, project notes, role descriptions, task details, and any text you enter into the studio.
  • Structured extractions derived from your uploads — DevCard parses your inputs into ontology-aligned evidence assertions. Every assertion traces back to text you provided.
  • Verification responses — when a colleague you invite confirms a specific project claim, their bounded factual response is stored and attributed to the claim.
  • External account linkages you initiate — GitHub, LinkedIn, Stripe Verified, personal sites. Each is opt-in, surfaced visibly in your settings, and revocable.
  • Telemetry — only when you have explicitly opted in via /settings/privacy. Default is opt-out. Errors and analytics events from opted-out sessions are filtered before any external service receives them.

What we do not collect

  • No scraping. We do not crawl GitHub, LinkedIn, the open web, or any third-party source to build a shadow profile of you. Your record is built from what you explicitly add.
  • No hidden enrichment. We never augment, rank, or score you using external data unless you have explicitly linked the source. There are no secret signals feeding into your scorecard.
  • No surveillance. We do not track your behavior outside DevCard, sell ad-targeting data, or attempt to infer your activity on other platforms.
  • No prediction of replaceability. DevCard does not score whether AI can replace you, whether your career is in decline, or any "obsolescence risk" signal. Forward-effect framing only.
  • No data selling. Your record is not for sale to data brokers, ad networks, or any third party. Ever.

Sharing model

When you share a DevCard read or proof pack, you choose:

  • Who — a specific recipient or a magic-token link you control.
  • What — a specific proof pack, a specific role-match view, or a scoped subset of your evidence. Not your whole record by default.
  • How long — share tokens carry an explicit expiry (proof packs default to 30 days). You can revoke any share before expiry.

Recipients see the view you authorized — no more. They cannot enumerate your other projects, see other share recipients, or escalate access.

Verifier identity protection

When a colleague verifies a claim on your record, their identity is hidden by default. The verification still strengthens the claim — but the verifier's name only appears on a viewer surface when the verifier has explicitly disclosed it to that audience.

This protects verifiers from being asked to recommend you off-platform without consent, and protects you from a viewer attempting to back-channel a reference. If a verifier opts in to disclose, you and they both see that decision in your settings.

Your data rights

  • Right to delete — close your account at any time. Your record is purged. Anything shared via active tokens is invalidated.
  • Right to export — your record is exportable in structured form so you can take it with you. Your career evidence belongs to you.
  • Right to revoke — every share token, every external account linkage, and every verifier-identity disclosure is revocable from your settings.
  • Right to inspect — every score on your record traces to specific evidence assertions. You can see exactly what fed each number.

Data retention

Active account data is retained for as long as the account exists. When you delete your account, your record is purged from the primary database within 30 days.

Operational logs (request traces, error reports) are retained for 90 days for service reliability and security incident review. Personally identifiable information is filtered from error reports for opted-out users at the source.

Verification responses contributed by your colleagues remain associated with the claim they verified. If you delete your account, those responses are removed as part of the same purge.

Anonymous, irreversibly aggregated metrics (e.g., total verification counts) may be retained beyond account deletion. These contain no identifiers and cannot be linked back to you.

GDPR and CCPA posture (pre-launch)

DevCard is in pre-launch closed beta. Our default architecture aligns with GDPR and CCPA expectations: explicit consent for telemetry, right to delete, right to export, scoped sharing, no automated rejection decisions, and no data selling.

Formal Data Processing Agreements, regional data residency commitments, and a published Data Protection Officer are scoped for v50.0 GA alongside SOC 2 Type II.

If you are an EU or California resident and want a copy of your record or want it deleted ahead of in-product self-service, email privacy@devcard.com and we will respond within 30 days.

Questions or requests

Privacy questions, data requests, or concerns: privacy@devcard.com

See also: Security · Terms · Methodology