This page lists the third-party service providers ("sub-processors") Navos AI, Inc. engages to operate the navos.ai marketing website. It is maintained as an operational reference for data subjects, procurement teams running vendor diligence, and regulators. It supports our disclosure obligations under GDPR Art. 28(2) and Quebec Law 25 §17.
Each sub-processor below operates under a signed Data Processing Agreement (DPA) that limits processing to the documented purpose and requires equivalent security and privacy safeguards. Links to each sub-processor's public DPA are provided where available.
Our commitment to transparency
We give at least 30 days' advance notice before adding a new sub-processor that will process personal data you have shared with us via a form submission. Notice is sent to the email address you used when submitting the form. If you object to a new sub-processor, you may withdraw the personal data you shared with us by contacting our Privacy Officer at contact@navos.ai.
We review this list at least once a year, and whenever our stack materially changes. The Last updated date at the top of this page reflects the most recent review.
Core infrastructure
Sub-processor: Vercel Inc.
Purpose: hosting for navos.ai, edge runtime, request logs, Speed Insights (Core Web Vitals telemetry), Vercel Blob (hosting for blog hero images).
Data categories: request metadata (URL, user agent, country-level IP), Web Vitals beacons (page load time, device type), blob content (currently blog hero images only).
Location: United States (global edge network).
Adequacy basis: EU-US Data Privacy Framework (Vercel is DPF-certified), with Standard Contractual Clauses as fallback. Verify current DPF certification at dataprivacyframework.gov.
The following analytics sub-processors process data only after you grant explicit consent via the cookie banner on your first visit. See our Cookie Policy for the consent categories and withdrawal procedure.
Sub-processor: Google LLC / Google Ireland Limited
Purpose: Google Analytics 4 — aggregated site analytics for acquisition sources, pageviews, and Core Web Vitals field data.
Data categories: consent-gated event data, IP anonymised at the Google server, no cross-site tracking. Event retention set to 2 months (the GA4 minimum) per our Cookie Policy.
Location: United States and Ireland.
Adequacy basis: EU-US Data Privacy Framework (Google LLC is DPF-certified), with SCCs as fallback.
The following sub-processor operates on a cookieless, storage-less basis and therefore falls outside the consent requirement of ePrivacy Art. 5(3). We disclose it for transparency.
Sub-processor: Ahrefs Pte. Ltd.
Purpose: Ahrefs Web Analytics — aggregate traffic measurement (pageviews, referrers, country-level geography) to inform SEO and content decisions.
Data categories: URL, referrer, user agent, anonymised/truncated IP used only to derive country. No cookies, no localStorage, no browser fingerprinting, no persistent cross-session identifier.
Location: Singapore (Ahrefs Pte. Ltd. is headquartered in Singapore).
Adequacy basis: Standard Contractual Clauses for transfers outside the EEA, UK, and Quebec. Singapore's PDPA provides a comparable protection baseline.
Opt-out: because there is no on-device identifier to toggle, opt-out is via a browser-level block of analytics.ahrefs.com.
CRM and communications
Sub-processor: Apollo.io, Inc.
Purpose (dual role):
CRM (form submissions): stores the canonical record of contact, demo, careers, and other form submissions you send through navos.ai. No consent banner needed because the data is provided by you directly.
Website visitor identification (marketing consent only): Apollo's website tracker identifies your company (not you personally) via reverse-IP lookup if you accept the "marketing" consent category. Feeds internal sales prioritisation; we do not use this data for unsolicited individual outreach.
Data categories (CRM): contact name, email address, company name, form message content, first-touch attribution metadata.
Data categories (tracker): IP address (used for reverse lookup then discarded), company name derived from IP, page path, user agent. No individual identifiers.
Location: United States.
Adequacy basis: Standard Contractual Clauses, with EU-US DPF where Apollo is certified (verify at dataprivacyframework.gov).
DPA: Apollo's standard DPA is available on request via their sales team.
Withdrawal (tracker only): Apollo does not provide a way to fully unload its tracker script once loaded. If you revoke marketing consent mid-session, our banner clears Apollo cookies immediately, but the already-loaded tracker script keeps running in memory until you reload the page.
Sub-processor: Resend, Inc.
Purpose: transactional email. When you submit a form, Resend delivers a notification email to the Navos AI cofounders so we can respond.
Data categories: contact email address, notification email body (which reflects the form you submitted).
Location: European Union (Frankfurt region selected at sign-up).
Adequacy basis: data is processed and stored in the European Union. No cross-border transfer.
Product analytics (consent-gated, separate category)
Sub-processor: PostHog, Inc.
Purpose: product analytics and session replay for user experience diagnostics. We use PostHog to understand navigation patterns, identify UX friction, and debug specific user issues.
Data categories: consent-gated event data, super-properties (attribution metadata), and — only if you grant the separate "session recording" consent — anonymised session recordings. All form inputs are masked by default.
Location: European Union (PostHog EU Cloud — AWS eu-central-1, Frankfurt). Event data and recordings stay in the EU.
Adequacy basis (event data): processed and stored in the European Union. No cross-border transfer for event data or recordings.
Residual US touches: PostHog Inc. is a Delaware corporation. While event data and recordings stay in Frankfurt, billing and support metadata transit US systems under Standard Contractual Clauses. Compliant under post-Schrems II SCC rules. Disclosed here rather than claiming "zero US transfer" because accurate disclosure matters.
We group our sub-processors into four functional categories that reflect how they relate to your interactions with navos.ai:
Core infrastructure — required for the site to function (Vercel, Cloudflare). Technical metadata only.
Analytics (consent-gated) — processed only after you accept the analytics consent category (Google Analytics 4).
Cookieless analytics (no consent required) — runs without cookies, storage, or fingerprinting, outside the Art. 5(3) consent requirement (Ahrefs Web Analytics).
CRM and communications — processes data you proactively submit via forms (Apollo CRM, Resend).
Product analytics (separate consent) — processed only after you grant the session-recording consent category (PostHog).
Each category has a distinct legal basis and retention policy, described in our Privacy Policy.
Your rights and contact
If you have questions about any sub-processor on this list, want to request access to or deletion of your personal data, or believe we have processed your data outside the documented purposes, contact our Privacy Officer at contact@navos.ai. Full rights detail is in the Privacy Policy.
