Privacy policy
Effective · Last updated
Who we are
The navos.ai marketing website is operated by Navos AI, Inc., a Delaware corporation with registered office at 1111B S Governors Ave, Ste 39989, Dover, DE 19904, United States. Navos AI, Inc. is the data controller for personal data processed through this site. References to "we," "us," or "Navos" mean Navos AI, Inc.
Scope of this policy
This policy covers the Navos marketing website at navos.ai — the public site you are reading right now. The Navos product platform (the authenticated application behind the login) is governed by a separate product privacy notice delivered inside the application and in the Master Services Agreement for that product. If you are a product customer looking for the platform privacy terms, request them from your account contact or at contact@navos.ai.
On the marketing website we only process personal data that you provide directly via a contact, demo, careers, or related form, plus consent-gated analytics and cookies as documented below.
What we collect and why
We collect two categories of personal data from marketing-site visitors, each with a specific purpose and legal basis:
1. Form submissions
When you submit a contact, demo, careers, or newsletter form, we collect the fields you provide (typically name, work email, company, and message), the submission timestamp, and the attribution context (page, referral source, UTM parameters) for that submission.
Purpose: responding to your enquiry, evaluating a potential commercial relationship, and, for careers submissions, assessing your application. Legal basis: Art. 6(1)(b) GDPR (steps taken at your request prior to entering a contract) for demo and contact enquiries; Art. 6(1)(f) GDPR (legitimate interest in operating a B2B business and recruiting) for general contact and careers, balanced against your reasonable expectations when submitting a B2B form; and Art. 6(1)(a) GDPR (consent) for the newsletter.
2. Analytics, session replay, and reverse-IP identification
If you accept analytics cookies, we collect page views, navigation paths, session duration, device and country (aggregate), and session replay data. If you accept marketing cookies, we additionally enable reverse-IP company identification via Apollo, which associates your IP address with a likely employer to help us understand which companies are exploring the site.
Purpose: understanding how visitors use the site so we can improve it; for reverse-IP, identifying prospective business customers. Legal basis: Art. 6(1)(a) GDPR and Art. 5(3) of the ePrivacy Directive (2002/58/EC) — your explicit consent via the cookie banner. We do not rely on legitimate interest for analytics or marketing tracking.
We do not collect personal data from marketing-site visitors via any other channel. We do not build visitor profiles independently of the tools documented below.
Cookies and consent
The full cookie inventory — names, providers, purposes, and durations — is on our Cookie policy page. This section summarises the consent model.
Consent-first architecture. We implement Google Consent Mode v2 in advanced mode. All consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) are set to denied by default before any Google script loads. The Google Analytics script (gtag.js) is loaded on every page, but it respects the denied state: no cookies are set, no identifiers are created, and no personal data is sent to Google until you explicitly accept via the consent banner on your first visit. PostHog follows the same gate — the script loads only after the "analytics" consent is granted.
Cookieless signals. Even when consent is denied, the Google Analytics script may send anonymous, aggregated signals (without cookies or identifiers) that Google uses for statistical modeling of overall traffic. These signals do not identify you and are not joined to any profile. You can prevent them entirely by declining consent and blocking the google-analytics.com domain at the browser level.
Proof of consent. Our consent management platform records the consent choices you make (timestamp, categories accepted, user-agent, and anonymised identifier) so that we can demonstrate compliance with Art. 7(1) GDPR if asked. The log is retained for the lifetime of the consent plus 12 months.
Withdrawing consent. You can withdraw your consent at any time by clicking "Cookie preferences" in the footer of any page. Withdrawal takes effect immediately: existing analytics cookies are cleared from your device, the denied state is restored, and no further data is sent. Withdrawal does not affect processing that already occurred while consent was in effect. You can also block Google Analytics entirely through your browser settings or the official Google Analytics opt-out browser add-on.
Sub-processors
The complete list of third parties that process marketing-site visitor data on our behalf is published at /legal/subprocessors, with locations, adequacy bases, and DPA references. In summary, the active sub-processors are:
- Vercel Inc. (US) — hosting, edge runtime, request logs, Speed Insights, Blob storage.
- Google LLC / Google Ireland Limited (US/IE) — Google Analytics 4 (consent-gated).
- PostHog Inc. (EU Cloud, Frankfurt) — product analytics and session replay (consent-gated).
- Resend, Inc. (US) — transactional email delivery for form-submission notifications.
- Apollo.io, Inc. (US) — CRM for form submissions; reverse-IP company identification (consent-gated, marketing category only).
- Cloudflare, Inc. (US) — DNS resolution for navos.ai.
- Ahrefs Pte. Ltd. (Singapore) — cookieless Web Analytics; no consent required because no cookies, storage, or fingerprinting are used.
We give at least 30 days' advance notice before adding a new sub-processor. Product customers with a signed DPA can object to new sub-processors via the process in the DPA.
How long we keep data
- Form submissions (name, email, company, message): retained in Apollo as CRM records for as long as the contact is commercially relevant, reviewed annually. Email-delivery logs in Resend: 30 days.
- Google Analytics event data: 2 months server-side (default retention). GA cookies on your device: up to 2 years.
- PostHog session replays: 30 days.
- Consent logs: lifetime of the consent plus 12 months (required to demonstrate compliance).
- Server logs (Vercel): 30 days, retained for security and abuse investigation.
You can request earlier deletion at any time — see Your rights.
International transfers
Navos AI, Inc. is a Delaware corporation and most of our sub-processors are US-based. Personal data you submit may therefore be transferred outside the EEA, the UK, and Quebec.
Transfer mechanisms. Transfers to Google LLC and other US-based recipients rely on the European Commission's adequacy decision of 10 July 2023 under the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795). Google LLC is self-certified under the DPF; you can verify active certification at dataprivacyframework.gov. In the event the DPF is suspended or invalidated, transfers continue under the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) with supplementary technical and organisational measures. PostHog EU Cloud data stays in the EU and does not require a transfer mechanism.
Quebec Law 25 cross-border transfer notice. Quebec Law 25 §17 requires a Privacy Impact Assessment for every transfer of personal information outside Quebec. We maintain a PIA covering every sub-processor in our stack. Summary: we transfer personal information you provide on the marketing site to US-based sub-processors (Vercel, Google LLC, Apollo.io, Resend, Cloudflare) under the EU-US DPF adequacy decision and SCCs, to Singapore-based Ahrefs Pte. Ltd. (cookieless analytics, no personal identifiers) under SCCs, and to EU-based sub-processors (PostHog EU Cloud) where no transfer mechanism is required. Each transfer has a signed Data Processing Agreement, data-minimisation safeguards, and a documented retention period. We assess residual risk as acceptable for the non-sensitive contact data we process, and our Privacy Officer reviews this assessment annually. The full PIA is available on request.
Quebec data subjects have the right to object to cross-border transfer of their personal data. To object, contact contact@navos.ai. Upon a valid objection, we will stop processing your data in the objected-to sub-processor (typically resulting in deletion of your contact record) and confirm in writing within 30 days.
Security of your data
In accordance with Art. 32 GDPR and Quebec Law 25 §10, we maintain technical and organisational measures appropriate to the risk of the processing:
- Encryption in transit (TLS 1.2+) for every page and every form submission.
- Encryption at rest for data stored with our sub-processors (Vercel, Apollo, Resend, PostHog, and Google all encrypt at rest by default).
- Principle-of-least-privilege access controls: only employees with a documented need can access CRM records, and all access is logged.
- Sub-processor vetting: each sub-processor is reviewed for SOC 2 Type II, ISO 27001, or equivalent certification before onboarding.
- Annual review of access, retention, and vendor security posture by the Privacy Officer.
No security control is perfect. If you believe you have discovered a vulnerability, please report it to contact@navos.ai; we commit to acknowledge within 2 business days and will not pursue legal action against good-faith researchers.
Data breach notifications
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify:
- Supervisory authorities within 72 hours of becoming aware, per Art. 33 GDPR and the equivalent timing requirements in UK GDPR and Quebec Law 25 §3.5.
- Affected data subjects without undue delay where the breach is likely to result in a high risk to your rights and freedoms, per Art. 34 GDPR.
Notifications will describe the nature of the breach, the categories and approximate number of records involved, likely consequences, and the measures taken or proposed to address it.
Automated decisions and profiling
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing on this marketing website, within the meaning of Art. 22 GDPR. Analytics segmentation and reverse-IP company identification are used in aggregate to understand site traffic and prospect interest; they do not determine pricing, access, or any outcome that materially affects you. The Navos product platform has its own automated-processing disclosure in its product privacy notice.
Children's data
Navos is a B2B service aimed at enterprise decision-makers. The marketing site is not directed at children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has submitted personal data to us, please email contact@navos.ai and we will delete it promptly.
Do Not Sell or Share (California)
We do not sell personal information for money, and we do not share personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act (as amended by the CPRA). We do not operate retargeting pixels on this site. Consent-gated analytics and reverse-IP company identification are used for our own product and commercial purposes only, not to resell or syndicate data to third parties.
California residents may still exercise the rights listed below, including the right to limit the use of sensitive personal information (we do not process sensitive personal information on the marketing site) and the right to opt out of future changes should our practices ever change.
Your rights
Under GDPR, UK GDPR, Quebec Law 25, and CPRA, you have the right to:
- Access: receive a copy of the personal data we hold about you.
- Rectification: correct any inaccurate data.
- Erasure: request deletion of your personal data (the "right to be forgotten").
- Portability: receive your data in a structured, machine-readable format.
- Restriction: pause processing while we investigate a concern.
- Objection: object to specific processing activities, including cross-border transfers and processing based on legitimate interest.
- Withdraw consent: at any time via the Cookie preferences control in the footer; withdrawal does not affect processing that already occurred.
- Non-discrimination: California residents will not receive different service for exercising these rights.
To exercise any of these rights, email the Privacy Officer at contact@navos.ai. We acknowledge every request within 5 business days and respond substantively within the statutory deadline — 30 days under GDPR and UK GDPR (extendable by 2 months for complex requests), 30 days under Quebec Law 25, and 45 days under CPRA (extendable by 45 days). We may need to verify your identity before acting on a request; we will only use the information you provide to verify the request and will delete it afterwards.
How to complain
If you believe we have processed your personal data incorrectly, you have the right to complain. The fastest path is to email our Privacy Officer at contact@navos.ai. We aim to resolve every complaint within 30 days or provide a written explanation and expected resolution date if more time is required.
You may also complain directly to your supervisory authority:
- EU residents: your national data protection authority. Full list at edpb.europa.eu/about-edpb/about-edpb/members_en.
- Quebec residents: Commission d'accès à l'information du Québec (CAI).
- UK residents: Information Commissioner's Office (ICO).
- California residents: California Privacy Protection Agency.
Changes to this policy
We may update this policy from time to time to reflect changes in our practices, new sub-processors, or new legal requirements. The "Last updated" date at the top of this page reflects the most recent change. For material changes, we will take reasonable steps to notify affected contacts directly — for example, by email to active CRM contacts, or via a prominent notice on the site. Continued use of the site after an update constitutes acceptance of the updated policy to the extent permitted by law.
Prior versions of this policy are available on request from the Privacy Officer.
Privacy Officer and contact
Navos AI, Inc. has designated a Privacy Officer under Quebec Law 25 §3.1 (the "Person in Charge of Personal Information"). For privacy-related questions, data subject requests, complaints, security reports, and vulnerability disclosures, contact the Privacy Officer at contact@navos.ai. The shared inbox is monitored by the cofounder team.
Postal address: Navos AI, Inc., 1111B S Governors Ave, Ste 39989, Dover, DE 19904, United States.