Privacy Policy

How Navoo handles your data and protects your privacy.

Last updated: 3 February 2025

1. Who we are and scope

Navoo is an embedded, context-aware AI navigation assistant developed by SHIFTBASE LABS LTD, a company registered in England and Wales with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. This Privacy Policy applies to: (a) your use of navooai.com and our web application; and (b) the Navoo embed service that customers integrate into their websites.

2. Data Controller vs Processor

Under the UK GDPR and EU GDPR, we act in two distinct roles:

  • Data Controller: For personal data we collect and process in relation to navooai.com (account registration, billing, contact forms, support). We determine the purposes and means of such processing.
  • Data Processor: For personal data processed on behalf of our customers who embed Navoo on their websites. The customer is the Data Controller; we act as their processor under Article 28 GDPR and process data only on their documented instructions.

3. Data we collect and process

navooai.com users (we are Controller)

  • Account data: email address, name, authentication details
  • Billing data: payment information via Stripe; subscription status
  • Contact form: name, email, subject, and message content
  • Usage data: site configuration, crawl settings, dashboard activity

End-users of embedded Navoo (we are Processor)

When visitors interact with Navoo on a customer's website, we process the following ephemerally—in memory only for the duration of the request:

  • User queries (e.g. "Where do I change my password?")
  • Page content: headings, links, buttons, form labels, and similar structural text extracted from the current page (max ~18,000 characters)
  • Current page URL

Important: This page content and user queries are not stored, not indexed, and not used for model training. They are used solely to generate real-time navigation guidance and discarded immediately after the response is sent.

4. How we use data

  • To provide, operate, and improve our service
  • To process billing and manage subscriptions
  • To respond to contact requests and support enquiries
  • To send service-related communications (e.g. account or billing updates)
  • AI processing: Page content and queries may be sent to OpenAI (gpt-4o-mini) to generate navigation guidance. OpenAI acts as our sub-processor; their privacy policy applies: openai.com/policies/privacy-policy
  • To comply with legal obligations

5. Ephemeral processing

Page content and user queries processed by the Navoo embed are held in-memory only for the duration of the API request. We do not log, cache, or persist this data. No database writes occur for this content.

6. Legal basis (GDPR)

  • Contract: Processing necessary to provide the service you have requested
  • Legitimate interest: Security, fraud prevention, service improvement, and analytics (where applicable)
  • Consent: Where we rely on consent, you may withdraw it at any time

7. Data retention

  • Account data: Retained while your account is active and for a reasonable period after closure for legal and accounting purposes
  • Ephemeral embed data: No retention—not stored
  • Contact messages: Up to 24 months or as needed to respond to your enquiry
  • Billing records: As required by applicable law (typically 7 years for tax purposes)

8. Your rights (UK GDPR / EU GDPR)

You have the right to:

  • Access your personal data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Object to processing based on legitimate interests
  • Withdraw consent where processing is based on consent

To exercise these rights, contact us at hi@navooai.com. You may also lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local data protection authority.

9. International transfers

Your data may be processed in the United Kingdom, European Economic Area, and the United States (e.g. via OpenAI, Stripe, and cloud infrastructure). We ensure appropriate safeguards, including adequacy decisions and Standard Contractual Clauses (SCCs) where required.

10. Security

We implement technical and organisational measures to protect your data, including encryption in transit and at rest where appropriate, access controls, and secure development practices.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. Material changes may be communicated via email or a prominent notice on our website.

Contact

For privacy-related enquiries or to exercise your rights, contact:

SHIFTBASE LABS LTD
71-75 Shelton Street
Covent Garden
London, United Kingdom, WC2H 9JQ
Email: hi@navooai.com