Last Updated: May 6, 2026
Privacy Policy
This Privacy Policy describes how Navigent.io ApS(CVR: 46285395), with registered address at Nørre Voldgade 70, 1358 København K, Denmark ("Navigent", "we", "us", or "our"), collects, uses, and protects personal data when you use the Navigent platform at navigent.io(the "Service").
1. Data Controller
Navigent operates in two distinct legal capacities depending on the type of personal data and the activity at issue.
Navigent is an independent Data Controller for: (a) account data (registration, billing, support), (b) usage data (analytics, telemetry, security logs), and (c) personal data we source from third-party data providers and enrich for the purpose of providing the lead generation service. For these processing activities, Navigent determines the purposes and means of processing on its own legal basis (typically contractual necessity, legitimate interest, or legal obligation).
The Customer is the Data Controllerfor the Customer's own outreach decisions, the design of the Customer's campaigns, and any contact lists that the Customer uploads to the Service. The Customer determines who is contacted, when, with what content, and on which lawful basis.
Navigent acts as Data Processoron behalf of the Customer when sending, scheduling, or tracking email campaigns through Navigent's infrastructure. This processor relationship is governed by our Data Processing Agreement, which forms part of the Terms of Service.
2. Data We Collect
2.1 Account Data
When you register, we collect: name, email address, company name, billing address, and payment information. This data is necessary for the performance of our contract with you (GDPR Article 6(1)(b)).
2.2 Usage Data
We automatically collect data about how you interact with the Service, including: pages visited, features used, timestamps, IP addresses, browser type, device information, and referral URLs. This processing is based on our legitimate interest in improving the Service (GDPR Article 6(1)(f)).
2.3 Customer Data
You may upload or input data into the Service, such as lead information, email templates, campaign content, and contact lists. We process this data solely on your instructions as Data Processor.
2.4 Communication Data
When you contact support or provide feedback, we collect the contents of your communications along with associated metadata.
2.5 Prospect Data
We source business contact data (names, business email addresses, phone numbers, job titles, company information) from our data partner Prospeo (Defastra Tech Inc., Canada) under a contractual data supply arrangement. We retain this data in a temporary cache for a maximum of 90 days, after which it is permanently deleted from our systems. We further enrich this data with publicly available company-level information (for example, website content, social profiles) sourced via Serper API. Our lawful basis for processing this data is legitimate interest (GDPR Art. 6(1)(f)) for the purpose of providing B2B lead generation services to our customers, as documented in our Legitimate Interest Assessment available on request to info@navigent.io.
3. How We Use Your Data
We use your personal data for the following purposes:
- Providing, operating, and maintaining the Service.
- Processing payments and managing subscriptions.
- Sending transactional communications (account confirmations, invoices, security alerts).
- Improving the Service, including analytics and feature development.
- Detecting and preventing fraud, abuse, and security incidents.
- Complying with legal obligations.
- Sourcing and enriching business contact data for the lead generation service (Section 2.5).
4. Sub-Processors
We engage the following third-party sub-processors to deliver the Service. Each sub-processor has been vetted for GDPR compliance:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing, invoicing | United States (EU SCCs) |
| Supabase, Inc. | Authentication, database hosting, file storage | EU (Frankfurt region) |
| OpenAI, LLC | AI-powered features: email generation, lead enrichment, context synthesis | United States (EU SCCs / DPA) |
| Google LLC | Calendar integration (Google Calendar API), OAuth authentication | United States (EU SCCs) |
| Vercel, Inc. | Application hosting and CDN | Global (EU SCCs) |
| Sentry (Functional Software, Inc.) | Error monitoring and performance tracking | United States (EU SCCs) |
| Defastra Tech Inc. (d/b/a Prospeo) | B2B contact data sourcing under independent controller arrangement | Canada (adequacy decision under GDPR Art. 45) |
| Serper.dev (Vottun Inc.) | Web search and company website enrichment (publicly available company data) | United States (EU SCCs) |
| Smartlead.ai (Smartlead, Inc.) | Email campaign delivery and engagement tracking | United States (EU SCCs) |
Where sub-processors are located outside the EU/EEA, transfers are safeguarded by Standard Contractual Clauses (SCCs) adopted by the European Commission, or other approved transfer mechanisms.
5. Legal Bases for Processing (GDPR Article 6)
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to.
- Legitimate Interest (Art. 6(1)(f)): Analytics, fraud prevention, service improvement, and the sourcing and enrichment of B2B prospect data described in Section 2.5.
- Legal Obligation (Art. 6(1)(c)): Compliance with tax, accounting, and regulatory requirements.
- Consent (Art. 6(1)(a)): Where applicable, for optional marketing communications. You may withdraw consent at any time.
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account termination, we retain data for a maximum of 90 days to allow for data export, after which it is permanently deleted. Billing records are retained for up to 5 years to comply with Danish bookkeeping obligations (Bogføringsloven).
Prospect data sourced from third-party providers (see Section 2.5) is retained for a maximum of 90 days from the date of enrichment, after which it is permanently deleted from our active systems, backups, and logs in accordance with our data supply agreements.
7. Your Rights (GDPR Articles 15–22)
If you are located in the EU/EEA, you have the following rights:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17):Request deletion of your personal data ("right to be forgotten").
- Restriction (Art. 18): Request restriction of processing under certain conditions.
- Portability (Art. 20): Receive your data in a structured, commonly-used, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Automated Decision-Making (Art. 22): Right not to be subject to decisions based solely on automated processing.
To exercise any of these rights, contact us at info@navigent.io. We will respond within 30 days.
If you are a prospect whose contact details appear in our system (i.e., you are not a Navigent customer but received an email sent by one of our customers using our platform), you may exercise your rights by contacting info@navigent.io. Note that for outreach campaigns, our customer is the Data Controller for the sending decision; we will assist in routing your request to the appropriate party. You may also visit our "How we got your data" page at navigent.io/legal/data-sources for a plain-language explanation.
8. Cookies & Tracking
Navigent uses essential cookies required for authentication and session management. We do not use third-party advertising trackers. Analytics cookies, if any, are deployed only with your prior consent via our cookie banner.
9. Security
We implement industry-standard technical and organizational measures to protect your data, including: encryption in transit (TLS 1.2+), encryption at rest (AES-256), access controls, regular security audits, and incident response procedures. Despite these measures, no method of transmission or storage is 100% secure.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.
12. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet): www.datatilsynet.dk.
13. Contact
Navigent.io ApSNørre Voldgade 70
1358 København K, Denmark
CVR: 46285395
Email: info@navigent.io
Phone: +45 29843964
14. Legitimate Interest Assessment
We have conducted a Legitimate Interest Assessment (LIA) for our processing of prospect data, balancing our legitimate interest in providing B2B lead generation services against the rights and reasonable expectations of data subjects. Our assessment concluded that processing limited business contact data, with strict retention limits, transparency, and an absolute right to object, does not override the rights of data subjects in a B2B context. A summary of the LIA is available on request to info@navigent.io.