Last Updated: May 6, 2026

GDPR Compliance Statement

At Navigent (operated by Navigent.io ApS, CVR: 46285395), we are committed to protecting the personal data of our customers and their contacts in full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This page provides an overview of our GDPR compliance framework. For detailed information, please refer to our Privacy Policy, Data Processing Agreement, Acceptable Use Policy, and Terms of Service.

1. Our Commitment

Navigent is a Danish company subject to GDPR and the Danish Data Protection Act (Databeskyttelsesloven). We have implemented comprehensive technical and organizational measures to ensure that all personal data processing carried out through our platform meets the requirements of the GDPR.

2. Data Controller vs. Data Processor

Navigent operates in three distinct capacities:

• As Independent Data Controller: For account data (registration, billing, support), usage data (analytics, telemetry, security logs), AND prospect data sourced from third-party data providers and enriched for the lead generation service. For these activities, Navigent determines the purposes and means of processing on its own legal basis.
• As Joint or Independent Data Controller (depending on Customer activity): For outreach campaigns Customer sends. The Customer determines targeting, content, and timing. Navigent supplies the data, the infrastructure, and the audit trail.
• As Data Processor:For the technical act of sending emails through Navigent's infrastructure on Customer's behalf, including delivery, bounce handling, and engagement tracking. We process this data solely on the Customer's documented instructions.

The processor relationship is formalized through our Data Processing Agreement (DPA), which is available to all customers and is incorporated into the Terms of Service.

3. Lawful Bases for Processing

We process personal data only where we have a lawful basis under GDPR Article 6:

• Legitimate Interest (Art. 6(1)(f)): The primary basis for sourcing, enriching, and making available B2B prospect data for the lead generation service. A summary of our Legitimate Interest Assessment (LIA) is available on request to info@navigent.io. Legitimate interest is also relied on for analytics, fraud prevention, and service improvement, where not overridden by your rights.
• Contractual Necessity (Art. 6(1)(b)): To provide the Service as agreed in our Terms of Service.
• Legal Obligation (Art. 6(1)(c)): To comply with tax, accounting, and regulatory requirements under Danish law.
• Consent (Art. 6(1)(a)): Where applicable, for optional processing such as marketing communications.

4. Your Rights as a Data Subject

Under the GDPR, individuals whose personal data we process have the following rights:

4.1 Right of Access (Article 15)

You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about how it is processed.

4.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data without undue delay.

4.3 Right to Erasure, "Right to Be Forgotten" (Article 17)

You have the right to request the deletion of your personal data where:

• The data is no longer necessary for the purpose it was collected.
• You withdraw consent and no other lawful basis applies.
• You object to processing and there are no overriding legitimate grounds.
• The data has been unlawfully processed.
• Deletion is required to comply with a legal obligation.

Upon receiving a valid erasure request, we will delete your personal data within 30 days and confirm the deletion in writing. Note: we may retain certain data where required by law (e.g., billing records under Danish bookkeeping regulations).

4.4 Right to Restriction of Processing (Article 18)

You may request that we restrict processing of your data while we verify its accuracy, assess a legitimate interest objection, or when processing is unlawful but you prefer restriction over erasure.

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV). Where technically feasible, we will transmit the data directly to another controller at your request.

To request a copy of your personal data in a machine-readable format, contact us at info@navigent.io. We will deliver the export within 30 days of verifying your identity, in line with Article 12(3).

4.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interest. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

4.7 Right Regarding Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. While Navigent uses AI to assist with email generation and lead scoring, final decisions regarding outreach are made by our customers, not by automated systems.

5. How to Exercise Your Rights

To exercise any of the above rights, you may:

• Send an email to info@navigent.io with the subject line "GDPR Request".
• Write to us at: Navigent.io ApS, Nørre Voldgade 70, 1358 København K, Denmark.
• If you are a prospect (your contact details appear in our system but you are not a Navigent customer, e.g., because you received a cold email from one of our customers), please contact info@navigent.io. You can also visit our How we got your data page for a plain-language explanation and quick suppression options.

We will verify your identity and respond to your request within 30 days. If the request is complex or we receive a large number of requests, we may extend this period by a further 60 days, notifying you of the extension within the initial 30-day period.

Note for contacts of our customers: If your personal data is processed by a Navigent customer (i.e., you are a lead or email recipient), the customer is the Data Controller for the sending decision. We will assist our customers in fulfilling such requests in accordance with our Data Processing Agreement.

6. International Data Transfers

Navigent primarily stores data within the EU (Supabase EU region, Frankfurt). Where data is transferred to sub-processors outside the EU/EEA, we ensure appropriate safeguards through Standard Contractual Clauses (SCCs), Transfer Impact Assessments, and supplementary technical measures (encryption, access controls).

Sub-processors with international transfers include:

• Stripe, Inc. (United States): payment processing, under EU SCCs.
• OpenAI, LLC(United States): AI processing, under EU SCCs and OpenAI's DPA.
• Google LLC (United States): calendar integration, under EU SCCs.
• Vercel, Inc. (Global): application hosting, under EU SCCs.
• Sentry (Functional Software, Inc.) (United States): error monitoring, under EU SCCs.
• Defastra Tech Inc. (d/b/a Prospeo) (Canada): B2B contact data sourcing, under the GDPR Art. 45 adequacy decision for Canada (PIPEDA).
• Serper.dev (United States): web search and company-level enrichment, under EU SCCs.
• Smartlead.ai (Smartlead, Inc.) (United States): email campaign delivery, under EU SCCs.

7. Security Measures

We implement robust security measures in accordance with GDPR Article 32, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Role-based access control (RBAC) with principle of least privilege.
• Multi-factor authentication for administrative access.
• Automated daily backups with point-in-time recovery.
• Regular security audits and vulnerability assessments.
• Incident response and breach notification procedures.

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

1. Notify the relevant supervisory authority (Datatilsynet) within 72 hours (GDPR Article 33).
2. Notify affected customers without undue delay so they can fulfill their own notification obligations.
3. Where the breach is likely to result in a high risk to individuals, communicate directly with the affected Data Subjects (GDPR Article 34).

9. Data Protection Contact

Given the current scale of operations, Navigent has not appointed a formal Data Protection Officer (DPO) under GDPR Article 37. We have appointed an internal data protection contact reachable at info@navigent.io. All data protection inquiries are handled by company leadership and the privacy contact jointly.

10. Supervisory Authority

Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet):

You have the right to lodge a complaint with Datatilsynet or with the supervisory authority in your EU/EEA Member State of residence.

11. Contact