NNavi

Legal

Privacy policy

This policy describes how Navi collects, processes, and protects your personal data, in compliance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.

This is an informational English translation of our legal terms. The French version remains authoritative — applicable law is French and exclusive jurisdiction is the courts of Nanterre. In case of any discrepancy, the French text prevails.

Last updated: May 16, 2026

Legal noticeTerms of SalePrivacy policyGDPR

1. Data controller

Alexis Raitano (Sole proprietor (Entrepreneur individuel — French sole-proprietorship status), SIREN 897 833 729), with head office at 196 rue Germaine Tillion, 92000 Nanterre, is the controller for processing related to the marketing site https://navi.myffu.fr.

For data processed in the context of providing the Navi service to a customer (Shopify store), Navi acts as a processor within the meaning of the GDPR, on behalf of the customer (controller toward the visitors of their store).

Data Protection Officer (DPO): Alexis Raitano alexis.raitano@myffu.fr

2. Data collected

2.1 Marketing site visitors

When submitting a trial request via the form:

  • first and last name;
  • professional email address;
  • Shopify store URL;
  • phone number (optional);
  • monthly order volume (optional);
  • free-text message (optional).

2.2 Customers (dashboard users)

  • login credentials (email, password hashed via bcrypt rounds 10);
  • billing information (name, company name, address, payment card data — the latter is not retained by Navi; it is processed exclusively by Stripe);
  • store configuration: tone, instructions, knowledge base;
  • technical Shopify integration identifiers.

2.3 Visitors of our customers' stores

When a visitor converses with the Navi assistant deployed on one of our customers' stores:

  • content of messages exchanged;
  • where applicable, the visitor's email entered for order tracking purposes (identity verification via OTP);
  • technical identifiers (session ID, store identifier);
  • Shopify customer identifier (customer_id) where available, after identity verification;
  • data on the consulted order (order number, status), retrieved in read mode from Shopify for the specific needs of the conversation;
  • data on the cart created via the assistant (product references, quantities);
  • return requests submitted via the assistant (order reference, reason, items concerned).

3. Purposes and legal bases

PurposeLegal basis
Handle a trial request and follow up with the prospectPre-contractual measures at the prospect's request (art. 6.1.b GDPR)
Provide and operate the Navi servicePerformance of the contract (art. 6.1.b GDPR)
Billing and collectionLegal obligation and performance of the contract (art. 6.1.b and 6.1.c GDPR)
Service security, fraud and abuse preventionLegitimate interest (art. 6.1.f GDPR)
Service improvement and debuggingLegitimate interest (art. 6.1.f GDPR), with minimized data
Responding to data-subject requestsLegal obligation (art. 12 et seq. GDPR)

Conversations of store visitors are never used to train AI models, nor shared between customers.

4. Recipients and subprocessors

Data is accessible to authorized Navi personnel, strictly within the scope of their duties, as well as to the following subprocessors, who act on behalf of Navi:

SubprocessorRoleLocation
Vercel Inc.Marketing site hosting (navi.myffu.fr)United States
Railway Corp.Navi infrastructure hosting (widget, automations, vector store)United States
Supabase Inc.Database, authentication, and application storageEuropean Union (EU region)
Anthropic PBCClaude language model provider (response generation)United States
Resend, Inc.Transactional email delivery (notifications, OTP)United States
Shopify International LimitedRead access to the client's catalog, orders, and store data (Shopify integration)Ireland (European Union)
Stripe Payments Europe LimitedPayment processing (subscriptions and billing)Ireland (European Union)

Each subprocessor is bound to Navi by an agreement framing the processing (Data Processing Agreement) and provides sufficient guarantees within the meaning of article 28 of the GDPR.

5. Transfers outside the European Union

Some of our subprocessors are established in the United States (Vercel, Anthropic, Resend, Railway). Data transfers to these countries are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission, and where applicable by the Data Privacy Framework for certified subprocessors.

Data processed by Supabase, Shopify, and Stripe is hosted in the European Union.

6. Retention periods

DataDuration
Unconverted lead (trial request without subscription)3 years from last contact
Customer account and store configurationFor the duration of the contract, then 30 days after termination to allow export, then deletion
Store conversations with visitors12-month rolling window by default, configurable shorter on customer request
Technical and security logs12 months
Invoices and accounting records10 years (legal obligation, article L. 123-22 of the French Commercial Code)
Technical backupsAt most 90 days after deletion of active data

7. Security

Navi implements appropriate technical and organizational measures to protect data:

  • encryption of data in transit (TLS) and at rest;
  • strict isolation of customer data;
  • access control based on named accounts and minimum permissions;
  • logging of access to sensitive data;
  • strong password policy, two-factor authentication recommended for administrators;
  • regular backups and tested restoration procedure;
  • continuous evaluation of subprocessors and their GDPR guarantees.

8. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights over your data:

  • right of access and copy;
  • right to rectification of inaccurate or incomplete data;
  • right to erasure (« right to be forgotten »);
  • right to restriction of processing;
  • right to object to processing based on legitimate interest;
  • right to data portability;
  • right to issue directives concerning the fate of data after death;
  • right to withdraw your consent at any time, when processing is based on consent.

To exercise these rights, write to alexis.raitano@myffu.fr. A response will be provided within one month, extendable by two months if the request is complex.

If you consider that your rights are not respected, you may file a complaint with the CNIL (French Data Protection Authority): cnil.fr/fr/plaintes.

If you are a visitor of a customer store, your first point of contact is the merchant operating that store (Data Controller). We invite you to contact them directly, or to write to us so we can relay the request.

9. Cookies and local storage

The marketing site https://navi.myffu.fr currently sets no audience-measurement or marketing cookies. Only cookies strictly necessary to the operation of the site (technical preferences, security) may be used; these do not require prior consent.

If Navi were to introduce audience-measurement or marketing cookies, a consent banner compliant with article 82 of the French Data Protection Act would be put in place, and this policy would be updated.

On our customers' stores, the Navi widget may store a technical session identifier in the visitor browser's localStorage (opaque random string, with no personal data). This identifier ensures conversation continuity (resume where the visitor left off) and maintains the OTP-authenticated state after identity verification, for the duration of the session. localStorage is not a cookie in the technical sense (it is not automatically transmitted by the browser with every request) and does not require a consent banner under article 82 of the French Data Protection Act. It is mentioned here for transparency. The visitor can delete it at any time by clearing site data in their browser.

10. Updates

This policy may be updated, notably to reflect changes in the Service or in regulation. The date of the last update is shown at the top of the page.

Privacy policy · Navi