1. Our principles
- Minimization — We collect only the data strictly necessary to deliver the Service.
- EU-first hosting — Your business data (catalog, knowledge base, conversations, payments) is hosted in the European Union. Third-party services located outside the EU are covered by Standard Contractual Clauses.
- Per-store isolation — Each customer's data is strictly isolated. One store's conversations are never accessible to another.
- No cross-training — Your conversations are not used to train AI models.
- Reversibility — You can export or delete your data at any time.
2. Roles under the GDPR
Depending on the type of processing, Navi acts in two distinct roles:
- Data Controller for data collected on the marketing site (contact form, administrator accounts, billing).
- Data Processor for data processed in the context of the Navi Service deployed on a customer's store: the customer is Data Controller toward the visitors of their store. Navi processes such data under the customer's documented instructions, pursuant to article 28 of the GDPR.
3. Subprocessors
To deliver the Service, Navi relies on the following subprocessors. All are bound by contract and provide sufficient guarantees within the meaning of the GDPR.
| Subprocessor | Role | Location | Legal basis |
|---|---|---|---|
| Vercel Inc. | Marketing site hosting (navi.myffu.fr) | United States | European Commission Standard Contractual Clauses (SCCs) |
| Railway Corp. | Navi infrastructure hosting (widget, automations, vector store) | United States | European Commission Standard Contractual Clauses (SCCs) |
| Supabase Inc. | Database, authentication, and application storage | European Union (EU region) | EU-based hosting |
| Anthropic PBC | Claude language model provider (response generation) | United States | European Commission Standard Contractual Clauses (SCCs) |
| Resend, Inc. | Transactional email delivery (notifications, OTP) | United States | European Commission Standard Contractual Clauses (SCCs) |
| Shopify International Limited | Read access to the client's catalog, orders, and store data (Shopify integration) | Ireland (European Union) | EU-based hosting |
| Stripe Payments Europe Limited | Payment processing (subscriptions and billing) | Ireland (European Union) | EU-based hosting |
Any change to this list will be notified to customers in advance, giving them the opportunity to object where appropriate.
4. Security measures
- administrator passwords hashed with bcrypt (10 rounds);
- TLS encryption for all communications;
- at-rest encryption for databases and backups;
- strict per-tenant data isolation (multi-tenant isolation);
- role-based access control (RBAC) with the principle of least privilege;
- strong authentication recommended for administrator accounts;
- access and administration logs retained and reviewed;
- automated backups and tested restoration procedures;
- vulnerability management policy and continuous security monitoring;
- strict separation of environments (production / staging / development);
- no customer data is used to train AI models.
5. How to exercise your rights
You may exercise your rights of access, rectification, erasure, objection, restriction, and portability by writing to:
Alexis Raitano, Navi DPO
Email: alexis.raitano@myffu.fr
Postal address: 196 rue Germaine Tillion, 92000 Nanterre
A response will be provided within one month (extendable by two months for complex requests). No fee will be charged, except for manifestly unfounded or excessive requests.
In case of unresolved disagreement, you may file a complaint with the French data protection authority (CNIL): cnil.fr/fr/plaintes.
6. Data breach
In the event of a personal data breach, Navi commits to:
- notify affected customers without undue delay, and no later than 72 hours after becoming aware of the breach, in accordance with article 33 of the GDPR;
- provide the information needed for the customer (Data Controller) to notify the CNIL and, where applicable, the affected data subjects;
- document the incident, its causes, its consequences, and the remediation measures taken.
7. Data Processing Agreement (DPA)
Pursuant to article 28 of the GDPR, Navi has established a Data Processing Agreement that governs the processing of personal data on behalf of its customers (Data Controllers).
This DPA is incorporated as an Annex to the Terms of Sale. The Customer's acceptance of the Terms of Sale constitutes acceptance of the DPA annex. This arrangement, standard in SaaS contracts, ensures that every Navi Customer automatically benefits from a GDPR-compliant Data Processing Agreement, with no additional formality.
For Customers whose legal team would like the DPA as a standalone document (for transmission, archiving), a PDF version of the DPA can be downloaded here:
For any question relating to the DPA, write to alexis.raitano@myffu.fr.