Privacy Policy
Last updated: March 15, 2026
1. Introduction & Scope
This Privacy Policy explains how Navil ("we," "our," or "Navil") collects, uses, stores, and shares information when you use the Navil Cloud Service, APIs, and website at www.navil.ai (collectively, the "Service").
This policy applies to the Cloud Service only. The open-source Navil Gateway runs on your own infrastructure and processes data locally. Data processed by the Gateway on your servers is under your control and not covered by this policy — unless that data is transmitted to the Cloud Service (e.g., telemetry sync or threat intelligence contributions).
We are committed to protecting your privacy and handling your data transparently. We process the minimum data necessary to operate the Service and never sell personal information.
2. Information We Collect
2.1 Information You Provide
Account data: When you register, we collect your email address and organization name. Authentication is handled by our identity provider (Clerk). We do not collect or store passwords directly.
Billing data: Payment information is collected and processed entirely by Stripe. We never receive, store, or have access to your credit card numbers. We receive only a transaction reference, billing status, and the last four digits of your card for display purposes.
Support communications: If you contact us via email, we collect the content of your message, your email address, and any attachments you provide.
2.2 Information Collected Automatically
Usage telemetry: The Cloud Service collects operational metrics including request counts, tool invocation metadata (tool names, timestamps, agent identifiers), threat detection event types, and anomaly scores. This telemetry is used to operate the Service, generate threat intelligence, and improve anomaly detection accuracy.
Pseudonymized network data: IP addresses are SHA-256 hashed and truncated before storage. Raw IP addresses are never stored in our databases, logs, or backups. The hashing is one-way and irreversible — we cannot recover the original IP address from the stored hash.
Authentication session data: We use essential cookies from Clerk to maintain your authentication session. See Section 11 for details.
2.3 Information from Third Parties
Authentication data: Clerk provides us with your verified email address and authentication status when you sign in. If you use social login (e.g., Google, GitHub), Clerk may provide your display name and profile identifier. We do not receive your social login passwords.
2.4 Threat Intelligence Contributions (Community Tier)
If you are on the Community tier, the Gateway on your infrastructure contributes anonymized threat data to the Cloud Service. This is described in detail in Section 5. Threat intelligence contributions do not contain personal information.
3. Legal Basis for Processing
We process personal data under the following legal bases (GDPR Article 6):
Contract performance (Art. 6(1)(b)): We process account data and operational telemetry as necessary to provide the Service you signed up for — including authentication, dashboard access, threat detection, and billing.
Legitimate interest (Art. 6(1)(f)): We process usage data and anonymized telemetry to improve security detection accuracy, maintain and improve the Service, generate aggregated threat intelligence, and detect abuse of the Service. Our legitimate interests do not override your rights — we limit data collection to what is strictly necessary and pseudonymize data where possible.
Consent (Art. 6(1)(a)): Community tier users consent to contributing anonymized threat data at registration. This consent is specific, informed, and freely given — you may withdraw consent at any time by upgrading to the Pro tier or above (see Section 5.4). Withdrawal of consent does not affect the lawfulness of processing performed before withdrawal.
4. How We Use Your Data
We use the information we collect for the following purposes:
- Service operation: Authenticating users, serving dashboard data, processing API requests, enforcing rate limits, and managing Organizations.
- Security detection: Running anomaly detection algorithms, computing threat scores, generating alerts, and maintaining behavioral baselines for your Agents.
- Threat intelligence: Aggregating and anonymizing threat signals from Community tier participants to produce the Threat Intelligence Feed (see Section 5).
- Billing: Processing subscription payments, managing tier changes, and generating invoices through Stripe.
- Security notifications: Alerting you to detected threats, anomalous behavior, or security-relevant events in your deployment.
- Product improvement: Analyzing aggregated, anonymized usage patterns to improve detection accuracy, Service performance, and user experience. We do not use your data to train machine learning models that are sold to third parties.
- Legal compliance: Responding to lawful requests from authorities, enforcing our Terms of Service, and protecting the rights and safety of our users.
5. Threat Intelligence Sharing
This section describes Navil's give-to-get model for community threat intelligence. This is a core feature of the Service and we want you to understand exactly how it works.
5.1 What Community Tier Contributes
Community tier users contribute anonymized threat signals including: anomaly type classifications (e.g., "RECONNAISSANCE," "DATA_EXFILTRATION," "RUG_PULL"), tool sequence hashes (one-way, irreversible SHA-256 hashes of tool call sequences), severity scores, detection confidence levels, and timestamps.
All agent identities are replaced with one-way HMAC-SHA256 hashes using a per-deployment secret before any data leaves your infrastructure. The hashing is performed locally by the Gateway. We cannot recover original agent names, server names, or any identifying information from the hashed values.
5.2 What is NEVER Shared
The following categories of data are never included in threat intelligence contributions, under any circumstances:
- Payload content (request bodies, response bodies, tool arguments)
- API keys, tokens, credentials, or secrets
- Email addresses or usernames
- IP addresses (raw or hashed)
- File paths, server URLs, or hostnames
- Prompt content or natural language text
- Any personally identifiable information (PII)
These restrictions are enforced by a runtime field allowlist in the Gateway. If a banned field is detected in outgoing telemetry, a ValueError is raised and the data is not transmitted. You can audit this mechanism by inspecting navil/cloud/telemetry_sync.py in the open-source Gateway codebase.
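As an added illustration of the outbound allowlist and the hashing described in Sections 5.1 and 5.2, the following is example code written for this page, not the Gateway's own navil/cloud/telemetry_sync.py; the field names, the constructed sample event and the sample secret are assumptions, not the Gateway's real schema.

```python
import hashlib
import hmac
import json
import re

# Outbound field allowlist, name -> permitted value type. The names are an
# assumption modelled on Section 5.1, not the Gateway's real schema.
ALLOWED_FIELDS = {
    "anomaly_type": str, "tool_sequence_hash": str, "agent_id_hash": str,
    "severity": (int, float), "confidence": (int, float), "timestamp": (int, float),
}
HEX_DIGEST = re.compile(r"^[0-9a-f]{64}$")

def hash_agent_identity(agent_id: str, deployment_secret: bytes) -> str:
    # Keyed one-way hash: without the per-deployment secret the digest cannot be
    # matched back to a name, unlike an unkeyed hash of a guessable identifier.
    return hmac.new(deployment_secret, agent_id.encode("utf-8"), hashlib.sha256).hexdigest()

def hash_tool_sequence(tool_names: list) -> str:
    # SHA-256 over the ordered tool names only; tool arguments never enter.
    canonical = json.dumps(list(tool_names), separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_contribution(event: dict, deployment_secret: bytes) -> dict:
    # Replace the raw agent id and tool sequence with their hashes; nothing else is copied.
    return {
        "anomaly_type": event["anomaly_type"],
        "tool_sequence_hash": hash_tool_sequence(event["tool_sequence"]),
        "severity": event["severity"],
        "confidence": event["confidence"],
        "timestamp": event["timestamp"],
        "agent_id_hash": hash_agent_identity(event["agent_id"], deployment_secret),
    }

def enforce_allowlist(record: dict) -> dict:
    # Refuse to transmit on an unknown field, a wrong value type, or a hash field
    # that is not a hex digest (so free text cannot ride in through an allowed key).
    banned = set(record) - set(ALLOWED_FIELDS)
    if banned:
        raise ValueError(f"banned telemetry fields: {sorted(banned)}")
    for name, typ in ALLOWED_FIELDS.items():
        if name in record and not isinstance(record[name], typ):
            raise ValueError(f"field {name!r} has unexpected type")
    for name in ("tool_sequence_hash", "agent_id_hash"):
        if name in record and not HEX_DIGEST.match(record[name]):
            raise ValueError(f"field {name!r} is not a SHA-256 hex digest")
    return record

# Constructed sample secret and event for a stand-alone run.
SAMPLE_SECRET = b"constructed-per-deployment-secret"
SAMPLE_EVENT = {"agent_id": "billing-agent-01", "anomaly_type": "RECONNAISSANCE",
                "tool_sequence": ["list_files", "read_file", "http_post"],
                "severity": 0.8, "confidence": 0.93, "timestamp": 1773532800}
if __name__ == "__main__":
    print(json.dumps(enforce_allowlist(build_contribution(SAMPLE_EVENT, SAMPLE_SECRET)), indent=2))
```

Note that allowlisting keys alone does not inspect values, which is why the example also checks value types and digest shape before anything leaves the host.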
5.3 How Aggregation Works
Individual contributions are aggregated across all Community tier participants before being distributed as the Threat Intelligence Feed. The feed contains pattern signatures, severity distributions, and detection rules — not individual telemetry events. No participant can identify another participant's contributions in the feed.
5.4 Opting Out
You may opt out of threat intelligence contributions at any time by upgrading to the Pro tier or above. Upgrading withdraws your consent for data contribution and switches your account to private telemetry mode. Community tier users who disable cloud sync locally lose access to the Threat Intelligence Feed, as the give-to-get model requires participation.
5.5 No Sale of Telemetry
Navil does not sell raw telemetry data. Threat intelligence is derived from aggregated, anonymized contributions and distributed solely to participating Navil users and paid subscribers. We do not share individual telemetry events with any third party.
6. Data Retention
We retain data for the minimum period necessary for the stated purpose:
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Telemetry events | 30 days | Automated deletion |
| Sync events (threat contributions) | 7 days | Automated deletion |
| Audit log entries | Duration of subscription | Deleted upon account termination (after 30-day export window) |
| Account data | Until deletion request | Purged within 30 days of request |
| Backups | 7-day rotation cycle | Overwritten automatically |
Anonymized, aggregated threat intelligence that has already been incorporated into the Threat Intelligence Feed cannot be attributed to your account and is not subject to individual deletion requests, as it constitutes anonymous data under GDPR Recital 26.
7. Data Location & International Transfers
7.1 Primary Infrastructure
All primary Service infrastructure is hosted in the European Union (Frankfurt, eu-central-1). This includes our PostgreSQL database (Supabase on AWS), Redis cache (Upstash), and backend API (Render).
7.2 US-Based Sub-Processors
Certain sub-processors are based in the United States. We rely on the following transfer mechanisms to ensure adequate protection:
- EU-US Data Privacy Framework (DPF): Clerk, Stripe, and Vercel are certified under the EU-US Data Privacy Framework, which has been recognized as providing adequate protection by the European Commission (Adequacy Decision of July 10, 2023).
- Standard Contractual Clauses (SCCs): As a supplementary safeguard, we maintain SCCs with all US-based sub-processors as a fallback mechanism in the event the DPF adequacy decision is invalidated.
7.3 Edge Hosting
Our frontend is hosted on Vercel's global edge CDN. Static assets may be served from edge nodes outside the EU for performance. No personal data is stored or processed at edge nodes — they serve only static frontend files.
8. Sub-Processors
We use the following sub-processors to operate the Service:
| Provider | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase (AWS) | PostgreSQL database | EU (Frankfurt) | N/A (EU-based) |
| Upstash | Redis cache & rate limiting | EU (Frankfurt) | N/A (EU-based) |
| Render | Backend API hosting | EU (Frankfurt) | N/A (EU-based) |
| Clerk | Authentication & identity | US | EU-US DPF + SCCs |
| Stripe | Payment processing | US | EU-US DPF + SCCs |
| Vercel | Frontend hosting (edge CDN) | Global | EU-US DPF + SCCs |
Sub-processor changes: We will notify you of new sub-processors at least thirty (30) days before they begin processing your data. Notification will be sent via email to Organization Admins. If you object to a new sub-processor, you may terminate your account before the sub-processor begins processing, and we will provide a pro-rated refund for any prepaid, unused subscription fees.
9. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
Right of access (Art. 15): You may request a copy of the personal data we hold about you. You can export your data directly from the Settings page of the dashboard, or email legal@navil.ai.
Right to rectification (Art. 16): You may correct inaccurate personal data through your account Settings.
Right to erasure (Art. 17): You may delete your Organization and all associated data from the Settings page. Alternatively, email legal@navil.ai. Deletion is completed within 30 days.
Right to data portability (Art. 20): You may export your data in JSON format from the dashboard.
Right to restrict processing (Art. 18): You may request that we restrict processing of your personal data in certain circumstances. Contact legal@navil.ai.
Right to object (Art. 21): You may object to processing based on legitimate interest. Pro tier and above users may disable telemetry sharing entirely. Contact legal@navil.ai.
Right to withdraw consent (Art. 7(3)): Community tier users may withdraw consent for threat intelligence contributions by upgrading to a paid tier. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
How to exercise your rights: Most rights can be exercised directly through the dashboard Settings. For rights that require manual processing, email legal@navil.ai. We will respond to all requests within 30 days. If a request is complex, we may extend this by an additional 60 days with notice.
10. CCPA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:
Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.
Right to delete: You may request deletion of your personal information, subject to certain exceptions (e.g., data necessary to complete a transaction or comply with legal obligations).
Right to opt-out of sale: We do not sell personal information. We do not sell, rent, or trade personal data to third parties for monetary consideration or other valuable consideration as defined by the CCPA.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights. Exercising your rights will not affect the quality or availability of the Service.
To exercise your CCPA rights, email legal@navil.ai or use the dashboard Settings.
11. Cookies & Tracking
We use essential cookies only. Specifically, we use Clerk's authentication session cookies to keep you signed in. These cookies are strictly necessary for the Service to function and do not require consent under GDPR Article 5(3) and the ePrivacy Directive.
We do not use:
- Tracking cookies
- Third-party analytics (no Google Analytics, no Mixpanel, no Amplitude)
- Advertising cookies or pixels
- Social media tracking widgets
- Fingerprinting or any other cross-site tracking technology
Because we use only strictly necessary cookies, no cookie consent banner is required.
12. Security Measures
We implement the following technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted between your browser, the Gateway, and the Cloud Service is encrypted using TLS 1.3.
- Encryption at rest: All data at rest is encrypted using AES-256 via our cloud infrastructure providers (AWS, Upstash).
- IP pseudonymization: IP addresses are SHA-256 hashed and truncated before storage. Raw IPs are never persisted.
- Role-based access control: Internal access to production systems is restricted by role. Access is logged and auditable.
- Audit logging: All administrative actions, data access events, and security-relevant operations are logged with immutable audit trails.
- Regular security reviews: We conduct periodic security reviews of our infrastructure, dependencies, and access controls.
- Agent identity hashing: Agent identifiers in threat intelligence contributions are replaced with one-way HMAC-SHA256 hashes using per-deployment secrets. These cannot be reversed.
13. Children's Privacy
The Service is designed for businesses and developer teams. We do not direct the Service to children under the age of 16, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will delete that information promptly. If you believe a child has provided us with personal data, please contact legal@navil.ai.
14. Data Breach Notification
In the event of a confirmed personal data breach that poses a risk to your rights and freedoms:
- We will notify affected users within 72 hours of confirming the breach, in compliance with GDPR Article 33.
- We will notify the relevant supervisory authority within 72 hours where required by law.
- Notification will include: a description of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
- Notification will be sent via email to Organization Admins and displayed as a banner in the dashboard.
15. Data Processing Agreement (DPA)
We offer Data Processing Agreements for Team and Enterprise tier customers on request. Our DPA covers:
- Scope and purpose of data processing
- Sub-processor management and notification obligations
- Data deletion and return obligations upon termination
- Technical and organizational security measures
- Audit rights (for Enterprise tier)
- Breach notification procedures
- Standard Contractual Clauses (SCCs) for international transfers
To request a DPA, contact legal@navil.ai.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated at least thirty (30) days in advance via email to Organization Admins and a notification banner in the dashboard.
The "Last updated" date at the top of this policy reflects the most recent revision. We encourage you to review this policy periodically. Continued use of the Service after the notice period constitutes acceptance of the updated policy.
17. Contact & Data Protection
For privacy inquiries, data subject requests, or DPA requests:
- Email: legal@navil.ai
- Web: www.navil.ai
EU Representative: To be appointed. If Navil is not established in the EU, Article 27 GDPR requires the appointment of an EU-based representative. This section will be updated once the representative is designated.
Data Protection Officer: Given the current scale of our operations, we have not appointed a formal Data Protection Officer. As our operations grow, we will appoint one if required under GDPR Article 37. In the interim, all data protection inquiries should be directed to legal@navil.ai.