Privacy Policy

1. Information we collect

The information we collect generally comes from what you provide directly, what you create or upload inside the product, and what is generated as part of the service operating normally.

• Account and contact information, such as your name, email address, sign-in credentials, time zone, language preferences, and company or brand information you provide.
• Workspace data, such as entry names, default URLs, routing rules by language, region, device, param, and experiments, QR design settings, vCard details, social links, folders, and archive state.
• Upload and asset data, such as avatars, images, attachments, filenames, file types, sizes, asset paths, and related metadata. These files may be stored in Tencent Cloud Object Storage (COS).
• Analytics and usage data, such as scans, visit timestamps, approximate region, device type, device OS, language, source dimensions, conversion events, and interactions with our website and product.
• Billing and transaction data, if and when checkout, subscriptions, invoicing, or refunds are enabled, such as order identifiers, payment status, subscription status, and tax-related data processed by or returned from Paddle, Creem, or other billing partners.
• Technical and security data, such as truncated, anonymized, or region-derived network signals, browser type, device data, cookies, local storage, request logs, error events, and abuse or security monitoring records.

2. How we use information

• To provide core features such as sign-in, entry creation, routing setup, QR downloads, analytics, and account settings.
• To store and deliver the avatars and public assets you upload, including loading images needed for public card pages through Tencent Cloud COS.
• To maintain service reliability, troubleshoot issues, detect abuse, protect accounts, and improve security.
• To understand usage patterns and improve the website, workspace, AI-assisted setup, routing experience, and reporting. We may use Google Analytics 4 for website and product analytics.
• To power AI-assisted entry creation, routing drafts, and content suggestions. When you use AI features, relevant prompts, content fragments, and generated output may be processed by DeepSeek and Qwen model services.
• To work with payment and billing partners, including Paddle, Creem, and other billing partners if and when billing is enabled, for transactions, invoicing, tax handling, fraud prevention, subscription management, refunds, and support workflows.
• To respond to support requests, compliance requests, privacy rights requests, DPA requests, and other commercial or legal communications.

3. Our role in processing data

In most cases, Naviora acts as a data controller for account administration, website operations, support, billing, service communications, security, and compliance.

If you are a business or team customer and we process personal data contained in the content, routing flows, or analytics you submit to the platform on your behalf, we may also act as a processor or similar service provider for that data. As the European Commission explains, the party deciding why and how personal data is processed is generally the controller, while a party acting only on instructions is generally the processor.

4. Legal bases for processing

Where required by applicable law, we rely on appropriate legal bases depending on the context, including contract performance, compliance with legal obligations, security and fraud prevention, responding to your requests, or our legitimate interests in operating, securing, and improving the service. Where consent is required, such as for certain analytics or marketing cookies, we will request it in an appropriate manner.

5. When we share information

We do not sell your personal information. We may share data with service providers acting on our instructions when necessary to operate the service.

• Tencent Cloud Object Storage (COS), which we use to store avatars, images, and other static assets. Tencent Cloud describes COS as an object storage service accessible over HTTP and HTTPS.
• Google Analytics 4, which we may use for website and product analytics. Google states that GA4 does not log or store individual IP addresses, and that for EU traffic IP address data is used only to derive geolocation and is then discarded.
• DeepSeek and Qwen, which we may use to support AI-assisted entry creation, routing drafts, and content suggestions. When you actively use AI features, relevant prompts, content fragments, and generated output may be sent to the applicable model service.
• Paddle, Creem, and other billing partners, if and when billing is enabled, which may act as merchant of record or related billing providers for payment processing, taxes, refunds, chargebacks, and customer billing records.
• Other infrastructure, monitoring, support, notification, and professional service providers that help us operate the service, communicate with users, run audits, or obtain legal advice.
• Authorities, counterparties, or advisors where disclosure is required by law, necessary to resolve disputes, or needed to protect Naviora, users, or the public.

6. Cookies, analytics, and tracking technologies

We may use essential cookies, similar local storage, and analytics tags to keep you signed in, remember interface preferences, protect the service, and improve the product. Where required by law, non-essential analytics or marketing cookies are used only with your consent. You can usually control cookies through your browser settings, but some functionality may be limited if you disable them.

7. Data retention

• We keep data only for as long as needed to fulfill the purposes described in this policy.
• Account information is generally retained while your account remains active. If you request deletion, we will process that request within a reasonable period, while retaining the minimum data needed for legal, billing, security, or audit purposes.
• Analytics and log data may be retained for different periods depending on technical needs and legal requirements, after which they may be deleted, anonymized, or aggregated.
• If billing features are enabled, order, invoice, tax, refund, and anti-fraud records may be retained longer where needed for accounting, tax, chargeback, or regulatory purposes.

8. Security

We use reasonable technical and organizational safeguards, including access controls, encrypted transport, backups, and security monitoring. No system can guarantee absolute security, so we cannot promise zero risk.

9. Your choices and rights

• Update or correct your account information.
• Request access, export, restriction, objection, or deletion of personal information where those rights apply.
• Withdraw consent where applicable, for example for optional analytics or marketing cookies.
• If you are in the EU, EEA, United Kingdom, or Switzerland, applicable data protection law generally gives you rights to be informed, access, rectification, erasure, restriction, portability, and objection.
• Contact a relevant supervisory authority if you believe your rights have been violated. We will respond within the timelines required by applicable law, typically within one month, subject to lawful extensions.

10. International transfers and DPA

Because Naviora may rely on infrastructure and service providers in multiple regions, your information may be processed outside the place where you are located. Where required, we rely on adequacy decisions, the European Commission's Standard Contractual Clauses, or other valid safeguards for cross-border transfers.

If you are a business customer subject to GDPR, UK GDPR, or similar laws and we process personal data on your behalf, you may contact us to request a Data Processing Addendum (DPA).

11. Children's privacy

Naviora is not designed primarily for children. If you believe a minor has provided personal information without appropriate authorization, please contact us and we will review the request promptly.

12. Updates to this policy

We may update this policy from time to time to reflect changes in the product, applicable laws, or how we operate. If a change is material, we will use a reasonable method to notify you, such as an in-product notice, website update, or email.