Privacy Policy
NAVA INSIGHTS
Last updated: 2026-02-11
This Privacy Policy explains how Tavan Insights AB, reg. no. 559547-1862, with registered address JRS Asset Management AB, Box 586, 114 11 Stockholm, Sweden (“Nava”, “we”, “us”), processes personal data in connection with the Nava platform and related services (the “Service”).
This Privacy Policy applies to:
- Customers and authorised users of the Service
- Website visitors
- Individuals who contact Nava in a business capacity
A separate Participant Privacy Notice applies to individuals participating in interviews conducted through the Service.
1. Roles under Data Protection Law
For the purposes of the EU General Data Protection Regulation (“GDPR”) and other applicable data protection laws:
- Customers act as Data Controllers for personal data processed through the Service for research purposes.
- Nava acts as a Data Processor when processing personal data on behalf of Customers in accordance with their instructions.
- Nava acts as an independent Data Controller for limited processing activities relating to account administration, billing, marketing, security, and compliance.
This role separation is fundamental to how personal data is handled within the Service.
2. Personal Data We Process
2.1 Customer and User Data
Nava may process the following categories of personal data relating to Customers and authorised users:
- Name
- Email address
- Organisation or company affiliation
- User role and access permissions
- Account and authentication data
- Billing and subscription metadata
- Usage data and platform interaction data
- Support and business communications
Payment details are processed securely by Stripe, Inc. and are not stored by or accessible to Nava.
2.2 Website and Communication Data
When you visit our website or communicate with us, we may process:
- Contact details provided voluntarily
- Business communications
- Technical and analytics data related to website usage
3. Purposes of Processing
Nava processes personal data for the following purposes:
- Providing, operating, and maintaining the Service
- Managing user accounts and access
- Enabling collaboration and workspace functionality
- Billing and subscription management
- Customer support and communications
- Improving platform functionality, performance, and security
- Marketing and business development (where permitted by law)
- Complying with legal and regulatory obligations
When Nava processes personal data as a Data Processor, the purposes of processing are determined by the Customer.
4. Legal Bases for Processing
Depending on the context, Nava relies on one or more of the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR)
- Legitimate interests (Article 6(1)(f) GDPR), such as operating and securing the Service
- Compliance with legal obligations (Article 6(1)(c) GDPR)
- Consent, where explicitly obtained
5. Participant Data
Personal data relating to interview participants (“Participant Data”) is processed by Nava solely on behalf of Customers and in accordance with their instructions.
Nava does not independently determine the purposes or means of processing Participant Data.
Participants should refer to the Participant Privacy Notice presented at the time of the interview for detailed information about such processing.
6. Data Retention
Personal data is retained only for as long as necessary to fulfil the purposes described in this Privacy Policy. The following default retention periods apply:
- Research data (interview recordings, transcripts, and synthesis outputs): retained for six (6) months following project completion or account termination, whichever occurs first, unless the Customer configures a shorter retention period.
- Account and user data (name, email, organisation, access permissions): retained for the duration of the customer relationship and deleted within thirty (30) days of account termination.
- Financial and billing data (invoices, transaction records, consumable purchase history): retained for seven (7) years after the end of the financial year in which the transaction occurred, as required by the Swedish Bookkeeping Act (Bokföringslagen 1999:1078).
- Usage and analytics data: retained for up to twenty-four (24) months for the purpose of improving the Service, after which it is anonymised or deleted.
Backup data containing personal data is deleted within ninety (90) days of deletion from the production environment.
If no activity occurs on an account for twelve (12) months, Nava may notify the account holder and, absent a response within thirty (30) days, delete or anonymise associated data.
Upon termination of the customer relationship, personal data is deleted or anonymised in accordance with these retention schedules, subject to legal obligations.
7. Data Sharing and Subprocessors
Nava may share personal data with trusted third-party service providers (“Subprocessors”) solely for the purpose of providing and supporting the Service, including:
- Hosting and infrastructure providers
- Authentication services
- Analytics providers
- Payment processors
- Communication and support tools
- Participant recruitment platforms (where applicable)
All Subprocessors are subject to contractual obligations ensuring appropriate data protection and security measures.
A current list of Subprocessors is made available by Nava.
8. International Data Transfers
Primary processing of personal data takes place within the European Union.
Where personal data is transferred outside the EU/EEA, Nava ensures that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
9. Security Measures
Nava implements appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2 or higher)
- Encryption at rest
- Role-based access control
- Logging and monitoring
- Incident response procedures
- Restricted internal access on a need-to-know basis
10. Data Subject Rights
Under applicable data protection laws, individuals may have the right to:
- Access their personal data
- Rectify inaccurate personal data
- Request erasure of personal data
- Restrict or object to processing
- Request data portability
Requests can be submitted to mattias@navainsights.io.
Where Nava processes personal data as a Data Processor, requests will be forwarded to the relevant Customer.
11. Cookies and Analytics
Nava uses cookies and similar technologies for website functionality, customer preference storage, and security.
Where the “Analytics” cookie preference is enabled, Nava uses PostHog (operated by PostHog Inc.) and Statsig (operated by Statsig, Inc.) as product analytics Subprocessors to understand aggregated usage patterns. Nava does not share interview content, transcripts, or report content with analytics providers; only pseudonymous usage events (such as page views, study creations, and feature interactions) are sent. IP addresses are not collected by Nava for analytics.
You can manage optional cookie preferences at any time by opening . Disabling Analytics stops all optional analytics data collection for your session.
12. Changes to this Privacy Policy
Nava may update this Privacy Policy from time to time.
Material changes will be communicated through the Service or via appropriate notice.
13. Contact Information
For questions regarding this Privacy Policy or data protection matters, please contact:
Email: mattias@navainsights.io
Company: Tavan Insights AB
Address: JRS Asset Management AB, Box 586, 114 11 Stockholm, Sweden
