Privacy Policy
Last updated:
1. Who we are
Navanto Ltd (“Navanto”, “we”, “us”, or “our”) is the data controller for the personal data described in this policy, except where this policy says otherwise. We are a company registered in England and Wales (company number: 17073806), with our registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
You can contact us about privacy matters by email at support@navanto.co.uk.
This policy is in two parts. Part A covers visitors to this website. Part B covers customers and users of the Navanto application. Sections 8 onwards apply to both.
Part A — Visitors to this website
This part applies if you are browsing this website or have contacted us through it.
2. What data we collect and why
Enquiries and sales contact. When you contact us or express interest in Navanto, we collect your name, email address, company name, and any other information you choose to provide. We use this to respond to your enquiry and, where you have given consent or we have a legitimate interest, to keep you informed about Navanto. Our legal basis is legitimate interests (Article 6(1)(f) UK GDPR) or consent where explicitly given.
Website usage data. We may collect anonymised or pseudonymised information about how visitors use this website (such as pages visited and referral sources) to improve the site and understand our audience. Where this involves cookies or similar tracking technologies, we will ask for your consent before placing them. Our legal basis is consent (Article 6(1)(a) UK GDPR), or legitimate interests for strictly necessary analytics.
3. How long we keep website data
We retain personal data only for as long as necessary for the purpose it was collected. Enquiry and contact data is kept for up to 2 years from last contact, unless we have an ongoing relationship with you. Website analytics data is retained for up to 26 months.
Part B — Customers using the Navanto application
This part applies if you or your organisation uses the Navanto construction project management application.
4. Our role
When your organisation subscribes to Navanto:
- For account data and technical/security data (described below), we act as data controller — we determine why and how this data is processed.
- For customer content, we act as data processor on behalf of your organisation, which is the data controller. Processing of customer content is governed by the Data Processing Agreement (DPA) between Navanto and your organisation, in addition to this policy.
5. What data we process and why
- Account data: identifiers and profile details such as name, email address, profile photo (if provided), role and the organisation you belong to.
- Customer content: information, documents, images and other content you or your colleagues create or upload through the application, together with information the Service generates or derives from that content (such as persistent memory used by AI assistant features). This may include personal data about colleagues, contractors, clients and other third parties, and (depending on how you use the Service) commercially confidential information such as cost data, tender submissions, programme schedules, drawings and safety documentation.
- Technical and security data: sign-in identifiers, IP address, browser information, activity logs, and a record of your acceptance of our Terms and Conditions.
Our lawful bases for processing this data are:
- Contract (Article 6(1)(b) UK GDPR) — processing necessary to deliver the application to your organisation under our Terms and Conditions.
- Legitimate interests (Article 6(1)(f) UK GDPR) — for security monitoring, audit logging, fraud prevention, and operating and maintaining the application.
For customer content, the lawful basis for processing is determined by your organisation as the controller and set out in the DPA.
6. Sub-processors, hosting and international data transfers
We use a small number of trusted third-party service providers (sub-processors) to deliver the application. These typically include:
- A cloud infrastructure provider (currently Amazon Web Services), used to host the application and store data.
- Authentication and content-delivery providers, who help sign you in and serve content to your browser.
- Email and notification providers, used to send messages and notifications relating to your account or activity.
- AI service providers, where features of the application use AI assistance. Inputs to those features are processed by the provider under their data processing terms and are not used to train any underlying AI model.
Hosting locations
- The application infrastructure is hosted in the European Economic Area (currently AWS Europe — Ireland region, eu-west-1).
- Files and other content uploaded to the Service (which may include personal data within customer content) are stored in the United States (currently AWS US East — Northern Virginia, us-east-1).
- When you use the AI assistant features, the prompt and any retrieved context are sent to our AI service provider (currently Anthropic) for inference. Anthropic processes that data in the United States.
- Some other sub-processors may also process personal data in the United States or other countries.
International transfers
Where personal data is transferred outside the United Kingdom (and, where relevant, the European Economic Area), we rely on appropriate transfer safeguards under UK data protection law. For transfers to the United States this means one or more of:
- the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, in place with the relevant sub-processor; or
- where the sub-processor is certified, the UK Extension to the EU-US Data Privacy Framework.
We carry out and document a Transfer Risk Assessment for transfers to countries that do not have a UK adequacy decision, and we apply additional technical and organisational measures (including encryption in transit and at rest) to protect data in transit and at the destination.
A current list of sub-processors and the categories of data each processes is available to customers on request and is described in the DPA.
7. How long we keep customer data
We retain account data and technical/security data for the duration of your organisation’s subscription. After the subscription ends, this data is deleted or anonymised within 90 days, except where we are required to retain it to comply with a legal obligation or to establish, exercise or defend legal claims.
Customer content is retained, returned or deleted in accordance with the DPA between Navanto and your organisation.
Audit records of Terms and Conditions acceptance are retained for as long as the related account exists, plus a reasonable period after closure.
Sections 8 onwards apply to both Part A and Part B.
8. Who we share your data with
We do not sell your personal data. We may share it with:
- Trusted third-party service providers acting as data processors on our behalf (the sub-processors described in section 6, and email or CRM tools we use to handle enquiries), who are contractually bound to process data only on our instructions and in accordance with UK GDPR.
- Authorities or other third parties where we are required to do so by law, regulation, court order or other legal process, or to protect the rights, property or safety of Navanto, our users or others.
- Acquirers and their advisers in connection with a corporate transaction (such as a merger, acquisition or sale of assets), under appropriate confidentiality protections.
9. Your rights
Under UK data protection law, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Request erasure of your personal data (“right to be forgotten”)
- Object to or restrict our processing of your data
- Receive your data in a portable format (data portability)
- Withdraw consent at any time where processing is based on consent
If you are using the Navanto application as part of an organisation’s subscription, that organisation is the data controller for the customer content you create within the platform; please contact them in the first instance for requests relating to that content. To exercise rights against Navanto directly, please contact us at support@navanto.co.uk. We will respond within one calendar month, which may be extended by a further two months for complex or numerous requests (in which case we will let you know within the first month).
10. Cookies
See our Cookie Policy for details of the cookies used by this website and the Navanto application.
11. Complaints
If you are unhappy with how we handle your personal data, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.
12. Changes to this policy
We may update this policy from time to time. The “last updated” date at the top of this page will reflect any changes. If the changes are material, we will notify you and (where appropriate) ask application users to re-accept our Terms and Conditions on next sign-in.