Navly
Last modification date: 22.10.25

Privacy Policy

Confidentiality and security are paramount values for NAVLY OÜ (hereafter, "Navly" or "We"), a company located at Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, registered in Estonia with registry code 17346300. Accordingly, we are committed to ensuring the privacy of the user (hereafter, the "User") at all times and to not collecting unnecessary information.

Below, we provide all the necessary information about our Privacy Policy regarding personal data (hereafter, "Personal Data") that we collect from you, explaining what services Navly offers, who is responsible for processing your data, the purposes for data collection, legitimacy for processing, retention periods, data recipients, and your rights.

1. Navly Services

Navly is a digital marketplace and companion platform that provides structured guidance for navigating bureaucratic processes, progress tracking tools, gamification elements, and connections to trusted partner organizations.

In this context, our users include:

  • Individual Users: People navigating bureaucratic processes who use our platform for guidance and partner connections
  • Partner Organizations: Service providers (lawyers, consultants, relocation agencies, etc.) who offer services through our marketplace

Users may act as data subjects in different contexts depending on the type of processing involved and their relationship with Navly and partner organizations.

2. Responsible and In Charge of Processing Personal Data

Navly acts as a Data Controller under the General Data Protection Regulation 2016/679 ("GDPR") for most processing activities on our platform.

However, when you engage with Partner Organizations through our marketplace:

  • For marketplace facilitation: Navly acts as Data Controller for connecting you with partners and processing transactions
  • For partner services: Partner organizations act as independent Data Controllers for their own service delivery
  • For shared data: Both Navly and the partner may act as joint controllers when data is shared for service delivery

3. Personal Data

This privacy policy covers all data collected and used by us through navly.io and our mobile applications.

Personal Data of Individual Users:

The Personal Data we may process includes:

  • Identifying data: Name, username, profile information
  • Contact data: Email address, phone number (if provided)
  • Location data: City selection, country of residence
  • Profile data: Persona type (e.g., University Student), life situations, bureaucratic preferences
  • Platform activity: Progress through bureaucratic processes, completed steps, saved resources
  • Gamification data: Points earned, badges achieved, leaderboard participation preferences
  • Transaction data: Subscription details, marketplace transactions (processed via Stripe)
  • Communication data: Support requests, feedback, reviews of partner services

Personal Data of Partner Organizations:

For partner organizations, we process:

  • Organization data: Company name, registration details, certifications
  • Contact data: Business email, phone, address, website
  • Representative data: Names and contact details of authorized representatives
  • Service data: Services offered, pricing, availability, performance metrics
  • Business data: Subscription details, commission payments, booking history

Data Collection Methods:

You provide us with Personal Data:

  • Directly through registration forms and platform interactions
  • Through progress tracking and gamification features
  • Via partner service bookings and interactions
  • Through cookies and similar technologies (see our Cookie Policy)

Data Accuracy:

You guarantee that Personal Data provided is true and accurate. You commit to notifying us of any changes or modifications. Any loss or damage caused through communication of erroneous, inaccurate, or incomplete information will be your exclusive responsibility.

4. Purposes, Legitimacy, and Retention of Processing

Purpose of Processing:

  • Provide platform access and user authentication
  • Deliver personalized bureaucratic guidance based on location and persona
  • Track progress through bureaucratic processes and maintain gamification features
  • Facilitate connections with partner organizations
  • Process marketplace transactions and subscription payments
  • Provide customer support and platform improvements
  • Send relevant updates about processes, deadlines, and partner services
  • Analyze platform usage to improve services and user experience
  • Ensure platform security and prevent fraud
  • Comply with legal obligations and regulatory requirements

Legitimization:

  • Consent: Your explicit consent for personalized recommendations, marketing communications, and data sharing with partners
  • Contract performance: Processing necessary to provide platform services and execute partner service arrangements
  • Legitimate interests: Platform improvement, security, fraud prevention, and business operations
  • Legal obligations: Compliance with applicable laws and regulations

Retention Period:

We retain Personal Data for different periods depending on:

  • Active accounts: Data retained while your account is active and for reasonable business purposes
  • Inactive accounts: Data may be retained for up to 3 years after last activity
  • Transaction records: Financial data retained as required by law (typically 7 years)
  • Legal requirements: Some data retained to comply with legal or regulatory obligations
  • Dispute resolution: Data may be retained longer if needed for legal claims or disputes

When no longer needed, Personal Data will be securely deleted or anonymized so that you can no longer be identified.

5. Data Sharing with Partners

When you engage with Partner Organizations through our marketplace, you explicitly consent to sharing relevant information necessary for service delivery.

Information Shared with Partners:

  • Contact information (name, email, phone) for service delivery
  • Location and bureaucratic process requirements
  • Relevant progress information to help partners assist you effectively
  • Service preferences and specific requirements you've indicated

Partner Data Protection Requirements:

  • All partners must comply with GDPR and applicable data protection laws
  • Partners act as independent data controllers for their own services
  • Partners must have their own privacy policies and data protection measures
  • Data is shared only when you actively engage partner services
  • You can withdraw consent for data sharing with specific partners at any time

Data Never Sold:

We never sell your personal data to third parties. Data sharing with partners occurs only to facilitate services you have requested and with appropriate protections in place.

6. Recipients of Your Data

We inform you that Personal Data provided will be stored on secure servers and may be shared with:

  • Navly personnel: Employees and contractors who need access to provide platform services
  • Technical service providers: Hosting, maintenance, support, and platform infrastructure providers
  • Payment processors: Stripe and other financial service providers for transaction processing
  • Partner organizations: When you actively engage their services through our marketplace
  • Analytics providers: For platform improvement and usage analysis (data anonymized where possible)
  • Legal authorities: When required by law or to protect rights and safety

We ensure that any sharing of your personal information complies with applicable legislation and includes appropriate contractual protections.

7. Account Deletion and Data Retention

7.1 Account Deletion

You have the right to delete your Navly account at any time. Here's how the process works:

How to Delete Your Account:

  1. Email Request: Send deletion request to [email protected] with subject "Account Deletion Request"
  2. Verification: We may require identity verification to prevent unauthorized deletions
  3. Confirmation: You'll receive email confirmation before deletion is finalized

7.2 What Happens When You Delete Your Account

Immediate Effects:

  • Account access is immediately revoked
  • Profile and personal information removed from public view
  • Subscription billing stops (current period may complete)
  • Partner data sharing ceases

Data Deletion Timeline:

  • Personal Profile Data: Deleted within 30 days
  • Progress and Gamification Data: Deleted within 30 days
  • Communication History: Deleted within 90 days
  • Analytics Data: Anonymized within 30 days
  • Partner Interaction Data: Deleted within 30 days (partners handle their own data)

7.3 Data We May Retain

Even after account deletion, we may retain certain information for legitimate business and legal purposes:

Legal and Compliance Data (Up to 7 years):

  • Transaction records for tax and accounting purposes
  • Payment and subscription history
  • Records required for dispute resolution
  • Data necessary for legal compliance or court orders

Security and Fraud Prevention (Up to 2 years):

  • Records of Terms of Service violations
  • Security incident logs involving your account
  • Fraud prevention data

Anonymized Analytics (Indefinitely):

  • Usage patterns and platform improvement data (completely anonymized)
  • Statistical information that cannot be linked to you

7.4 Recovery Period

30-Day Recovery Window: After requesting account deletion, you have 30 days to reactivate your account before permanent deletion occurs. During this period:

  • Your account is deactivated but data is preserved
  • You can contact support to restore your account
  • After 30 days, deletion becomes permanent and irreversible

7.5 Partner Data Handling

When you delete your Navly account:

  • Partner Notification: Active linked partners are notified of your account deletion
  • Independent Control: Partners control their own copies of shared data according to their privacy policies
  • Service Completion: Ongoing partner services may continue with necessary data until completion
  • Partner Deletion: Contact partners directly to request deletion of data they hold

8. Your Rights Regarding Personal Data

You can withdraw consent at any time for processing based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal or processing based on other legal grounds.

Your GDPR Rights:

  • Access: Request information about Personal Data we process about you
  • Rectification: Request correction of inaccurate or incomplete Personal Data
  • Erasure: Request deletion when data is no longer necessary or you withdraw consent
  • Restriction: Request limitation of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests or direct marketing
  • Data portability: Request transfer of your data in a structured, machine-readable format
  • Withdraw consent: Withdraw consent for any consent-based processing

How to Exercise Your Rights:

Contact us through:

  • Email: [email protected] with reference "Personal Data Rights"
  • Through your account settings for certain rights
  • Postal address: Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551 with reference "Personal Data Rights - Navly OÜ"

Complaints:

If you have concerns about our data processing, you can file a complaint with your local Data Protection Authority or the lead supervisory authority in [JURISDICTION].

9. Security of Your Personal Data

To safeguard your Personal Data, we have implemented comprehensive technical and organizational security measures:

  • Encryption: Data encrypted in transit and at rest
  • Access controls: Strict access limitations based on need-to-know principles
  • Regular security assessments: Ongoing monitoring and vulnerability testing
  • Secure infrastructure: Industry-standard hosting and security practices
  • Staff training: Regular privacy and security training for all personnel
  • Incident response: Procedures for handling and reporting security incidents

10. International Data Transfers

Some of our service providers may be located outside the European Economic Area (EEA). When we transfer Personal Data internationally, we ensure adequate protection through:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses approved by the European Commission
  • Other appropriate safeguards recognized under GDPR

Key international transfers include:

  • Stripe (payment processing): Data may be transferred to the US with appropriate safeguards
  • Cloud infrastructure: Data stored with major cloud providers with GDPR compliance

11. Updates to Your Data and This Policy

It's important that you keep your Personal Data updated. Please inform us of any modifications to ensure data accuracy. We are not responsible for the veracity of outdated information.

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or services. We will notify you of material changes through:

  • Email notification to your registered address
  • Prominent notice on our platform
  • Updated "Last modified" date at the top of this policy

12. Third-Party Links and Services

Our platform may contain links to third-party websites or integrate with partner services. We are not responsible for the privacy practices of external websites or services. We encourage you to review their privacy policies before providing any Personal Data.

13. Contact Information

If you have questions about this Privacy Policy or our data practices:

14. Special Provisions for Minors

Our services are intended for users aged 18 and above. We do not knowingly collect Personal Data from individuals under 18. If you are under 18, please do not use our services or provide any Personal Data. If we become aware that we have collected Personal Data from someone under 18, we will take steps to delete such information promptly.