Privacy Policy

Effective: March 22, 2026

Last updated: March 22, 2026

This Privacy Policy describes how Navikaa ("Navikaa", "we", "us", or "our") collects, uses, stores, and shares information about you when you use our AI-powered product management platform (the "Service"). Please read this policy carefully. By using the Service, you agree to the practices described here.

1. Who We Are

Navikaa is an AI-powered product platform designed to help product builders and teams create PRDs, user stories, competitive analyses, OKRs, release notes, and other product artefacts. For the purposes of applicable data protection law, Navikaa is the data controller of your personal data.

Contact: privacy@navikaa.ai

2. Data We Collect

2.1 Data you provide directly

  • Account data: Name, email address, and password (hashed by our authentication provider — never stored in plain text) when you register.
  • Profile data: Job title, company name, and preferences you set in your account.
  • Conversation content: Prompts, instructions, and text you enter into AI agents.
  • Uploaded documents: Files you attach to conversations for analysis or context. These are used only to provide the Service to you.
  • Feedback and support: Messages you send us via email or in-product feedback tools.

2.2 Data collected automatically

  • Usage data: Which agents and features you use, frequency, and session duration.
  • Technical data: IP address, browser type, operating system, and device identifiers.
  • Log data: Server access logs, error events, and performance data.
  • Session recordings: See Section 7 for full details on our error monitoring and session recording practices.

2.3 Data from third-party integrations

When you connect external tools (e.g., Atlassian Jira and Confluence, or Notion), we access only the data necessary to fulfil the specific agent task you have requested. See Section 6 for details on each integration.

3. How We Use Your Data

  • To provide the Service: Process your requests, run AI agents, and deliver outputs to you.
  • To maintain and improve the Service: Monitor performance, diagnose errors, and develop new features.
  • To manage your account: Authentication and account administration.
  • To communicate with you: Send service updates, security alerts, and journey share notifications. We do not send marketing emails without your explicit consent.
  • To ensure safety and compliance: Detect abuse, enforce our Terms of Service, and meet legal obligations.
  • To produce anonymised analytics: Aggregate, non-identifiable usage statistics to understand how the Service is used overall.

For users in the EU/EEA, we process your personal data on the following legal bases under GDPR:

  • Contractual necessity (Art. 6(1)(b)): Account management, AI agent execution, and delivering outputs.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, error logging, session recording to diagnose crashes (where our interests do not override your rights).
  • Legal obligation (Art. 6(1)(c)): Where we are required by law to retain or disclose data.
  • Consent (Art. 6(1)(a)): For optional communications such as product newsletters. You may withdraw consent at any time.

5. AI Agents and Your Content

  • We do not train AI models on your content. Your prompts, documents, and outputs are never used to fine-tune, train, or improve any AI model — ours or any third party's.
  • Content is processed in-context only. Your input is sent to our AI providers (Anthropic and, for selected tasks, Together AI) solely to generate the response you requested. These providers process data only to complete your request and do not use API-submitted data to train their models by default.
  • Outputs are yours. You retain full ownership of outputs generated for you by Navikaa's agents.
  • Honesty Protocol. When an agent cannot ground a response in your live data, it explicitly states this. We never silently substitute training data for live data.
  • You can delete your content. Conversations and documents can be deleted from your account at any time via Settings. Deletion is processed within 30 days.

6. Third-Party Integrations

6.1 Atlassian (Jira + Confluence)

  • What we access: Jira issues, sprints, backlog data, and Confluence pages — only when you invoke an agent that requires this data, or when you explicitly trigger a push action.
  • What we write: Only on your explicit action. Navikaa never autonomously writes to your Atlassian tools.
  • What we store: OAuth tokens (encrypted with AES-256-GCM at rest). Minimal page metadata (title, space name) for display. We do not store the content of your Jira issues or Confluence pages.
  • Revocation: Disconnect at any time from Settings → Connections. This immediately invalidates our stored tokens.

6.2 Notion

  • What we access: Notion page content and workspace metadata — only when you invoke an agent that reads from Notion, or when you explicitly trigger a push action to write agent output to a Notion page.
  • What we write: Only on your explicit action (the Push to Notion button). Navikaa appends content to the Notion page you designate. We never autonomously write to your Notion workspace.
  • What we store: OAuth access token (encrypted with AES-256-GCM at rest). Saved destination metadata (page ID, page title, workspace name) for the Notion Push Destinations feature. We do not store the content of your Notion pages.
  • Revocation: Disconnect at any time from Settings → Connections. This immediately invalidates our stored token. You may also revoke access from Notion's own settings at notion.so/settings/my-connections.

6.3 Other integrations

The same principles apply to all integrations: minimum necessary access, explicit user action for writes, no content storage beyond what is required to render the UI, and immediate revocability.

7. Error Monitoring and Session Recording

We use Sentry (Sentry.io, Inc., USA) for error monitoring and application reliability. You should be aware of the following:

  • Error data with PII: When an error occurs, Sentry receives diagnostic data that may include your IP address, request headers, and session cookies. This is used solely to diagnose and fix software errors.
  • Session recordings: Sentry's session replay feature is active in our web application. Approximately 10% of sessions are recorded as anonymised interaction replays, and 100% of sessions where an error occurs are recorded. These recordings capture mouse movements, clicks, and page interactions — they are used exclusively for debugging software problems. Sensitive form inputs (such as passwords) are masked and not captured.
  • Data transfer: Sentry servers are located in the United States. Transfers from the EU/EEA are covered by Standard Contractual Clauses.
  • Retention: Sentry retains error and replay data for 90 days by default.

8. Subprocessors

We use the following third-party subprocessors to operate the Service. All are contractually bound to appropriate data protection standards.

Subprocessor | Purpose | Location
------------ | ------- | --------
Supabase | Authentication, database, and storage | USA / EU
Anthropic | Primary AI model inference (Claude) | USA
Vercel | Application hosting and global edge network | USA / Global CDN
Together AI | Supplemental AI model inference for selected fast tasks | USA
OpenAI | Document embeddings for search (optional feature) | USA
Resend | Transactional email (e.g., journey share notifications) | USA
Sentry | Error monitoring and session replay (see Section 7) | USA
Atlassian | OAuth provider for Jira + Confluence integrations (when connected) | USA / Australia
Notion | OAuth provider for Notion integration — page reads and push writes (when connected) | USA

We will update this table when we add or change subprocessors and notify users of material changes.

9. Data Retention

Data Type | Retention Period | Basis
--------- | ---------------- | -----
Account data | Duration of account + 30 days after deletion | Contractual
Conversation history | Until you delete or account is closed | User control
Uploaded documents | Until you delete or account is closed | User control
Integration OAuth tokens | Until you disconnect or delete your account | Contractual
Server access logs | 90 days | Legitimate interests (security)
Sentry error events and replays | 90 days (Sentry default) | Legitimate interests (reliability)
Anonymised usage analytics | Up to 3 years | Legitimate interests (product improvement)
Support correspondence | 3 years from last interaction | Legitimate interests

When you delete your account, personal data is deleted or anonymised within 30 days, except where a longer retention period is required by law.

10. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share data only in these limited circumstances:

  • Subprocessors: As listed in Section 8, solely to provide the Service.
  • Legal requirements: Where required by law, court order, or to protect rights, property, or safety.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you in advance.
  • With your consent: For any other purpose with your explicit consent.

11. Security

We implement the following measures to protect your data:

  • All data in transit is encrypted using TLS (HTTPS enforced for all connections).
  • MCP integration credentials (OAuth tokens, API keys) are encrypted at rest using AES-256-GCM before storage.
  • Passwords are hashed by our authentication provider (Supabase). We never store plain-text passwords.
  • Security headers are applied to all responses: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
  • MFA (two-factor authentication via TOTP) is available as an optional security feature for all accounts.
  • We conduct regular internal security reviews to identify and address vulnerabilities.

Despite these measures, no system is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant regulatory authority as required by applicable law.

To report a security vulnerability or concern, please contact us at security@navikaa.ai. We take all security reports seriously and will respond promptly.

12. Cookies and Tracking

Navikaa uses only the following types of cookies:

  • Strictly necessary cookies: Session authentication tokens required for you to log in and use the Service. These cannot be disabled without breaking the Service.
  • Preference cookies: Store your UI preferences (e.g., sidebar state). Functional only — do not track you across other sites.

We do not use advertising cookies, third-party tracking pixels, or cross-site tracking. We do not participate in ad networks or behavioural advertising of any kind.

Note on session recordings: Sentry's session replay (described in Section 7) is a separate diagnostic tool, not an analytics or advertising tool.

13. International Data Transfers

Most of our subprocessors are located in the United States. When we transfer personal data from the EU/EEA to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU–US Data Privacy Framework where applicable.

For transfers of Indian personal data outside India, we comply with the conditions set forth under the Digital Personal Data Protection Act (DPDPA) 2023.

14. Your Rights (GDPR — EU/EEA Users)

If you are located in the EU or EEA, you have the following rights under GDPR:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data, subject to legal retention obligations.
  • Right to restriction (Art. 18): Request that we limit processing of your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@navikaa.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

15. Your Rights (CCPA/CPRA — California Users)

  • Right to know: Know what personal information we collect, use, and disclose. We do not sell your data.
  • Right to delete: Request deletion of personal information, subject to certain exceptions.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell or share personal information for cross-context behavioural advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email privacy@navikaa.ai with subject "CCPA Request". We will respond within 45 days.

16. Your Rights (DPDPA — India)

Under India's Digital Personal Data Protection Act (DPDPA) 2023, you have the right to:

  • Information: Obtain information about the personal data we process and the purposes.
  • Correction and erasure: Request correction of inaccurate data and erasure of data no longer needed.
  • Grievance redressal: Have grievances addressed within 30 days.
  • Nomination: Nominate another individual to exercise your rights in the event of death or incapacity.

Contact: privacy@navikaa.ai

17. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.

18. Changes to This Policy

When we make material changes to this policy, we will:

  • Update the "Last updated" date at the top of this page.
  • Display an in-app notification for active users.
  • For material changes affecting how we process your data, provide at least 14 days' notice before the changes take effect.

19. Contact Us

For privacy questions, data subject requests, or any concerns about how we handle your data:

  • Email: privacy@navikaa.ai
  • Response time: We aim to acknowledge requests within 2 business days and resolve them within 30 days.