Privacy Policy

Version date: 27 March 2026

This Privacy Policy explains how NavaTron B.V. handles personal data when we act as controller. We have written it in plain language, but it is intended to meet the GDPR and Dutch privacy-law requirements that apply to our business.

1. Who are we?

NavaTron B.V.
Octavio Pazlaan 5
2553 DM ’s-Gravenhage
The Netherlands
KvK: 97753408
VAT: NL868216008B01
privacy@navatron.com
hello@navatron.com

NavaTron is a Dutch B2B software company. This policy applies to:

navatron.com and related public website pages;
our sales, support, billing, and supplier communications;
account administration, security, and service management data for our products and services;
other situations where NavaTron decides why and how personal data is used.

NavaTron has not appointed a formal Data Protection Officer under Articles 37 to 39 GDPR. Privacy matters are handled by our privacy team at privacy@navatron.com.

2. When are we controller and when are we processor?

For website visits, demos, contracts, billing, support, marketing, and our own security logging, NavaTron usually acts as controller.

For customer content and personal data that a customer uploads or manages in our products on that customer’s instructions, NavaTron usually acts as processor. In that case, the customer is the controller and the applicable contract and DPA govern that processing.

In short:

for your relationship with NavaTron as a business contact, user, supplier, or website visitor, this policy applies;
for personal data that a customer controls inside the product, the customer’s own privacy notice and the DPA are more important than this public policy.

3. What personal data do we use?

Depending on the relationship, we may use:

contact details, such as name, company, job title, email address, phone number, and business address;
account details, such as login identifiers, password hash, role information, and account settings;
contract and billing details, such as company name, VAT number, invoice contact, invoices, payment status, and order history;
communication details, such as emails, support requests, demo requests, meeting notes, and attachments you send us;
technical and usage details, such as IP address, browser type, device data, timestamps, page views, service telemetry, and error logs;
security details, such as login events, audit trails, and abuse-prevention signals;
cookie and consent details, such as your cookie choice and related metadata.

We may receive this data directly from you, from your employer or organisation, from implementation or reseller partners, from payment or invoicing providers, or from other NavaTron group entities where needed for administration or contracting.

Some data is necessary to enter into or perform a contract with you. If you do not provide that data, we may be unable to respond, create an account, or provide the service.

4. Why do we use personal data?

Below is a summary of the main controller-side purposes and legal bases.

What we do	Typical data	Legal basis	Why we do it
Run, secure, and improve our website and services	technical data, security logs, cookie preferences	legitimate interests	to keep our systems working, secure, and up to date
Respond to contact requests, demo requests, and sales enquiries	contact data, company details, correspondence	pre-contractual steps or legitimate interests	to answer your request and discuss our services
Create and manage accounts	account data, role data, business contact data	performance of contract	to give users access and manage subscriptions
Deliver services, support, onboarding, and implementation	contact data, support data, service metadata	performance of contract	to provide the agreed service and support
Invoice customers and keep financial records	billing and payment data	performance of contract and legal obligation	to charge for services and meet accounting and tax obligations
Send service messages, security notices, and contract communications	account and contact data	performance of contract and legitimate interests	to keep customers informed about matters that affect the service
Send B2B marketing messages	name, business email, company, product interest	legitimate interests	to tell business contacts about relevant NavaTron products and services
Use analytics cookies and similar tools	cookie identifiers, browser and usage data	consent	to understand website use and improve the site
Prevent abuse, investigate incidents, and defend legal claims	logs, account data, records linked to a dispute	legitimate interests	to protect NavaTron, our customers, and our legal position
Comply with laws and requests from authorities	billing records, legal correspondence, transaction data	legal obligation	to meet legal, tax, and regulatory duties

For existing customers, electronic marketing may also rely on the soft opt-in rule in Article 11.7(3) of the Dutch Telecommunicatiewet where the legal conditions for that rule are met. Every marketing message includes an unsubscribe option.

We do not use personal data covered by this policy for solely automated decisions that produce legal effects or similarly significant effects on individuals.

5. Cookies and website analytics

We use strictly necessary cookies to make the website work and remember your cookie choice.

We use analytics and behaviour tools, including Microsoft Clarity and Google Analytics, only after you have given consent through our cookie banner. We do not currently use advertising or cross-site marketing cookies on navatron.com.

You can change your choice at any time through Cookie Settings in the footer of the website. You can also use your browser settings. More detail is available in our Cookie Policy.

We do not sell personal data.

We may share personal data with:

hosting, infrastructure, email, payment, invoicing, analytics, and support providers that act for us under a contract;
implementation partners or subcontractors that help us deliver services to customers;
professional advisers such as lawyers, auditors, accountants, insurers, and tax advisers;
regulators, courts, law-enforcement bodies, or other authorities where disclosure is legally required;
other NavaTron group entities where this is needed for administration, contracting, or governance.

Our current processor and sub-processor list is available on the Sub-Processors page.

7. International transfers

NavaTron is based in the Netherlands. Where personal data is transferred outside the EEA, we use a valid transfer mechanism under the GDPR, such as:

an adequacy decision of the European Commission;
the Standard Contractual Clauses; or
another transfer mechanism permitted by law.

8. How long do we keep personal data?

We keep personal data only for as long as needed for the purpose for which it was collected, unless a longer period is required or allowed by law.

Our normal controller-side retention periods are:

Data set	Standard retention period
Contact and sales enquiry data	up to 24 months after the last meaningful contact
Marketing suppression records	as long as needed to honour an opt-out
Customer account administration data	during the contract and up to 24 months after it ends, unless a longer period is needed for legal or security reasons
Invoices, accounting, and tax records	7 years, or longer if Dutch tax law requires
Support records	up to 3 years after closure, unless longer retention is needed for recurring issues, legal claims, or security investigations
Website security logs	usually 30 days, unless longer retention is needed for a specific incident or legal obligation
Website analytics data	according to the relevant consented tool settings, subject to review
Cookie consent records	up to 1 year from the consent date or until consent is changed or withdrawn

If NavaTron acts as processor, retention of customer-controlled data is mainly determined by the customer contract, the DPA, and the customer’s instructions.

9. How do we protect personal data?

We use technical and organisational measures designed to protect personal data, including as appropriate:

encryption in transit and at rest;
access controls and role-based permissions;
logging and security monitoring;
backup and recovery measures;
vulnerability management and patching;
confidentiality obligations for staff and contractors.

You can read more on our public Security Policy.

10. What rights do you have?

If NavaTron is the controller for your data, you may have the right to:

access your personal data;
correct inaccurate data;
have data deleted in certain cases;
restrict processing in certain cases;
receive data in a portable format where the law gives that right;
object to processing based on legitimate interests;
object at any time to direct marketing;
withdraw consent where processing is based on consent.

To exercise a right, contact privacy@navatron.com. We may ask for information needed to verify your identity and authority. We normally respond within one month.

If NavaTron is acting only as processor for the data in question, we will usually forward your request to the relevant customer or ask you to contact that customer directly.

11. Complaints

If you have a privacy concern, please contact us first at privacy@navatron.com. We will do our best to resolve it.

You also have the right to lodge a complaint with a supervisory authority. In the Netherlands, that authority is the Autoriteit Persoonsgegevens: https://autoriteitpersoonsgegevens.nl.

12. Changes and contact

We may update this Privacy Policy from time to time if our services, the law, or our processing practices change. We will publish the updated version on this page and change the version date above. If a change materially affects the way we use personal data, we may also give additional notice where appropriate.

For privacy questions, rights requests, or complaints, contact:

NavaTron B.V.
Privacy Team
Octavio Pazlaan 5
2553 DM ’s-Gravenhage
The Netherlands
privacy@navatron.com