Version: 1.5 | Effective Date: December 2, 2025
1. Data Controllers and Service Tiers
Navigator offers different service tiers operated by two separate legal entities. The applicable data controller depends on which service tier you use:
1.1 Starter Tier (Fully Automated Service — EUR/USD 299)
The Starter tier is a fully automated service with no human consultant involvement. Weekly reports are generated automatically by AI. This tier is operated by:
Caimito Services LLC
A Delaware Limited Liability Company
2810 N Church St #26668
Wilmington, Delaware 19802-4447
United States
Privacy Contact: privacy@caimito.net
General Contact: info@caimito.net
1.2 Developer Advocate and Higher Tiers (Consultant-Supported Services)
All service tiers that include a personal consultant (Developer Advocate and above) are operated by an EU-based entity:
Caimito Agile Life S.L.
A Spanish Limited Company (Sociedad Limitada)
A3200 km 9.5
14448 Conquista, Córdoba
Spain
Privacy Contact: privacy@caimito.net
General Contact: info@caimito.net
For these tiers, Caimito Agile Life S.L. is the data controller. As an EU-based entity, GDPR applies directly and no EU representative is required.
1.3 Why Two Entities?
This structure reflects the nature of each service:
- Automated tier: Fully software-based, no human interaction, operated by the US technology company.
- Consultant tiers: Include human consulting services delivered by professionals based in the EU, operated by the Spanish consulting company.
Both entities are part of the Caimito group and share this privacy notice to ensure consistent data protection standards across all service tiers.
2. EU Representative (for Starter Tier)
Because the Starter tier is operated by Caimito Services LLC (a US entity) and is offered to users in the European Union, an EU representative has been appointed pursuant to Article 27 of the GDPR.
The EU representative for Caimito Services LLC regarding the Starter tier is:
Caimito Agile Life S.L.
A3200 km 9.5
14448 Conquista, Córdoba
Spain
EU Representative Contact: eu-representative@caimito.net
Scope: This EU representative appointment applies only to the fully automated Starter tier operated by Caimito Services LLC. The consultant-supported tiers (Developer Advocate and above) are operated directly by Caimito Agile Life S.L., an EU controller, and do not require a separate EU representative.
EU residents using the Starter tier may contact the EU representative for any matters relating to the processing of their personal data, including exercising their rights under GDPR.
3. Categories of Personal Data We Process
2.1 Account Data
When you create an account, we process:
- Email address (required for authentication and communication)
- First name and last name (for display and identification)
- User role (Consultant, Customer Admin, or Member)
- Account creation and last login timestamps
2.2 Organisational Data
For customer organisations, we process:
- Organisation name and description
- Business address (street, postal code, city, country)
- VAT identification number (where applicable)
- Preferred language for communications
- Team member associations and roles
2.3 Log Entry and Report Content
The core function of Navigator involves processing:
- Daily log entries created by users (work notes, observations, reflections)
- Weekly reports and AI-generated summaries
- Translations of log entries and reports
- Historical log archives
2.4 Billing and Invoice Data
For commercial relationships, we process:
- Billing name and address
- Invoice details and payment references
- Product subscriptions and purchase history
- Banking/payment information for invoicing (IBAN, bank name)
2.5 Time Tracking Data (Optional)
When time tracking features are used:
- Hours worked and project descriptions
- Associated client or project references
- Billable vs. non-billable classifications
2.6 System and Login Metadata
For security and operational purposes, we process:
- Authentication timestamps
- Session management data (via secure cookies)
- Server access logs (IP addresses, request timestamps) for security monitoring
4. Legal Bases for Processing
We process your personal data under the following legal bases as required by GDPR Article 6:
4.1 Contractual Necessity (Article 6(1)(b))
Most processing is necessary to provide the services you have contracted for, including:
- Account management and authentication
- Log entry storage and weekly report generation
- Billing, invoicing, and customer support
- Consultant services, time tracking, and project management (for supported tiers)
4.2 Legitimate Interests (Article 6(1)(f))
We process certain data based on our legitimate interests in:
- Platform security, abuse prevention, and fraud detection
- Quality assurance of consulting services
- Essential service communications
These interests do not override your fundamental rights. You may object at any time.
4.3 Legal Obligation (Article 6(1)(c))
We retain invoices and billing records as required by tax law (typically 6–10 years depending on jurisdiction).
4.4 Consent (Article 6(1)(a))
We rely on consent only for optional features:
- AI-assisted text polishing and translation (sends selected text to OpenAI)
You may withdraw consent at any time by discontinuing use of these features or contacting us at privacy@caimito.net.
5. AI-Assisted Text Processing
Navigator uses artificial intelligence to generate weekly summary reports from daily log entries and to provide text polishing and translation features. AI processing is optional and user-initiated—data is only sent when you explicitly trigger an AI feature.
4.1 AI Provider
We use OpenAI, L.L.C. (San Francisco, California, USA) as our AI processing provider:
- Service: OpenAI API (GPT models)
- Role: Data processor acting under our instructions
- Agreement: OpenAI Data Processing Addendum (DPA)
4.2 What Data Is Sent
- Only the specific text content you select for processing (log entries, drafts)
- For weekly reports: the log entries from the reporting period
- No account credentials, email addresses, or metadata are sent
4.3 Purpose of Processing
- Weekly reports: Summarising daily log entries into actionable insights
- Text polishing: Improving clarity and readability of written content
- Translation: Converting content between supported languages
4.4 Data Retention by AI Provider
OpenAI's API data usage policy states that API inputs and outputs are not used to train models and are retained for a maximum of 30 days for abuse monitoring, after which they are deleted. For details, see OpenAI Enterprise Privacy and their API Data Usage Policies.
4.5 Location of Processing
OpenAI processes data in the United States. For transfers from the EEA/UK/Switzerland, we rely on:
- EU-U.S. Data Privacy Framework (OpenAI is a certified participant)
- Standard Contractual Clauses incorporated into OpenAI's DPA
- Encryption in transit (TLS) for all API communications
4.6 EU AI Act Transparency
Regulation 2024/1689 Compliance: Our AI usage is classified as limited-risk. AI-generated summaries are clearly marked and serve as advisory insights only. They do not evaluate individual employee performance, make automated HR decisions, or replace human judgment. Consultants review and can edit or reject AI-generated content before release.
6. International Data Transfers
Your personal data may be transferred to and processed in the United States, where Caimito Services LLC is located and where our infrastructure providers operate.
5.1 Transfer Mechanisms
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:
- EU-U.S. Data Privacy Framework (DPF): Where our service providers are certified under the DPF
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses incorporated into our processor agreements
- Supplementary measures: Technical and organisational safeguards including encryption in transit and at rest
5.2 Countries Involved
Data may be processed in:
- United States (primary infrastructure and controller location)
- European Union (where regional infrastructure is deployed)
7. Data Retention
We retain personal data only as long as necessary for the purposes described, or as required by law:
- Active account data: Retained while your account is active; deleted 30 days after account closure (except billing records)
- Log entries and weekly reports: Retained while your organisation's subscription is active; exportable on request
- Time tracking data: Retained while your organisation's subscription is active; exportable on request
- Invoices and billing records: Retained for 10 years after creation (tax/legal requirements); not deleted during account termination
- Authentication tokens: Magic link tokens deleted after use or expiry (2 hours); JWT session cookies expire after 7 days
- AI chat conversations: Automatically deleted daily; chat history is not retained beyond 24 hours
- Server logs: Retained for up to 90 days for security monitoring, then automatically deleted
7.1 Who Controls Deletion
Data deletion is controlled as follows:
- Individual users: May edit or delete their own log entries at any time
- Customer Admins: Responsible for managing organisational data and may request bulk deletion of organisation data
- Account termination: Users or Customer Admins may request account/organisation termination by contacting privacy@caimito.net
7.2 Post-Termination Handling
Upon account or organisation termination:
- You have 30 days to request an export of your data in a machine-readable format
- After 30 days, the following data will be permanently deleted: user profiles, log entries, weekly reports, time tracking entries, and organisation data
- The following data will be retained for legal compliance: invoices and billing records (10 years per tax law)
- When an organisation terminates, all associated member accounts and their data are included in the termination process
8. Recipients and Subprocessors
We share personal data only with the following categories of recipients, acting as data processors under our instructions. For the complete and current list, see our Subprocessor & Vendor List.
7.1 AI Service Provider
- OpenAI, L.L.C. – Processes log entry content for weekly report generation and translation features. Subject to their data processing agreement and API data usage policies.
7.2 Self-Hosted Operations
Apart from OpenAI, Navigator does not engage any third-party subprocessors. All other platform operations—including hosting, database storage, authentication, and email delivery—are operated directly by Navigator on infrastructure we control.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes. All data you provide and generate belongs to your organisation as represented by the customer administrator. No third-party analytics, tracking, advertising, or social media services are used.
9. Your Rights Under GDPR
If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
- Right of Access (Article 15): Request a copy of your personal data. You can access most data directly through your account dashboard.
- Right to Rectification (Article 16): Correct inaccurate data via your account settings or by contacting us.
- Right to Erasure (Article 17): Request deletion of your data, subject to legal retention requirements.
- Right to Restriction (Article 18): Request that we limit processing of your data in certain circumstances.
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format.
- Right to Object (Article 21): Object to processing based on legitimate interests.
- Right to Withdraw Consent (Article 7): Withdraw consent at any time where processing is based on consent.
8.1 How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@caimito.net. We will respond within 30 days of receiving your request. If your request is complex or we receive many requests, we may extend this by up to 60 additional days (we will inform you if this is necessary).
For verification purposes, we may ask you to confirm your identity via your registered email address.
10. Right to Lodge a Complaint
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority.
For EU residents: You may contact the Data Protection Authority in your country of residence. A list of EU DPAs is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
For German residents: The competent authority is the data protection authority of your federal state (Landesdatenschutzbeauftragter).
We encourage you to contact us first at privacy@caimito.net so we can address your concerns directly.
11. Cookies and Similar Technologies
Navigator uses only strictly necessary cookies required for the service to function. These cookies are essential for authentication and security—without them, the service cannot operate. No consent is required for strictly necessary cookies under ePrivacy Directive Article 5(3).
10.1 Cookies We Use
| Cookie Name | Purpose | Duration | Security Flags |
|---|---|---|---|
| jwt | Session authentication – maintains your logged-in state and verifies your identity on each request | 7 days | HttpOnly: Yes; Secure: Yes (HTTPS only); SameSite: Lax; Path: / |
| JSESSIONID | Language preference and temporary form state during sign-up flows | Session (deleted when browser closes) | HttpOnly: Yes; Secure: Yes (HTTPS only); Path: / |
10.2 Classification
All cookies used by Navigator are classified as strictly necessary. They are required for:
- Authenticating users and maintaining secure sessions
- Preventing unauthorized access to your account
- Preserving your language selection during sign-up
10.3 What We Do NOT Use
Navigator does not use:
- Analytics cookies (no Google Analytics, Matomo, or similar)
- Advertising or marketing cookies
- Third-party tracking cookies
- Social media tracking pixels or widgets
- Cross-site tracking technologies
- Fingerprinting or any other user-identification techniques beyond authentication
10.4 No Consent Banner Required
Because Navigator uses only strictly necessary cookies that are essential for the service to function, no cookie consent popup or banner is required under GDPR Article 6(1)(f) and ePrivacy Directive Article 5(3). This transparency disclosure serves as your complete cookie information.
12. Special Category Data (Sensitive Data)
11.1 Nature of Log Entries
Navigator's daily log feature allows users to enter free-text notes about their work activities. Because these entries are unstructured, they may potentially contain personal information beyond what is necessary for professional work logging.
11.2 Not Intended for Special Category Data
Navigator is designed for professional work logging and reporting. We do not intentionally collect or process special category data as defined in Article 9 of the GDPR. Special category data includes:
- Health information (physical or mental health conditions, medical treatments)
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for identification purposes
- Data concerning sex life or sexual orientation
Navigator is not intended as a platform for processing such data. Users should avoid entering special category information unless strictly necessary for the legitimate business purpose of their organisation.
11.3 User Guidance
To help protect privacy and maintain GDPR compliance:
- Focus on professional activities: Log entries should concentrate on work-related observations, project progress, technical challenges, and business interactions.
- Avoid sensitive details: Do not include health status, medical appointments, personal beliefs, union activities, or other special category information unless your organisation has explicitly determined this is necessary and lawful.
- Minimise personal identifiers: Where possible, avoid including unnecessary personal details about colleagues or third parties.
- Review before submitting: Consider whether your entry contains any information that would not be appropriate in a professional work log.
11.4 If Special Category Data Is Entered
If special category data is incidentally entered into a log entry:
- Users may edit or delete their own entries to remove such information.
- Organisation administrators (Customer Admins) are responsible for monitoring appropriate use within their organisation.
- You may contact us at privacy@caimito.net to request removal of specific data.
Where special category data does appear incidentally, the legal basis for any processing would typically be explicit consent (Article 9(2)(a) GDPR) implied by the user's deliberate entry of such information, or reliance on the customer organisation's own lawful basis and internal policies.
11.5 Security Protections
All free-text log entries—regardless of their content—receive the same robust security protections described in Section 13 (Data Security), including:
- Encryption in transit and at rest
- Role-based access controls
- Secure cloud infrastructure
Navigator does not perform automated categorisation, profiling, or special analysis of log entry content to identify special category data. We treat all log content uniformly from a security and storage perspective.
11.6 Organisational Responsibilities
Customer organisations are responsible for:
- Providing appropriate guidance to their members about what information should or should not be entered into logs
- Ensuring their use of Navigator aligns with their own data protection policies and legal obligations
- Determining whether any special category processing is necessary for their legitimate business purposes and ensuring an appropriate legal basis exists
- Monitoring and managing the content created by their team members
Caimito Services LLC acts as a data processor for log entry content on behalf of customer organisations (the data controllers for their employee/member data).
13. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption in transit (TLS/HTTPS for all connections)
- Encryption at rest for stored data
- Passwordless authentication reducing credential theft risk
- Role-based access controls limiting data visibility
- Regular security updates and monitoring
- Secure cloud infrastructure with industry-standard certifications
No method of transmission or storage is 100% secure. If you have concerns about a security issue, please contact us immediately at privacy@caimito.net.
14. Children's Privacy
Navigator is a professional service not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
15. Changes to This Privacy Notice
We may update this privacy notice to reflect changes in our practices or legal requirements. Material changes will be communicated via email to organisation administrators. The effective date indicates when this version became active.
Continued use of Navigator after changes take effect constitutes acceptance of the updated notice. We encourage you to review this notice periodically.
16. Contact Information
For questions about this privacy notice or to exercise your data protection rights:
Privacy Contact:
Email: privacy@caimito.net
General Inquiries:
Email: info@caimito.net
Postal Address:
Caimito Services LLC
2810 N Church St #26668
Wilmington, Delaware 19802-4447
United States
17. Reporting Illegal or Abusive Content
We take the safety of our platform seriously. If you encounter any illegal, abusive, or harmful content on Navigator, or if you believe your personal data has been misused, please report it immediately.
Abuse Reports: abuse@caimito.net
Privacy Concerns: privacy@caimito.net
For complete details on our abuse reporting procedures, what to report, and how we respond, please see Section 20 of our Terms and Conditions.
Zero Tolerance: Navigator maintains a zero-tolerance policy for illegal content, including child sexual abuse material (CSAM). Confirmed illegal content will result in immediate action and reporting to authorities.
18. Version History and Change Log
This section documents all versions of this privacy notice. Material changes will be announced on this page and, where appropriate, communicated via email to organisation administrators.
Version 1.5 — Effective December 2, 2025
Added legal bases documentation per GDPR Article 6
- Added Section 4 documenting legal bases for processing activities
- Specified contractual necessity, legitimate interests, legal obligation, and consent bases
- Clarified that AI-assisted features require user consent
Version 1.4 — Effective December 2, 2025
Enhanced data retention transparency and deletion controls
- Added explicit retention period for time tracking data in Section 7
- Clarified account closure timeline: data deleted 30 days after closure
- Added Section 7.1 (Who Controls Deletion) specifying user, admin, and termination deletion rights
- Added Section 7.2 (Post-Termination Handling) with definitive deletion commitments
- Strengthened language from "may be deleted" to "will be permanently deleted"
- Clarified that invoices are explicitly retained during account termination
- Specified JWT cookie expiry as 7 days (previously "as configured")
- Documented impact of organisation termination on member accounts
Version 1.3 — Effective December 2, 2025
Two-tier operating model and EU representative clarification
- Restructured Section 1 to explain the two-tier operating model with different data controllers
- Clarified that the Starter tier (EUR/USD 299, fully automated) is operated by Caimito Services LLC (US)
- Clarified that consultant-supported tiers (Developer Advocate and above) are operated by Caimito Agile Life S.L. (Spain)
- Added new Section 2 designating Caimito Agile Life S.L. as EU representative for the US entity under GDPR Article 27
- Specified that EU representative appointment applies only to the automated Starter tier
- Renumbered all subsequent sections (now Sections 3-18)
Version 1.2 — Effective December 2, 2025
Expanded special category data guidance for free-text log entries
- Expanded Section 12 (Special Category Data) with comprehensive guidance on free-text log entries
- Clarified that Navigator is not intended for processing special category data
- Added detailed list of special category data types users should avoid entering
- Documented legal basis if special category data is incidentally entered (explicit consent)
- Confirmed all log entries receive the same security protections regardless of content
- Clarified that Navigator does not perform automated categorisation or profiling of log content
- Specified organisational responsibilities for guiding member usage and ensuring lawful processing
- Added UI notice near log entry form reminding users to avoid sensitive personal data
Version 1.1 — Effective December 1, 2025
Enhanced AI provider transparency and abuse reporting
- Added Section 16 (Reporting Illegal or Abusive Content) with abuse reporting procedures
- Expanded Section 4 (AI-Assisted Text Processing) with detailed subsections
- Added explicit identification of OpenAI, L.L.C. as AI provider with contact details
- Clarified exactly what data is sent to AI (user-selected text only)
- Documented AI provider retention policy (30-day max, no model training)
- Added links to OpenAI's Enterprise Privacy and API Data Usage Policies
- Specified transfer safeguards: EU-U.S. Data Privacy Framework and SCCs
Version 1.0 — Effective November 30, 2025
Initial publication
- Established standalone privacy notice for Navigator (navigator.caimito.net)
- Identified Caimito Services LLC as the data controller
- Documented all categories of personal data processed
- Specified legal bases under GDPR Articles 6(1)(a)-(f)
- Disclosed AI processing via OpenAI with EU AI Act transparency
- Documented international transfer mechanisms (DPF, SCCs)
- Listed data retention periods by category
- Identified subprocessors (AI, infrastructure, email)
- Detailed GDPR rights and complaint procedures