Privacy Policy

DEFINITIONS

The Parties to this Privacy Policy hereby unconditionally agree that unless the context otherwise requires, the terms listed below when used in this Privacy Policy shall have the meanings attached to them and these terms shall be interpreted accordingly. In addition to the terms defined below, the meanings of the terms defined in the Terms of Use executed between the Customer, the End User and the Company shall be made applicable mutatis mutandis to this Privacy Policy:

• "Public Information" shall mean any information that is available to anyone on or off our Services and can be seen or accessed through online search engines, APIs, and offline media, such as on TV.
• "Collected Information" shall have the meaning ascribed to it in Clause 3.1.
• "Team" shall mean a designated group of people inside the Customer's organisation that carry out a specific function together.
• "End User" shall mean the individual employee/consultant/authorised representative of the Customer that makes use of Portal.

In this Terms of Use, except to the extent that the context otherwise requires:

• References to a statute, ordinance or other Law shall be deemed to include any references to a statute, ordinance or other Law as amended or replaced;
• The headings are inserted for convenience only and shall not affect the construction of this Terms of Use;
• The masculine gender includes the feminine gender and vice versa.

DATA COLLECTION

The Company shall collect and store the following information ("Collected Information"):

• Activities of all the End Users on the Portal.
• Device information of the End User.
• Information from the third party partners.
• Activities of end users on related services (NavigateAIF for Outlook add-in, NavigateAIF for Gmail chrome extension etc.)

The Company shall use Collected Information for the following reasons:

• Provide, improve, develop NavigateAIF Service and/or NavigateAIF.
• Communicate with the Customer and the End User more effectively.
• To promote safety and security.
• For better End User experience and research/data analytics.

The Company reserves the right to share personally identifiable "Non-Aggregated Collected Information" only in instances of legal requirement, judicial proceedings, or violations of Terms of Use. The Company shall not sell any Non-Aggregated Collected Information to any third party.

Each End User specifically allows the Company access to content in relation to their mailer accounts (Gmail or Outlook) for the purpose of streamlined dissemination of information within the Team.

GOOGLE USER DATA ACCESS AND USE

NavigateAIF's Compliance Calendar feature accesses and uses Google user data through the Google Calendar API. Specifically, the application requests the following scope:

• Google Calendar Access: The application requests permission to see, edit, share, and permanently delete all calendars you can access using Google Calendar (https://www.googleapis.com/auth/calendar).

The Compliance Calendar uses this access to:

• Create and manage compliance-related calendar events in your Google Calendar.
• Read existing calendar events to avoid scheduling conflicts and provide integrated compliance tracking.
• Update calendar events when compliance deadlines or regulatory requirements change.
• Delete calendar events when compliance obligations are completed or modified.

Limited Use Disclosure: NavigateAIF's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. Google user data accessed through the Compliance Calendar feature is used solely to provide and improve the compliance tracking functionality and is not used for any other purpose.

DATA SHARING, TRANSFER, AND DISCLOSURE

Google User Data Sharing:

NavigateAIF does NOT share, transfer, sell, or disclose Google user data (including Google Calendar data) to any third parties, except in the following limited circumstances:

• No Third-Party Sharing: Google Calendar data accessed through the Compliance Calendar feature is not shared with, sold to, or disclosed to any third-party service providers, partners, or external entities for any purpose.
• Internal Use Only: Google user data is processed internally within NavigateAIF's secure infrastructure solely to provide the Compliance Calendar functionality to the End User.
• Within Organization: Calendar data may be visible to other authorized End Users within the same Customer organization (Team) as configured by the Customer's administrator, solely for the purpose of collaborative compliance tracking within that organization.
• Legal Requirements: Google user data may be disclosed if required by law, court order, or governmental regulation, or to protect the rights, property, or safety of NavigateAIF, its users, or the public. In such cases, we will make reasonable efforts to notify affected users unless prohibited by law.
• Service Providers: We use Amazon Web Services (AWS) as our cloud infrastructure provider to host and process data. AWS has access to encrypted data solely for the purpose of providing hosting infrastructure and does not have access to decrypt or use Google user data for any other purpose. AWS is bound by strict confidentiality obligations and data processing agreements.

Data Transfer:

• Google user data is stored and processed on servers located in secure data centers. Data may be transferred across geographical boundaries as necessary to provide the services, but remains subject to the same security and privacy protections outlined in this policy.
• No transfer of Google user data occurs to any third-party applications or services outside of NavigateAIF's controlled infrastructure.

General Data Sharing:

• Non-Google user data may be shared with third-party service providers (such as analytics tools, email service providers) who assist us in operating our platform, conducting our business, or servicing users, provided that those parties agree to keep this information confidential.
• Aggregated, anonymized data that cannot identify individual users may be shared for research, analytics, or business purposes.

DATA PROTECTION AND SECURITY

The Company implements industry-standard security measures to protect all user data, including Google user data accessed through our services:

• Encryption: All data transmitted between the End User's device and NavigateAIF servers is encrypted using TLS/SSL protocols. Sensitive data stored in our databases is encrypted at rest using AES-256 encryption.
• Access Controls: Access to user data, including Google user data, is restricted to authorized personnel only on a need-to-know basis. All access is logged and monitored for security purposes.
• Authentication: The Company uses OAuth 2.0 protocol for secure authentication with Google services. User credentials are never stored on our servers.
• Regular Security Audits: The Company conducts regular security assessments and vulnerability testing to ensure the ongoing protection of user data.
• Secure Infrastructure: All data is stored on secure cloud infrastructure with enterprise-grade security controls, including firewalls, intrusion detection systems, and regular security patches.
• Data Segregation: Customer data is logically segregated to prevent unauthorized cross-access between different organizations using the platform.

DATA RETENTION AND DELETION

Google User Data Retention:

• Google Calendar data accessed through the Compliance Calendar feature is retained only for as long as necessary to provide the compliance tracking service.
• Calendar event data synchronized with our platform is retained in our systems only while the End User maintains an active account and the Compliance Calendar feature is enabled.
• The Company does not store complete copies of the End User's Google Calendar. We only retain metadata and references necessary to maintain synchronization and provide compliance tracking functionality.

General Data Retention:

• Collected Information is retained for the duration of the Customer's active subscription to NavigateAIF services.
• Upon termination of services or account closure, personal data will be deleted within 90 days, except where retention is required by applicable law or regulation.
• Aggregated and anonymized data that cannot be used to identify individual users may be retained indefinitely for analytical and research purposes.

User Rights and Data Deletion:

• End Users may revoke NavigateAIF's access to their Google Calendar at any time through their Google Account permissions settings (https://myaccount.google.com/permissions).
• Upon revocation of access, the Company will cease accessing the End User's Google Calendar and will delete all associated calendar data within 30 days.
• End Users may request deletion of their personal data by contacting the Company at the contact information provided on our website.
• Upon receiving a deletion request, the Company will delete the End User's personal data within 30 days, subject to legal retention requirements.
• Customers may request deletion of all data associated with their organization by submitting a formal request through their account administrator.

COOKIES

Essential: Cookies necessary to enable or enhance functionality, such as recalling recent actions or account settings.

Non-essential: NavigateAIF uses Google Analytics' cookies to analyze usage. If the End User has Cookies disabled in their browser, these will be blocked.

The Customer and/or the End User acknowledges that the Company reserves the right to amend and revise this Policy at any time, and covenants to abide by such amended Policy.