Summary
Nava is committed to protecting your privacy. We collect only the data needed to run the platform, never sell it to third parties, and store everything in compliance with the EU General Data Protection Regulation (GDPR). Read on for the full details.
1. Who We Are
Nava ("we", "us", "our") is the operator of the Nava mobile application and related services. If you have any questions about this policy or how we handle your data, contact us at privacy@nava.app.
2. Data We Collect
2.1 Account Information
When you register, we collect your name, email address, username, password (hashed), and the role you sign up as (Owner, Tenant, Buyer, or Seller). If you register via Google or Apple Sign-In, we receive your name and email from those providers.
2.2 Profile Data
You may optionally upload a profile photo, add a bio, and upload identity or tenancy documents. These are stored securely on encrypted S3-compatible storage.
2.3 Property & Tenancy Data
Owners and property managers provide property details (address, size, type, images). We link tenant accounts to properties via a private relationship — this linkage is never publicly visible.
2.4 Financial Data
Nava does not store your card details. Payment card information is handled entirely by Stripe, a PCI-DSS Level 1 certified payment processor. We store only wallet balances, transaction records, and Stripe payment intent IDs for reconciliation purposes.
2.5 Communications
Messages sent in private or group chats are stored in our database to enable message history. We do not read your messages except where required by law or to investigate a reported abuse incident.
2.6 Device & Technical Data
We collect device tokens to deliver push notifications, your IP address, device type, and app version for security and debugging. We also log API requests for fraud detection and uptime monitoring.
2.7 Usage Data
We collect anonymous analytics on feature usage (e.g. how often certain screens are visited) to improve the product. This data is aggregated and never tied to your identity.
3. How We Use Your Data
- To provide the service — create your account, manage properties, process wallet payments, send bills, deliver push notifications, and enable chat.
- To comply with legal obligations — including GDPR data subject requests, tax reporting, and fraud prevention.
- To communicate with you — transactional emails (password resets, bill notifications, e-signature requests). We do not send marketing emails without your explicit consent.
- To improve the product — aggregated, anonymised usage data helps us prioritise features and fix bugs.
- To protect the platform — audit logs, IP logging, and rate limiting are used to detect and prevent abuse.
4. Legal Basis for Processing (GDPR)
- Contract performance — processing is necessary to provide the service you signed up for.
- Legitimate interests — fraud prevention, security, and improving our services.
- Legal obligation — compliance with applicable law (e.g. AML, tax).
- Consent — for optional features such as marketing communications or analytics beyond what is strictly necessary.
5. Data Sharing
We do not sell your personal data. We share data only with:
- Stripe — payment processing. Stripe's privacy policy applies to data they receive.
- BoldSign — e-signature provider for lease agreements.
- Firebase (Google) — push notification delivery via Firebase Cloud Messaging.
- Amazon Web Services / S3-compatible storage — for secure file storage.
- Law enforcement or regulators — only when legally required and after verification of the request.
All sub-processors are bound by data processing agreements consistent with GDPR requirements.
6. Data Retention
- Account data is retained for as long as your account is active.
- Financial records (transactions, top-ups, bills) are retained for 7 years to comply with financial regulations.
- Audit logs are retained for 2 years.
- Push notification tokens are deleted when you log out or uninstall the app.
- Upon account deletion, your personal data is anonymised or deleted within 30 days, except where retention is required by law.
7. Your Rights (GDPR)
If you are in the EU or EEA, you have the following rights:
- Right of access — request a copy of the data we hold about you.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure — request deletion of your account and personal data.
- Right to data portability — export your data in a machine-readable format (available in-app under Settings → Export My Data).
- Right to object — object to processing based on legitimate interests.
- Right to restrict processing — ask us to limit how we use your data.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email privacy@nava.app or use the in-app data tools under Settings → Privacy. We will respond within 30 days.
8. Cookies
The Nava mobile app does not use cookies. Our web portal uses strictly necessary session cookies to keep you logged in. We do not use advertising or tracking cookies. You can clear session cookies at any time by logging out.
9. Security
All data is transmitted over TLS 1.2+. Data at rest is AES-256 encrypted. Access to production systems is restricted to authorised personnel only, with multi-factor authentication required. We conduct regular security reviews and maintain audit logs of all sensitive operations.
10. Children's Privacy
Nava is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us immediately at privacy@nava.app.
11. Changes to This Policy
We may update this policy from time to time. When we make significant changes, we will notify you via the app or email at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact & Complaints
For privacy questions: privacy@nava.app
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In Ireland, that is the Data Protection Commission (DPC).