This page lists the third-party service providers ("sub-processors") Navos AI, Inc. ("Company," "we," "us," "our") engages to operate the navos.ai marketing website. It is maintained as an operational reference for data subjects, procurement teams running vendor diligence, and regulators.
Each sub-processor below operates under a signed Data Processing Agreement (DPA) that limits processing to the documented purpose and requires equivalent security and privacy safeguards. Links to each sub-processor's public DPA are provided where available.
Our commitment to transparency
We give at least 30 days' advance notice before adding a new sub-processor that will process personal data you have shared with us via a form submission. Notice is sent to the email address you used when submitting the form. If you object to a new sub-processor, you may withdraw the personal data you shared with us by contacting our Privacy Officer at contact@navos.ai.
We review this list at least once a year, and whenever our stack materially changes. The Last updated date at the top of this page reflects the most recent review.
Current sub-processors
Note: the stack listed below reflects the launch-day state of navos.ai. The pre-launch stack included Formspree (form submission delivery) which is being replaced as part of our launch plan. Once Formspree is decommissioned, this list will be updated and the Last updated date will be bumped.
Core infrastructure
Sub-processor: Vercel Inc.
Purpose: Hosting for navos.ai, edge runtime, request logs, Speed Insights (Core Web Vitals telemetry), Vercel Blob (hosting for blog hero images).
Data categories: Request metadata (URL, user agent, country-level IP), Web Vitals beacons (page load time, device type), blob content (currently blog hero images only).
Location: United States (global edge network).
Adequacy basis: EU-US Data Privacy Framework (Vercel is DPF-certified). Verify current certification at dataprivacyframework.gov.
DPA: vercel.com/legal/dpa
Sub-processor: Cloudflare, Inc.
Purpose: DNS resolution for the navos.ai domain.
Data categories: DNS query metadata only. Cloudflare does not see request bodies because navos.ai does not use Cloudflare as a proxy, WAF, or CDN.
Location: United States (global anycast).
Adequacy basis: EU-US Data Privacy Framework (Cloudflare is DPF-certified).
DPA: cloudflare.com/cloudflare-customer-dpa
Analytics (consent-gated)
The following analytics sub-processors process data only after you grant explicit consent via the cookie banner on your first visit. See our Cookie Policy for the consent categories and withdrawal procedure.
Sub-processor: Google LLC / Google Ireland Limited
Purpose: Google Analytics 4 — aggregated site analytics for acquisition sources, pageviews, and Core Web Vitals field data.
Data categories: Consent-gated event data, IP anonymized at the Google server, no cross-site tracking. Data retention is set to 14 months per our Cookie Policy.
Location: United States and Ireland.
Adequacy basis: EU-US Data Privacy Framework (Google LLC is DPF-certified).
DPA: Accepted by us in the GA4 Admin console per Google's Data Processing Terms.
CRM and communications
Sub-processor: Apollo.io, Inc.
Purpose (dual role):
- CRM (form submissions): stores the canonical record of contact, demo, careers, and other form submissions you send through navos.ai. Gated by the form action itself — no consent banner needed because the data is provided by you directly.
- Website visitor identification (marketing consent only): Apollo's website tracker identifies your company (not you personally) via reverse-IP lookup if you accept the "marketing" consent category. This data feeds our internal sales prioritization so we can see which of our target accounts are touching the site. We do not use this data for unsolicited individual outreach.
Data categories (CRM role): Contact name, email address, company name, form message content, first-touch attribution metadata (how you heard about us, referring URL, UTM parameters).
Data categories (tracker role): IP address (used for reverse-lookup then discarded), company name derived from IP, page path, user-agent. No individual identifiers.
Location: United States.
Adequacy basis: EU-US Data Privacy Framework (verify Apollo's current certification at dataprivacyframework.gov).
DPA: Apollo's standard DPA is available upon request via their sales team.
Withdrawal (tracker role only): Apollo does not provide a way to fully unload its tracker script once loaded. If you revoke marketing consent mid-session, our consent banner clears Apollo cookies immediately, but the already-loaded tracker script continues running in memory until you reload the page or close the tab.
Sub-processor: Resend, Inc.
Purpose: Transactional email. When you submit a form, Resend delivers a notification email to the Navos AI cofounders so we can respond to your inquiry.
Data categories: Contact email address, notification email body (which reflects the form you submitted).
Location: European Union (Frankfurt region selected at signup).
Adequacy basis: Data is processed and stored in the European Union. No cross-border transfer.
DPA: resend.com/legal/dpa
Product analytics (consent-gated, separate consent category)
Sub-processor: PostHog, Inc.
Purpose: Product analytics and session replay for user experience diagnostics. We use PostHog to understand navigation patterns, identify UX friction, and debug specific user issues.
Data categories: Consent-gated event data, super-properties (attribution metadata), and — only if you grant the separate "session-recording" consent — anonymized session recordings. All form inputs are masked by default in session recordings.
Location: European Union (PostHog EU Cloud — AWS eu-central-1, Frankfurt). Event data and session recordings remain in the EU.
Adequacy basis (event data): Data is processed and stored in the European Union. No cross-border transfer for event data or session recordings.
Honest disclosure — residual US touches: PostHog, Inc. is a Delaware corporation. While event data and session recordings stay in Frankfurt, billing metadata and support session metadata transit US systems under Standard Contractual Clauses. This is compliant under post-Schrems II SCC rules. We disclose it here rather than claiming "zero US transfer," because accurate disclosure matters more than marketing claims.
DPA: posthog.com/dpa
How we categorize processing
We group our sub-processors into four functional categories, reflecting how they relate to your interactions with navos.ai:
- Core infrastructure — required for the site to function (Vercel, Cloudflare). Processes only technical metadata.
- Analytics (consent-gated) — processes data only after you explicitly accept the analytics consent category (Google Analytics 4).
- CRM and communications — processes data you proactively submit via forms (Apollo, Resend).
- Product analytics (separate consent category) — processes data only after you grant the session-recording consent category, which is explicitly separate from the analytics category (PostHog).
Each category has a distinct legal basis and retention policy, described in our Privacy Policy.
Your rights and contact
If you have questions about any sub-processor on this list, want to request access to or deletion of your personal data, or believe we have processed your data outside the documented purposes, please contact our Privacy Officer:
Privacy Officer, Navos AI, Inc.
contact@navos.ai
You also have the right to lodge a complaint with your supervisory authority. For EU data subjects, the list of national DPAs is at edpb.europa.eu/about-edpb/about-edpb/members_en. For Quebec data subjects, the Commission d'accès à l'information du Québec. For UK data subjects, the Information Commissioner's Office.
Entity
Navos AI, Inc.
1111B S Governors Ave, Ste 39989
Dover, DE 19904
United States
