Privacy Policy

Last updated: May 19, 2026

1. Who we are

Navira ("we", "us") operates the navira.life platform that helps immigrants navigate settlement in the United States and Canada. This policy explains what personal data we collect, how we use it, and the rights you have over it.

2. Data we collect

  • Account data: email address, hashed password, account creation timestamp, and (optionally) language preference, country of origin, current city, and immigration status.
  • Two-factor authentication: when you enable 2FA we store an encrypted TOTP secret on your user record. We never see your authenticator-app code.
  • Document Vault: files you upload (passports, IDs, immigration letters, etc.) are stored encrypted at rest using AES-128-CBC + HMAC-SHA256 (Fernet) with a key held only in the application environment.
  • Usage data: checklist progress, AI tool inputs you submit, feedback you send us, and a security audit log of authentication events and vault accesses.
  • Technical data: request IP, user-agent, and session cookie identifiers, used for security and abuse prevention.

3. How we use your data

We use your data to (a) provide the service you signed up for, (b) authenticate you and protect your account from abuse, (c) personalise checklists and resources to your country/status, (d) bill you if you subscribe to a paid plan, and (e) meet our legal obligations.

4. AI processing

When you use AI-powered features (Legal Assistant, Resume Refiner, Dojo, Landlord Letter), the text you submit is sent to OpenAI for inference. We do not send your vault documents, your password, or your full account profile. Inputs and outputs are not used by OpenAI to train its models under our API agreement. ElevenLabs receives only the short text snippets you ask to be read aloud.

5. Legal basis (GDPR) and notices (CCPA)

We process your data on the basis of contract (delivering the service you requested), legitimate interest (security, fraud prevention), consent (optional fields you choose to fill in), and legal obligation. California residents have additional rights under CCPA and we do not sell personal information.

6. Your rights

  • Right of access: download a machine-readable copy of everything we hold about you from Settings โ†’ Privacy โ†’ Export my data.
  • Right to erasure: delete your account and all associated data from Settings โ†’ Delete account. Audit log rows are retained with your user id nulled out (see Data Retention Policy).
  • Right to rectification: edit your profile and localisation fields at any time in Settings.
  • Right to object/restrict: contact privacy@navira.life.

7. Sharing & sub-processors

We share data only with the sub-processors required to run the service. The current list is published at /subprocessors and is updated when it changes.

8. Retention

See our Data Retention Policy for category-by-category retention windows.

9. Security

Passwords are stored using PBKDF2-SHA256. The Document Vault is encrypted at rest. Sessions are signed, HTTPS-only, and HttpOnly. 2FA via TOTP is available to every account. We log security-relevant events to an append-only audit table.

10. International transfers

The platform is hosted in North America. Sub-processors may process data in the United States; transfers from other regions rely on Standard Contractual Clauses or the equivalent legal mechanism for that processor.

11. Children

Navira is not directed at children under 13 and we do not knowingly collect their data.

12. Changes to this policy

Material changes will be announced in-app at least 14 days before they take effect.

Questions about this policy? Email privacy@navira.life.