Privacy policy

Last updated: April 28, 2026

Overview

Navis Docs is an open-source, privacy-conscious knowledge and standard operating procedure (SOP) management platform. This policy explains what data we collect when you use the cloud-hosted service, how we use it, and who we share it with.

For self-hosted deployments, all data remains on your own infrastructure. This policy applies only to the Navis Docs cloud service.

What We Collect

Account data

When you create an account we store:

  • Email address and a normalised canonical form of it
  • Display name
  • Profile picture (Google OAuth sign-in only)
  • Email verification status and account creation date

Authentication data

We support two sign-in methods. Depending on which you use, we store additional data:

  • Google OAuth: OAuth tokens (access token, refresh token, ID token) provided by Google at sign-in are stored in our database to maintain your session.
  • Email one-time password (OTP): A 5-digit code is emailed to you via Resend. We store only a cryptographic hash of the code — the plaintext code is never stored and cannot be recovered by us.

Organisation data

When you create or belong to an organisation we store its name, URL slug, your role within it, your subscription plan, and Stripe billing identifiers.

If your organisation enables AI features, an encrypted copy of your Anthropic or OpenAI API key is stored in our database.

Address book

The address book feature allows your organisation to store contact records (name, email, phone, postal address, website). This data is entered and managed entirely by your organisation. See the User-Managed Contact Data section for your responsibilities as the data controller.

Activity data

We record the following to power in-app features:

  • Which procedures you have marked as favourites
  • Which procedures and news posts you have read (used to show read-state indicators in the UI)
  • Audit log entries: actor, action, timestamp, and a JSON snapshot of the changed record — used for your organisation’s compliance features

AI chat content

When you use the AI assistant, your messages and the relevant knowledge base context are sent to Anthropic’s API for processing. See the AI Features and Data Processing section for details.

How We Use Your Data

We use the data we collect exclusively to:

  • Authenticate you and maintain your session
  • Provide and improve the Navis Docs service
  • Send transactional emails (OTP codes, team invitations, billing notifications)
  • Process subscription billing via Stripe
  • Enforce rate limits to protect service availability
  • Power AI assistant responses when the feature is enabled

We will never sell your data or use it for advertising. Your organisation’s knowledge base content and documents are yours.

Cookies and Local Storage

Navis Docs uses a small number of cookies and browser storage mechanisms, described below.

Cookies

  • Session cookie — an encrypted JWT cookie set by Auth.js to keep you signed in. This cookie is essential for the service to function and cannot be opted out of while you are logged in.
  • sidebar_state — stores whether the application sidebar is open or collapsed. This is a UI-only preference with a 7-day expiry and contains no personal data.

Browser storage (not cookies)

  • sessionStorage — AI chat message history is stored per team in your browser’s sessionStorage. This data is never sent to our servers or any analytics vendor; it exists only in your browser tab and is cleared when the tab is closed.
  • localStorage — your theme preference (light or dark) is stored in localStorage by the theme provider. This data never leaves your device.

AI Features and Data Processing

When you use the AI assistant, your messages and the relevant sections of your knowledge base are sent to Anthropic for processing via their API. Anthropic does not use API request data to train their models.

AI features are only active if your organisation has configured an API key. If no key has been configured, no data is sent to Anthropic.

AI chat messages are not stored on our servers. They are persisted temporarily in your browser’s sessionStorage (see above) and cleared when you close the tab.

Third-Party Subprocessors

We share data with the following third-party processors in order to provide the service:

Subprocessor | Purpose | Data received
Google | OAuth authentication | Account ID, email, display name, profile picture
Resend | Transactional email (OTP codes, invitations) | Recipient email address
Stripe | Billing and subscription management | Email address, organisation name, subscription metadata
Anthropic | AI assistant responses | Chat message content and knowledge base context (only when AI is enabled)
Supabase | File storage | Uploaded files (document imports, images, audit exports)
Upstash | Rate limiting | User ID and IP address (used to enforce request-rate limits)

IP Addresses

IP addresses are used by Upstash Redis to enforce rate limits on incoming requests. They are not stored in our primary database and are not used for analytics, tracking, or any purpose other than preventing abuse.

User-Managed Contact Data

If your organisation uses the address book feature to store contact details for third parties (customers, suppliers, or other contacts), you are acting as the data controller for that information. You are responsible for ensuring you have an appropriate legal basis to store those details and that doing so complies with any applicable privacy laws in your jurisdiction.

Navis Docs processes this data on your behalf as a data processor and will not use it for any purpose beyond providing the service to your organisation.

Data Ownership

You retain all rights to your organisation’s knowledge base, documents, and SOPs. We will never sell or share your content with third parties. We act only as a processor of that data on your behalf.

For self-hosted Navis Docs instances, all data remains exclusively on your own servers and under your full control.

GDPR and Privacy Regulations

Navis Docs is designed with privacy regulations in mind, including the GDPR, CCPA, and the UK GDPR:

  • We collect only the data necessary to provide the service
  • We do not track users across different websites or services
  • We do not sell personal data or share it with advertisers
  • You may request deletion of your account and associated personal data by contacting us at hello@navisdocs.com

Security Measures

For the cloud service, we implement appropriate technical and organisational security measures to protect your data. These include encrypted storage of sensitive values (such as API keys), hashed storage of OTP codes, and HTTPS for all data in transit.

For self-hosted instances, security is the responsibility of your infrastructure administrators.

Open Source Transparency

As an open-source project, our code is publicly available for independent review. This includes our data collection mechanisms, which you can audit to verify the claims in this policy.

View our GitHub repository →

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or for legal reasons. We will post the updated policy on this page with a revised date. For material changes, we will notify users by email where possible.

Contact Us

If you have questions about this policy or our data practices, please contact us at: hello@navisdocs.com