Privacy Policy

Last Updated: March 2026

1. Introduction and Data Controller Identity

This Privacy Policy governs the collection, processing, and protection of personal data by ainavi.co.uk ("we", "us", or "our"). We are committed to protecting your privacy in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018 (DPA 2018)
  • Data (Use and Access) Act 2025 (DUAA)
  • Privacy and Electronic Communications Regulations 2003 (PECR)
  • EU AI Act 2024/1689 (Regulation EU 2024/1689) – applicable obligations
  • ICO Guidance on AI and Data Protection (updated under DUAA 2025)

Data Controller:

Legal Entity: [Your Legal Entity Name] — PLEASE COMPLETE
Registered in: United Kingdom
Company Number: [Your Company Number, if applicable]
Registered Address: [Your Registered Business Address]
ICO Registration No.: [Your ICO Registration Number — required if processing personal data]
Data Protection Contact: admin@ainavi.co.uk

Note: If you process personal data as a business, you are likely required to register with the ICO. Please ensure your registration is current at ico.org.uk.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual (e.g. name, ID number, location data, online identifiers).
  • Special Category Data: Sensitive data including racial/ethnic origin, health data, biometric data, etc., subject to heightened protection under UK GDPR Article 9.
  • Processing: Any operation performed on personal data (collection, recording, storage, use, disclosure, deletion).
  • Data Controller: The entity determining purposes and means of processing — that is us.
  • Data Processor: A third party processing data strictly on our behalf.
  • Automated Decision-Making (ADM): Processing that produces decisions based solely on automated means, including profiling.
  • AI System: A machine-based system using AI techniques that can generate outputs such as predictions, recommendations, or decisions, as defined in EU AI Act Article 3.

3. Data We Collect

3.1 Data You Provide Directly

We collect information when you:

  • Register an account (username, contact details — passwords are stored in hashed form only)
  • Complete forms (contact requests, surveys, applications)
  • Make purchases (billing address; payment details are processed via secure third-party gateways — we do not store card data)
  • Subscribe to newsletters (email preferences, consent records)
  • Interact with AI features (prompts, queries, feedback you submit)
  • Participate in interactive features (comments, reviews)

3.2 Data Collected Automatically

  • Technical Data: IP address, browser type and version, device characteristics, operating system
  • Usage Data: Pages visited, time spent, navigation paths, clickstream data, referring URLs
  • Cookie Data: As described in Part 3 (Cookie Policy) of this document
  • Location Data: Approximate geographic location derived from IP address only — we do not collect precise GPS data
  • AI Interaction Logs: Where you use AI-powered features, we may log interactions to ensure safety, quality, and legal compliance

3.3 Data From Third Parties

We may receive data from analytics providers (Google Analytics), advertising networks (Google Ads, Meta Pixel — only with your consent), payment processors (Stripe, PayPal), and social media platforms (only when you choose to connect them). All third-party data sharing is governed by contracts including appropriate data processing agreements.

4. Lawful Bases and Processing Purposes

We process your data under the following UK GDPR Article 6 lawful bases:

Purpose | Lawful Basis | Examples
Service delivery | Contractual necessity | Account creation, order processing, support
Marketing communications | Consent (opt-in required) | Email newsletters, promotional content
Website analytics | Legitimate interest | Improving user experience and security
Legal compliance | Legal obligation | Fraud prevention, HMRC tax reporting
AI feature operation | Legitimate interest / Contract | AI recommendations, personalisation
AI safety monitoring | Legal obligation / Legitimate interest | EU AI Act compliance, harm prevention

Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) and determined that our interests do not override your fundamental rights. You have the right to object to processing on this basis at any time.

Special Category Data: We do not intentionally collect special category data. If you choose to share such data, we will seek explicit consent (UK GDPR Article 9(2)(a)) before processing.

5. AI-Specific Data Processing Disclosures

In compliance with the EU AI Act and ICO AI Guidance, we disclose the following about our use of AI:

5.1 AI Systems We Use

Where we use AI systems that process your data, we will identify these clearly in the relevant section of our Website. Our AI features are classified under the EU AI Act risk framework. We do not currently operate any High-Risk AI Systems as defined in Annex III of the EU AI Act without implementing the full compliance requirements applicable to those systems.

5.2 Automated Decision-Making

Where any automated decision-making (including profiling) produces legal or similarly significant effects on you, we will:

  • Inform you clearly that such processing is taking place
  • Explain the logic, significance, and likely consequences
  • Provide you with the right to request human review of the decision
  • Allow you to contest the decision and express your point of view

These rights are provided under UK GDPR Article 22 and as updated by the Data (Use and Access) Act 2025, which modified some exemptions to automated decision-making rules. We will not make decisions solely by automated means that have significant effects on you in areas such as creditworthiness, employment, or access to services without meaningful human oversight.

5.3 AI Training Data

We will not use your personal data to train AI or machine learning models without your explicit, separately obtained consent. If we intend to use any data for AI training purposes, we will inform you and obtain your consent in advance.

5.4 AI-Generated Outputs and Accuracy

AI-generated content or recommendations presented on this Website may contain inaccuracies. We take steps to monitor output quality and correct errors, but we cannot guarantee the accuracy of AI outputs. You should treat AI-generated content as a starting point, not a definitive answer, and independently verify important information.

6. Data Sharing and International Transfers

6.1 Categories of Recipients

  • IT Service Providers: Hosting companies, cloud storage providers (under data processing agreements)
  • Marketing Platforms: Email service providers (e.g. Mailchimp) — only with your consent for marketing
  • Payment Processors: Stripe, PayPal (we do not store card details; these processors are PCI-DSS compliant)
  • Analytics Providers: Google Analytics (data shared only where consent is given for performance cookies)
  • AI Service Providers: Third-party AI APIs or platforms we use to deliver features — listed in our AI Transparency Notice (Part 4)
  • Professional Advisors: Accountants, lawyers (under confidentiality obligations)
  • Law Enforcement / Regulators: Where required by law, court order, or regulatory direction

6.2 International Transfers

Where data is transferred outside the UK or EU/EEA, we implement appropriate safeguards including:

  • UK Adequacy Regulations — for transfers to countries with an adequacy decision
  • Standard Contractual Clauses (SCCs) — for other transfers
  • Transfer Risk Assessments (TRAs) — conducted where required by ICO guidance
  • Binding Corporate Rules (BCRs) — where applicable for group transfers

You may request a copy of the safeguards we use for international transfers by contacting admin@ainavi.co.uk.

7. Data Retention

Data Type | Retention Period | Rationale
Account data | 3 years after last activity | Customer relationship management
Financial records | 7 years | Legal obligation (HMRC)
Marketing consents | 2 years after last interaction | Consent renewal per PECR
Website analytics | 26 months (anonymised thereafter) | Business intelligence
AI interaction logs | 12 months (then anonymised) | Safety monitoring, quality assurance
Cookie consent records | 3 years | PECR compliance evidence

At the end of each retention period, personal data is securely deleted or anonymised. We review retention schedules annually.

8. Your Rights Under UK GDPR and DUAA 2025

You have the following rights. To exercise any of them, contact us at admin@ainavi.co.uk. We will respond within 30 calendar days (extendable by up to two further months for complex requests, with notice given):

Right | Description
Access (Subject Access Request) | Obtain a copy of your personal data and information about how it is processed
Rectification | Correct inaccurate or incomplete data we hold about you
Erasure (Right to be Forgotten) | Request deletion of your data (subject to legal retention requirements)
Restriction of Processing | Limit how we process your data in certain circumstances
Data Portability | Receive your data in a structured, machine-readable format
Object to Processing | Stop processing for direct marketing or legitimate interests
Withdraw Consent | Withdraw consent at any time (without affecting prior lawful processing)
Human Review of AI Decisions | Request human review of any automated decision with significant effects on you
Complaint to the ICO | Lodge a complaint at ico.org.uk or 0303 123 1113

To exercise your rights, submit a request to admin@ainavi.co.uk with proof of identity and details of your request. There is no charge for most requests. We may decline requests that are manifestly unfounded or excessive.

9. Security Measures

We implement appropriate technical and organisational security measures including:

  • Technical: Encryption in transit (TLS 1.3), encryption at rest for sensitive data, firewalls, regular security assessments
  • Organisational: Staff training, role-based access controls, data minimisation, need-to-know policies
  • Procedural: Incident response plan, regular backups, Data Protection Impact Assessments (DPIAs) for high-risk processing
  • AI-Specific: Output monitoring, human oversight mechanisms for AI systems, regular bias audits where applicable

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.

10. Children's Data Protection

We do not knowingly collect personal data from children under 13 without verifiable parental or guardian consent. Where our services are directed at or likely to be accessed by children, we apply the ICO's Children's Code (Age Appropriate Design Code) standards. If you believe we have collected data about a child without appropriate consent, please contact us immediately at admin@ainavi.co.uk.

11. Data Protection Impact Assessments (DPIAs)

In line with UK GDPR Article 35 and ICO guidance, we conduct DPIAs before introducing new processing activities likely to result in high risk to individuals — including the deployment of new AI features, large-scale data processing, or systematic profiling. Records of our DPIAs are maintained and made available to the ICO on request.

12. Policy Updates

We will post policy changes on this page with a new "Last Updated" date. For material changes affecting your rights, we will notify users via email where we hold your contact details. Previous versions are archived and available on request.

13. Contact and Complaints

For data protection queries or to exercise your rights:

Email: admin@ainavi.co.uk
Supervisory Authority: Information Commissioner's Office (ICO)
ICO Website: ico.org.uk
ICO Helpline: 0303 123 1113

EU/EEA residents may also contact the relevant data protection authority in their Member State.

Part 3: Cookie Policy

Last Updated: March 2026

This Cookie Policy explains how ainavi.co.uk uses cookies and similar tracking technologies on our Website, in compliance with the Privacy and Electronic Communications Regulations (PECR) and the ICO's guidance on cookies and similar technologies (updated under DUAA 2025).

1. What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They help websites function correctly, remember your preferences, and provide information to website owners. Similar technologies include web beacons, pixel tags, and local storage objects.

2. How We Use Cookies

Category | Purpose | Examples | Consent Required
Essential / Strictly Necessary | Core website functionality, security, user sessions | Session cookies, login security, CSRF protection | No — these cannot be turned off
Performance / Analytics | Understanding how users interact with the site to improve it | Google Analytics (IP anonymisation enabled) | Yes — opt-in required
Functional | Remembering your preferences for an enhanced experience | Language preferences, display settings | Yes — opt-in required
Targeting / Advertising | Showing relevant advertising and measuring ad effectiveness | Google Ads, Meta Pixel (Facebook) | Yes — opt-in required
AI Feature Cookies | Supporting AI-powered features and personalisation | AI session context, recommendation preferences | Yes — opt-in required

3. Consent Management

In accordance with PECR and ICO guidance, we operate a cookie consent mechanism that:

  • Requires a clear, affirmative action ("opt-in") before setting any non-essential cookies
  • Presents equally prominent Accept and Reject options — we do not use dark patterns
  • Provides granular controls by cookie category
  • Allows you to change your preferences at any time via the Cookie Settings link in our website footer
  • Records a timestamp and reference for your consent, retained for 3 years as evidence of compliance
  • Does not use pre-ticked boxes, nudging language, or consent walls that deny access if you decline

Note: Withdrawing consent for non-essential cookies will not affect your ability to use the core features of our Website. Some features powered by third-party services may be unavailable if you decline those cookies.

4. Third-Party Cookies

Some cookies on our Website are set by third-party services. We have no direct control over these cookies. Third-party providers include:

  • Google Analytics — analytics; see Google's Privacy Policy at policies.google.com/privacy
  • Google Ads — advertising (consent required); see Google's Privacy Policy
  • Meta (Facebook) Pixel — advertising (consent required); see Meta's Data Policy
  • Stripe / PayPal — payment processing (essential for transactions)

Where third-party cookies involve transfers outside the UK, appropriate safeguards (see Privacy Policy Section 6.2) are in place.

5. Managing and Deleting Cookies

In addition to our consent tool, you can manage cookies through your browser settings. Most browsers allow you to:

  • View, block, or delete cookies
  • Set preferences for specific websites
  • Enable "Do Not Track" signals

Note that disabling all cookies, including essential ones, may prevent parts of our Website from functioning correctly. For guidance on managing cookies in your browser, visit aboutcookies.org.

6. Cookie Policy Updates

We will update this Cookie Policy when we add new cookies or change how we use existing ones. Material changes will be reflected in an updated "Last Updated" date and, where your consent is affected, you will be presented with a refreshed consent notice.

Part 4: AI Transparency Notice

Last Updated: March 2026

This Notice is provided in compliance with EU AI Act (Regulation 2024/1689), UK GDPR Article 22, ICO Guidance on AI and Data Protection, and the Data (Use and Access) Act 2025. It discloses how artificial intelligence is used on this Website and what rights you have in relation to AI-driven processes.

1. Our Use of AI

ainavi.co.uk is an AI navigation and information website. We use artificial intelligence in the following ways:

AI Feature | Description | EU AI Act Risk Classification | Personal Data Used
AI Content Recommendations | Suggesting relevant content based on browsing behaviour | Minimal Risk | Usage data, preferences (with consent)
AI Chatbot / Assistant | Answering user questions and providing navigation assistance | Limited Risk (transparency obligations apply) | Queries submitted; no sensitive data stored
Automated Content Generation | AI-assisted generation of informational content | Minimal Risk | None (content-level only)
Analytics & Personalisation | Understanding user needs to improve the service | Minimal Risk | Anonymised usage data

We do not currently operate any AI system classified as High-Risk under EU AI Act Annex III (such as AI in recruitment, credit scoring, law enforcement, or critical infrastructure) without the full compliance measures those classifications require.

2. Prohibited AI Practices — Our Commitments

As required by EU AI Act Article 5 (applicable from 2 February 2025), we confirm that we do not use and will never use:

  • AI systems that use subliminal or deceptive techniques to manipulate user behaviour in harmful ways
  • AI systems that exploit vulnerabilities of individuals based on age, disability, or socio-economic circumstances
  • AI-powered social scoring systems that evaluate or classify people in ways that could cause harm
  • Real-time remote biometric identification systems in publicly accessible spaces
  • AI systems that make inferences about protected characteristics (race, political opinions, religion, biometric data) for profiling
  • AI-generated deepfakes presented as real without clear disclosure

3. AI Transparency Obligations (EU AI Act Article 50)

For AI systems that interact directly with users (such as chatbots or AI assistants), we comply with Article 50 transparency obligations:

  • You will always be clearly informed when you are interacting with an AI system rather than a human.
  • AI-generated text, images, audio, or video content will be labelled or disclosed as AI-generated where this is material to your understanding.
  • We will not deploy AI systems designed to pass as human without clear disclosure.

4. Third-Party AI Services

We may use third-party AI APIs or platforms to deliver features on this Website. Where we do so:

  • We have entered into appropriate data processing agreements with those providers.
  • We have assessed their compliance with relevant data protection and AI regulations.
  • We will update this notice if we add new AI services that process your personal data.

Current third-party AI providers used: [List specific AI APIs/services used — e.g., OpenAI, Anthropic, Google AI — PLEASE COMPLETE].

5. AI and Data Protection

Our use of AI complies with the following data protection principles as applied to AI by the ICO:

  • Lawfulness, Fairness, and Transparency: We disclose AI use clearly and only process data for AI on a valid lawful basis.
  • Purpose Limitation: Data collected for one purpose will not be repurposed for AI training without your consent.
  • Data Minimisation: We use the minimum data necessary for AI features to function.
  • Accuracy: We monitor AI outputs for accuracy and take steps to correct errors affecting individuals.
  • Bias Mitigation: We assess our AI systems for potential discriminatory outcomes and take corrective action where disparities are identified.
  • Human Oversight: Meaningful human oversight is maintained for AI decisions that could significantly affect you.

6. Your Rights in Relation to AI

In addition to the rights listed in the Privacy Policy (Part 2), you have the following specific rights in relation to AI processing:

  • Right to be Informed: You have the right to know when and how AI is being used in relation to you.
  • Right to Human Review: For any automated decision that produces significant effects, you may request that the decision be reviewed by a human with genuine authority to overturn it.
  • Right to Explanation: You may request a meaningful explanation of how an AI decision affecting you was made.
  • Right to Contest: You may contest AI-based decisions that you believe are wrong or unfair.
  • Right to Object: You may object to automated profiling at any time.

To exercise these rights, please contact admin@ainavi.co.uk with the subject line "AI Rights Request".

7. AI Governance

We are committed to responsible AI governance:

  • We conduct AI impact assessments before deploying new AI systems or significantly changing existing ones.
  • We maintain records of AI systems in use, their purposes, and the data they process.
  • We review this AI Transparency Notice at least annually and after any material change to our AI use.
  • We monitor developments in UK and EU AI regulation and update our practices accordingly.

8. Contact for AI-Related Queries

For questions about our use of AI, to exercise AI-related rights, or to report concerns about AI outputs:

Email: admin@ainavi.co.uk
Subject Line: AI Transparency / AI Rights Request
Response Time: 30 calendar days

You may also raise concerns with the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.

Appendix: Compliance Reference Summary

This appendix provides a quick-reference overview of the key legislation and guidance reflected in this document.

Law / Regulation | Jurisdiction | Key Obligations Addressed | Status
UK GDPR | United Kingdom | Lawful bases, rights, DPIAs, security | In force
Data Protection Act 2018 | United Kingdom | Supplements UK GDPR; enforcement | In force
Data (Use and Access) Act 2025 | United Kingdom | ADM reforms, research provisions, AI code of practice | In force (phased: Jun 2025–Jun 2026)
PECR 2003 | United Kingdom | Cookies, electronic marketing, consent | In force
EU AI Act 2024/1689 | EU/EEA (extra-territorial for UK sites serving EU users) | Prohibited practices (Feb 2025), GPAI obligations (Aug 2025), High-risk (Aug 2026) | Phased implementation
Consumer Rights Act 2015 | United Kingdom | Liability limitations, unfair terms | In force
Copyright, Designs & Patents Act 1988 | United Kingdom | IP ownership, AI-generated content | In force

Legal Disclaimer

This document has been prepared to incorporate current UK and EU data protection and AI regulatory requirements as of March 2026. It is provided for guidance purposes and does not constitute legal advice. Laws and regulatory guidance are subject to change. You should seek independent legal advice to ensure this document is appropriate for your specific circumstances, business model, and technical infrastructure.