GDPR & Data Protection

Your rights and how we comply

UK-GDPR
Effective Date: 2025-01-27
Last Updated: 2025-10-16

1. What is GDPR/UK-GDPR?

The General Data Protection Regulation (GDPR) and UK-GDPR are data protection laws that give you control over your personal data. Navvico Ltd is committed to protecting your privacy and ensuring compliance with these regulations.

Data Controller

2. Data Protection Principles

We process personal data in accordance with the following principles:

Lawfulness, Fairness & Transparency

We process data lawfully, fairly, and transparently, with clear information about how we use your data.

Purpose Limitation

We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.

Data Minimisation

We only collect and process data that is adequate, relevant, and limited to what is necessary.

Accuracy

We take reasonable steps to ensure data is accurate and up-to-date, and correct or delete inaccurate data.

Storage Limitation

We keep data only for as long as necessary for the purposes for which it was collected.

Integrity & Confidentiality

We implement appropriate security measures to protect data against unauthorised access, alteration, or disclosure.

3. Lawful Bases for Processing

We process personal data based on the following lawful bases:

Contract Performance

Processing necessary to provide our route optimization services and fulfill our contractual obligations to you.

Legitimate Interests

Product improvement, fraud prevention, and business analytics to enhance our services and protect our business.

Consent

Marketing communications and non-essential cookies where you have given explicit consent.

Legal Obligation

Processing required to comply with legal obligations such as tax reporting and regulatory requirements.

4. Your Rights Under GDPR/UK-GDPR

You have the following rights regarding your personal data:

Right of Access

Request copies of your personal data and information about how we process it.

Right of Rectification

Correct inaccurate or incomplete personal data we hold about you.

Right of Erasure

Request deletion of your personal data in certain circumstances.

Right of Restriction

Limit how we process your data in certain circumstances.

Right of Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for marketing purposes.

Identity Verification: We may need to verify your identity before processing certain requests to protect your data security.

5. How to Make a Subject Access Request (SAR)

You can request access to your personal data by following these steps:

Submit Your Request

  • Email: privacy@navvico.com
  • Post: 123 Business Street, London, SW1A 1AA, United Kingdom
  • Include "Subject Access Request" in the subject line

What to Include

  • Your full name and contact details
  • Description of the data you're requesting
  • Time period (if specific)
  • Preferred format for receiving data

Response Timeframes

  • We respond within 1 month
  • May extend by 2 months for complex requests
  • We'll inform you of any delays

What You'll Receive

  • Copy of your personal data
  • Information about processing purposes
  • Details of data sources and recipients
  • Retention periods and your rights

6. Complaints

If you have concerns about how we handle your personal data, you can:

Contact Us First

Email: privacy@navvico.com

We aim to resolve complaints within 30 days.

UK ICO

Website: ico.org.uk

Phone: 0303 123 1113

EU Residents: If you're in the EU, you can also contact your local supervisory authority for data protection matters.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Technical Measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Secure authentication and access controls
  • Regular security updates and patches
  • Network security and firewalls
  • Secure data backup and recovery

Organizational Measures

  • Staff training on data protection
  • Access controls and role-based permissions
  • Regular security audits and assessments
  • Incident response procedures
  • Data protection by design and default

8. International Transfers

Where we transfer personal data outside the UK/EU, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Approved contractual terms for international transfers
  • Adequacy Decisions: Transfers to countries with adequate data protection
  • Binding Corporate Rules: Internal data protection policies for multinational companies
  • Certification Schemes: Approved certification mechanisms

We will update this section if we add any international data transfers.

9. Records and Assessments

Data Protection Impact Assessment (DPIA)

We conduct DPIAs for high-risk processing activities, such as:

  • Large-scale processing of personal data
  • Systematic monitoring of individuals
  • Processing of special category data
  • Automated decision-making with legal effects

Records of Processing Activities (RoPA)

We maintain detailed records of our processing activities, including:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Recipients of personal data
  • Retention periods and security measures

Data Breach Handling

In the event of a data breach, we will:

  • Notify the ICO within 72 hours (where required)
  • Inform affected individuals without undue delay (where high risk)
  • Document all breaches and remedial actions taken
  • Review and improve security measures as needed

11. Contact Us

If you have any questions about data protection or wish to exercise your rights, please contact us:

General Data Protection Inquiries

Email: privacy@navvico.com

We aim to respond within 48 hours

Postal Address

123 Business Street, London, SW1A 1AA, United Kingdom

Legal Disclaimer

This privacy policy is for informational purposes only and does not constitute legal advice. Please consult with a qualified legal professional for specific legal guidance.