Privacy Policy

1. Who is the data controller

Naviho is operated by Naviho Ltd, a company registered in England and Wales, part of HM-D Group. Naviho Ltd is the data controller for personal data collected through this website and the Compliance Check.

Contact us about anything in this policy: info@naviho.com.

2. What we collect

When you run the free Compliance Check, we collect:

• Postcode of the property
• First line of the address (if you pick a result from the EPC register)
• Property type (house, flat, HMO, serviced accommodation, holiday let)
• HMO licence status
• Number of tenants
• Number of households
• Your email address
• Your answers to 11 compliance status questions: Gas Safety Certificate, EICR, current EPC, written tenancy agreement, deposit protected, Right to Rent check, landlord insurance, smoke and carbon monoxide alarms, habitation and condition standards, possession-process awareness, and complaints procedure

If you buy the GBP 29 Premium Compliance Report, Stripe collects payment details on our behalf. We never see your card number. Stripe sends us only a payment confirmation and the email you used at checkout.

3. Why we are allowed to use it (lawful basis)

Our lawful basis under Article 6(1)(a) UK GDPR is your explicit consent, given via the consent checkbox on the Compliance Check form. You can withdraw consent at any time by emailing info@naviho.com and we will delete your record.

If you buy a Premium Report, we also process the data under Article 6(1)(b) (performance of a contract) for the duration needed to deliver the report.

4. Where your data goes

We try to keep your data inside the EU/UK adequacy framework. Here is the full list of places it touches:

• Supabase (PostgreSQL, EU region) - this is where your health check record is stored.
• Naviho AWS Lambda (London, eu-west-2) - runs the compliance scoring logic.
• Amazon Bedrock (EU cross-region inference) - generates the structured score. The Bedrock EU profile keeps inference inside EU regions.
• UK Government Get-Energy-Performance-Data register (api.get-energy-performance-data.communities.gov.uk) - we send the postcode you give us to look up matching EPC records so you can pick the right property.
• Anthropic Claude (Claude Haiku 4.5) - for paying Premium Report customers only, used to generate the personalised remediation report. We use Anthropic EU processing where available, with US standard contractual clauses for the residual case.
• Resend (eu-west-1, Ireland) - delivers your report and follow-up emails.
• Stripe (UK / Ireland) - processes payments for the Premium Report.
• Google Workspace - any reply you send to a Naviho email lands in our info@naviho.com inbox, hosted in Google Workspace.

We do not sell your data. We do not share it with advertising networks. We do not run advertising or behavioural tracking on this site.

5. How long we keep it

We keep your health check record for 24 months from the date you submit it. We use this period for compliance audit purposes and to be able to answer questions about a report we generated for you. After 24 months, the record is deleted from our database.

Emails themselves are retained in Google Workspace according to its standard mailbox retention. You can ask us to delete any thread by emailing info@naviho.com.

6. Your rights under UK GDPR

You have the following rights, and we will action all of them at no cost:

• Access - get a copy of the data we hold on you.
• Rectification - have us correct anything that is wrong.
• Erasure - have us delete your record.
• Restriction - tell us to stop using your data while a question is resolved.
• Portability - get your data in a structured machine-readable format.
• Objection - object to a specific use of your data.
• No automated decision-making with legal effect - the compliance score is informational only. It does not produce a legal or similarly significant effect on you. The decisions about your property remain yours as the landlord.

To exercise any of these rights, email info@naviho.com. We aim to respond within 7 days and to action requests within 30 days.

7. Complaints

If you think we have handled your data badly, please tell us first so we can put it right. If you are still not happy, you can complain to the UK Information Commissioner's Office (ICO), the supervisory authority for data protection in the UK: ico.org.uk.

8. Children

Naviho is a service for landlords, tenants, and investors. It is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted data to us, email info@naviho.com and we will delete the record.

9. Cookies

See our separate Cookies Notice for what runs in your browser. Short answer: very little, and no advertising trackers.

10. Changes to this policy

If we change how we handle your data, we will update this page and update the "Last updated" date at the top. For material changes that affect existing customers, we will email you at least 14 days before the change takes effect.