1. Data Fiduciary
The Data Fiduciary in respect of personal data processed through this website is:
| Legal name | Navi Consulting LLP |
| LLPIN | AAV-9372 |
| Registered office | 102, Chandramani CHS Ltd, Hanuman Road, Vile Parle (East), Mumbai 400 057, Maharashtra, India |
| param@gonavi.tech | |
| Telephone | +91 22 2613 8393 |
Navi Consulting LLP is not, at the date of this notice, classified as a "Significant Data Fiduciary" under section 10 of the Digital Personal Data Protection Act, 2023. We are nevertheless a small Data Fiduciary; the obligations described in this notice are those that apply to us in that capacity.
2. Scope of this notice
This notice applies to personal data we collect when you:
- visit
gonavi.techor any of its sub-pages; - submit the contact form on the website;
- send us an email or call the numbers published on the website; or
- connect with our pages on LinkedIn, Facebook, or Instagram (limited to the data you choose to send us through those platforms).
It does not cover personal data we process in the course of a paid client engagement, which is governed by the engagement letter and any separate data-processing terms agreed with the client.
3. Personal data we collect
3.1 Data you provide directly
When you submit the contact form we ask you to provide:
- Name (required)
- Email address (required)
- Organisation (optional)
- Telephone number (optional)
- Engagement category (selected from a fixed list)
- Message text — the description of your enquiry, which may contain such further personal data as you choose to include.
If you write to us by email or call us, we collect the information you choose to share through those channels.
3.2 Data collected automatically
When you submit the contact form, our hosting provider records the following technical metadata for security, audit, and abuse-prevention purposes:
- IP address from which the submission originated;
- Country derived from that IP address;
- User-Agent string sent by your browser;
- HTTP Referer header (where supplied by your browser);
- Timestamp of the request.
We do not run any web-analytics service, advertising pixel, social-media tracking pixel, or behavioural-profiling code on this website.
4. Purposes of processing
| Personal data | Purpose |
|---|---|
| Name, email, organisation, telephone, engagement category, message | To respond to your enquiry, evaluate whether we can assist, and (if you ask us to) send you a proposal or schedule a meeting. |
| IP address, country, User-Agent, Referer, timestamp | To prevent abuse of the contact form (spam, automated submissions, denial-of-service), to verify the CAPTCHA challenge, and to maintain security audit logs. |
| Email correspondence content | To carry on the engagement-evaluation conversation you initiated. |
5. Lawful basis
We process your personal data on the following lawful bases under the Digital Personal Data Protection Act, 2023:
- Consent (section 6) — when you tick the consent box on the contact form, you give us your free, specific, informed, unconditional, and unambiguous consent to process the data you have submitted for the specified purpose, in the manner described above. You may withdraw this consent at any time by writing to param@gonavi.tech.
- Legitimate use (section 7(a)) — for the additional purpose of preventing abuse of our website and maintaining security audit logs.
6. Sub-processors and recipients
To deliver this website and the contact-form workflow, we engage the following named sub-processors. We have entered into terms with each sub-processor that, taken together, are intended to discharge our obligations under section 8 of the Act. The list below is exhaustive at the date of this notice.
| Sub-processor | Function |
|---|---|
| Cloudflare, Inc. | Hosting of gonavi.tech on Cloudflare Pages; DNS resolution; serverless execution of the contact-form endpoint; provision of the privacy-preserving Turnstile CAPTCHA service used to defeat automated form submissions. |
| Resend (Resend, Inc.) | Transactional email delivery of contact-form submissions to our mailbox. |
| Microsoft Corporation | Hosting of the param@gonavi.tech mailbox on Microsoft 365 / Exchange Online, where contact-form submissions and any subsequent correspondence with you are stored. |
We do not sell, rent, trade, or share your personal data with any other third party for any other purpose. We do not use your personal data to train any artificial-intelligence or machine-learning system, ours or anyone else's.
7. Cookies and trackers
This website does not set any first-party cookies of its own. The Cloudflare Turnstile CAPTCHA, which loads only when the contact form is rendered, may set short-lived cookies strictly necessary to complete the CAPTCHA challenge. We do not use cookies for analytics, advertising, profiling, or any other non-essential purpose.
8. Retention periods
| Category | Retention |
|---|---|
| Contact-form submissions delivered to our mailbox | Retained for so long as the matter to which they relate remains live, and thereafter for up to 36 months for engagement-history reference, after which they are deleted unless retention is required to comply with law, defend a legal claim, or perform a contract. |
| Security and abuse-prevention logs (IP address, User-Agent, timestamp held by Cloudflare) | Retained in line with Cloudflare's standard log-retention practice and not separately retained by us. |
| Email correspondence after the matter has concluded | Up to 36 months from the date of the last substantive communication. |
You may at any time ask us to delete personal data we hold about you, subject to the exceptions set out in section 12(3) of the Act and rule 9 of the Digital Personal Data Protection Rules, 2025.
9. Cross-border transfers
Some of the sub-processors named in section 6 are headquartered outside India and may store or process personal data on infrastructure located outside India. The Central Government has not, at the date of this notice, restricted any of these jurisdictions under section 16 of the Act. We will update this notice and seek fresh consent if and when any such restriction is notified.
10. Security measures
Navi Consulting LLP is certified to ISO/IEC 27001:2022 (Information Security Management) and ISO/IEC 20000-1:2018 (Service Management) by InterCert Inc., USA, under the accreditation of United Accreditation Foundation (UAF). The technical and organisational measures we apply to personal data processed through this website include, in particular:
- HTTPS-only delivery with HSTS preload, automated certificate management, and TLS 1.2+ enforced;
- DNSSEC-signed authoritative DNS;
- DMARC, SPF, DKIM, MTA-STS, and TLS-RPT on the email domain;
- Server-side validation, sanitisation, length-capping, and CAPTCHA verification on the contact-form endpoint;
- Strict Content-Security-Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy HTTP response headers;
- No persistent storage of contact-form submissions on the website infrastructure.
No system can be guaranteed against compromise. Where we become aware of a personal-data breach affecting you, we will notify the Data Protection Board of India and you, in the manner and within the time limits prescribed by the Rules.
11. Your rights as a Data Principal
Under Chapter III of the Digital Personal Data Protection Act, 2023, you have the following rights in respect of personal data we hold about you:
- Right to access a summary of the personal data being processed and the processing activities undertaken (section 11);
- Right to correction, completion, updating, and erasure of personal data (section 12);
- Right of grievance redressal against us (section 13);
- Right to nominate another individual to exercise your rights in the event of your death or incapacity (section 14);
- Right to withdraw consent at any time (section 6(4)).
To exercise any of these rights, please write to param@gonavi.tech with the subject line "Data Principal Request". We will respond within the time limits prescribed by the Rules.
12. Children's data
This website is directed at organisations and adult professionals. We do not knowingly collect personal data from any individual under the age of 18 years. If you are aware that a child has submitted personal data to us, please write to param@gonavi.tech and we will delete it.
13. Grievance redressal
For any question, concern, complaint, or request relating to your personal data or to this notice, please contact:
- Officer responsible for grievance redressal
- Param Pravin Shah, Designated Partner
- param@gonavi.tech
- Postal address
- Navi Consulting LLP, 102, Chandramani CHS Ltd, Hanuman Road, Vile Parle (East), Mumbai 400 057, Maharashtra, India
- Telephone
- +91 22 2613 8393
- Acknowledgement
- We acknowledge grievances in writing within seven working days of receipt and resolve them within the timeframes prescribed by the Rules.
14. Changes to this notice
We may update this notice from time to time. The version number, last-updated date, and effective-from date at the top of the notice will reflect each change. Material changes will be brought to your attention by an in-page notice or, where you have an active correspondence with us, by email.
This notice is published in English. A version in another language listed in the Eighth Schedule to the Constitution of India will be made available on request.