Privacy Policy
Last updated: April 28, 2026
AISupplyNav ("we," "us," "our") is operated by KCENAV.AI. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services at aisupplynav.ai. We are committed to protecting your data — especially the sensitive supply chain information you entrust to us.
1. Information We Collect
Information You Provide
- Account information: Email address used for magic-link authentication.
- Company profile data: Company name, industry, size, and supply chain details shared through our chat interface or assessment tools.
- Assessment responses: Answers to health assessments, risk questionnaires, and procurement benchmarking inputs.
- Chat conversations: Messages exchanged with our AI intake specialist and advisory tools.
- Payment information: Processed by Stripe. We do not store credit card numbers, CVVs, or bank account details on our servers.
Information Collected Automatically
- Usage data: Pages visited, features used, session duration, and interaction patterns (stored in our page_views and analytics tables).
- Device data: Browser type, operating system, screen resolution, and IP address.
- Cookies: Session identifiers and authentication tokens. See our Cookie Policy for details.
Supply Chain Data Sensitivity
We understand that supplier names, pricing, lead times, inventory levels, and procurement data are competitively sensitive. We treat all supply chain data you share with the same confidentiality as personally identifiable information — it is never disclosed to competitors, used for benchmarking against your interests, or shared with third parties except as described in this policy.
2. How We Use Your Information
- Service delivery: Generating health assessments, risk reports, demand forecasts, and procurement recommendations.
- AI processing: Sending relevant context to AI models to produce actionable supply chain intelligence. See our AI Use Policy for specifics.
- Account management: Authentication, session management, and subscription administration.
- Service improvement: Analyzing usage patterns to improve features and user experience.
- Communication: Transactional emails (magic links, assessment results, subscription updates). No marketing emails without explicit opt-in.
- Compliance: Meeting legal obligations, responding to lawful requests, and enforcing our Terms of Service.
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process personal data under these legal bases:
| Purpose | Legal Basis |
| Service delivery, assessments | Performance of contract (Art. 6(1)(b)) |
| Account authentication | Performance of contract (Art. 6(1)(b)) |
| Analytics & service improvement | Legitimate interest (Art. 6(1)(f)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
4. Third-Party Services & Data Sharing
We share data only with the following categories of service providers, under data processing agreements:
| Provider | Purpose | Data Shared |
| Stripe | Payment processing | Email, subscription details |
| AI model providers (multi-model) | Supply chain analysis | Anonymized context from your queries |
| Neon (PostgreSQL) | Database hosting | All application data (encrypted at rest) |
| Render | Application hosting | Application logs, request data |
We do not:
- Sell your personal data to anyone.
- Share your data with advertising networks.
- Allow third-party AI providers to train on your data. See our AI Use Policy.
- Disclose your supply chain data to competitors or industry aggregators.
5. Cookies & Tracking
We use a minimal set of cookies. For a complete breakdown, see our Cookie & Tracking Notice.
| Cookie | Type | Purpose | Duration |
| session_id | Essential | Session tracking | 30 days |
| user_id | Essential | Authentication state | 30 days |
We do not use third-party advertising trackers. Analytics are first-party only, stored in our own database.
6. Data Retention
- Account data: Retained while your account is active plus 30 days after deletion request.
- Assessment data: Retained for the life of your account to enable longitudinal supply chain analysis.
- Chat conversations: Retained for 12 months after last interaction, then anonymized.
- Analytics data: Aggregated after 90 days; raw data deleted after 12 months.
- Payment records: Retained as required by tax law (typically 7 years).
You can request early deletion at any time (see "Your Rights" below).
7. Data Security
- All data stored in encrypted PostgreSQL databases (AES-256) hosted in the United States.
- All connections use TLS 1.2+ encryption in transit.
- Authentication via time-limited magic links (15-minute expiry, single-use).
- Signed, HTTP-only, secure cookies with SameSite policy.
- No plaintext storage of passwords or payment credentials.
- Regular security reviews of application infrastructure.
8. Your Rights (GDPR — EEA/UK)
If you are in the European Economic Area or United Kingdom, you have the right to:
- Access: Request a copy of data we hold about you.
- Rectification: Correct inaccurate personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request we limit processing of your data.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw at any time.
We will respond to all GDPR requests within 30 days. You also have the right to lodge a complaint with your local data protection authority.
9. Your Rights (CCPA — California)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: What personal information we collect, use, and disclose.
- Right to Delete: Request deletion of personal information we hold.
- Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Data: Request we limit the use of sensitive personal information.
To exercise your rights, email privacy@kcenav.ai or use the chat widget on our homepage. We will verify your identity before processing requests.
10. Additional U.S. State Privacy Rights
Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out of data processing. Contact us at privacy@kcenav.ai to exercise these rights.
11. International Data Transfers
Our servers are located in the United States. If you access our services from outside the US, your data will be transferred to and processed in the US. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers.
12. Children's Privacy
AISupplyNav is a B2B service designed for business professionals. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
13. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email to active account holders and posted on this page with an updated "Last updated" date. Continued use of our services after changes constitutes acceptance of the updated policy.
For privacy inquiries, data requests, or complaints: