SyannaUI Technologies Private LimitedData controller & platform operator
1. Introduction and identity of the data controller
This Privacy Policy (“Policy”) governs the collection, processing, storage, use, disclosure, and protection of personal data by SyannaUI Technologies Private Limited, a company incorporated under the Companies Act, 2013, with its registered office at Bangalore, Karnataka, India(“Company”, “we”, “us”, or “our”).
The Company operates the NAVOX AI platform accessible at www.navox.ai (“Platform”). The product name under which services are offered is NAVOX AI.
For the purposes of applicable data protection legislation, including the Digital Personal Data Protection Act, 2023 of India (“DPDP Act”), the Company acts as a Data Fiduciary in respect of personal data processed through the Platform. For users located in the European Economic Area or the United Kingdom, the Company acts as Data Controller within the meaning of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK General Data Protection Regulation (“UK GDPR”), respectively.
We recognise that privacy is a fundamental right. NAVOX AI is designed to collect only the data needed to provide flight search assistance, to operate transparently, and to give you meaningful choices. This Policy explains in plain and precise terms what data we collect, why we collect it, how we protect it, and what your rights are.
2. Scope of this Policy
This Policy applies to:
- all users who access or use the Platform on any device;
- all visitors to www.navox.ai;
- any individuals who contact us by email, support channels, or any other means.
This Policy does not apply to third-party applications, services, or websites that may be linked from the Platform (for example airline or booking sites). We encourage you to review the privacy policies of any third parties with whom you interact.
By using the Platform, you acknowledge that you have read, understood, and agreed to this Policy. If you do not agree to this Policy, you must discontinue use of the Platform immediately.
3. Categories of personal data we collect
We follow the principle of data minimisation: we collect only what is necessary to deliver and operate the Platform. The categories of personal data we currently collect are set out below.
3.1 Trip and search data
When you use chat or manual search, we process information you provide, including:
- origin, destination, and airport preferences;
- travel dates, passenger counts, and cabin class;
- chat messages and search queries used to interpret your trip requirements;
- optional filters (for example airline, price, or departure-time preferences).
3.2 Technical and device data
We collect limited technical data necessary for the Platform to function, including:
- IP address, browser type, device type, and operating system;
- timestamps, request metadata, and diagnostic or error logs;
- aggregated or anonymised usage data to maintain reliability and security.
3.3 Browser storage
The Platform may store limited data in your browser (for example cookie consent, display preferences, or draft trip handoff between pages) as described in our Cookie Policy. This data remains on your device unless transmitted as part of a search request.
3.4 Contact and support data
If you contact us, we process your email address, message content, and any information you choose to provide in order to respond to your enquiry.
3.5 Data we do not collect
We expressly confirm that we do not currently collect:
- precise geolocation from your device (unless you voluntarily type a place name in search);
- government identity documents, passport numbers, or payment card details through the Platform;
- biometric data;
- advertising profiles or cross-site behavioural tracking for marketing purposes;
- account passwords or PINs (the Platform does not require a registered account today).
4. Legal bases for processing personal data
We process personal data only where a valid legal basis exists. The applicable legal bases vary depending on your jurisdiction.
4.1 Indian users — Digital Personal Data Protection Act, 2023
For users located in India, we rely on the following lawful grounds under the DPDP Act:
- Consent — where you submit trip details or chat messages, or accept cookies where consent is required.
- Legitimate use — processing technical and operational data necessary to provide the contracted service, maintain security, and prevent abuse.
4.2 European Economic Area and UK users — GDPR and UK GDPR
For users located in the EEA or the UK, we rely on the following legal bases:
- Article 6(1)(b) GDPR — Performance of a contract: processing is necessary to provide the NAVOX AI service under our Terms.
- Article 6(1)(f) GDPR — Legitimate interests: processing of technical and security data is necessary for our legitimate interests in maintaining Platform security and preventing fraud, provided those interests are not overridden by your rights.
- Article 6(1)(a) GDPR — Consent: where we rely on consent (for example non-essential cookies), you may withdraw it at any time.
4.3 United States users
For users in the United States, we process personal data as described in this Policy. Users in California have additional rights under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), which are set out in Section 20 of this Policy.
5. Purposes of processing
We use personal data solely for the following specified purposes:
- providing AI-assisted flight search and fare comparison;
- retrieving live fare snapshots from third-party travel data providers;
- formatting, ranking, and displaying search results;
- responding to support requests and customer service enquiries;
- maintaining the security, integrity, and performance of the Platform;
- detecting and preventing fraud, abuse, and prohibited conduct;
- complying with applicable legal obligations;
- improving the Platform using aggregated, anonymised technical data.
We do not process personal data for behavioural advertising. We do not sell personal data. We do not profile users for marketing.
6. Children’s privacy
6.1 Minimum age of use
The Platform is available to users aged 13 years and above. Users under the age of 13 are strictly prohibited from using the Platform.
6.2 Users aged 13 to 17 — Indian users (DPDP Act)
Under the DPDP Act, 2023, a “child” is defined as any individual below the age of 18 years. We are required to obtain verifiable parental or guardian consent before processing personal data of users aged under 18 years who are resident in India. By using the Platform, users aged 13 to 17 resident in India confirm that their parent or legal guardian has reviewed and consented to this Policy. We reserve the right to verify this consent and to restrict access where such consent cannot be verified.
6.3 Users under 13 — COPPA compliance (US users)
We do not knowingly collect personal information from children under the age of 13 years in the United States. If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take immediate steps to delete such data. Parents or guardians who believe we may hold data about a child under 13 may contact us at privacy@silentum.app.
6.4 Age verification
While we do not employ technical age verification at first use, use of the Platform by persons under 13 is strictly prohibited. We encourage parents and guardians to monitor their children’s device usage.
7. Data sharing and disclosure
We do not sell, rent, or trade personal data. Disclosure of personal data is limited to the following circumstances:
7.1 Service providers and data processors
We engage trusted third-party service providers who process personal data on our behalf and strictly in accordance with our instructions, for purposes including:
- cloud hosting and infrastructure;
- AI model providers used to interpret chat and search intent;
- travel data providers used to retrieve fare and schedule information;
- optional translation or analytics services where enabled.
All such providers are bound by contractual obligations requiring them to maintain appropriate data protection standards.
7.2 Legal obligations
We may disclose personal data where required to do so by applicable law, court order, or the direction of a competent regulatory or governmental authority. We will, where legally permissible, notify affected users of any such disclosure request.
7.3 Protection of rights
We may disclose personal data where necessary to prevent, investigate, or take action in respect of illegal activity, suspected fraud, or a threat to the safety of any person.
7.4 Business transfers
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity, subject to the same protections as described in this Policy. We will provide notice prior to any such transfer where practicable.
7.5 Aggregated and anonymised data
We may share aggregated, anonymised, or de-identified statistical data with third parties for research or analytical purposes. Such data cannot reasonably be used to identify any individual.
8. International data transfers
NAVOX AI may be accessed globally. Where personal data is transferred outside the country of origin, we take appropriate safeguards to ensure continued protection of your data.
8.1 Transfers from India
Cross-border data transfers from India are governed by the DPDP Act, 2023 and any rules notified by the Central Government thereunder. We will comply with applicable transfer restrictions and ensure that personal data transferred outside India is afforded equivalent protection.
8.2 Transfers from the European Economic Area
Where personal data is transferred from the EEA to a third country that is not subject to an adequacy decision by the European Commission, we will implement appropriate safeguards as required by Chapter V of the GDPR, including Standard Contractual Clauses (“SCCs”) as adopted by the European Commission. A copy of the applicable transfer mechanism may be requested by contacting us at privacy@silentum.app.
8.3 Transfers from the United Kingdom
Transfers of personal data from the United Kingdom to third countries are governed by the UK International Data Transfer Agreement (“IDTA”) or equivalent mechanism as approved by the UK Information Commissioner’s Office. We will ensure that appropriate safeguards are in place for any such transfers.
9. Data retention
We retain personal data only for as long as is necessary for the purposes described in this Policy, or as required by applicable law.
- Search and chat inputs — processed to fulfil your request; server logs may be retained for a limited period for security and troubleshooting.
- Browser storage — retained on your device until you clear it or until it expires as described in our Cookie Policy.
- Support correspondence — retained as long as needed to resolve your enquiry and for a reasonable period thereafter.
- Technical and error log data — retained in aggregated or anonymised form for up to 12 months for security and operational purposes.
- Legal hold data — where we are subject to a legal obligation to retain data, we will do so notwithstanding a deletion request until the legal hold is lifted.
You may clear browser storage associated with the Platform through your browser settings. If we introduce registered accounts in the future, account deletion procedures will be described at that time.
10. Security of personal data
We implement technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:
- Transport Layer Security (TLS) for data transmission;
- access controls limiting employee and contractor access to personal data;
- secure hosting and infrastructure practices;
- monitoring and logging designed to detect abuse and security incidents;
- periodic review of security practices as our operations evolve.
While we employ robust security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but will endeavour to use commercially reasonable means to protect your personal data and will notify you and applicable regulatory authorities in the event of a data breach as required by law.
11. Cookies and tracking technologies
Our website may use essential cookies and browser storage necessary for the Platform to function. We do not use advertising or cross-site tracking cookies as described in our Cookie Policy, available at https://www.navox.ai/cookies. Where consent is required by applicable law, we will obtain it through our cookie banner.
12. Your rights as a data principal or data subject
Depending on your jurisdiction, you have certain rights in relation to your personal data. We will respond to any valid request within the timeframes prescribed by applicable law, and in no event later than 30 days from the date of receipt.
12.1 Rights under the DPDP Act (Indian users)
As a Data Principal under the DPDP Act, you have the right to:
- Access — obtain a summary of the personal data we hold about you and the purposes for which it is processed;
- Correction and erasure — require us to correct inaccurate data and to erase personal data where we are no longer required to retain it;
- Grievance redressal — raise a grievance with our Grievance Officer (Section 22);
- Nomination — nominate another individual to exercise your rights in the event of your death or incapacity;
- Withdraw consent — withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
12.2 Rights under GDPR and UK GDPR (EEA and UK users)
As a Data Subject under the GDPR or UK GDPR, you have the right to:
- access (Article 15);
- rectification (Article 16);
- erasure (Article 17);
- restriction (Article 18);
- data portability (Article 20);
- objection (Article 21);
- withdraw consent (Article 7(3));
- lodge a complaint with the supervisory authority in your EU Member State or with the UK Information Commissioner’s Office (ICO) at www.ico.org.uk.
12.3 How to exercise your rights
To exercise any of the above rights, please contact our Privacy team at privacy@silentum.app. We will verify your identity before processing any request. We do not charge a fee for the exercise of data rights, except where requests are manifestly unfounded or excessive.
13. Automated decision-making and profiling
The Platform uses artificial intelligence to interpret natural-language requests, suggest airports, and format search parameters. These tools assist your search but do not make binding travel or booking decisions on your behalf — you review results and complete any purchase on a third-party site.
We do not make decisions about you solely by automated means that produce legal or similarly significant effects. We do not profile users for commercial, behavioural, or advertising purposes.
14. Third-party services and integrations
The Platform currently relies on third-party services to operate, including:
- AI model providers to interpret chat and search intent;
- travel data providers to retrieve fare and schedule information;
- cloud hosting and infrastructure providers;
- optional translation services where enabled on a deployment.
We do not use third-party advertising trackers such as Google Analytics or Meta Pixel for behavioural marketing on the Platform as described in our Cookie Policy.
When you follow links to airline or booking websites, those sites process your data under their own privacy policies. We will update this Policy prior to introducing any new category of third-party processing that materially changes how we handle personal data, and where required by law, we will obtain fresh consent.
15. Communications from us
We do not send marketing or promotional communications by default. We will only contact you in connection with:
- responses to support enquiries you initiate;
- important legal or security notices relating to your use of the Platform;
- updates to this Privacy Policy or our Terms as required by applicable law.
If we introduce optional marketing communications in the future, we will obtain your separate, express consent.
16. Data minimisation and privacy by design
NAVOX AI is built on privacy-by-design principles consistent with Article 25 of the GDPR and the DPDP Act. This means:
- Data minimisation — we collect only the minimum data necessary to provide flight search assistance;
- Purpose limitation — we use data only for the purposes stated in this Policy;
- Storage limitation — data is not held beyond the periods described in Section 9;
- Security by design — safeguards are embedded in how the Platform is operated, not added as an afterthought.
We conduct privacy reviews in connection with new features or processing activities involving personal data.
17. Incident response and data breach notification
In the event of a personal data breach, we will take the following steps:
- Internal response — assess scope and severity, contain the incident, and remediate the cause as quickly as practicable;
- Regulatory notification — notify the relevant supervisory authority within 72 hours where required by applicable law, including the Data Protection Board of India under the DPDP Act where applicable;
- User notification — notify you without undue delay where a breach is likely to result in high risk to your rights and freedoms, in clear, plain language.
Notifications will include the nature of the breach, likely consequences, measures taken or proposed, and contact details for further information.
18. Governing law and jurisdiction (privacy)
This Policy is governed by and construed in accordance with the laws of the Republic of India, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023, as amended from time to time.
For users in the EEA and UK, applicable provisions of the GDPR and UK GDPR are incorporated as mandatory overlay requirements. For users in the United States, applicable provisions of CCPA/CPRA are incorporated as mandatory overlay requirements.
Any dispute arising under this Policy shall be subject to the exclusive jurisdiction of the courts at Bangalore, Karnataka, India, save where mandatory consumer protection law in your jurisdiction requires otherwise.
19. Information Technology Act, 2000 and SPDI Rules compliance
As an Indian data fiduciary, we comply with the Information Technology Act, 2000 (as amended) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).
To the extent any personal data collected by us falls within the definition of Sensitive Personal Data or Information under the SPDI Rules, we will comply with the heightened obligations applicable thereto, including obtaining express consent prior to collection where required.
We maintain an information security programme as required by Rule 8 of the SPDI Rules and are committed to IS/ISO/IEC 27001 standards as applicable to our operations.
20. California privacy rights (CCPA / CPRA)
This section applies to residents of the State of California, United States, and supplements the rest of this Policy.
NAVOX AI does not sell your personal information. NAVOX AI does not share personal information for cross-context behavioural advertising.
California residents have the following rights:
- Right to Know — request disclosure of what personal information we have collected, the sources, the business purpose, and any third parties to whom it has been disclosed;
- Right to Delete — request deletion of personal information, subject to certain exceptions;
- Right to Correct — request correction of inaccurate personal information;
- Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights.
To submit a verifiable consumer request, please email privacy@silentum.app. We will respond within 45 days of receipt, with a possible extension of a further 45 days where reasonably necessary.
21. Other applicable jurisdictions
We endeavour to comply with applicable privacy and data protection laws in all jurisdictions in which the Platform operates. To the extent users are located in jurisdictions with specific data protection regimes not expressly addressed in this Policy (including but not limited to Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act 1988), or Singapore (PDPA)), we will apply data protection principles consistent with the highest applicable standard set out in this Policy and respond in good faith to any lawful data subject or data principal request made under such regimes.
22. Grievance Officer — India
In compliance with the Information Technology Act, 2000 and the DPDP Act, 2023, the details of the Company’s designated Grievance Officer are as follows:
Name: Grievance Officer, SyannaUI Technologies Private Limited
Email: privacy@silentum.app
Address: SyannaUI Technologies Private Limited, Bangalore, Karnataka, India
The Grievance Officer shall acknowledge your complaint within 48 hours and endeavour to resolve it within 30 days of receipt. Where a complaint relates to the processing of personal data, you may escalate unresolved complaints to the Data Protection Board of India once established under the DPDP Act.
23. Contact details for privacy requests
For all privacy-related enquiries, requests, and complaints, you may contact us as follows:
Email: privacy@silentum.app
Legal correspondence: SyannaUI Technologies Private Limited, Bangalore, Karnataka, India
We will respond to all requests within the timeframes required by applicable law and in no event later than 30 days from receipt.
24. Third-party links and embedded content
The Platform may contain links to third-party websites, applications, or services (including airlines and booking providers). We are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party services you interact with.
Where the Platform integrates third-party libraries or services necessary for operation (such as hosting or AI APIs), we select such providers carefully and require appropriate confidentiality and data protection obligations. No such integrations involve sharing personal data for advertising purposes.
25. Amendments to this Policy
We may amend this Policy from time to time to reflect changes in applicable law, regulatory guidance, or our data processing practices. Material changes will be communicated via the Website and, where we hold your contact details, by email, not less than 14 days prior to the change taking effect, unless a shorter notice period is required by applicable law.
The most current version of this Policy will always be available at https://www.navox.ai/privacy. The date of the most recent revision is shown at the top of this document.
Your continued use of the Platform following the effective date of any amendment constitutes your acceptance of the revised Policy. If you do not accept a material change, you must discontinue use of the Platform.
Previous versions of this Policy are available upon request by emailing privacy@silentum.app.
This Privacy Policy was prepared by SyannaUI Technologies Private Limited. For questions, contact privacy@silentum.app.