Cold Navigator ("we", "us", or "our") operates the website coldnavigator.com and provides a B2B SaaS platform for LinkedIn outreach, email outreach, and sales automation (the "Service").
This Privacy Policy explains how we collect, use, store, share, and protect your personal data. It applies to all users of the Service, including visitors to our website, registered users, and any individuals whose data is processed through the Service.
We are committed to compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Turkish Personal Data Protection Law (KVKK, Law No. 6698), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.
1. Who We Are
Cold Navigator is operated by a legal entity with operations in:
- Republic of Turkiye
- United Kingdom
Our primary application servers and databases are hosted in Frankfurt, Germany (EU), on infrastructure provided by leading cloud providers.
Data Protection Contact: For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at: support@coldnavigator.com
2. Information We Collect
We collect and process the following categories of personal data:
a. Information You Provide to Us
- Account information: Name, email address, password (hashed, never stored in plain text), company name, and job title.
- Billing information: Payment details are processed directly by Dodo Payments, our PCI DSS-compliant payment processor. We do not store credit card numbers or full payment details.
- Support communications: Messages, emails, and any information you provide when contacting our support team.
- User-generated content: Campaign configurations, message templates, lead lists, tags, and notes you create within the Service.
b. Information Collected Automatically
- Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution.
- Usage data: Pages visited, features used, click patterns, session duration, and referral URLs.
- Log data: Server logs including timestamps, request URLs, response codes, and error information.
- Cookies and similar technologies: As described in our Cookie Policy.
c. Third-Party Account Data
When you connect third-party services to the platform, we may process:
- LinkedIn account data: Account identifiers, connection status, profile metadata, and campaign-related activity. LinkedIn session credentials are encrypted using AES-256-GCM and are never stored in plain text or exposed to our frontend application.
- Email account data (Gmail/Outlook): OAuth access tokens and refresh tokens (encrypted at rest using AES-256-GCM), email address, and display name. We access your email account only to send emails on your behalf and do not read or store your inbox contents.
- CRM integration data (e.g. HubSpot): Contact records and status information synchronized between the Service and your CRM, using OAuth-based authentication.
d. Lead Data Processed on Your Behalf
As a data processor acting on your instructions, we process lead data that you import or create within the Service, which may include:
- Names, job titles, company names, and LinkedIn profile URLs.
- Email addresses and phone numbers.
- Campaign enrollment status and interaction history.
- Custom fields and tags you define.
You are the data controller for this information and are responsible for ensuring you have a lawful basis to collect and process it.
3. How We Use Your Information
We use your personal data for the following purposes:
- Service delivery: To provide, operate, and maintain the Service, including executing campaigns, managing leads, and facilitating communications.
- Account management: To create and manage your account, authenticate your identity, and process subscriptions.
- Payment processing: To process payments and manage billing through Dodo Payments.
- Security and fraud prevention: To protect the Service and our users from unauthorized access, abuse, and fraudulent activity, including rate limiting, access controls, and monitoring.
- Service improvement: To analyze usage patterns, diagnose technical issues, and improve Service performance and features.
- Communications: To send you service-related notices, security alerts, billing notifications, and (with your consent) marketing communications.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
4. Legal Basis for Processing (GDPR/UK GDPR)
We process personal data under the following legal bases:
- Performance of a contract (Article 6(1)(b)): Processing necessary to deliver the Service and fulfill our contractual obligations to you.
- Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including security, fraud prevention, service improvement, and analytics, where these interests are not overridden by your rights.
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws and regulations.
- Consent (Article 6(1)(a)): Where you have given explicit consent, such as for marketing communications or non-essential cookies. You may withdraw consent at any time.
Legal Basis Under KVKK
For processing activities subject to Turkish law, we rely on the legal bases set forth in Article 5 of KVKK, including: explicit consent, performance of a contract, legitimate interests, and legal obligations.
5. Data Storage and Security
We implement industry-standard technical and organizational measures to protect your data:
- Hosting: Primary application servers and databases are hosted in Frankfurt, Germany (EU), within SOC 2 and ISO 27001 certified infrastructure.
- Encryption at rest: Sensitive data, including LinkedIn credentials, OAuth tokens, 2FA secrets, and proxy credentials, is encrypted using AES-256-GCM, an authenticated encryption mode.
- Encryption in transit: All data transmitted between your browser and our servers is protected using TLS 1.2 or higher (HTTPS enforced).
- Access controls: Role-based access control (RBAC) with five permission levels (owner, admin, manager, member, viewer). Row-level security (RLS) policies enforce data isolation between workspaces at the database level.
- Authentication: JWT-based authentication with secure session management. Support for multi-factor authentication.
- Rate limiting: Multiple layers of rate limiting to protect against brute-force attacks and abuse (authentication: 10 requests per 15 minutes; global: 300 requests per minute).
- Security headers: HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and other security headers enforced via Helmet.js.
- Monitoring: Centralized logging and monitoring for security incident detection and response.
- Personnel: Access to personal data is limited to authorized personnel on a need-to-know basis. All personnel with access are bound by confidentiality obligations.
6. Email Finder and Email Sender — Data Processing and Minimization
Cold Navigator is designed as a productivity and automation platform, not as a data collection service. We follow strict data minimization principles for email-related features.
Email Finder Feature
- Processes publicly available business contact information based on user input (name, company domain, LinkedIn profile data).
- Only publicly accessible or user-provided information is used to generate potential email addresses.
- Cold Navigator does not access private, confidential, or restricted databases.
- Results are generated in real time and are not retained after the session ends.
- We do not create, maintain, or sell any database of discovered email addresses.
Email Sender Feature
- Emails are sent through the user's own connected email account (Gmail/Outlook via OAuth). Cold Navigator does not send emails from its own infrastructure.
- Email content, recipient addresses, and delivery metadata are processed temporarily for technical delivery purposes.
- We do not permanently store email content, analyze message bodies, or use email data for purposes other than providing the feature.
- Delivery status information (sent, bounced, opened, clicked) may be retained for campaign reporting purposes and is associated with your account.
User Responsibility
You are the data controller for all recipient data and email content processed through these features. You are responsible for ensuring you have a lawful basis to contact recipients and that your use complies with applicable laws (GDPR, KVKK, CAN-SPAM, CASL, etc.).
7. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data to third parties. We may share data with the following categories of trusted service providers, solely for the purposes described in this policy:
Sub-processors
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Application hosting and infrastructure | EU (Frankfurt, Germany) |
| Database and authentication provider | Database hosting, user authentication, and real-time services | EU (Frankfurt, Germany) |
| Dodo Payments | Payment processing and subscription management | EU |
| Transactional email provider | System notifications and transactional email delivery | United States |
| Website analytics provider | Website traffic analysis and usage tracking | United States |
| User experience analytics provider | User experience analysis and session insights | EU |
| Security and CDN provider | Content delivery, DDoS protection, and bot prevention | Global |
Each sub-processor is bound by written data processing agreements imposing obligations no less protective than those in our Data Processing Addendum.
We may update the list of sub-processors from time to time. Material changes will be communicated with at least 14 days' notice.
Other Disclosures
We may also disclose personal data:
- To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- To protect the rights, property, or safety of Cold Navigator, our users, or the public.
- In connection with a merger, acquisition, or sale of assets, subject to the receiving party agreeing to protect your data consistent with this policy.
8. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. Our primary data processing takes place in:
- Frankfurt, Germany (EU) — Primary database and application servers
- Turkiye — Business operations
- United States — Certain sub-processors (analytics, transactional email)
Where data is transferred outside the EEA, UK, or Turkiye, we ensure appropriate safeguards through:
- EU Commission adequacy decisions, where applicable.
- Standard Contractual Clauses (SCCs) adopted under the GDPR (Commission Implementing Decision 2021/914).
- UK International Data Transfer Addendum (UK IDTA), where applicable.
- Other legal mechanisms recognized under KVKK and applicable data protection laws.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Account data: Retained for the duration of your account and for 30 days after account closure to facilitate data export requests.
- Billing data: Retained as required by applicable tax and accounting laws (typically 5-7 years).
- Usage and log data: Retained for up to 12 months for analytics and security purposes, then anonymized or deleted.
- Email Finder results: Not retained; generated in real time and discarded after the session.
- Email Sender data: Delivery metadata retained for campaign reporting during your subscription. Email content processed temporarily and not permanently stored.
- Support communications: Retained for the duration of your account plus 12 months.
- Marketing consent records: Retained for as long as necessary to demonstrate compliance.
You may request deletion of your account and associated data at any time by contacting us at support@coldnavigator.com. Upon deletion, data is permanently removed within 30 days, except where retention is required by law.
10. Your Rights
a. GDPR / UK GDPR Rights (EEA/UK Residents)
If you are located in the EEA or UK, you have the following rights:
- Right of access (Article 15): Request a copy of your personal data.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten").
- Right to restriction (Article 18): Request that we limit the processing of your data.
- Right to data portability (Article 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent (Article 7): Where processing is based on consent, withdraw at any time without affecting prior processing.
- Right to lodge a complaint: You may file a complaint with your local data protection authority.
b. KVKK Rights (Turkiye Residents)
If you are located in Turkiye, you have rights under Article 11 of KVKK, including:
- Learning whether your personal data is processed.
- Requesting information about the processing.
- Learning the purpose of processing and whether data is used in accordance with its purpose.
- Knowing the third parties to whom your data has been transferred.
- Requesting correction of incomplete or inaccurate data.
- Requesting deletion or destruction of your data under conditions set by law.
- Objecting to results obtained exclusively through automated systems that are against your interests.
- Requesting compensation for damages arising from unlawful processing.
c. CCPA/CPRA Rights (California Residents)
If you are a California resident, you have the following rights under the CCPA/CPRA:
- Right to know: Request information about the categories and specific pieces of personal information we have collected.
- Right to delete: Request deletion of personal information we have collected.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell personal information or share it for cross-context behavioral advertising.
- Right to non-discrimination: We will not discriminate against you for exercising your rights.
California residents may also designate an authorized agent to submit requests on their behalf.
d. Exercising Your Rights
To exercise any of the above rights, contact us at support@coldnavigator.com. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may request additional information to verify your identity before processing your request.
11. Cookies and Tracking Technologies
We use cookies and similar technologies as described in our Cookie Policy. Key points:
- Essential cookies are used for authentication and security (no consent required).
- Analytics and marketing cookies are used only with your consent.
- You can manage cookie preferences through our cookie consent banner or your browser settings.
12. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.
13. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices, content, or security of those websites. We encourage you to review the privacy policies of any third-party services you access.
14. LinkedIn and Third-Party Platform Compliance
Cold Navigator is an independent platform and is not affiliated with, endorsed by, or sponsored by LinkedIn Corporation, Google, Microsoft, or any other third-party platform. Users are responsible for ensuring their use of the Service complies with the terms, policies, and guidelines of any third-party platforms they connect to the Service.
15. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
- Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (as required by GDPR Article 33).
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
- For customers covered by our DPA, notify the Customer without undue delay to enable the Customer to fulfill their own breach notification obligations.
16. Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. At this time, our Service does not respond to DNT signals. However, you can control tracking through our cookie consent banner and browser settings.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we will provide notice via email or through the Service at least 14 days before the changes take effect.
Continued use of the Service after changes constitutes acceptance of the revised policy.
18. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
Email: support@coldnavigator.com