Back to Home
GRAVY

Gravy Technologies Limited - Privacy Policy

Last Updated: 27 November 2025

Who We Are

Gravy Technologies Limited ("we", "us", "our", or "Gravy") is a company registered in England and Wales (Company No. 16715096) with its registered office at 88 Pentney Road, London, SW12 0NY, United Kingdom.

We are the data controller for the purposes of the personal data we collect through our app and services.

Questions about this Privacy Policy or how we handle your personal data:

Email: ali@gravyme.com

Data Protection Officer: Ali Tabba (ali@gravyme.com)

Personal Data We Collect

We collect and process the following personal data when you use Gravy.

Information You Provide

  • Phone number for account authentication
  • Name and email address (optional)
  • Country or region (UK or USA)
  • Financial goals and preferences you set in the app
  • If you choose to use ancillary financial features in future (for example, a wallet, card, or savings product), we may collect additional identification and verification information required by law (for example, proof of identity, address history, or tax status)

Financial and Account Data (via authorised third-party APIs)

When you link your bank accounts or financial providers through secure, open-banking connections, we access:

  • Account details such as institution name, account type, balance, currency, and last four digits
  • Transaction data such as amounts, dates, merchant names, categories, and locations
  • Institution identifiers such as bank name and codes

Some transactions may indirectly reveal special category data (for example, donations to political organisations or payments to health providers). We process such data only to provide the Gravy service, such as categorising spending and generating insights, and we do not use it for marketing or profiling.

Data Generated During Use

  • Voice recordings if you use the AI voice assistant, stored temporarily
  • Conversation history with our AI assistant
  • Goal progress and app interaction data
  • Device tokens for push notifications
  • Usage analytics such as features used and session times

How We Use Your Data

We use your data to:

  • Create and manage your account
  • Connect to and display your financial accounts
  • Generate personalised AI-powered insights
  • Track and show progress towards your financial goals
  • Send relevant notifications and updates
  • Improve performance, safety, and user experience
  • Detect and prevent fraud or unauthorised activity
  • Comply with legal and regulatory obligations

From time to time we may receive a fee or commission if you choose to take up a financial product or offer shown within Gravy. These payments never influence what we show you or the insights we provide. Recommendations are always based on what is relevant to you.

No sale or monetisation of personal data. We do not sell your personal data or transfer it to third parties for their own marketing or monetisation purposes.

Anonymised analytics and research. We may use anonymised and aggregated data to analyse financial trends, spending behaviour, and market patterns. This information cannot identify you and may be shared with trusted partners or used to improve our services. We will not allow third parties to target you based on your identifiable transaction history.

Legal Bases for Processing (UK GDPR)

We process your personal data under the following legal bases:

  • Consent for features such as linking accounts, using voice input, or receiving notifications
  • Contractual necessity to provide our core services and maintain your account
  • Legitimate interests to enhance and secure our platform, prevent fraud, and improve user experience
  • Legal obligation to comply with financial regulations, tax laws, or anti-money-laundering requirements

Who We Share Your Data With

We share your data only with:

  • Regulated financial data connectivity providers for secure account connections and payments
  • Cloud hosting and storage services for secure processing in UK or EU regions
  • Identity verification and fraud-prevention services for KYC, AML, sanctions, and PEP checks
  • Payments and messaging providers for authentication, SMS, email, and push notifications
  • Customer support tooling for ticketing and chat
  • Security and observability platforms for logging, monitoring, and alerting
  • Analytics and crash-diagnostics tools that use aggregated or de-identified data
  • Regulators and law enforcement where legally required
  • Professional advisers under strict confidentiality

All providers are contractually required to safeguard your data and process it only under our instruction.

We may share aggregated, anonymised data that cannot identify you with partners for market research or performance insights.

Data Retention

When you delete your account, we remove your personal data from active systems within 30 days and from backups within 90 days, except where we must retain limited records for legal or fraud-prevention purposes.

Data TypeRetention Period
Account, goals, and transaction dataFor the life of your account
Voice recordingsDeleted within 24 hours after processing
Conversation historyRetained until you delete your account
BackupsDeleted within 90 days after account deletion
Regulatory dataUp to 7 years where legally required

Automated Decision-Making and Profiling

Our AI and algorithms analyse transaction and goal data to categorise spending, evaluate progress, suggest relevant insights, and enhance transaction descriptions. These processes do not have any legal or similarly significant effect on you. Our algorithms are not influenced by advertising or payments and exist only to improve your experience. You may request human review of any automated output at any time.

Data Security

We maintain appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. These include encryption, access controls, and secure hosting environments.

We regularly review our security practices and work only with service providers that meet recognised security and compliance standards.

If a personal data breach occurs that may affect you, we will notify the relevant authorities and contact you without undue delay where required by law.

Your Rights (UK GDPR)

You have the right to access, rectify, erase, restrict, object, and port your data, to withdraw consent, and to request human review of automated decisions.

You remain in control of your data. You can disconnect linked accounts, delete your profile, or stop data processing at any time.

Identity verification. We may verify your identity before acting on a request, for example by sending a code to your registered phone or email or by requesting limited additional information.

Contact ali@gravyme.com to exercise your rights. We respond within one month and may extend by up to two further months for complex requests.

If you are unhappy with our handling of your data, you may contact the Information Commissioner's Office: 0303 123 1113 or https://ico.org.uk/make-a-complaint

If something does not look right with your data, please email ali@gravyme.com and we will do our best to put it right quickly.

Children's Privacy

Gravy is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a child's data has been submitted, contact ali@gravyme.com and we will delete it promptly.

Cookies and Online Advertising

We use cookies and similar tools on https://www.gravyme.com to:

  • Keep our website secure and functional
  • Understand general site usage
  • Improve our marketing effectiveness

Cookie categories we use:

  • Strictly Necessary cookies for security and login
  • Performance or Analytics cookies to understand usage
  • Functionality cookies to remember preferences

You can disable cookies in your browser at any time. If we use advertising technologies in future, we will update this policy and provide appropriate choices.

Additional Information for United States Residents

Scope

This section applies to US residents. Some information we process is covered by the Gramm-Leach-Bliley Act (GLBA). Where GLBA applies, state privacy laws such as the California Consumer Privacy Act (CCPA/CPRA) do not. For other personal data including analytics and marketing, state privacy rights apply.

Categories of Data Collected

  • Identifiers such as phone, email, and device ID
  • Customer records such as profile and settings
  • Commercial information such as in-app actions and subscriptions
  • Technical activity such as log data, analytics, and cookies
  • Geolocation (approximate only)
  • Inferences such as AI-generated insights
  • Financial information such as bank and transaction data
  • Sensitive information such as authentication data and account numbers used solely for security and service provision

Sale, Sharing, and Targeted Advertising

We do not sell personal information or share it for cross-context behavioural advertising. If this changes, we will provide a clear "Do Not Sell or Share My Personal Information" option and respect Global Privacy Control signals.

Your US State Privacy Rights

Subject to verification and legal exceptions, you may request access, deletion, and correction of personal information and, where applicable, opt out of sale or sharing. We will not discriminate against you for exercising your privacy rights.

How to exercise your rights: Email ali@gravyme.com with the subject "US Privacy Request." We may verify your identity by sending a code to your registered email or phone or through your account.

Authorised agents and appeals: You may appoint an authorised agent to submit requests on your behalf. If we decline a request, you may appeal within 45 days and we will respond with our decision and the reason.

Response times: We aim to respond within 45 days and may extend once by an additional 45 days where permitted.

GLBA and FTC Safeguards

We maintain a written information-security programme consistent with the FTC Safeguards Rule, including encryption, access controls, vendor due diligence, and incident-response procedures.

Changes to This Policy

We may update this Privacy Policy from time to time. Material updates will be notified via email or in-app message at least 30 days before they take effect. Minor updates will be reflected by revising the Last Updated date above.

Your continued use of Gravy after any change constitutes acceptance of the revised policy.

Contact Us

Email: ali@gravyme.com

Address: 88 Pentney Road, London, SW12 0NY, United Kingdom

Response time: within 5 business days for general queries, and within one month for formal data requests.