Privacy Policy

Last Updated: October 6, 2025
Effective Date: October 6, 2025

Introduction

Gravy Technologies Limited ("we" or "us") is a company registered in England and Wales whose registered office is at 88 Pentney Road, London, SW12 0NY, United Kingdom and whose registered number is 16715096. We are committed to protecting and respecting your privacy.

We are the data controller for the purposes of the personal data we collect via our mobile app and services.

If you have any questions about this privacy policy or how we handle your personal data, please contact us at ali@gravyme.com.

Data Protection Officer: Ali Tabba - ali@gravyme.com

Personal Data We Collect

When you use Gravy, we collect and process the following personal data:

Information You Provide

  • Phone number (for account authentication)
  • Name and email address (optional)
  • Country/region (UK or USA)
  • Financial goals you choose to set

Banking and Financial Data (via Plaid)

When you connect your bank account(s), we access through Plaid:

  • Account information (names, types, last four digits, balances, currency)
  • Transaction data (amounts, dates, merchant names, categories, locations)
  • Institution details (your bank's name and identifiers)

Important: You provide explicit consent to Plaid to share this data with us when you connect your accounts. Plaid is a regulated financial data aggregation service.

Data Generated During Use

  • Voice recordings when using the AI voice assistant (stored temporarily)
  • Conversation history with our AI assistant
  • Goal progress tracking data
  • Device push notification tokens
  • App usage data (features used, session times)
  • AI-generated financial analyses and insights

How We Use Your Data

Your personal data is used to:

  • Provide and manage your account and our services
  • Connect to your bank accounts and display financial information
  • Generate personalized AI-powered financial insights and analysis
  • Track progress toward your financial goals
  • Send push notifications about your finances
  • Provide our AI assistant for financial questions
  • Meet legal and regulatory requirements (e.g., KYC checks, AML compliance)
  • Improve and customize our app and services
  • Monitor for and prevent fraud and financial crime

Legal Basis for Processing

We process your personal data based on:

Consent: Banking data access via Plaid, voice recordings, and push notifications. You can withdraw consent at any time by disconnecting accounts, disabling notifications, or stopping use of voice features.

Contractual Necessity: To provide our services, we need to process your phone number, transaction data, goal data, and usage data. Without this data, we cannot provide the Gravy service to you.

Legitimate Interests: To improve our services, ensure security, prevent fraud, and maintain our technical operations. We have balanced these interests against your rights and freedoms.

Legal Obligation: To comply with financial regulations, anti-money laundering laws, and other legal requirements.

Who We Share Your Data With

We share your personal data with the following categories of third parties:

Essential Service Providers

  • Banking Partners: Plaid Inc. for secure data transmission, account connectivity, and payment processing
  • Cloud Infrastructure: Amazon Web Services (AWS) for secure data storage and processing (EU-West-2, London)
  • AI Services: OpenAI and Cerebras for generating financial insights, transaction analysis, and powering our AI assistant
  • Authentication: Twilio Inc. for SMS verification and phone number authentication
  • Push Notifications: Expo (650 Industries, Inc.) for sending app notifications

Regulatory and Legal

  • Financial Conduct Authority (FCA) for regulatory compliance and reporting
  • HM Revenue & Customs (HMRC) for tax reporting obligations where applicable
  • Law enforcement when legally required by court order or statutory obligation

Business Operations

  • Customer support platforms for managing inquiries
  • Analytics providers (anonymised data only) for service improvement
  • Legal and professional advisors (under confidentiality obligations)

All third-party providers are contractually bound to protect your data and use it only for specified purposes.

International Data Transfers

Your primary data is stored in Amazon Web Services data centers in the United Kingdom (EU-West-2 region).

We transfer personal data to the United States for processing by Plaid, OpenAI, Cerebras, Twilio, and Expo. The United States is not subject to an adequacy decision by the UK ICO. We rely on Standard Contractual Clauses (UK IDTA) and data processing agreements that require our processors to protect your data in accordance with UK GDPR standards.

You can obtain a copy of these safeguards by contacting us at ali@gravyme.com.

Data Retention

We retain your personal data for as long as necessary to provide our service and fulfill the purposes described in this policy.

While Your Account is Active

  • Transaction data, banking connections, and goal data: Account lifetime
  • Conversation history: Account lifetime (you can request deletion)
  • Financial analyses: Regenerated periodically; historical data retained for trend analysis
  • Voice recordings: Deleted within 24 hours after processing

After Account Deletion

  • Immediate deletion: All personal data permanently deleted from production systems within 30 days
  • Backup retention: Data in backups deleted within 90 days
  • Legal obligations: We may retain limited data for up to 7 years if required by financial regulations

Automated Decision-Making and Profiling

We use AI and automated systems for the following purposes:

Transaction Classification for Goals

Our AI automatically determines which transactions count toward your financial goals. The AI analyzes transaction details (merchant names, amounts, categories) against your goal conditions and assigns a confidence score. This affects progress indicators and may trigger notifications. You can manually override any AI classifications.

Financial Insights and Recommendations

AI generates personalized insights about your spending patterns and may suggest financial goals. These are advisory only and have no legal or binding effect. You remain in full control of all financial decisions.

Merchant Enhancement

AI improves transaction display by parsing merchant names and generating descriptions. This is purely presentational with no impact on financial calculations.

Your Rights: You can request human review of any automated decision, express your viewpoint, and contest decisions by contacting ali@gravyme.com. None of our automated processing produces legal effects or similarly significant effects prohibited under UK GDPR.

Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: All data encrypted in transit (TLS/HTTPS) and at rest (AWS RDS encryption)
  • Secure infrastructure: Data stored in isolated, private AWS infrastructure (VPC)
  • Access controls: Role-based access limits who can access your data
  • Security monitoring: Continuous monitoring for threats and anomalies
  • Third-party security: Our service providers maintain SOC 2 Type II and ISO 27001 certifications

In the unlikely event of a data breach that poses a risk to you, we will notify the ICO within 72 hours and notify you without undue delay.

Your Rights

Under UK GDPR, you have the following rights:

Right to Access: Request a copy of your personal data. You can view most data in the app (transactions, goals, conversations) or contact us for a complete copy.

Right to Rectification: Correct inaccurate data by updating your name and email in app settings. Transaction data reflects your bank records and cannot be edited.

Right to Erasure: Delete your account in app settings (Settings → Account → Delete Account) or contact us at ali@gravyme.com. All associated data will be permanently deleted.

Right to Restriction: Request we limit processing while verifying data accuracy or establishing our legitimate interests.

Right to Data Portability: Request your data in a structured, machine-readable format.

Right to Object: Object to processing based on legitimate interests or opt out of push notifications in app settings.

Right to Withdraw Consent: Withdraw consent at any time by disconnecting bank accounts, disabling notifications, or stopping use of voice features.

Rights Related to Automated Decisions: Request human review of any significant automated decision.

How to Exercise Your Rights

Contact us at ali@gravyme.com or use in-app settings. We will respond within one month of receipt. For complex requests, this may be extended to three months, and we will notify you of the extension.

In most cases, you will not pay a fee. However, if your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to comply.

Making a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Information Commissioner's Office:

Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

We encourage you to contact us first at ali@gravyme.com so we can try to resolve your concerns directly.

Required Information

To create and use a Gravy account, you must provide:

  • Phone number: Required by law for financial service authentication and by our Terms of Service
  • SMS verification code: Required to verify your identity

Consequence: You cannot create an account or use Gravy without a verified phone number.

To use specific features:

  • Bank connection (via Plaid): Required for transaction tracking and financial insights
  • Push notification token: Required to receive alerts (app works without notifications)
  • Microphone permission: Required for voice assistant (text assistant still available)

Name, email, specific goals, and AI conversations are optional.

Children's Privacy

Gravy is not intended for anyone under 18 years old. We do not knowingly collect personal data from children. If you are under 18, please do not use Gravy. If we learn we have collected data from a child under 18, we will delete it immediately. If you believe we have collected data from a child, contact us at ali@gravyme.com.

Changes to This Policy

We may update this privacy policy from time to time. For material changes, we will notify you via push notification and/or email at least 30 days before changes take effect. For minor changes, we will update the "Last Updated" date above.

Your continued use of Gravy after changes take effect constitutes acceptance of the updated policy.

Contact Us

Email: ali@gravyme.com
Address: 88 Pentney Road, London, SW12 0NY, United Kingdom
Data Protection Officer: Ali Tabba - ali@gravyme.com

Response time: We aim to respond to all inquiries within 5 business days, and to data subject rights requests within one month as required by UK GDPR.


Cookies Policy

We use cookies and similar technologies on our website (https://gravyme.com/).

Strictly Necessary Cookies: Essential for website operation, login, and accessing features.

Analytical/Performance Cookies: Help us understand how visitors use our website using Google Analytics.

You can block cookies via your browser settings, but this may impact website functionality. By continuing to use our website, you consent to cookies as described unless you have opted out via your browser settings.

For cookie questions, contact ali@gravyme.com.


Document Version: 2.0
Effective Date: October 6, 2025