Gravy Technologies Limited - Privacy Policy

Last Updated: 15 March 2026

About This Policy

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have when you use the Gravy mobile app, web app, website, and related services.

This policy applies whether you are browsing our website, creating an account, linking bank accounts, connecting an investment provider, subscribing to Gravy Pro, using AI-powered features, or contacting support.

Why Gravy Uses AI

Gravy is designed to help you understand and act on your finances, not just display raw account data. We use AI to answer your questions, explain spending patterns, categorise and enrich transactions, surface relevant insights, and help you track progress toward your goals.

That means we need to process some of the account, transaction, profile, and conversation data you choose to share with Gravy through AI systems and trusted providers acting on our behalf. We only do this to operate Gravy and deliver the features you choose to use.

Who We Are

Gravy Technologies Limited ("we", "us", "our", or "Gravy") is a company registered in England and Wales (Company No. 16715096) with its registered office at 88 Pentney Road, London, SW12 0NY, United Kingdom.

We are the data controller for the personal data we collect through our app and services.

Questions about this Privacy Policy or how we handle your personal data:

Email: ali@gravyme.com

Data Protection Officer: Ali Tabba (ali@gravyme.com)

The Main Ways We Collect Data

We collect personal data:

  • directly from you when you create an account, sign in, set goals, add labels or notes, complete onboarding, subscribe, or contact us
  • from authentication providers when you choose Sign in with Apple or Sign in with Google
  • from financial and investment providers you choose to connect, including Yapily Connect
  • automatically from your device, browser, and app usage when you use Gravy or receive notifications
  • from app stores and subscription providers in connection with Gravy Pro purchases and renewals

Personal Data We Collect

Information you give us directly

  • name and email address
  • Apple, Google, or email one-time-code login details
  • country, region, locale, and account preferences
  • financial goals, budgets, notes, labels, and settings you create in the app
  • support requests, feedback, and other communications you send us
  • if you choose future regulated products or features, additional verification or compliance information required by law, such as proof of identity, address history, or tax status

Information from authentication providers

If you sign in with Apple or Google, we may receive:

  • your name and email address, where shared by that provider
  • provider user identifiers and token data needed to verify your login

Financial and investment data from providers you connect

When you connect accounts through Yapily Connect or another authorised provider, we may receive:

  • account details such as institution name, account type, balance, currency, and masked account identifiers
  • transaction details such as amounts, dates, merchant names, categories, references, and location data attached to transactions
  • institution identifiers, consent status, and technical connection metadata needed to maintain or renew account access
  • for payment or variable recurring payment features you actively authorise, payment instructions and related consent or mandate information

Some financial data may indirectly reveal sensitive information, for example donations to political organisations, payments to health providers, or union-related transactions. We process this only where necessary to provide the Gravy service, such as categorising spending, generating insights, or carrying out a payment instruction you have authorised. We do not use it for advertising or sale.

Information we collect automatically when you use Gravy

  • device and app information, such as device model, operating system, app version, locale, timezone, and push-notification token
  • usage and diagnostics data, such as screen views, feature usage, session timing, performance events, and error logs
  • website data, such as cookie or device identifiers, browser metadata, pages visited, and general traffic information
  • approximate regional information inferred from your device settings, connected institution country, or browser or network context where needed for localisation, fraud prevention, or compliance

Information created when you use AI-powered features

  • conversation history with our AI assistant
  • prompts, outputs, and feedback
  • transaction context, goal context, and financial summaries used to generate answers or insights
  • categorisations, summaries, tags, and recommendations generated by our models and workflows

How We Use Your Data

We use your data to:

  • create and manage your account
  • authenticate you and protect account security
  • connect, refresh, and display your bank and investment accounts
  • provide budgeting, net worth, goal-tracking, subscription, and financial-insight features
  • send one-time login codes, transactional emails, and push notifications
  • provide AI responses, transaction categorisation, enrichment, and personalised insights
  • manage subscriptions, billing status, entitlements, and purchase verification
  • detect fraud, misuse, suspicious activity, and service abuse
  • debug, monitor, improve, and secure our services
  • comply with legal, regulatory, tax, and record-keeping obligations

No sale or monetisation of personal data. We do not sell your personal data or transfer it to third parties for their own marketing or monetisation purposes.

No cross-context behavioural advertising. We do not share your personal data for cross-context behavioural advertising.

Aggregated and de-identified analytics. We may use aggregated or de-identified information to understand financial trends, improve our products, and analyse performance. We do not allow third parties to target you based on your identifiable transaction history.

Legal Bases for Processing (UK GDPR)

We process your personal data under the following legal bases:

  • Consent where you choose to link accounts, enable notifications, use a payment feature, or otherwise opt in to a specific processing activity
  • Contractual necessity where processing is needed to provide the Gravy services you asked us to provide
  • Legitimate interests where we need to improve, secure, operate, and defend our services in a proportionate way
  • Legal obligation where we must comply with financial, tax, anti-money-laundering, fraud-prevention, or other legal requirements

Who We Share Your Data With

We share personal data only where needed to operate Gravy, and only under contracts, confidentiality duties, or other legal safeguards.

The table below describes the main third parties and provider categories we currently use.

Provider or category | Why we use them | Data they may process
Yapily Connect Ltd | To connect UK bank accounts, refresh balances and transactions, manage open-banking consent, and support payment or variable recurring payment flows you authorise | identifiers needed to start bank authorisation, linked account details, balances, transactions, institution data, consent metadata, and payment or mandate metadata
Amazon Web Services | To host our backend, databases, storage, queues, secrets, logging, and security infrastructure | account data, connected financial data, AI conversation data, support messages, operational logs, and backups
OpenRouter and AI model providers currently used through it, such as OpenAI and Google | To generate assistant responses, financial insights, categorisation, and enrichment | prompts, conversation content, transaction descriptions, goal context, and limited account or profile context needed for the task
PostHog | To run product analytics, feature flags, diagnostics, and error tracking | device and app metadata, usage events, screen views, feature-flag context, and limited diagnostic data
Resend | To deliver login codes and service emails | email address, message content, and delivery metadata
Expo | To deliver push notifications | device push token, notification content, and delivery metadata
RevenueCat | To manage subscriptions and verify purchases | user ID, subscription status, product identifiers, and app-store transaction metadata
Apple and Google | To support sign-in and app-store infrastructure when you choose those methods | identity tokens, provider identifiers, name and email returned by those providers, and purchase metadata where relevant
Professional advisers, auditors, regulators, courts, and law enforcement | To meet legal, compliance, audit, or enforcement obligations | relevant data required for the specific request or obligation

This list reflects our main providers and categories as of 15 March 2026. We may update it over time as our suppliers or product features change.

Where a third party processes personal data on our behalf, we require it to use privacy and security protections at least equivalent to our own and to process that data only for the services it provides to Gravy.

AI-Powered Features

Many core features in Gravy use artificial intelligence to provide assistant responses, financial insights, transaction categorisation, enrichment, summaries, and related functionality.

To provide these features, we may send relevant personal data to our AI-routing infrastructure and to third-party model providers acting on our behalf. We aim to minimise what is shared and to redact or reduce personal data where reasonably possible.

We use contractual, technical, and organisational safeguards when selecting and operating these providers. Where we use third-party AI providers for Gravy features, we require them to act solely on our behalf and to apply privacy and security protections equivalent to our own.

Because Gravy includes core AI-led features, if you do not want your data to be processed for AI-powered features, you should not use Gravy. You may also contact ali@gravyme.com if you want to withdraw consent or request deletion of related data, subject to legal and operational limitations.

International Data Transfers

Some of our service providers operate in the United Kingdom, the European Economic Area, the United States, or other jurisdictions.

Where personal data is transferred outside the UK or EEA, we use appropriate safeguards, which may include contractual protections, access controls, encryption, and vendor due-diligence measures designed to maintain an appropriate level of protection.

Data Retention and Deletion

We keep personal data only for as long as we need it for the purposes described in this policy, unless a longer retention period is required or permitted by law.

When you delete your account, we aim to remove your personal data from active systems within 30 days and from backups within 90 days, except where we must retain limited records for legal, tax, audit, security, or fraud-prevention reasons.

Data type | How long we keep it
Account profile, settings, goals, and linked-account metadata | For the life of your account
Bank, transaction, and investment data | For the life of your account, and longer only where limited retention is required for security, compliance, or dispute handling
AI conversation history | For the life of your account unless earlier deletion is supported and requested, subject to limited security or legal retention
Authentication records and security logs | For as long as reasonably necessary for login, security, fraud prevention, and audit purposes
Backups | Deleted or overwritten within 90 days after account deletion
Regulatory or compliance records | Up to 7 years where law requires it

Automated Decision-Making and Profiling

Our models and rules analyse transaction and goal data to categorise spending, enrich descriptions, assess progress, and generate relevant suggestions. These processes are intended to support your experience and do not produce solely automated decisions with legal or similarly significant effects on you.

Data Security

We maintain appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, misuse, or alteration. These measures include encryption, access controls, secure hosting, logging, vendor due diligence, and ongoing security review.

If a personal data breach occurs that is likely to affect your rights and freedoms, we will notify the relevant authorities and affected users where required by law.

Your Rights (UK GDPR)

Subject to legal exceptions, you have the right to:

  • access the personal data we hold about you
  • correct inaccurate or incomplete data
  • request deletion of your data
  • restrict or object to certain processing
  • request portability of data you provided to us
  • withdraw consent where processing relies on consent

You can also disconnect linked accounts, stop using the service, or delete your profile.

Identity verification. We may verify your identity before acting on a request, for example by sending a code to your registered email address, using your account session, or asking for limited additional information.

Contact ali@gravyme.com to exercise your rights. We usually respond within one month and may extend by up to two further months for complex requests.

If you are unhappy with our handling of your data, you may contact the Information Commissioner's Office: 0303 123 1113 or https://ico.org.uk/make-a-complaint

Cookies and Similar Technologies

We use cookies and similar technologies on https://www.gravyme.com to:

  • keep the website secure and functional
  • understand general site usage and performance
  • remember preferences and improve user experience
  • measure the effectiveness of marketing activity at an aggregated level

Cookie categories we use:

  • Strictly Necessary cookies for security, routing, and core website functionality
  • Performance or Analytics cookies to understand website usage and improve performance
  • Functionality cookies to remember settings and preferences

You can control or disable cookies through your browser settings. If we introduce additional advertising technologies in future, we will update this policy and provide any required choices.

Children's Privacy

Gravy is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child's data has been submitted to us, contact ali@gravyme.com and we will investigate and delete it where appropriate.


Additional Information for United States Residents

Scope

This section applies to US residents. Some information we process is covered by the Gramm-Leach-Bliley Act (GLBA). Where GLBA applies, certain state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), may not apply to that data. For other personal data, including analytics and website data, state privacy rights may apply.

Categories of data collected

Depending on how you use Gravy, we may collect:

  • identifiers such as name, email address, device ID, account IDs, and provider IDs
  • customer records such as profile information, settings, support messages, and subscription status
  • commercial information such as purchases, renewals, and in-app actions
  • internet or other electronic activity information such as log data, analytics, cookies, and screen or feature usage
  • geographic indicators such as country, region, locale, and timezone
  • inferences such as AI-generated insights, categorisations, and recommendations
  • financial information such as linked bank-account, transaction, balance, investment, and payment-consent data
  • sensitive information such as authentication data, account credentials you provide for connected providers, and account numbers used solely for security and service provision

Sale, sharing, and targeted advertising

We do not sell personal information or share it for cross-context behavioural advertising. If that changes, we will update this policy and provide any required opt-out rights and disclosures.

Your US state privacy rights

Subject to verification and legal exceptions, you may request access to, correction of, or deletion of personal information. Where applicable, you may also have the right to appeal a denied request or to opt out of certain types of processing.

How to exercise your rights: Email ali@gravyme.com with the subject "US Privacy Request." We may verify your identity through your registered email address, your account, or limited additional information.

Authorised agents and appeals: You may appoint an authorised agent to submit requests on your behalf where state law permits. If we decline a request, we will explain why and, where required, how to appeal.

Response times: We aim to respond within 45 days and may extend once by an additional 45 days where permitted.

GLBA and FTC safeguards

We maintain a written information-security programme designed to align with the FTC Safeguards Rule, including encryption, access controls, vendor due diligence, and incident-response procedures.


Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified through the app, by email, or by another appropriate channel before they take effect where required by law. Minor updates will be reflected by updating the date at the top of this policy.

Contact Us

Email: ali@gravyme.com

Address: 88 Pentney Road, London, SW12 0NY, United Kingdom

Response time: within 5 business days for general queries, and within one month for formal data requests.