Privacy Policy

This policy applies to Gravy websites, Gravy Desktop, authentication flows, hosted connector services, support channels, release downloads, and related services we provide. It does not apply to websites, financial institutions, identity providers, model providers, app stores, or other third-party services that have their own privacy notices.

Gravy is built for personal financial work. That means the service can process sensitive information such as financial account data, transaction data, investment data, email metadata and content you choose to connect, authentication data, and device diagnostics.

We collect information in the following categories:

• Account and profile information, such as your name, email address, authentication identifiers, organization membership, and settings.
• Financial connection information, such as institution names, accounts, balances, transactions, holdings, statements, categories, merchant data, connection status, and provider tokens or references.
• Inbox and document connection information, including Gmail or other inbox data you authorize Gravy to read, such as message metadata, message bodies, attachments, receipts, statements, alerts, and labels needed to provide requested features.
• Desktop app and device information, such as app version, operating system, install identifier, local runtime status, diagnostic logs, crash data, network status, and configuration values.
• AI interaction information, such as messages, prompts, agent task state, generated outputs, tool calls, selected connectors, and contextual data you ask Gravy to use.
• Website and usage information, such as pages visited, download events, approximate location derived from IP address, browser type, referral source, cookie identifiers, and analytics events.
• Communications and support information, including messages you send us, feedback, bug reports, survey answers, and records of support interactions.
• Billing information if we offer paid services, such as plan, invoices, payment status, and limited payment metadata. Payment card details are expected to be handled by a payment processor rather than stored directly by Gravy.

We collect information from:

• you, when you create an account, use Gravy, or contact us;
• connected financial providers, banks, brokerages, data aggregators, and open banking providers you authorize;
• connected inbox, document, and productivity providers, including Google services such as Gmail when you grant access;
• authentication, security, cloud infrastructure, analytics, and support providers that help us operate the service;
• your device and local runtime when Gravy Desktop runs, syncs, or reports diagnostics.

We use information to:

• provide, maintain, personalize, and improve Gravy;
• authenticate users, secure accounts, prevent fraud, and enforce access controls;
• connect to banks, brokerages, inboxes, and other sources you choose;
• normalize, categorize, reconcile, search, summarize, and explain connected financial and inbox information;
• operate AI features, including agent messages, generated views, background tasks, and requested automations;
• debug errors, monitor reliability, measure performance, and support product development;
• communicate with you about the service, security, support, policy changes, and product updates;
• comply with legal obligations, resolve disputes, and enforce our terms.

Gravy may send prompts, messages, tool results, and selected context to AI model providers or hosted model infrastructure so the agent can respond to your requests. We aim to send only the context needed for the requested task, but that context may include personal information or sensitive financial and inbox content if the task requires it.

Gravy does not train AI models on your data — ever. That includes your messages to the agent, your connected financial accounts, your transactions, your inbox content, and any context the agent uses to answer you. We do not repurpose connected financial data, inbox content, prompts, or generated outputs for product analytics. Optional product analytics and diagnostics use narrow event metadata, such as app version, connection status, provider type, and redacted error fingerprints. Model providers Gravy calls operate under enterprise contracts that forbid them from using what Gravy sends for training or retention beyond what's needed to return the response.

If you connect Gmail or another Google service, Gravy will use Google user data only to provide and improve the user-facing features you request, such as finding receipts, statements, alerts, or other financial context for your Gravy. Gravy's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do not sell Google user data, use it for advertising, or allow humans to read it — with three narrow exceptions: when you ask us to help, when access is necessary to investigate a security or abuse incident, or when required by law.

We do not use Google user data to determine creditworthiness, make lending decisions, serve ads, retarget users, sell to data brokers, provide information to information resellers, or train generalized AI or machine learning models. We transfer Google user data only as needed to provide or improve visible user-facing Gravy features with your consent, maintain security, comply with law, or as otherwise permitted by the Google API Services User Data Policy. If Google user data would be transferred as part of a merger, acquisition, reorganization, or sale of assets, we will obtain explicit prior consent where required by Google policy.

We may share information with:

• service providers that host infrastructure, authenticate users, deliver support, send email, process payments, monitor reliability, and secure the service;
• financial data aggregators, open banking providers, institutions, and connector providers when needed to create or maintain a connection you requested;
• AI model and tool providers when needed to process your request or operate a feature you use;
• professional advisors, auditors, insurers, regulators, law enforcement, or courts when reasonably necessary;
• counterparties in a merger, financing, acquisition, reorganization, bankruptcy, or sale of assets, subject to appropriate protections;
• other parties with your direction or consent.

We do not sell personal information. We also do not share personal information for cross-context behavioral advertising as those terms are commonly used in US state privacy laws.

We may use cookies, local storage, pixels, and similar technologies to operate the website, remember preferences, measure downloads, understand site performance, and protect against abuse. Browser controls can usually block or delete cookies, but some features may not work correctly without required cookies.

Where consent is required, Gravy uses a self-hosted consent service to record cookie choices and keeps measurement tools off or cookieless until the required choice is made. You can change analytics and diagnostics choices in the website consent controls or inside Gravy Desktop settings.

We keep personal information for as long as needed to provide Gravy, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and operate backups. Retention periods vary by data type. For example, account and connection records may be kept while your account is active, diagnostic logs may be shorter lived, and legal or security records may be retained longer.

If you delete your account or disconnect a provider, we will begin deleting or de-identifying related data unless retention is required for legal, security, backup, or legitimate business reasons. Connected providers may keep their own records under their own policies.

We use administrative, technical, and organizational safeguards designed to protect personal information, including encryption in transit, encryption at rest where we store data, access controls, environment separation, logging, monitoring, and vendor review. Google user data and OAuth tokens are protected with TLS in transit and encryption at rest where stored. No service can guarantee perfect security. You are responsible for protecting your device, account credentials, and any recovery methods.

Depending on your location, you may have rights to:

• access, correct, delete, or export personal information;
• object to or restrict certain processing;
• withdraw consent where processing is based on consent;
• opt out of certain sales, sharing, targeted advertising, or profiling if those activities apply;
• appeal a privacy rights decision.

You can also disconnect banks, inboxes, and other providers inside the product or through the provider's own authorization settings. To make a privacy request, contact us at privacy@gravy.financial. We may need to verify your identity before fulfilling a request.

California law treats many categories of data as personal information, including identifiers, online identifiers, internet activity, geolocation, commercial information, inferences, financial account information, and the contents of certain communications. Gravy may collect these categories as described above.

Gravy may collect sensitive personal information, including financial account data, account login-related data, precise content from connected communications, and authentication data. We use sensitive personal information only to provide the service, secure it, comply with law, and for other permitted purposes. We do not use sensitive personal information to infer characteristics unrelated to providing Gravy.

Where UK or EEA data protection law applies, our legal bases may include performance of a contract, legitimate interests, consent, and compliance with legal obligations. You may have the right to complain to your local data protection authority. If we transfer personal data internationally, we use appropriate safeguards where required.

Gravy is not intended for children under 13, or under the age required by local law to use online services without parental consent. We do not knowingly collect personal information from children.

We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify you, such as through the service or by email. Continued use of Gravy after an update means the updated policy applies.

Questions can be sent to privacy@gravy.financial. These terms should be read together with our Terms of Service.