Privacy Policy

Effective Date: 07/08/2025

Introduction

  1. 1.1. About Gravv

Gravv ("we", "us", or "our") is a financial technology company based in the United States. We provide account and wallet infrastructure to merchants who use our platform to offer pay-in and pay-out services to their own end users across various jurisdictions. Our services are designed to support compliant and efficient payment flows, while upholding strong data protection standards.

  1. 1.2. Scope of This Policy

This Privacy Policy describes how Gravv collects, uses, discloses, and protects personal data when:

  1. a. You visit our website or use our platform;
  2. b. You interact with us as a merchant client or representative;
  3. c. You are an end user whose data is processed by us on behalf of a merchant;
  4. d. We process data in the context of providing payment and account infrastructure services.

This policy applies globally, including where applicable laws such as the California Consumer Privacy Act (CCPA), the EU and UK General Data Protection Regulation (GDPR), and other relevant data privacy laws apply. It does not apply to third-party platforms or services not controlled by Gravv.

  1. 1.3. Definitions

For the purposes of this Privacy Policy:

"Merchant" means a business or organization that uses Gravv’s services to offer wallets or payment services to their customers.

"End User" means an individual who is a customer, client, or user of a Merchant, whose personal data may be processed through the Gravv platform.

"Personal Data" means any information that relates to an identified or identifiable individual.

“Data Controller” (also referred to as “Business” under U.S. state laws) means the person or entity that determines the purposes and means of processing Personal Information. Merchants are Data Controllers of their End Users’ data.

“Data Processor” (also referred to as “Service Provider” or “Processor”) means the person or entity that processes Personal Information on behalf of a Data Controller. Gravv acts as a Data Processor for Merchants with respect to End User data.

“Processing” means any operation performed on Personal Information, whether automated or not, including collection, use, disclosure, storage, transmission, or deletion.

“Services” means the account, wallet, payment processing, and related infrastructure and support services provided by Gravv to its Merchants.

  1. 1.4. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at:

Attn: Data Protection Officer

Gravv Inc.

30 N Gould St, Sheridan, WY 82801

United States

Email: privacy@gravv.io

Information We Collect

We collect different types of personal data depending on your relationship with Gravv, the services you access, and applicable legal requirements.

  1. 2.1. Information You Provide

We collect information that you or your organization voluntarily provide to us, including:

  1. a. Business registration documents and KYC/KYB information;
  2. b. Contact information (e.g., name, business email, phone number);
  3. c. Billing and payment details;
  4. d. Credentials for platform access (e.g., usernames, role assignments);
  5. e. Communications with our support team or account managers.

For end users of our merchants, we may collect data such as:

  1. a. Full name;
  2. b. Email address or phone number;
  3. c. Bank account or wallet identifiers;
  4. d. Government-issued identification (where required for compliance purposes).

This data is collected directly from the merchant or from the end user through merchant-integrated interfaces.

  1. 2.2. Information We Collect Automatically

When you interact with our platform or website, we automatically collect certain data through cookies and tracking technologies. This may include:

  1. a. IP address;
  2. b. Device type and browser information;
  3. c. Log data such as access times and page views;
  4. d. Geolocation data (based on IP);
  5. e. Session behavior and interaction analytics.

This information is used to ensure platform integrity, perform analytics, detect fraud, and enhance user experience.

  1. 2.3. Information We Receive from Third Parties

We may receive personal data about you from:

  1. a. Identity verification providers;
  2. b. Financial institutions and payment processors;
  3. c. Regulatory or law enforcement bodies (where required);
  4. d. Public records or commercial data providers;
  5. e. Merchants, where they collect and transmit data about their users to us.

We only use third-party data where legally permitted and consistent with our service obligations.

  1. 2.4. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience on our website and application, analyze usage trends and personalize content and advertisements. This section explains what these technologies are and how we use them.

  1. 2.4.1. What Are Cookies?

Cookies are small data files stored on your browser or device that help websites remember information about your visit. We use both session cookies (which expire when you close your browser) and persistent cookies (which stay on your device until deleted or expired).

  1. 2.4.2. Types of Cookies We Use
  1. a. Strictly Necessary Cookies: These cookies are essential to provide you with services you have requested, such as logging in or accessing secure areas of the platform.
  2. b. Performance Cookies: These collect anonymized data about how users interact with our services, helping us improve functionality and performance.
  3. c. Functionality Cookies: These remember your preferences (e.g., language or region) to enhance your experience.
  4. d. Targeting/Advertising Cookies: These cookies track your browsing habits to deliver personalized ads and measure ad performance. We may work with third-party partners for this purpose.
  1. 2.4.3. Third-Party Cookies

We may allow trusted third parties to place cookies on our website or platform to support analytics, advertising, or social media integrations. These cookies are subject to the respective third parties’ privacy policies.

  1. 2.4.4. Your Choices

You can control or delete cookies through your browser settings. Most browsers allow you to:

  1. a. View what cookies are stored
  2. b. Delete cookies
  3. c. Block cookies from specific websites
  4. d. Block all cookies

Please note that if you disable cookies, some features of the Gravv platform may not function properly.

How We Use Your Information

We use the personal data we collect for a variety of lawful business purposes, as outlined below:

  1. 3.1. Providing and Managing Services

We use personal data to operate, maintain, and deliver our services, including:

  1. a. Setting up and managing merchant accounts;
  2. b. Facilitating payment transactions (pay-ins and pay-outs);
  3. c. Performing identity verification and KYC/KYB checks;
  4. d. Providing technical support and responding to service inquiries;
  5. e. Maintaining records of user interactions, platform usage, and transaction history.
  1. 3.2. Fraud Prevention and Security

We use personal data to protect our platform, users, and partners by:

  1. a. Detecting, investigating, and preventing fraud or abuse;
  2. b. Monitoring account activity and access behaviors;
  3. c. Authenticating users and verifying identities;
  4. d. Enforcing our Terms of Service and other agreements.
  1. 3.3. Compliance with Law

We process personal data to comply with applicable legal and regulatory obligations, including:

  1. a. Anti-money laundering (AML) and counter-terrorism financing (CTF) regulations;
  2. b. Know Your Customer (KYC) and Know Your Business (KYB) requirements;
  3. c. Tax, audit, and financial reporting obligations;
  4. d. Responding to lawful requests from courts, law enforcement, or regulators.
  1. 3.4. Communications

We use personal data to:

  1. a. Communicate with merchants and users regarding service updates, maintenance, and support;
  2. b. Send administrative notices, policy updates, and legal disclosures;
  3. c. Respond to inquiries or complaints;
  4. d. Send marketing communications (where permitted and with the option to opt out).
  1. 3.5. Aggregated and Anonymized Data

We may use data that has been aggregated or anonymized such that it no longer identifies any individual to:

  1. a. Analyze platform usage and performance trends;
  2. b. Improve our services and develop new features;
  3. c. Produce business insights and reporting;
  4. d. Share market-level trends with partners or the public.

Legal Bases for Processing (Where Applicable)

Where applicable laws (such as the GDPR or UK GDPR) require a legal basis for processing personal data, we rely on the following:

  1. 4.1. Consent

We may process your personal data based on your consent, particularly in relation to:

  1. a. The use of non-essential cookies and analytics tools;
  2. b. Sending marketing emails or promotional content;
  3. c. Collecting certain sensitive data or documents (where required).

Where consent is the basis, you have the right to withdraw it at any time.

  1. 4.2. Contractual Necessity

We process personal data to perform our contractual obligations, including:

  1. a. Delivering services to our merchant clients;
  2. b. Facilitating transactions initiated by merchants or their end users;
  3. c. Providing customer support, billing, and account management.

Without this processing, we may be unable to provide certain services.

  1. 4.3. Legal Obligation

We process personal data where necessary to meet our legal obligations, such as:

  1. a. Compliance with financial services and AML/CTF regulations;
  2. b. Responding to regulatory audits and information requests;
  3. c. Recordkeeping for tax and accounting purposes.
  1. 4.4. Legitimate Interests

We also process personal data where it is in our legitimate interests to do so and where such interests are not overridden by your rights. These include:

  1. a. Improving and securing our platform;
  2. b. Preventing fraudulent activity;
  3. c. Communicating with merchants about service functionality;
  4. d. Enforcing our rights and defending legal claims.

Where we rely on legitimate interests, we assess the impact on individuals and implement safeguards where needed.

How We Share Your Information

We do not sell your personal data. However, we may share personal data in the following circumstances to enable the proper functioning of our services and fulfill our legal obligations:

  1. 5.1. With Our Merchants

If you are an end user transacting with a merchant who uses Gravv’s platform, certain personal data (such as name, contact information, and transaction details) may be shared with that merchant to facilitate the transaction, fulfill the merchant’s obligations, and enable customer support. Merchants are independently responsible for how they use such information.

  1. 5.2. With Service Providers

We engage third-party service providers to perform functions on our behalf. These may include:

  1. a. Payment processors, banking and infrastructure partners;
  2. b. Identity verification and fraud detection services;
  3. c. Cloud storage providers and IT infrastructure partners;
  4. d. Customer support and communications tools;
  5. e. Legal, auditing, or accounting firms.

These providers are contractually bound to protect the data and use it only for the specific services they provide to Gravv.

  1. 5.3. With Affiliates and Subsidiaries

We may share personal data with our affiliated companies and subsidiaries where necessary for internal administrative purposes, service delivery, risk management, and compliance oversight.

  1. 5.4. For Legal Reasons

We may disclose personal data if required to do so by law or in good faith belief that such action is necessary to:

  1. a. Comply with a legal obligation or regulatory request;
  2. b. Respond to a subpoena, court order, or legal process;
  3. c. Investigate suspected or actual fraud or illegal activity;
  4. d. Protect our rights, property, or safety, or that of our users, merchants, or others.
  1. 5.5. In Corporate Transactions

If Gravv is involved in a merger, acquisition, asset sale, restructuring, or financing, personal data may be shared or transferred as part of that transaction, subject to appropriate confidentiality safeguards.

End User Data Processing (B2B2C Context)

Gravv operates as a service provider to merchant clients who, in turn, provide services to their own customers. In this context, Gravv may process personal data about end users (e.g., a merchant’s customers) on behalf of the merchant.

  1. 6.1. Role of Merchant as Data Controller

When a merchant uses Gravv to process payments or manage end-user interactions, the merchant acts as the “data controller” and determines the purposes and means of processing end-user data. The merchant is solely responsible for ensuring its collection and use of personal data complies with applicable laws.

  1. 6.2. Gravv’s Role as Data Processor

In this context, Gravv acts as a “data processor” or “service provider.” We process end-user personal data only on the merchant’s behalf and in accordance with their written instructions, subject to our contractual obligations and regulatory requirements.

We do not use end-user data for our own purposes, except as necessary to provide the contracted services, ensure security, comply with applicable laws, or as otherwise permitted by our agreement with the merchant.

  1. 6.3. Responsibilities of the Merchant

Merchants using Gravv’s services are responsible for:

  1. a. Obtaining all necessary consents and disclosures from end users;
  2. b. Providing a lawful basis for processing;
  3. c. Ensuring compliance with privacy laws applicable to their business;
  4. d. Handling end-user rights requests, such as access or deletion.

Gravv provides reasonable assistance to merchants in fulfilling these obligations, as required by law or contract.

  1. 6.4. Merchant Instructions and Restrictions

Gravv will only process end-user personal data in accordance with the documented instructions provided by the merchant, unless required to do otherwise by applicable law. Merchants must not instruct Gravv to process personal data in a manner that violates data protection laws or regulations. Gravv reserves the right to suspend or terminate services where continued processing would violate such laws.

International Data Transfers

Gravv is headquartered in the United States and provides services globally. As a result, your personal data may be transferred to, stored in, or processed in countries other than your own.

  1. 7.1. Transfers Outside the U.S.

If you are located outside the United States, please note that your data will be transferred to and processed in the United States, where our primary servers and operations are located. The data protection laws in these jurisdictions may differ from those in your country, and may not offer the same level of protection.

  1. 7.2. EU–U.S. and UK–U.S. Data Bridge Compliance

For data transfers from the European Economic Area (EEA), United Kingdom, and Switzerland, Gravv relies on the EU–U.S. Data Privacy Framework, the UK Extension to the EU–U.S. Data Privacy Framework, and the Swiss–U.S. Data Privacy Framework, as applicable. We adhere to the principles and commitments under these frameworks where certified, and for non-certified transfers, we use alternative legal mechanisms as outlined below.

  1. 7.3. Safeguards for Global Transfers

Where required, we implement appropriate safeguards to protect your data during international transfers. These may include:

  1. a. Standard Contractual Clauses approved by the European Commission or UK Information Commissioner’s Office;
  2. b. Data Processing Agreements that include required contractual protections;
  3. c. Transfer Impact Assessments to evaluate risk exposure in destination countries;
  4. d. Technical and organizational security measures to maintain data integrity.

We continually monitor developments in international data transfer regulations and update our practices as necessary to remain compliant.

Your Rights and Choices

Depending on your location and applicable data protection laws, you may have certain rights and choices regarding your personal data.

  1. 8.1. Access, Correction, and Deletion

You may have the right to:

  1. a. Request access to the personal data we hold about you;
  2. b. Request correction of inaccurate or incomplete data;
  3. c. Request deletion of your personal data, subject to legal and contractual retention obligations.
  1. 8.2. Objection and Restriction

You may object to our processing of your personal data, particularly where we rely on legitimate interests. You may also request that we restrict further processing under certain conditions, such as during the verification of a correction request.

  1. 8.3. Data Portability

In jurisdictions where it is required, you may request a copy of your personal data in a structured, commonly used, and machine-readable format, and you may have the right to transmit that data to another controller where technically feasible.

  1. 8.4. Opt-Out of Marketing Communications

You can opt out of receiving marketing or promotional emails from Gravv at any time by following the unsubscribe instructions in those emails or by contacting us. Even if you opt out of marketing, you will continue to receive service-related communications.

  1. 8.5. Rights Under CCPA and Other State Laws

If you are a resident of California or certain other U.S. states with similar laws (e.g., Colorado, Virginia, Connecticut), you may have specific rights under applicable state privacy laws, including:

  1. a. The right to know what personal data we collect, use, and share;
  2. b. The right to request deletion of your personal data;
  3. c. The right to opt out of the sale or sharing of personal data (note: Gravv does not sell your data);
  4. d. The right to limit the use of sensitive personal data;
  5. e. The right not to be discriminated against for exercising your rights.

To exercise any of these rights, you may contact us at the details provided in the “Contact Us” section or via support@gravv.io

  1. 8.6. Rights Under GDPR

If you are in the EEA, UK, or another jurisdiction subject to the General Data Protection Regulation (GDPR), you have the following rights:

  1. a. Right of access;
  2. b. Right to rectification;
  3. c. Right to erasure (“right to be forgotten”);
  4. d. Right to restriction of processing;
  5. e. Right to data portability;
  6. f. Right to object to processing;
  7. g. Right to lodge a complaint with your local data protection authority.

If we are processing your data based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

Data Retention

  1. 9.1. Retention Period

We retain your personal data for as long as is necessary to provide our services, comply with our legal obligations, resolve disputes, enforce our agreements, and support our legitimate business interests. This means your data may be retained for the duration of your use of Gravv and for a defined period after account closure, subject to applicable laws.

  1. 9.2. Criteria for Retention

The length of time we retain your data depends on:

  1. a. The nature of the data;
  2. b. The purposes for which it was collected;
  3. c. Whether we are subject to legal or regulatory obligations requiring retention (e.g., anti-money laundering, tax, or financial regulations);
  4. d. Whether retention is advisable in light of our legal position (e.g., for dispute resolution or audit purposes).
  1. 9.3. Secure Deletion

When personal data is no longer necessary, we securely delete or anonymize it. Where deletion is not technically feasible (e.g., in backup archives), we isolate such data and protect it from further processing until deletion becomes possible.


Security Measures

  1. 10.1. Technical and Organizational Measures

Gravv takes the security of your information seriously. We implement appropriate technical and organizational safeguards to protect your data from unauthorized access, loss, misuse, alteration, or destruction. These measures include:

  1. a. Encryption of data in transit and at rest;
  2. b. Firewalls and intrusion detection systems;
  3. c. Access controls and role-based permissions;
  4. d. Multi-factor authentication;
  5. e. Regular security assessments and audits;
  6. f. Staff training on data protection and security best practices.

While no system is completely secure, we continuously assess and improve our security framework to respond to emerging threats and regulatory requirements.

Breach Notification

In the event of a data breach that compromises your personal data, we will notify you and the appropriate supervisory authorities without undue delay, where required by applicable law. Notifications will include information about the nature of the breach, the likely consequences, and the steps we are taking to mitigate harm.


Children’s Privacy

Gravv’s services are intended for use by businesses and individuals over the age of 18. We do not knowingly collect or solicit personal data from children under the age of 13 (or under 16 where required by applicable law). If we learn that we have collected personal data from a child without verifiable parental consent, we will delete it promptly. If you believe that a child has provided us with personal data, please contact us using the information in the "How to Contact Us" section or by email at support@gravv.xyz


Changes to This Privacy Policy

We may update this Privacy Policy from time to time in response to legal, technical, or business developments. When we update it, we will revise the “Last Updated” date at the top of the policy. We encourage you to review this Privacy Policy periodically to stay informed about our practices.


How to Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, you may contact us through the following channels:

Email: privacy@gravv.xyz

Mailing Address:

Gravv Inc

30 N Gould St, Sheridan, WY 82801

United States

Note: If you are located in a jurisdiction with a data protection authority, you also have the right to lodge a complaint with your local authority.