Privacy Policy (Data Controller Role)
Table of Contents
- Introduction
- Scope and Application
- Definitions
- Legal Framework
- Data Controller Responsibility
- Categories of Personal Data Collected
- Sources of Personal Data
- Purposes and Legal Bases of Processing
- Data Sharing and Disclosure
- International Data Transfers
- Retention of Personal Data
- Security Measures
- Your Rights as a Data Subject
- Automated Decision-Making and Profiling
- Cookies and Tracking Technologies
- Contact Information
- Changes to this Policy
1. Introduction
Gr4vy, Inc. (“Gr4vy”, “we”, “our”, or “us”) is committed to safeguarding the personal data of individuals with whom it interacts in its capacity as a data controller. This includes individuals such as suppliers, employees, job applicants, and business contacts — but excludes data subjects whose data we process on behalf of our clients.
This Privacy Policy explains how Gr4vy collects, uses, shares, and protects personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and applicable data protection laws.
2. Scope and Application
This Privacy Policy applies to personal data processed by Gr4vy as a controller, including:
2.1 Prospective and current suppliers, contractors, and partners.
2.2 Job applicants and employees.
2.3 Website visitors and users of our online platforms.
2.4 Business contacts at client organisations (e.g., for contract negotiation or marketing), excluding data processed on behalf of clients.
This Policy does not cover processing where Gr4vy acts as a data processor on behalf of its clients. For such processing, please refer to our Privacy Policy for Client’s End Users (the Processor Role).
3. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings set out below:
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”).
“Processing” means any operation performed on personal data, whether or not by automated means, including collection, storage, use, disclosure, or erasure.
“Controller” means the natural or legal person which determines the purposes and means of the processing of personal data. For the purposes of this Policy, Gr4vy acts as a controller.
“Processor” means a natural or legal person that processes personal data on behalf of a controller.
“Data Subject” means an identified or identifiable natural person whose personal data is processed.
“DPO” means Data Protection Officer, the individual designated by Gr4vy to oversee data protection compliance.
“EEA” means the European Economic Area, comprising the EU Member States plus Iceland, Liechtenstein, and Norway.
4. Legal Framework
4.1 Gr4vy processes personal data in accordance with:
4.1.1 The EU GDPR and the UK GDPR.
4.1.2 National data protection laws where Gr4vy operates.
4.1.3 Relevant guidance issued by the European Data Protection Board (“EDPB”) and UK Information Commissioner’s Office (“ICO”).
5. Data Controller Responsibility
5.1 Gr4vy determines the purposes and means of processing personal data and is responsible for ensuring that such processing is lawful, fair, and transparent.
5.2 Gr4vy implements appropriate technical and organisational measures to ensure and demonstrate compliance with applicable data protection laws, consistent with the principle of accountability under Article 5(2) GDPR.
6. Categories of Personal Data Collected
6.1 Identification data: name, job title, company, and contact details (e.g., email, phone).
6.2 Account data: usernames, login credentials, service usage data. [1]
6.3 Business data: transaction history, contractual and billing information.
6.4 Recruitment data: CVs, employment history, references, background checks.
6.5 Website usage data: IP address, device ID, browser type, location, cookies.
6.6 Communications data: emails, support queries, marketing preferences.
[1] This refers to Gr4vy’s own business contacts or employees — not end users of the platform.
7. Sources of Personal Data
7.1 Directly from you, when you complete a form, sign a contract, apply for a role, or communicate with us.
7.2 Automatically through our websites and platforms (e.g., cookies, usage logs).
7.3 From third parties, such as background check providers, job boards, public sources, or referrals.
8. Purposes and Legal Bases of Processing
We process personal data for the following purposes and based on the associated legal grounds:
| Purpose | Legal Basis |
| --- | --- |
| Contract performance | Art. 6(1)(b) GDPR: Necessary for a contract or pre-contractual steps |
| Recruitment and hiring | Art. 6(1)(b), Art. 6(1)(f): Legitimate interest in evaluating candidates |
| Business contract management | Art. 6(1)(b) and (f): Performance of services; legitimate interest |
| Supplier and partner management | Art. 6(1)(b) and (f): Contractual relationships; business operations |
| Marketing and communications | Art. 6(1)(a) or (f): Consent or legitimate interest in outreach |
| Legal compliance | Art. 6(1)(c): Compliance with legal obligations (e.g. tax, AML) |
| Website analytics and security | Art. 6(1)(f): Legitimate interest in improving services and protecting systems |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
9. Data Sharing and Disclosure
9.1 Service providers (e.g., IT, payroll, cloud hosting).
9.2 Legal, regulatory, or governmental authorities (where legally required).
9.3 Professional advisors (e.g., auditors, legal counsel).
9.4 Affiliates or group entities (if applicable).
9.5 Potential buyers or investors in connection with business transactions.
All such disclosures are subject to appropriate contractual and confidentiality safeguards.
10. International Data Transfers
If personal data is transferred outside the EEA or UK, Gr4vy ensures such transfers are made:
10.1 To countries with an adequacy decision by the European Commission or UK Secretary of State.
10.2 Pursuant to Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum (IDTA).
10.3 Subject to a Transfer Risk Assessment and supplementary safeguards, where necessary.
11. Retention of Personal Data
11.1 Gr4vy retains personal data only as long as necessary for the purposes for which it was collected, or to comply with legal, regulatory, or contractual requirements.
11.2 Retention periods vary based on data type and purpose but follow documented internal retention schedules.
12. Security Measures
12.1 Data encryption (in transit and at rest).
12.2 Access controls and authentication mechanisms.
12.3 Regular system monitoring and vulnerability testing.
12.4 Staff training and confidentiality undertakings.
12.5 Incident response and breach notification procedures.
13. Your Rights as a Data Subject
13.1 Right of Access — You have the right to request confirmation of whether we hold personal data about you, and to access a copy of that data, along with information about how and why we process it.
13.2 Right to Rectification — You have the right to ask us to correct any inaccurate or incomplete personal data we hold about you.
13.3 Right to Erasure (“Right to be Forgotten”) — In certain circumstances, you have the right to request the deletion of your personal data, such as when it is no longer necessary for the purposes for which it was collected, or if you withdraw your consent.
13.4 Right to Restriction of Processing — You have the right to request that we restrict the processing of your personal data in certain cases, for example, while we are verifying the accuracy of your data or assessing an objection you have raised.
13.5 Right to Data Portability — Where our processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have that data transferred to another controller.
13.6 Right to Object — You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis. If you object, we must stop processing unless we can demonstrate compelling legitimate grounds. You also have the absolute right to object to processing for direct marketing purposes at any time.
13.7 Right to Withdraw Consent — If we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before you withdrew your consent.
13.8 Right to Lodge a Complaint — You have the right to lodge a complaint with a data protection authority if you believe that we have infringed your rights or mishandled your personal data. You can contact the authority in your country of residence, place of work, or where the alleged infringement occurred.
13.9 Right Not to Be Subject to Automated Decision-Making — You have the right not to be subject to a decision based solely on automated processing (including profiling), which produces legal effects concerning you or similarly significantly affects you. We do not currently carry out such processing, but if we do in the future, we will inform you and ensure that appropriate safeguards are in place.
14. Automated Decision-Making and Profiling
14.1 Gr4vy does not use personal data for automated decision-making that produces legal or similarly significant effects, unless explicitly stated and lawful safeguards are in place.
15. Cookies and Tracking Technologies
We use cookies and similar technologies on our websites to:
15.1 Understand site usage and improve functionality.
15.2 Provide analytics and performance data.
15.3 Deliver personalised content or marketing (subject to consent).
You can manage cookie preferences via your browser settings or our cookie banner.
16. Contact Information
16.1 If you have questions about this Privacy Policy or wish to exercise your rights, please contact:
Data Protection Officer (DPO)
Gr4vy Inc.
Email: dpo@gr4vy.com
16.2 EU Representative / UK Representative (Article 27 GDPR):
Details available upon request.
17. Changes to this Policy
We may update this Policy periodically to reflect changes in law, guidance, or our processing practices. Significant changes will be notified on our website or via other appropriate channels.