Updated September 7, 2023

Privacy Policy


At Gr4vy, we take Privacy seriously. Please read this Privacy Policy to learn how we treat data that pertains to Customers and Customers’ businesses as detailed below (“Customer Data”). 

“Customer Data” means any information that identifies or relates to a particular individual and also includes information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules or regulations pertaining to Customer and Customer’s business as detailed under “Customer Data” – “Categories of Customer Data We Collect”.

By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share information as described in this Privacy Policy. 

Remember that the use of Gr4vy’s Services is at all times subject to our Terms of Use, which incorporates this Privacy Policy. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Use. 

You may print a copy of this Privacy Policy. If you have a disability, you may access this Privacy Policy in an alternative format by contacting legal@gr4vy.com.


What this Privacy Policy Covers

This Privacy Policy covers how we treat Customer Data that we gather when our Services are accessed and/or used by but not limited to you and/or your Buyers. This Privacy Policy does not cover the practices of companies we don’t own or control or people we don’t manage.


Customer Data

Categories of Customer Data We Collect

This chart details the categories of Customer Data that we may collect:

  • Payment method data
    • Card number
    • Expiry date
    • Scheme
    • Last 4 digits
    • Name on card
    • Sort code and bank account number
    • Email address or other unique ID associated to the payment method used
  • Transactional data
    • Item purchased
    • Amount
    • Currency
  • Buyer billing details
    • Display name
    • External ID
    • Shipping address
    • Billing address
    • Email address
    • Phone number
    • Tax ID
  • Additionally, the following data is collected but not stored.
    • User IP
    • User agent
    • Browser feature support
    • Card security code

No Customer Data is transferred outside Gr4vy, except for where it is sent directly to the Payment Service Providers and other services configured by you for orchestration. This includes Gr4vy’s central data storage.

Sources of Data

We collect Customer Data from the following categories of sources:


  • When you provide such information directly to us.
  • When you voluntarily provide information in free-form text boxes through the Services or through responses to surveys or questionnaires.
  • When you send us an email or otherwise contact us.  
  • When you use the Services, such information is collected automatically.

Third Parties:

  • We may receive additional personal information from any Payment Service Provider and other services configured by you for orchestration.
  • We may use analytics providers to analyze how you interact and engage with the Services, or third parties may help us provide you with customer support.


Our Commercial or Business Purposes for Collecting Data

Providing, Customizing and Improving the Services

  • Providing support and assistance for the Services.
  • Improving the Services, including testing, research, internal analytics and product development.
  • Carrying out other business purposes stated when collecting Customer Data or as otherwise set forth in applicable data privacy laws, such as the European General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act (the “CCPA”).

Meeting Legal Requirements and Enforcing Legal Terms

  • Fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities.
  • Protecting the rights, property or safety of Gr4vy or another party.
  • Resolving disputes.

We will not collect additional categories of Data or use the Data we collected for materially different, unrelated or incompatible purposes without providing you notice.


How We Share Data

We disclose Data to the categories of service providers and other parties listed in this section. Depending on state laws that may be applicable to you, some of these disclosures may constitute a “sale” of personal data. For more information, please refer to the state-specific laws.

Service Providers. These parties help us provide the Services or perform business functions on our behalf. They include:

  • Hosting and technology providers.
  • Security and fraud prevention providers.
  • Financial services.

Our payment processing partners collect your voluntarily-provided payment card information necessary to process payments. We additionally may share the voluntarily provided payment card data with other financial services to provide additional payment features like 3-D Secure and Network Tokenization.

Please see processing partners’ terms of service and privacy policy for information on their use and storage of Data.

Analytics Partners. These parties provide analytics on usage of the Services. They include:

  • Companies that track how users interact with the Services.

Parties You Authorize, Access or Authenticate

  • Third parties you access through the services.


Business Transfers

All Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part). Should one of these events occur, we will make reasonable efforts to notify you before your information becomes subject to different privacy and security policies and practices.

Data that is Not Personal Data

We may create aggregated, de-identified or anonymized data from the Data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified or anonymized data in any way and we may share it with third parties for our lawful business purposes, including to analyze, build and improve the Services and promote our business (including machine learning), provided that we will not share such data in a manner that could identify you or your Buyers.  


Data Processing Agreement

To provide the Services to you and your Buyers, Gr4vy needs to process Data as outlined in this Data Privacy Policy. To enable us to do so, Gr4vy and you enter into the Data Processing Agreement (DPA) attached hereto as Exhibit 1.

Data Security and Retention

We seek to protect Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Data and how we are processing such Data. We retain Data about you and your Buyers for as long as necessary to provide you with our Services. In some cases we retain Customer Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you or your Buyers personally.

Changes to this Privacy Policy

We’re constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time, but we will alert you to any such changes by placing a notice on the Gr4vy website, by sending you an email and/or by some other means. Please note that if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes. Use of information we collect is subject to the Privacy Policy in effect at the time such information is collected.

Contact Information

If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Customer Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at:

  • Website: www.gr4vy.com 
  • Email: legal@gr4vy.com
  • Address: 303 Twin Dolphin Drive, 6th Floor, Redwood City, California 94065

If you are located in the European Union, you may use the following information to contact our Data Protection Officer and our European Union-Based Member Representative:

Please contact Gr4vy at legal@gr4vy.com and we will provide you with our EU member representative’s contact information.

Data Processing Agreement
The Parties agree on the data processing agreement (DPA) in Exhibit 1.


Exhibit 1: Data Processing Agreement (DPA)

  1. Introduction. 
    1. The Data Processing Agreement (“DPA”) forms part of the Privacy Policy if and to the extent it applies. In the event of conflict between this DPA and the Privacy Policy, this DPA shall prevail. The Parties hereby agree to the terms upon which the Customer (hereinafter “Controller”) will provide Gr4vy (hereinafter, “Processor”) with Personal Data and the Processor shall Process the Personal Data.
    2. This DPA shall apply from the date of acceptance of the Privacy Policy or the use of the Vault Services whichever occurs first and until such time that Processor ceases to Process Personal Data on behalf of the Controller. 
    3. Capitalized and defined terms shall have the meaning set forth in the Agreement unless otherwise defined herein.
  2. Purposes of Processing. Processor shall, in accordance with the Agreement, provide the Controller with the Services.
  3. Definitions. All capitalized terms not otherwise defined herein shall have the respective meaning given to such terms in the Agreement or the GDPR.

“Agreement” means the current Agreement between Controller and Processor of which this annexed Data Protection Agreement forms an integral part.

“Data Protection Act” means the data protection laws and regulations at all times valid and applicable within the country where Processor is registered, including but not limited to GDPR.

GDPR Regulation (EU) No 679/2016 (the “General Data Protection Regulation” or the “GDPR”).

“Fraud Database Service Provider” means a government body or other third party service provider that checks whether an identity document has been previously identified to them as fraudulent (subject to Clause 8 on Sub-processing).

“Personal Data” means any personal data or sensitive personal data as defined in the Data Protection Act, which are subject to, or intended to be subject to, Processing by the Processor for, or on behalf of the Controller as per the Controller’s instructions.

“Process” or “Processing” means the processing, as defined in the GDPR, of Personal Data.

“Services” means the services provided by the Processor to the Controller as defined in the Terms of Use Cloud Vault Services.

  4. Instructions. Processor shall only be entitled to Process the Personal Data for the purposes set out in Article 2 above, and in accordance with the Controller’s written instructions, and in any event in compliance with applicable laws and legal obligations. Processor may not Process the Personal Data for a longer period than what is necessary for the fulfillment of its undertakings under the Terms of Use Cloud Vault Services.
  5. Restricted access. Processor shall not give access to the Personal Data by any third party with the exception when: (i) the Services include the sending of identity documents to a Fraud Database Service Provider (subject to Clause 8 on Sub-processing); (ii) the Fraud Database Service Provider may retain identity documents that are suspected to be fraudulent for the purpose of identifying fraud in the future; and (iii) any identity documents retained by a Fraud Database Service Provider shall not be treated as Personal Data or Confidential Information by Gr4vy. Processor shall take adequate measures to prevent unlawful or accidental access to Personal Data by any third person.
  6. Security.
    1. The Processor shall take Appropriate Technical and Organizational Measures to protect the Personal Data while considering the technical options that are available, the costs to implement the measures, the specific risks that are present with the current Processing of Personal Data, and the sensitivity of the Personal Data that is Processed. Such measures shall at least:
      • Protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure (including by use of pseudonymisation and encryption for data in transit and at rest, where possible);
      • Treat and safeguard the Personal Data as strictly private and confidential;
      • Restore the availability and access to Personal Data in a timely manner in accordance with Processor’s back-up policy, in the event of a physical or technical incident;
      • At all times having in place and adhering to a suitable, written data protection policy with respect to the Processing of Personal Data.
    2. Furthermore, Processor shall not without prior written notice cause or permit the Personal Data to be Processed outside the European Economic Area or such other countries that the EU Commission has determined to provide an adequate level of data protection in accordance with the General Data Protection Regulation (EU 2016/679), e.g. Processor shall agree and put in place entered into European Commission approved Standard Contractual Clauses or other data protection safeguards in compliance with Data Protection Act.
  7. Auditing, Assistance and Reporting.
    1. Processor shall cooperate with and assist the Controller when necessary to comply with the Data Protection Act, and to enable Data Subjects to exercise their rights under the Data Protection Act. Processor shall allow for and assist in audits, including inspections, following Controller’s legitimate written request and at such times as agreed between the Parties. The Processor shall in such event make available facilities, policies, documents and information necessary and limited for the purpose of the audit, and as relevant with regards to the Processing of Personal Data on behalf of the Controller and as provided for by mandatory Data Protection Act provisions.
    2. An audit shall not grant the Controller access to Processor’s, or any third-party’s, trade secrets or proprietary information unless required to comply with the Data Protection Act. The Controller shall ensure that its personnel conducting such audits are subject to adequate secrecy obligations.
    3. In the event that a Data Subject, Supervisory Authority, law enforcement authority or any other third-party requests information from the Processor regarding Processing of Personal Data, the Processor shall refer the requesting party to the Controller and may not disclose any Personal Data to the requesting party, nor act on the Controller’s behalf, unless otherwise required by applicable law.
    4. The Processor shall promptly, and at the latest within applicable time-limits set forth in the Data Protection Act, notify the Controller about: (a) any legally binding request for disclosure of the Personal Data by the Supervisory Authority, or a law enforcement authority, unless otherwise prohibited; and (b) any request received directly from the Data Subjects, without responding to that request, unless it has been authorised by the Controller to do so.
    5. Furthermore, the Processor shall immediately notify the Controller in case of accidental or unauthorized access to the Controller’s Personal Data or other security incident involving the Controller’s Personal Data. Such notification shall at least: (a) describe the nature of the Personal Data incident, including, if possible, the categories and number of data subjects concerned and categories of Personal Data concerned; (b) provide name and contact details to the Data Protection Officer or other contact point where further information can be obtained; (c) describe the likely consequences of the Personal Data incident; and (d) describe what actions have been taken, or which the Processor proposes to take, to correct the Personal Data incident, including, where appropriate, measures to reduce any adverse effects.
    6. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  8. Sub-Processing.
    1. The Processor shall not engage with other processors without prior specific written consent of the Controller. The current Sub-Processors are listed in Appendix B.
    2. The Controller hereby agrees that the Processor may, when relevant for the purposes of maintaining, developing and/or enhancing the Services, exchange Processors or add other Processors. The agreement is however conditional upon the Processor: i) having entered into separate data processing agreements with such Processors that are in accordance with this Data Processing Agreement and in any case comply with Data Protection Act; ii) giving the Controller reasonable (in any event no less than thirty (30) working days) prior written notice of such an intended change or addition including details of the provider, the purpose and scope of sub-processing and the related data processing agreement.
    3. The Controller may object to such notified change in the event of its reasonable concerns with regards to the appropriate protection of Personal Data. Such objection shall be detailed in writing within fifteen (15) working days from the Processor’s original notice where after the Parties shall in good faith endeavour to settle the situation. In the event that the Controller’s reasonable concerns still remain after conclusion of such good faith effort, then either Party shall have the right to terminate the Services under the Terms of Use Cloud Vault Services forthwith by written notice without liability for either Party.
  9. Ownership of and Liability for Data.
    1. The Processor hereby acknowledges and agrees that the Processor shall never at any time receive ownership of the Personal Data supplied to the Processor by the Controller pursuant to the Terms of Use Cloud Vault Services unless and to the extent described in the Terms of Use Cloud Vault Services. Upon the termination of the Services under the Terms of Use Cloud Vault Services, Processor will delete all such Personal Data that Processor has no rights to keep (i.e. where Processor itself became Controller of) or, if Controller requests in writing, Processor shall instead return all such data before deleting any remaining copies. Such a request must however be done within thirty (30) days after the termination of the Services under the Terms of Use Cloud Vault Services.
    2. Controller represents and warrants that: (i) Controller owns or has obtained the consents and rights related to Personal Data transferred to Processor for processing, and Controller hereby grants Processor a license to use such Personal Data in accordance with the Terms of Use Cloud Vault Services and this DPA; (ii) the Personal Data does not infringe or violate any patents, copyrights, trademarks or other intellectual property, proprietary or privacy or publicity rights of any third party; and (iii) Controller shall not use Processor services in order to profile, monitor or any other action which is restricted under GDPR and other applicable privacy laws. Controller shall remain solely responsible and liable for the Personal Data and expressly releases Processor from any and all liability arising from Processor’s use of Personal Data as permitted herein.
  10. Liability. Each Party is liable in accordance with the Data Protection Act, subject to the general limitation of liability as set out in the Terms of Use Cloud Vault Services. Each Party accepts and acknowledges that any penalties or administrative fines imposed on either Party (or both) by the supervisory authority pursuant to the Data Protection Act shall be regarded as conclusive and thus agrees to refrain from making any claims for compensation through recourse proceedings (or otherwise) against the other Party on the basis thereof.
  11. Confidentiality. The Processor shall not, without the prior written consent of the Controller, divulge the whole or any part of the Personal Data to any person. To the extent that any Personal Data is disclosed to employees or consultants of the Processor in accordance with Article 11, the Processor shall ensure that such individuals are bound by non-disclosure undertakings no less onerous than those set forth herein and in the Terms of Use Cloud Vault Services.
  12. Future changes to the Data Protection Act. In the event that either Party deems changes of this Data Protection Agreement to be necessary due to changes of the Data Protection Act, the Parties shall negotiate any such change in good faith and amend any changes agreed by written amendment to the Terms of Use Cloud Vault Services. A change shall be deemed necessary if needed in order to avoid any form of new/additional liability or risk of liability for either Party.


Appendix A

Processing categories

The Processing of Personal Data in accordance with the Terms of Use Cloud Vault Services may concern the following categories of Data Subjects and categories of Personal Data:

  • Cardholder Data (Payment card details):
    • Card number
    • Name on the card
    • Expiry date
    • CVV2
    • Billing address
  • Bank Account Data:
    • Bank account number
    • Bank name
    • Account holder name
    • Account holder address
  • Alternative Payment Data:
    • Email address associated with digital wallets and alternative payment methods such as PayPal
    • Username associated with digital wallets and alternative payment methods such as Crypto currency wallets
  • Browser data:
    • Browser user agent
    • Browser feature support


Appendix B

Sub-Processors

  • Giesecke+Devrient (G+D)
  • Pagos
  • Google Cloud
  • 3dsecure.io