Privacy policy for Clients’ end users (Data processor role)
Table of Contents
- Introduction
- Scope and Application
- Definitions
- Gr4vy’s Role as Data Processor
- Categories of Personal Data Processed
- Purposes of Processing
- Legal Basis for Processing
- Sub-Processing and Third Parties
- International Data Transfers
- Data Security Measures
- Retention and Deletion of Personal Data
- Assistance to Controllers and Data Subject Rights
- Personal Data Breach Management
- Records and Documentation (RoPA)
- Accountability and Audit Support
- Contact Information
1. Introduction
Gr4vy, Inc. (“Gr4vy”, “we”, “our”, or “us”) provides a cloud-based payment orchestration platform that enables its clients (each a “Controller”) to manage and route payment transactions across multiple payment service providers.
This Privacy Policy explains how Gr4vy processes personal data in its capacity as a data processor, strictly in accordance with the written instructions of its clients, and in compliance with applicable data protection laws, including:
1.1 The General Data Protection Regulation (EU) 2016/679 (“EU GDPR”).
1.2 The UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 as amended.
This Policy is intended to support transparency and demonstrate Gr4vy’s compliance with Article 28 GDPR and related obligations.
2. Scope and Application
2.1 This Policy applies solely to the processing of personal data performed by Gr4vy as a processor on behalf of its clients, where the client acts as the controller.
2.2 It does not apply to processing of personal data Gr4vy carries out in its own capacity as a data controller (e.g., with respect to employees, job applicants, vendors, or prospective customers). For such processing, please refer to our separate Privacy Notice (Controller Role).
3. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings set out below:
3.1 “Applicable Data Protection Law” means the EU GDPR, UK GDPR, and any other data protection or privacy laws to which Gr4vy is subject.
3.2 “Controller” means the natural or legal person which determines the purposes and means of the processing of personal data.
3.3 “Processor” means the natural or legal person which processes personal data on behalf of a controller.
3.4 “Data Subject” means an identified or identifiable natural person.
3.5 “Personal Data” means any information relating to a Data Subject.
3.6 “Processing” means any operation performed on personal data, such as collection, recording, structuring, storage, use, or disclosure.
3.7 “Sub-Processor” means any third party appointed by Gr4vy to process personal data on its behalf.
4. Gr4vy’s Role as Data Processor
Gr4vy processes personal data solely on behalf of and under the documented instructions of its clients. Such instructions are set out in:
4.1 The Master Services Agreement or SaaS Agreement.
4.2 The Data Processing Agreement (“DPA”).
4.3 Any other written instructions lawfully issued by the Controller.
Gr4vy does not determine the purposes or legal basis for processing, and shall not process personal data for its own purposes, unless expressly authorised in writing by the Controller or required by law.
5. Categories of Personal Data Processed
Depending on the configuration of services and integration by the client, Gr4vy may process the following categories of personal data:
5.1 Name, email address, and other contact details.
5.2 Pseudonymised payment transaction IDs.
5.3 IP address, browser and device metadata.
5.4 Payment method metadata (e.g., token, provider).
5.5 Risk scoring and fraud signal metadata.
5.6 Transaction timestamps, amounts, merchant identifiers.
5.7 Technical logs and diagnostics for support and debugging.
Gr4vy does not process payment card data (e.g. PAN, CVV) directly and does not store such information.
6. Purposes of Processing
Gr4vy processes personal data solely for the following business purposes, as instructed by the Controller:
6.1 Routing transactions to designated payment service providers.
6.2 Facilitating fraud detection and risk mitigation strategies.
6.3 Enabling dashboard reporting, analytics, and insights.
6.4 Providing technical support and incident management.
6.5 Performing service optimization and system diagnostics.
6.6 Complying with legal or regulatory obligations (where instructed).
Gr4vy shall not process personal data for advertising, profiling, or any secondary purpose unless explicitly permitted by the Controller.
7. Legal Basis for Processing
7.1 As a processor, Gr4vy does not determine the legal basis for processing personal data. The Controller is solely responsible for ensuring that all processing performed by Gr4vy is lawful and based on one or more valid legal grounds under Article 6 GDPR.
8. Sub-Processing and Third Parties
Gr4vy engages a limited number of third-party Sub-Processors to support the delivery of its services. Sub-Processors are subject to:
8.1 Prior due diligence and risk assessment.
8.2 Contractual obligations equivalent to those under the Gr4vy DPA.
8.3 Ongoing monitoring of compliance with security and privacy standards.
Controllers will be notified in advance of any intended addition or replacement of Sub-Processors, consistent with the terms of the applicable DPA.
A current list of Sub-Processors is available [here / upon request].
9. International Data Transfers
Gr4vy may transfer personal data outside the EEA/UK only where permitted by Applicable Data Protection Law, and subject to appropriate safeguards, including:
9.1 European Commission Standard Contractual Clauses (SCCs).
9.2 UK International Data Transfer Addendum or IDTA.
9.3 Adequacy decisions adopted by the European Commission or UK authorities.
9.4 Transfer Risk Assessments (TRAs) and supplementary measures where required.
10. Data Security Measures
Gr4vy implements technical and organisational security measures appropriate to the risks associated with data processing, including:
10.1 Encryption of personal data in transit and at rest.
10.2 Access control policies, identity and access management (IAM).
10.3 Network and application firewalls.
10.4 Logging, monitoring, and alerting systems.
10.5 Multi-factor authentication (MFA) and role-based access controls.
10.6 Security awareness training for personnel.
10.7 Business continuity and disaster recovery planning.
10.8 Regular audits, vulnerability scans, and penetration testing.
11. Retention and Deletion of Personal Data
Gr4vy retains personal data only for the duration of the client relationship or as otherwise instructed in writing by the Controller. Upon termination of services, Gr4vy will:
11.1 Return or delete personal data, at the Controller’s option.
11.2 Delete backup copies within a reasonable timeframe.
11.3 Certify the completion of such actions upon request.
No personal data shall be retained by Gr4vy beyond the retention period required for legal or compliance obligations, unless otherwise agreed with the Controller.
12. Assistance to Controllers and Data Subject Rights
Gr4vy assists Controllers in fulfilling their obligations to respond to data subject rights requests under Articles 12 to 22 of the GDPR. This includes:
12.1 Responding to data subject access, rectification, or erasure requests.
12.2 Supporting data portability or restriction measures.
12.3 Cooperating with Controllers in responding to objections or consent withdrawals.
12.4 Implementing technical and organisational means to facilitate such responses.
12.5 Gr4vy shall not respond directly to any data subject request unless legally required or explicitly instructed by the Controller.
13. Personal Data Breach Management
In the event of a personal data breach, Gr4vy shall:
13.1 Notify the Controller without undue delay after becoming aware of the breach.
13.2 Provide all relevant information required under Article 33(3) GDPR.
13.3 Cooperate with the Controller in managing breach containment, mitigation, and notification obligations.
13.4 Maintain an internal incident register and investigation documentation.
14. Records and Documentation (RoPA)
Gr4vy maintains a Record of Processing Activities (“RoPA”) as required under Article 30(2) GDPR. The RoPA includes:
14.1 Categories of processing activities conducted on behalf of each Controller.
14.2 Categories of data subjects and personal data processed.
14.3 Categories of recipients, including sub-processors.
14.4 Transfers to third countries and safeguards in place.
14.5 Security measures implemented to protect personal data.
15. Accountability and Audit Support
Gr4vy demonstrates accountability by:
15.1 Maintaining internal policies and procedures aligned with GDPR principles.
15.2 Delivering regular training and awareness programs.
15.3 Cooperating with external audits where contractually agreed.
15.4 Supporting Controllers with compliance documentation (e.g., Data Protection Impact Assessments (“DPIAs”), Transfer Risk Assessments (“TRAs”)).
16. Contact Information
To contact Gr4vy regarding data protection matters:
Data Protection Officer (DPO)
Gr4vy Inc.
Email: dpo@gr4vy.com
EU Representative and UK Representative (Article 27 GDPR):
Details available upon request.