Privacy Notice – European Economic Area (EEA), U.K. & Switzerland
Last Updated: January 2023
If you are located in the European Economic Area, U.K., or Switzerland, you may have rights under the General Data Protection Regulation (the “GDPR”). Under the GDPR, Gravy is required to provide individuals with certain information about the processing of their “Personal Data” and rights available to them with respect to such Personal Data.
The GDPR defines “Personal Data” as any data that identifies or can identify a particular unique user or device, including, name, address, mobile device identifiers, precise location data*, IP, cookie identifiers, and biometric data, among others.
* For clarity, “precise location data” does not mean “real-time” data. Instead, it is information that describes the precise geographic location of a device derived through any technology that is capable of determining with reasonable specificity the actual physical location of a device.
Your Rights in Connection with Personal Data
The GDPR grants you a number of rights with respect to your Personal Data that controllers, such as Gravy, may hold about you. Each of your rights is outlined in more detail below:
- Right to Access. This enables you to receive a copy of Personal Data we hold about you and to check that we are lawfully processing it.
- Right to Correct. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Right to Object. You have a right to object to the processing of your Personal Data. This right exists where we are collecting your Personal Data because we have a legitimate interest in that data (like preventing fraud) and there is something about your particular situation, which makes you want to object to processing on this ground. You also have a right to object where we are processing your Personal Data for direct marketing purposes.
- Right to Erasure. This enables you to ask us to delete or remove Personal Data where there is no good reason for us to continue to process it. You also have a right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing and we have not overriding legitimate ground to retain it.
- Restrict Processing. This right enables you to ask us to suspend the processing of Personal Data about you, for example, if you want us to establish its accuracy.
- Request Transfer. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent, or performance of a contract with you, for use of that personal Data.
- Lodge a Complaint. You have the right to file a complaint with the relevant data protection supervisory authority.
For more details on the rights you have in respect of your personal data, please refer to the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en)
How to Exercise your Rights
In order to exercise any of the rights described above, please contact us at [email protected].
We may need to request specific information from you to help us confirm your identity and assist us in responding to your request. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We will only use the information you provide to us when exercising your rights above to verify your identity or authority to make the request.
We will deliver our written response by mail or electronically, at your option. We will not charge you a fee for access to your personal information (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, excessive, or manifestly unfounded, or we may refuse to comply with your request in these circumstances.
Should you have a complaint, please contact us as soon as possible. If you feel that your complaint has not been adequately resolved, please note that the GDPR gives you the right to contact your local data protection supervisory authority.
Legal Basis for Processing Personal Data
In respect of each of the purposes for which we use your Personal Data, the GDPR requires us to ensure that we have a legally justified reason, or “legal basis” for that use. Most commonly, our legal basis for processing your Personal Data will be:
- In some cases, we rely on legitimate interest as our legal basis for processing your Personal Data. When we use Personal Data to maintain the security of our services, such as to detect fraud or to ensure that bugs are detected and fixed, to protect our system and information from unauthorized persons, and to comply with law, we rely on our legitimate interest. In determining our legitimate interest, we consider and balance any potential impact on you and your rights before we process your Personal Data to make sure that our interests do not override the impact on you.
- In certain circumstances, we process your Personal Data as necessary to perform a contract we are about to enter into or have entered into with you, or to communicate with our customers with respect to our services (“Contractual Necessity”).
- In some cases, we will process your Personal Data where we need to comply with an EEA, U.K., or Swiss legal or regulatory obligation (“Compliance with Law”).
Transfers of Personal Data
Gravy may share your Personal Data with third parties who are located in jurisdictions outside the EEA, U.K., or Switzerland. These jurisdictions have privacy laws that the European Commission considers are less protective of Personal Data than the privacy laws in your own country.
As described in the Privacy Shield Principles, Gravy is accountable for Personal Data that it receives and subsequently transfers to third parties to the extent such third parties who process Personal Data on our behalf do so in a manner that does not comply with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage. We are not, however, liable for the data handling practices of our third-party partners and customers unless they are acting on our behalf.
In compliance with the Privacy Shield Principles, Gravy commits to resolve complaints about our collection or use of your Personal Data. EEA, U.K. or Swiss individuals with inquiries or complaints regarding this Privacy Notice should first contact us at:
45610 Woodland Rd., Suite 100
Sterling, VA 20166
Gravy has further committed to refer unresolved Privacy Shield complaints to American Arbitration Association (AAA) an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit http://go.adr.org/privacyshield.html for more information or to file a complaint. The services of AAA are provided at no cost to you.
As further explained in the Privacy Shield Principles, binding arbitration before a Privacy Shield Panel will also be made available to you in order to address residual complaints not resolved by any other means. Gravy is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Please contact us with any questions or comments about this EEA, U.K. & Switzerland Privacy Notice or our practices at:
- General Privacy Email/DPO Contact: [email protected]
- General Contact Address:
Gravy Analytics, Inc.
45610 Woodland Rd., Suite 100
Sterling, VA, 20166
- EU Data Protection Representative:
DataRep has locations in each of the 27 EU countries, the UK, and Norway & Iceland in the European Economic Area (EEA). If you want to raise a question to Gravy Analytics related to the GDPR or the exercise of your rights in respect of your personal data, you may do so by:
- Sending an email to DataRep at [email protected],
- Contacting DataRep via their online webform at: datarep.com/datarequest, or
- Mailing your inquiry to DataRep at the most convenient of the addresses set forth under DataRep Addresses.
PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for “DataRep”, and not “Gravy Analytics, Inc.” or your inquiry may not reach DataRep. Please refer clearly to Gravy Analytics, Inc. in your correspondence. Please do not contact DataRep for any general inquiries regarding Gravy’s services.