Privacy Policy

Effective Date: March 28, 2025


Privacy and security are very important to us at Tail Risk, Inc., the company behind the Gravy mobile app.


This End User Privacy Policy (“Policy”) is meant to help you (the “end user”) understand how we at Gravy collect, use, and share your data when you use Gravy products or services. This Policy applies to Tail Risk, Inc. (collectively, “Gravy,” “we,” “our,” and “us”). (Please see the "Contacting Gravy" section below for which of these entities is responsible for processing your data.)

You should read this Policy carefully. It contains important information about your privacy rights and choices.


First, Some Background

The Gravy mission is to make saving on shopping fun and zero effort. By delivering access to exciting and user-friendly cash back rewards, we help consumers save money automatically at their favorite shops.


About this Policy

Our goal with this Policy is to provide a simple and straightforward explanation of what data Gravy collects from and about you and how we use and share that information. We value transparency and want to provide you with a clear and concise description of how we treat your data.

Gravy's services are not directed to individuals under 21, and we do not knowingly collect data relating to children.


Promotional Communications

You can opt out of receiving email and in-app push notifications containing promotional messages from us by following the instructions on-screen or in those messages. If you opt out, we may still send you non-promotional communications, such as transaction receipts and messages about your account or our processing of your information.


Our Data Practices

Gravy is committed to providing end users with meaningful control over their data. This section describes Gravy's data practices relating to our processing of data about you. We also provide summaries of our practices by data category and product in the "Summaries of Processing Activities" section.


Data We Collect and Categories of Sources

The data we collect depends on the shops you connect through Gravy. Depending on third-party apps you connect, we may collect:

- Registration and Contact Information: name, email, password, social media usernames, phone number, and addresses.

- Transaction Information: offers viewed/redeemed, products purchased, store preferences, and interactions with our services and partners.

- Shop Session Data: cookies, session storage, and local storage (only used to automate shopping on your behalf).

- Shop Purchase Information and History: item descriptions, purchase times, costs, and store details. Includes info from receipts (e.g., payment type, EBT use).

- Shop Loyalty and Retailer Account Info: purchase and transaction info from connected retailer accounts.

- Geolocation Information: general and precise location data (only if allowed by your device).

- Mobile Device Info: device ID, settings, OS, usage data.

- Invisible CAPTCHA: used for security, operates in the background. Data handled per [Google Privacy Policy](https://www.google.com/policies/privacy/).

- Cookies and Similar Technologies: session and persistent cookies, pixel tags, beacons, and analytics tools.

- Additional Info to Connect Accounts: such as one-time passwords (OTP).


Data We Receive from Devices

We may collect the following from your smartphone, tablet, or computer:

- IP address

- Timezone and location

- Device model and OS

- Browser and network data


Data from Other Sources

To provide services or ensure security, we may receive data from third parties such as wireless carriers or service providers.


How We Use Your Data

We use your data to:

- Provide and maintain services

- Improve and develop new services

- Verify identity and prevent fraud

- Offer support

- Communicate updates and messages

- Investigate misuse

- Comply with legal obligations

- Fulfill other purposes with your consent

We may use anonymized or aggregated data for analytics, research, and service development.


Our Lawful Bases for Processing (EEA and UK)

Only U.S.-based users are eligible for Gravy services.


Third Parties

We do not share data with non-affiliated third parties unless legally permitted. We only share your financial data to operate services you requested, with your consent, or to prevent fraud. Cookie data may be shared with third parties. See our Cookie Policy and All Audience Privacy Statement for details.


California Privacy Notice (CCPA)

CCPA gives California residents rights regarding their personal information, including:

- Know, access, and correct personal information

- Opt out of data sale or sharing

- Limit use of sensitive information

- Request deletion of personal data

To exercise these rights, contact [privacy@gravyapp.com].


Right to Non-Discrimination

Gravy will not discriminate against users for exercising privacy rights. However, certain personalized features (e.g., custom offers) may be affected.


Right to Delete

You may request deletion of personal data. This will affect personalization and pending rewards may be lost. Login credentials will be retained so you may continue using your account.


We may deny deletion if required for:

- Completing a transaction

- Detecting fraud or illegal activity

- Debugging

- Exercising legal rights

- Compliance with law

- Research

- Internal business use


Right to Correct

You can request corrections to inaccurate personal data. Changes are reflected promptly but may be retained for legal or business purposes.


Retention and Deletion Practices

We retain data only as long as needed. If a developer disconnects your data, we will delete your personal data unless legally required to retain it.


Protection of Data

We apply security controls to protect your data and limit access to authorized personnel.


Your Data Protection Rights

We honor the following rights (with some legal limitations):

- Access, correct, delete, or restrict personal data

- Object to processing

- Withdraw consent

- Receive data in portable format


To exercise rights, contact [help@gravyapp.com](mailto:help@gravyapp.com). We may request identity verification.

Complaints can be directed to local data protection authorities or to our DPO at [privacy@gravyapp.com].


Tail Risk, Inc. has appointed a Data Protection Officer (DPO) who oversees compliance and privacy practices. Contact the DPO at [privacy@gravyapp.com].