Privacy Policy
Last updated: June 2026
This policy explains what personal data grvy (“we”, “us”, “our”) collects when you visit grvy.ai or use our platform, why we collect it, and what rights you have. We respect your privacy and are committed to protecting your personal data in accordance with the UK GDPR, EU GDPR, and applicable data protection laws.
01 Who we are
grvy is the data controller for personal data collected on grvy.ai and in the grvy platform. If you have questions about how we handle your data, contact us at privacy@grvy.ai.
02 Data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, password (hashed) | You, on sign-up |
| Company data | Company name, ABN/company number, address, ERP credentials | You, during onboarding |
| Document data | Receipts, invoices, purchase orders you upload or email to grvy | You |
| Usage data | Pages visited, features used, timestamps, browser type, IP address | Automatically collected |
| Payment data | Subscription status, billing email — card details handled by Lemon Squeezy | Lemon Squeezy (processor) |
| Communications | Support emails, feedback messages | You |
We do not collect sensitive personal data (health, financial account numbers, biometrics, etc.).
03 Lawful basis
We process your personal data under the following lawful bases:
- Contract — processing necessary to provide the grvy service you have subscribed to.
- Legitimate interests — site analytics, fraud prevention, improving our product, and direct marketing to existing customers (you can opt out at any time).
- Legal obligation — retaining financial records, responding to lawful requests from authorities.
- Consent — analytics cookies (where you have given consent via our cookie banner). You may withdraw consent at any time.
04 How we use your data
- Provide, operate, and maintain the grvy platform
- Process and route financial documents using AI
- Manage your subscription and process payments
- Send transactional emails (receipts, approvals, system alerts)
- Respond to support requests
- Monitor and improve platform performance and security
- Comply with legal and regulatory obligations
We do not sell your data. We do not use your uploaded business documents to train AI models. AI processing of your documents is performed solely to extract structured data on your behalf.
05 Who we share data with
We share data only with trusted sub-processors required to operate the service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | AWS (US / EU) |
| Vercel | Web hosting and edge delivery | Global CDN |
| Anthropic | AI document processing (Claude API) | United States |
| Lemon Squeezy | Payment processing and subscription management | United States |
| Resend | Transactional email delivery | United States |
We may also disclose data if required by law, court order, or to protect the rights and safety of grvy, our users, or others.
06 International transfers
Some of our sub-processors are located in the United States. Where we transfer personal data outside the UK or EEA, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision where applicable.
07 Retention
We keep your personal data only as long as necessary:
- Account and company data — retained for the duration of your subscription plus 90 days after termination (to allow for reactivation or export). After that, accounts and associated personal data are deleted.
- Document data — retained while your account is active. You can delete documents at any time from within the platform.
- Billing records — retained for 7 years to comply with financial and tax regulations.
- Usage logs — retained for 90 days for security and debugging purposes.
08 Cookies
We use two categories of cookies:
| Category | Purpose | Consent required |
|---|---|---|
| Essential | Authentication session, security tokens, cookie preference storage | No — strictly necessary |
| Analytics | Understanding how visitors use the site (page views, navigation paths). No personal data is shared with third parties for advertising. | Yes — via consent banner |
You can change your cookie preference at any time by clearing your browser’s local storage for grvy.ai, which will reset the consent banner.
09 Your rights
Under GDPR / UK GDPR you have the following rights in relation to your personal data. To exercise any of them, email privacy@grvy.ai. We will respond within 30 days.
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data (subject to legal retention obligations).
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Ask us to limit how we process your data in certain circumstances.
- Objection: Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent: Withdraw cookie consent at any time without affecting prior lawful processing.
- Complain: Lodge a complaint with the ICO (UK) at ico.org.uk or your local supervisory authority (EU).
10 Children’s privacy
grvy is a business tool and is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with their data, contact us at privacy@grvy.ai and we will delete it promptly.
11 Changes to this policy
We may update this policy from time to time. When we make material changes we will notify active users by email and update the “Last updated” date above. Continued use of grvy after a policy update constitutes acceptance of the new policy.
12 Contact
For any privacy-related questions, data subject requests, or to withdraw consent:
We will respond within 30 days as required by law.
© 2026 grvy. All rights reserved.