Legal
Privacy Policy
Last updated: March 21, 2026
1. Introduction
GravityFlo ("we", "us", "our"), operated at gravityflo.ai, is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data.
This policy applies to all users of the GravityFlo platform, including account holders and their email subscribers.
2. Data We Collect
Account Data (from you, the user)
- Name and email address (during registration)
- Brand name, contact information, and account preferences
- Payment information (processed securely by Stripe — we do not store card numbers)
- Email content you create (campaigns, templates, sequences)
- Brand voice reference materials you upload for AI analysis
Subscriber Data (your contacts)
- Email addresses and names of subscribers you import or collect via forms
- Tags, custom fields, and metadata you assign to subscribers
- Engagement data: email opens, clicks, bounces, and complaints
- Form submissions and responses
- Subscription status and preference selections
Technical Data (collected automatically)
- IP address, browser type, and device information
- Pages visited and features used within the platform
- Cookies and similar tracking technologies (see Section 7)
3. How We Use Your Data
We use collected data to:
- Provide the Service — Send emails on your behalf, manage subscribers, run sequences and automations
- AI Features — Generate email copy, analyze brand voice, perform sentiment analysis, and optimize subject lines using AI models
- Analytics — Track email engagement (opens, clicks, bounces) to provide reporting and insights
- Improve the Service — Understand usage patterns to fix bugs and develop new features
- Billing — Process payments and manage subscriptions
- Communication — Send service-related notifications (account alerts, billing confirmations, security notices)
We do not sell, rent, or share your data or your subscribers' data with third parties for their marketing purposes.
4. Legal Basis for Processing (GDPR)
If you are located in the UK or European Economic Area, we process your personal data under the following legal bases:
- Contract performance — Processing necessary to provide the Service you signed up for (account management, email sending, subscriber management, billing)
- Legitimate interest — Processing necessary for our legitimate business interests (service improvement, security monitoring, fraud prevention, usage analytics) where those interests are not overridden by your rights
- Consent — Processing based on your explicit consent (AI analysis of your brand voice samples, optional marketing communications from GravityFlo). You may withdraw consent at any time
- Legal obligation — Processing required to comply with applicable laws (tax records, anti-spam compliance, responding to lawful data requests)
5. Third-Party Services
GravityFlo uses the following third-party services to operate the platform:
Supabase
Database hosting and authentication. Your account data and subscriber data are stored in Supabase's PostgreSQL infrastructure.
Resend
Email delivery service. Resend transmits emails on your behalf and processes delivery events (opens, clicks, bounces).
Stripe
Payment processing. Stripe handles all payment transactions. We never see or store your full card details.
Anthropic (Claude AI)
AI features. Email content, brand voice samples, and subscriber engagement data may be sent to Anthropic's API for AI-powered generation, analysis, and optimization. Data sent to AI models is not used to train those models.
Netlify
Application hosting and deployment. The GravityFlo web application is hosted on Netlify's infrastructure.
Each third-party service has its own privacy policy. We recommend reviewing their policies for details on how they handle data.
6. Data Retention
- Active accounts: Data is retained for the duration of your account
- Closed accounts: You have 30 days to export your data after account closure. After 30 days, all data is permanently deleted
- Email engagement logs: Retained for 12 months for analytics, then aggregated and anonymized
- Unsubscribed contacts: Email address retained in a suppression list to prevent future sends, as required by anti-spam laws
7. Data Security
We protect your data with:
- Encryption in transit (TLS/HTTPS on all connections)
- Encryption at rest (database-level encryption via Supabase)
- Secure authentication with hashed passwords
- Access controls limiting data access to authorized personnel only
- Regular security reviews of our infrastructure and dependencies
No system is 100% secure. If we discover a data breach that affects your account, we will notify you within 72 hours as required by applicable law.
8. International Data Transfers
GravityFlo is operated from the United Kingdom. However, the third-party services we use to operate the platform (including Supabase, Resend, Stripe, Anthropic, and Netlify) may process and store data in the United States or other countries outside the UK and European Economic Area.
Where your data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including reliance on the service providers' Standard Contractual Clauses (SCCs), UK International Data Transfer Agreements, or adequacy decisions as applicable.
By using the Service, you acknowledge that your data may be processed in jurisdictions with different data protection laws than your country of residence.
9. Cookies
GravityFlo uses cookies for:
- Authentication: Session cookies to keep you logged in
- Preferences: Remembering your settings and UI preferences
We do not use third-party advertising or tracking cookies. We do not sell cookie data to third parties.
10. Your Rights
Depending on your location, you may have the following rights:
- Access — Request a copy of your personal data
- Correction — Request correction of inaccurate data
- Deletion — Request deletion of your personal data
- Portability — Request your data in a machine-readable format (CSV export)
- Objection — Object to certain types of data processing
- Withdrawal of consent — Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at privacy@gravityflo.ai. We will respond within 30 days.
11. Your Subscribers' Data
As a GravityFlo user, you are the data controller for the subscriber data you collect and manage through the platform. GravityFlo acts as a data processor on your behalf.
You are responsible for:
- Obtaining proper consent from your subscribers before sending them emails
- Providing your subscribers with a way to unsubscribe (GravityFlo includes this automatically)
- Responding to data subject requests from your subscribers
- Having your own privacy policy that discloses your use of GravityFlo
12. Children's Privacy
GravityFlo is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top of this page reflects the most recent revision.
14. Contact
For privacy-related questions or requests, contact us at: