Gravito Privacy Notice


This document is in effect since the beginning of September 2021.

This Privacy Notice details what information we collect about you, how we use it and what are your rights and choices.

In this document “Gravito” refers to Gravito Oy which is a Finnish limited company (company ID 2891268-5).

By “Service” we mean the Gravito service as detailed by our Terms and Conditions.

User Data

The key for interacting with the Gravito’s services (handshake API’s) is based on the users Gravito Profile and the collection of an observed profile. The key behind Gravito’s ideology is to give complete transparency to the user on the data that is been collected and used. The businesses users of Gravito can freely use any data about the user as long as there is a consent in place.

Customer-provided information

From business customers who sign-in to our Gravito Portal we collect the following information:

Email addressRequired in order to sign into the portal
Business domainRequired
Business nameOptional
Business IDOptional
Phone NumberOptional
Billing and payment informationRequired for subscriptions
Messages with our support and salesRequired for customer support. We retain email messages between you and our staff
User information from integrated toolsRequired if integrations enabled.

Cookies and tracking

We use cookies on our websites and applications.

Cookies are small files that a site or its service provider transfers to your computers hard drive through your Web browser (if you allow) that enables the site or service provider’s systems to recognize your browser, capture and remember certain information. We use cookies to compile aggregate data about site and application traffic and interaction so that we can offer better experience and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

Cookies are also used to store current session/login information for the Service.

Gravito and Data Processing

The way Gravito processes data is compliant with GDPR legislation. Gravito collects data to our Azure infrastructure. All data is encrypted on transfer and at rest.

Data Collection

Data collection is essential to solution to work. Every website, mobile application, email, redirected URL etc. will contribute to data collection. If the customer has given the consent to collect the data of his/her behavior, will that enrich the customer profile. In opposite case the data is not being collected from domains that don’t have the consent or not collected at all.


Everything in Gravito works around consents, meaning the permissions to use data and different channels to communicate with customer. Consents are given on domain and company level, allowing different setup for any party in Gravito network or all settings can be global and management of permissions is super-simple to end-user.


End-user can connect his/her data to various parties in Gravito network. In basic this means that one customer profile can be used by various companies and their subsidiaries and end-user controls whether data is shared between these parties. Each party has also their private data that is never shared so business critical and trade secret type of data is not shared to other parties.


Every user in Gravito is in full control of their own data and how it is used. Transparent system allows monitoring and reporting of how data is being used and settings for control can be changed any time and those are reflected immediately.


 When customer data is being shared between multiple companies or subsidiaries it grows in value. Valuable data allows better customer experience and well targeted offers and service. Again, all consolidation is controlled by the end-user and without permission no data is combined with other domain ever.


 Growing value of data means commercial interest. This benefits the end-user directly; they can commercialize the data that is being collected about them and decide the balance between sharing and the commercial value. Value can materialize as well-targeted offers where the price is reduced with the value of data.


 Centralized customer data allows border-crossing loyalty programs, instead of registering to tens of those the customer can centralize their behavior as buying customer, decide how much different parties are able to target and consume that data. Consumer will see this as bundled offers and chained affiliation programs.


End-user is allowed to change his/hers mind anytime, change their profile data regarding the address, email, telephone etc. or change the permission settings and control e.g. how much newsletters and other type of communication is received.

Gravito and Privacy

We have been and are continually training all our employees in data protection awareness. 

All of our vendors have been reviewed, evaluating their compliance status, and arranging similar GDPR-ready data processing agreements with them, or stopped using their tools if we don’t achieve a healthy level of compliance.

These are the details of what information Gravito collects about you, how we use it, and what are your rights and choices. Gravito rolls on consents, and all data we collect is consented by the end-user. Gravito classifies its consents into two different parts: 1) Channel Consents and 2) Data Consents

1) Channel Consents

Web: Personalized web content based on your behaviour and preferences.

Mobile: Permission to send you mobile push notifications.

Email: Permission to contact you via e-mail.

SMS: Permission to send you SMS’s.

Call: Permission to contact you via phone call.

Snail mail: Permission to send you direct postal mail.

2) Data Consents

Data Collection: Permission to observe your behavioral data, i.e. your actions on the web anonymously.

Analytics: Permission to analyze your behavioral data anonymously.

Targeting: Permission to allow personally targeted messages based on the analysis of your behavioral data on the web. 

Cross Device: Permission to allow cross-device identification. You will be able to identify individual devices.

Sharing Data: General permission to allow sharing anonymous data with chosen 3rd parties to improve personalized messaging to you.

Reidentification: General permission to allow sharing anonymous data with chosen 3rd parties to improve personalized messaging to you.

How are we collecting the data?

Gravito operates on different levels of profile types. The profile types capture different amount of data based on their business purpose:

Profile Type Captured data Purpose/feature for data collection
Micro Profiles N/AGravito and TCF CMP, Micro profiling API, Cross Domain Profile sharing using matchOnId 
Observed Profile/Anonymous profiles Device, Browser, Domains visited, consent matrix,  Gravito and TCF CMP, Observe API, Cross Domains Profile sharing using OpUid, streaming connector 
Gravito Profile  Email, Phone no*, devices, domains per devices, consents, segments  Gravito and TCF CMP, Gravito Profile API, Omnichannel Marketing, Cross Domains Profile sharing using GravitoId 

We use the collected user data to provide the Gravito services in delivery, maintenance, and enhancement of the Service, to provide support and to prevent or address technical or security issues.

To communicate with you

We may send you service-related messages and notifications. These include notifications that are part of the service. We also send administrative messages regarding your Gravito subscriptions, technical status updates and other related notifications.

We may also send you messages or call you regarding new product features and helpful tips on using the product and to offer training and support. You can opt-out from such messages and calls at any time.

For payments and billing

We collect payment and billing data from Gravito customers for fulfilment of payments for the Service.

For improvement of the Service and analytics

To help improve the Service, our website and Gravito Portal and to develop new features and functionality we collect and analyze usage information. Processing User Data for analytics purposes is done in aggregated or anonymized form.

Legal basis

We process User Data only where:

  • Processing User Data is necessary for providing the Service.
  • Processing is necessary to comply with a legal obligation.
  • Processing is in legitimate interests of Gravito, but not in conflict of our users’ rights.

Your rights

If you no longer wish to receive our newsletter or other promotional messages, you can opt-out of receiving them by following the instructions included on such messages.

You can request a copy, correction or deletion of your personal data by emailing We will respond to your request within 30 days.

You can object to our processing of your personal data at any time. For any requests or concerns, please contact our Data Protection Officer at 


At Gravito, we take privacy and security seriously, and implement a variety of security measures to maintain the safety of your data. Gravito portal has been audited from security perspective by a third party in 2020. 


We store our data in Microsoft Azure data centers in Europe (Ireland and Germany). The data is not transferred outside the EU.

Sharing and Disclosure

We do not share or disclose information to third parties except in the following situations:

User instructions or consent

Information may be disclosed to third parties if we are explicitly instructed to do so by the user, or by user consent.

Third-party service providers

We may engage third-party companies service providers or business partners to process our data and to support our business. These include for example server and hosting providers, payment processors and customer service and management tools. We ensure that these third parties process your data with utmost care and in accordance with the privacy legislation.

An up-to-date list of our processors is available on request from 

Change of ownership

We may disclose User Data to allow a change of ownership of Gravito (including, but not limited to, an acquisition by or merger with another company) and related transfer of all such information to the new owner, in which case any information remains protected in accordance with this Privacy Notice.

Legal obligations

We may disclose personal data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.

Enforcement of our rights, prevention of fraud, and for safety

We also may disclose personal information to:

  • protect Gravito from fraud, abuse or other criminal activity
  • protect Gravito rights and property against third-party allegations and claims
  • enforce our contracts and policies
  • protect rights and safety of others

Data Retention

We keep your data as long as you remain as a Gravito User. You can request your user account to be removed by contacting our support at For legal reasons we have to retain certain information for a longer period. This includes such information as billing and payments data.


EU General Data Protection Regulation (GDPR)

As an EU based company with customers in the EU, we are committed to EU General Data Protection Regulation. You can read about our GDPR compliance in a separate section in the end of this document. 

Information Regarding Children and Youth

We do not collect any information from anyone under 18 years of age. Our website, products and services are all directed to people who are at least 18 years old or older.

Changes to this Privacy Notice

We will notify Gravito users of any non-trivial changes to this Privacy Notice via email.

Data Protection Authority

Finnish Data Protection Authority:
Office of the Data Protection Ombudsman

Contacting us

Please feel free to contact us if you have questions regarding our privacy, this notice or practices. You can email us at 

Our mailing address is:

Gravito Oy
Lapinlahdenkatu 16
00180 Helsinki