Privacy Policy

Gravicity Inc. is responsible for personal information in our possession or custody, including information that has been transferred to third-party service providers acting on our behalf. We have designated a Privacy Officer who is accountable for our compliance with this policy and applicable privacy legislation.

Our Privacy Officer oversees our compliance with PIPEDA's 10 Fair Information Principles, Quebec Law 25 requirements, and GDPR obligations where applicable. All employees and contractors who handle personal information are required to adhere to this policy and applicable data protection procedures.

We collect the following categories of personal information:

We do not intentionally collect sensitive personal information (such as health data, biometric data, or financial account numbers) through our website. If our services require processing such data for a client engagement, this is governed by a separate data processing agreement.

We identify the purposes for collecting personal information before or at the time of collection. We collect and use personal information for the following purposes:

• •Service delivery: To provide Gravity Studio, including content management, collaboration workflows, staging, auditing, and publishing features
• •Account management: To create and manage your account, authenticate your identity, and process billing
• •Responding to inquiries: To reply to your contact form submissions, support requests, and emails
• •AI processing: To provide AI-assisted features within Gravity Studio, such as content suggestions and automated workflows
• •Website analytics: To understand how visitors use our website and improve performance (with your consent for non-essential tracking)
• •Marketing communications: To send newsletters or promotional materials (only with your express opt-in consent)
• •Legal compliance: To meet obligations under applicable law, including record-keeping and tax requirements

We will not use personal information for any purpose other than those identified above without first obtaining your consent, except where required or permitted by law.

We obtain your consent before or at the time we collect, use, or disclose your personal information, except where consent is not required by law.

Express consent is required for:

• •Marketing and promotional communications
• •Non-essential cookies and tracking technologies
• •Any use of your information beyond the original purpose of collection

Implied consent applies when:

• •You create an account to use Gravity Studio
• •You submit a contact form for the purpose of receiving a response to your inquiry
• •Processing is necessary to fulfill a contracted service

Withdrawing consent: You may withdraw your consent at any time by contacting us at privacy@gravicity.io. We will explain the consequences of withdrawal (for example, we may no longer be able to provide certain services). Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

We collect only the personal information that is necessary for the purposes identified above. We do not collect information beyond what is required to deliver our services, respond to inquiries, or fulfill our legal obligations.

Personal information is used only for the purposes for which it was collected or for purposes consistent with those purposes. We do not sell, rent, or trade your personal information to third parties.

We may disclose personal information in the following circumstances:

• •To third-party service providers who process data on our behalf (see Section 10)
• •Where required by law, regulation, court order, or governmental authority
• •To protect the rights, safety, or property of Gravicity Inc., our clients, or the public

Data Retention Schedule

When personal information is no longer needed for its identified purpose, or when a retention period expires, we securely delete or anonymize the information using methods appropriate to its sensitivity.

We take reasonable steps to ensure that personal information is accurate, complete, and up-to-date as necessary for the purposes for which it is used. If you believe that information we hold about you is inaccurate or incomplete, please contact us and we will correct it promptly.

We protect personal information with administrative, technical, and physical safeguards appropriate to the sensitivity of the information. Our security practices include:

• •Encryption: Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
• •Access controls: Access to personal information is restricted to authorized personnel on a need-to-know basis, with role-based access controls and multi-factor authentication
• •Monitoring and logging: We maintain logging and monitoring of access to systems that process personal information
• •Vendor management: Third-party service providers are assessed for security practices and bound by data processing agreements before receiving personal information
• •Incident response: We maintain a documented incident response plan and conduct regular risk assessments
• •Personnel training: Team members receive privacy and security awareness training

The level of protection applied is proportional to the sensitivity of the personal information involved.

Gravity Studio includes artificial intelligence features, including large language models, to assist with content creation, editing suggestions, and workflow automation.

Key facts about our AI processing:

• •Data submitted to AI features may be processed by third-party AI providers (identified in Section 10) subject to their data processing terms
• •Under our commercial API agreements, data sent to AI providers is not used to train their models
• •AI-generated outputs may not be fully accurate. All AI outputs should be reviewed before publication
• •We do not use AI to make solely automated decisions that produce legal or similarly significant effects on individuals

If you interact with an AI-powered feature in Gravity Studio, the interface will clearly indicate that AI is generating the output.

In delivering our services, we engage third-party sub-processors who may process personal information on our behalf. We require all sub-processors to maintain appropriate security and privacy controls through contractual data processing agreements.

Gravicity Inc. remains accountable for personal information transferred to third-party processors. Each sub-processor is contractually obligated to process data only for the purposes we specify, to maintain security standards at least equivalent to our own, to notify us without delay in the event of a breach, and to delete or return data upon termination of the relationship.

An up-to-date list of sub-processors is available by contacting privacy@gravicity.io.

Your personal information may be transferred to and processed in countries outside of your province or country of residence. Specifically:

• •Canada: Our primary hosting infrastructure is located in Canada
• •United States (Anthropic, OpenRouter): When data is processed through AI features, it may be transmitted to servers in the United States

For residents of Quebec:

Before transferring personal information outside Quebec, we conduct a Privacy Impact Assessment as required by Law 25 to ensure that the receiving jurisdiction provides equivalent protection. Our transfers to the United States are governed by data processing agreements that include contractual safeguards.

For residents of the European Union/EEA:

The European Commission has recognized Canada as providing an adequate level of data protection for commercial organizations subject to PIPEDA. For onward transfers to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical measures including encryption in transit and at rest. You may obtain a copy of the applicable safeguards by contacting us at privacy@gravicity.io.

Our website uses cookies and similar technologies. In compliance with Quebec Law 25 and the EU ePrivacy Directive, we obtain your express opt-in consent before placing any non-essential cookies or tracking technologies on your device.

Cookie categories:

Privacy by default: All non-essential cookie categories are disabled by default.

Granular control: You may accept or reject cookies by individual category.

Changing your preferences: You can modify your cookie settings at any time through the cookie preferences link in the website footer.

Under PIPEDA and Quebec Law 25, you have the following rights regarding your personal information:

• •Access: You may request access to the personal information we hold about you, including information about who it has been disclosed to
• •Correction: You may request that we correct inaccurate or incomplete personal information
• •Withdrawal of consent: You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual obligations
• •Data portability (Quebec): You may request that we provide your personal information in a structured, commonly used, and technologically neutral format
• •De-indexing (Quebec): You may request that we cease disseminating your personal information or de-index any hyperlink attached to your name, where the dissemination contravenes the law or a court order

To exercise any of these rights, contact us at privacy@gravicity.io. We will respond within 30 calendar days.

If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) provides you with additional rights. Gravicity Inc. acts as the data controller for personal information collected through this website and Gravity Studio.

Lawful bases for processing:

Your GDPR data subject rights:

In addition to the rights listed in Section 13, EU/EEA residents have the right to:

• •Erasure ("right to be forgotten"): Request deletion of your personal data when it is no longer necessary for the purposes collected (Art. 17)
• •Restriction of processing: Request that we limit how your data is processed in certain circumstances (Art. 18)
• •Data portability: Receive your personal data in a structured, commonly used, machine-readable format (Art. 20)
• •Objection: Object to processing based on legitimate interests, including profiling (Art. 21)
• •Automated decision-making: Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22)

We will respond to all data subject requests within one month of receipt.

Right to lodge a complaint:

You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.

We comply with Canada's Anti-Spam Legislation (CASL). We will not send you commercial electronic messages unless:

• •You have provided express consent (opt-in) to receive such messages, or
• •We have implied consent based on an existing business relationship

Every commercial electronic message we send will:

• •Identify Gravicity Inc. as the sender, including our contact information
• •Include a functional unsubscribe mechanism that remains active for at least 60 days
• •Process unsubscribe requests within 10 business days

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm (RROSH), we will:

• •Report to the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible, as required by PIPEDA s. 10.1
• •Notify affected individuals as soon as feasible, providing a description of the breach, the types of personal information involved, and steps individuals can take to mitigate harm
• •Maintain breach records for a minimum of 24 months, as required by PIPEDA s. 10.3

For EU/EEA residents:

Where a breach is likely to result in a high risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33) and notify you directly without undue delay (GDPR Art. 34).

Our website and services are directed to businesses and professionals and are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take prompt steps to delete it.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, provide additional notice (such as a prominent website notice or email notification).

Continued use of our website or services following the posting of changes constitutes your acceptance of those changes, except where consent is required by law.

If you have questions or concerns about this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:

We will investigate all complaints promptly and respond within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the appropriate regulatory authority: