Privacy notice

Privacy notice of Gravito Ltd. was published on October 8, 2024, and replaced all previous versions.

Your privacy is important to us. This Privacy Notice covers what we collect and how we use, disclose, transfer, and store your information.

Name of the person responsible

The person responsible within the meaning of the GDPR and other national data protection laws of the member states, as well as other data protection regulations, is the

Gravito Oy
Lapinlahdenkatu 16, 00180 Helsinki
Finland
Phone: + 358 504860739
Email: support@gravito.net
Company registration number FI2891268-5

You may submit inquiries regarding personal data protection, privacy, and security matters to support@gravito.net

General information about the collection and processing of your data

1. Scope of processing

In principle, we process personal data only insofar as this is necessary to provide a functioning website and our content and services. The processing of personal data takes place regularly only with consent. An exception applies to cases in which prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.

2. Legal basis

The processing of your data is either based on your consent or in case the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract, or based on legitimate interest, cf. GDPR art. 6(1)(a)-(b), (f).

If the processing is based on your consent, you may at any time withdraw your consent by contacting us using the contact information in clause 1.

3. Storage and deletion of your data

In principle, we only store personal data for as long as is necessary to fulfill contractual or legal obligations for which we collected the data. After that, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidence purposes for claims under civil law or due to statutory retention obligations.

We delete or block the personal data of the data subject as soon as the purpose of the storage is fulfilled. It may also be stored if provided for by the European or national legislator in EU regulations, laws, or regulations to which our company is subject (see details in sections 3.1-3.3). Blocking or deletion of the data also takes place when a storage period prescribed by the standards mentioned expires unless there is a need for further storage of the data for the conclusion of a contract or fulfillment of the contract.

3.1. Data Retention Policy

Due to tax regulations, Account Data will be retained for up to five full fiscal years from your cancellation of your Gravito CMP account.

Configuration Data and System Generated Data will be erased immediately when you cancel the Gravito CMP account.

End User Data will be erased on an ongoing basis after 12 months from registration and immediately when you cancel the Gravito CMP/Solution account.

3.2 Data Retention for Compliance with Legal Requirements

You may not require Gravito to change any of the default retention periods, except for the reasons for erasure pursuant to clause 3.3, but you may suggest changes for compliance with specific sector laws and regulations.

3.3 Data Restitution and/or Deletion

No data except Account Data will be retained after the termination of the Agreement. You may request a data copy before termination. You must only cancel the Gravito CMP/solution account once the data copy has been delivered, as Gravito will not otherwise be able to deliver the data copy.

Provision of the website and creation of log files

1. Scope of data processing

Gravito processes personal data only if this is necessary to provide a functioning website and our content and services. The processing of personal data takes place regularly only with consent. An exception applies to cases in which prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.

Any of the information we collect from you may be used for one or more of the following purposes:

1.1. To personalize your experience (the information will help Gravito better respond to your individual needs);

1.2. To improve our website (Gravito continually strives to improve our website offerings based on the information and feedback we receive from you);

1.3. To establish a primary channel of communication with you;

1.4. To enable you to scan your website for trackers;

1.5. To enable you to talk to an expert.

2. Data processed

2.1 Each time our website is accessed, our system may automatically collect data and information from the computer system of the calling computer. E.g., this is information like

  • Information about the type and version of your internet browser
  • The operating system of your computer or smartphone
  • Your internet service provider
  • Your IP address
  • Date and time of your access
  • Geographic location
  • Websites from which you came to us
  • Websites that you visit from our site

We collect such technical information in so-called “log files”, so that you can display our website correctly and we can identify the causes of any technical problems, for the technical optimization of our websites and for the purpose of the security of our computer systems and networks. For these purposes, the legal basis is a legitimate interest in the processing of data according to GDPR art. 6(1)(f).

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. Typically, this technical information will be erased or rendered unrecognizable at the latest after seven days.

The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website.

2.2 Each time you use our Service to scan your website, your email address will be processed, and definitions of the cookies found when the Service has scanned your website(s), including reports on the result of each scan.

Contact requests for product information, a demo, or other concerns

1. Description and scope of data processing

On our website, you can contact us via various options: e.g., book a demo, request a quote, request product information, request guides, contact request form, support tickets, and our chat function. If you make use of these options, the data entered in the input mask will be transmitted to us and saved. In addition to the specific input macro data, the IP address and the date and time of the request are collected and stored.

Alternatively, you can contact us via email address. In this case, your personal data transmitted by email will be stored.

In this context, the data will not be disclosed to third parties unless necessary to process the query (for example, a demo booking tool). In any case, the data will be used exclusively to process the conversation unless agreed upon otherwise.

2. Legal basis for processing

The legal basis for the processing of the data is, in general, the consent of the user, GDPR art. 6(1)(a).

3. Purpose of the data processing

The processing of personal data from the input mask is solely for the processing of your request.

4. Duration of storage

If you have booked a demo, requested product information or an offer, we reserve the right to store the data for two years to measure the profitability of our sales and marketing. Otherwise, we will delete the data as soon as it is no longer necessary to achieve the purpose of its collection. For the personal data entered in the contact form and those sent by email, this is the case when the respective conversation with you has ended. The conversation is ended when it can be inferred from the circumstances that the relevant facts have been finally clarified.

5. Revoking consent and removal possibility

You have the possibility at any time to revoke your consent to the processing of the personal data. If you contact us by email, you may object to the storage of your personal data at any time. In such a case, the conversation can not continue. All personal data stored in the course of contacting will be deleted in this case.

Webinars

Gravito offers webinars from time to time, which you can sign up for from our website. In these cases, the data put in the sign-up form during the sign-up process will be used by Gravito for the purposes of the webinar and communication regarding the webinar and other relevant topics. If the webinar is organized together with a partner, then the data might be shared with them. The data is processed on the legal basis of consent, Art. 6 para. 1 s. 1 lit. a GDPR. You have the right to withdraw your consent to process your data at any time by contacting support@gravito.net

Newsletter

When signing up for the Newsletter, data entered into the input mask will also be stored in order to provide the Newsletter. The legal basis for this processing is GDPR art. 6(1)(a). Your email address, subscription time, and IP address will be retained as long as you subscribe to our newsletter. This service is provided by means of a double-opt-in. Thus, you will receive an email containing a link by which you can confirm that you are the owner of the email address and wish to be notified via our email service. You can unsubscribe from this service at any time by opting out via the link provided in each Newsletter any time.

If you subscribe to the Gravito newsletter, Gravito will email you about relevant changes concerning the Service, such as the implementation of additional functions.

Optionally, your first name, last name, company name, and the country you are located in will be processed to provide you with personalized newsletters.

You become a customer or partner of Gravito

1. Scope of data processing

You can become a Gravito customer or partner. Any of the information we collect from you may be used for one or more of the following purposes:

1.1 To enable you to control the user experience towards End Users and enable the Service to automatically apply the End User’s consent to other websites of yours;

1.2 To identify you as a contracting party;

1.3 To enable secure login for you in the Service Manager at Gravito.com;

1.4 To establish a primary channel of communication with you;

1.5 To enable Gravito to issue valid VAT invoices and to process transactions (your information will not be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without your consent, other than for the express purpose of delivering the service requested);

1.6 To enable automated handling of the subscriptions;

1.7 To produce and display cookie declarations to End Users and store and display scan report(s) to you;

1.8 To provide you with aggregated information on the choices of the End Users regarding accepted cookie types and generate a graphical representation in the Service Manager and/or

1.9 To send periodic emails [the email address you provide for order processing may be used to send you information and updates pertaining to your order, in addition to receiving occasional company news (if accepted), updates, related product or service information, etc.]

If at any time you would like to unsubscribe from receiving future emails, you may cancel your account after logging in by clicking on “Cancel my account.”

2. Data processed

If you choose to register on our website and become a Customer or a Partner, four categories of data to and on behalf of you will be processed:

“Account Data”

When you register for an account on our site, place an order, subscribe to our newsletter, or respond to a survey, basic contact details are collected, such as the email address and name of your contact person, company name, address, phone number, VAT number, preferred language and currency, any purchase order number, any email address of invoice recipients and masked credit card or bank account details.

“Configuration Data”

We collect your direct input to our cloud service Gravito (the “Service”) after login, like the domain name(s) of the website(s) where you implement the Service and the configuration of the content, looks, and behavior toward website visitors (“End Users”).

“System Generated Data”

The Service automatically creates and stores metadata on the basis of the other types of data, e.g.:

  • If you become a customer, subscription data, like start date, latest invoice date, and the result of a mandatory VAT number validation. Issued invoices are stored so that you may access any issued invoices from within the Service Manager.
  • If you sign up for a Gravito CMP account, check our privacy policy, sign up for our newsletter, or download a resource, please note that we evaluate your user behavior when you register for our service and record your campaign behavior. Embedded links contain UTM parameters and other identifiers that will identify all parameters of your “clicks.”The UTM parameters allow us to add trackable extensions to your URLs. The parameters are:
    • Medium: This parameter describes the medium in which the link is embedded. Examples are email, social media, or a website.
    • Source: This UTM parameter defines the link’s source. This can be newsletters, websites, apps, or social media channels.
    • Campaign: this type of UTM parameter is used to identify the actual campaigns. For example, if we send you a newsletter every month, the individual newsletters can be evaluated separately.
    • Term: keywords so that the link can be identified better.
    • Content: Within a campaign, we insert different elements to be tracked so that we can identify them clearly and evaluate them separately. Examples: a button, image, or video.

The identifiers are generated by the service providers listed in section 13.3 of this privacy policy. We use the identifiers in combination with conversion events, such as account creation (for example, if a trial period starts or you upgrade to a premium account), to inform the service providers about the event in relation to the provided identifiers.

  • Aggregated statistical data on End User consents.

3. Legal basis for processing

The legal basis for the processing of the data is in the presence of consent, GDPR art. 6(1)(a). With registration for a Gravito CMP account, the legal basis is GDPR art. 6(1)(b) for the fulfillment of a contract or the implementation of pre-contractual measures.

4. Purpose of the data processing

Registration is required to fulfill the customer or partner contract or to carry out pre-contractual measures.

5. Opposition and removal possibility

You always have the option to cancel your account. You can change the data stored about you at any time. If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible unless contractual or legal obligations preclude deletion

Cookies and tracking technologies

What is a cookie?

A cookie is a small data file stored in your computer, tablet or smartphone. A cookie is not a program that can contain harmful malware or virus.

How our website uses cookies

Some cookies perform essential functions for our website. Cookies also help us get an overview of your visit to our website so we can continuously optimize and tailor the experience to your needs and interests. For example, cookies remember things like the items added to the shopping cart, whether you have visited our website before, if you are logged in, and the specific language and currency you prefer to see on the website. We also use cookies to target our ads specifically to you on other websites. In general, we use cookies as part of our service to present you with content that is as relevant to you as possible.

You can see the specific services that store cookies and why they do it, under the different categories:

How long are cookies stored?

The length of time a cookie is stored on your devices and browsers varies. The lifetime is calculated according to your last visit to the website. When a cookie expires, it is automatically deleted. All our cookies’ lifetimes are specified in our cookie policy.

How to block or delete cookies

You may at any time block all or just third-party cookies completely by changing the browser settings on your computer, tablet, or smartphone. The location of these settings will depend on the browser you use. However, you should be aware that if you block all or just third-party cookies, there may be functions and services that you will be unable to use on the website (because these depend on cookies).

How can you delete cookies?

It is easy to delete cookies that you have previously accepted. It depends on which browser (Chrome, Firefox, Safari, etc.) and device (smartphone, tablet, PC, Mac) you are using.
You can typically find this information under settings – Security and Privacy – but this may vary from one browser to another. Specify which device/browser you are using (click the appropriate link):

Changing your consent

You can change your consent by either deleting cookies from your browser or by changing your original choice by clicking the link

Remember: If you use more than one browser, you must delete cookies in all of them.

Your consent applies to the following domains: gravito.net and the below mentioned cookies are gathered from the domain. The list is always available from the Gravito website under consent preferences.

Minors

Our services are not aimed at children under 13 years. We do not knowingly collect information from children under the age of 13. If you have yet to reach the age limit, do not use the services or provide us with your personal information. If you are a parent of a child below the age limit and you learn that your child has provided Gravito with personal information, please contact us at support@gravito.net and insist on exercising your rights of access, correction, cancellation and/or opposition. If you are a resident of California and are under 18 years of age and wish to erase publicly available content, don’t hesitate to get in touch with us at support@gravito.net

Online presence on social networks

We maintain online presences in social networks in order to communicate there with customers and interested parties, among others, and to provide information about our products and services.

The users’ data is usually processed by social networks that are concerned with market research and advertising purposes. In this way, usage profiles can be created based on the interests of the users and on-site behavior, if it exists. For this purpose, cookies and other identifiers are stored on the users’ computers. On the basis of these usage profiles, advertisements, for example, are then placed within the social networks but also on third-party websites.

As part of the operation of our online presences, it is possible that we can access information such as statistics on the use of our online presences, which are provided by the social networks. These statistics are aggregated and may include, in particular, demographic information and data on interaction with our online presence and the posts and content distributed via them. Please refer to the list below for details and links to the data of the social networks that we can access as operators of the online presence.

The legal basis for data processing is GDPR art. 6(1)(a)-(b), in order to stay in contact with and inform our customers and to carry out pre-contractual measures with future customers and interested parties.

For the legal basis of the data processing carried out by the social networks on their own responsibility, please refer to the data protection information of the respective social network. The links below also provide you with further information on the respective data processing and the options to object.

We would like to point out that data protection requests can be asserted most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. Below is a list with information on the social networks on which we operate online presences:

Third-party links

Occasionally, at our discretion, we may include or offer third-party products or services on our website. These third-party sites have separate independent privacy policies. We, therefore, have no responsibility or liability for the content and activities of these linked websites. Nonetheless, we seek to protect the integrity of our website and welcome any feedback about these websites.

Recipients of data and data transfer to third countries

1. Recipients of Data

Gravito does not sell, trade, or otherwise transfer any personally identifiable information to outside parties.

This does not include trusted third parties or processors who assist us in operating our website, conducting our business, or servicing you. Such trusted parties may have access to personally identifiable information on a need-to-know basis and will be contractually obliged to keep your information confidential.

We may also release your information when we believe a release is appropriate to comply with the law, enforce our site policies, or protect our rights or the rights of others, property, or safety. Furthermore, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

We only pass on the data we have collected if this is necessary for the fulfillment of the contract or for the provision of the technical functionality of the website, or if there is another legal basis for passing on the data.

In principle, we process your data ourselves. In some cases, however, we also use service providers. In addition to the processors mentioned in this privacy policy, these may include, in particular, data centers that store our website and databases, IT service providers that maintain our systems, and consulting companies. If we pass on data to processors, they may only use the data to fulfill their tasks. We have carefully selected and commissioned the processors. They are contractually bound to our instructions, have suitable technical and organizational measures in place to protect the rights of the data subjects, and are regularly monitored by us.

In addition, disclosure may take place in connection with official enquiries, court orders and legal proceedings if it is necessary for legal prosecution or enforcement. When governments make a lawful demand for customer data from Gravito, Gravito strives to limit the disclosure. Gravito will only release specific data mandated by the relevant legal demand.

If compelled to disclose your data, Gravito will promptly notify you and provide a copy of the demand unless legally prohibited from doing so.

If Gravito commissions third parties with the collection, processing and use of data within the scope of commissioned processing in accordance with Art. 28 GDPR, this will also take place exclusively in compliance with the statutory provisions on data protection.

2. Data Transfer to Third Countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e., countries whose level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection regulations.

If a third country transfer is provided for and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed.

3. Processors /Trusted Third Parties

Processor Function Data processing Location Legal basis       Privacy Policy

Google Ads, Google Building Gordon House, 4 Barrow Street, Dublin D04 E5W5, Ireland

 

 Advertising
Web analytics service

Gclid, Ads viewed, Cookie ID, Date and time of visit, Device info, Geographic location, IP address, Search terms, Ads shown, Impressions, Online identifiers, Browser info

For Enhanced conversion, email address, phone number, name, street and number, city, zip code and country

 In Ireland and the USA GDPR Art. 6 (1) lit. a https://policies.google.com/privacy?hl=en
Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Data hosting for Gravito Solution in MSFT Azure

Microsoft Clarity for Visitor Heatmap

 Gravito infrastructure and analytics services Databases are hosted on servers within EU member states, specifically Ireland with a hot fail-over mechanism to Microsoft’s data center in Amsterdam, the Netherlands GDPR Art. 6 (1) lit. b https://privacy.microsoft.com/en-gb/privacystatement

Dealfront Group GmbH

Durlacher Allee 73

76131 Karlsruhe

Germany

 Dealfront processes its data primarily within Europe, adhering strictly to GDPR standards. The company uses AI models specifically tailored for European data in multiple languages. Europe Databases are hosted on servers within EU member states, GDPR Art. 6 (1) lit. a

Your rights

If we process your personal data, you have – after successful identification – the following rights towards us:

  • Right to information (Article 15 GDPR)
  • Right to deletion (Article 17 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR) – You may at any time order a complete data copy, which you may transmit to another controller of the data. Your data will be delivered within ten working days by Gravito as spreadsheet files in Microsoft Excel format. Logical relations between datasets will be preserved in the form of unique identifiers. You are required to pay €1.000 (Euro one thousand) and any applicable taxes on delivery for each data copy order.
  • Right to withdraw consent (Article 7(3) GDPR)
  • Right to object to certain data processing activities (Article 21 GDPR).

In order to exercise the rights described here, you can contact us at any time using the support@gravito.net email address.

Security and integrity of the data

Protecting the information you give us or that we receive about you is our priority. We take appropriate security measures to protect your information from loss, misuse, unauthorized access, alteration, disclosure, or destruction. Gravito has taken measures to ensure the ongoing confidentiality, integrity, availability, and resiliency of systems and services that process personal information and will restore the availability and access to information in the event of a physical or technical incident in a timely manner.

How our technology works

At Gravito, we prioritize user privacy while delivering powerful data orchestration services. Our technology empowers businesses to harness data responsibly, ensuring that all processes are fully transparent and compliant with privacy regulations. Here’s how our technology works:

  1. First-Party Data Collection:
    Gravito operates within a first-party data framework, ensuring that all data collected remains within the domain of our customers. We do not engage in cross-domain data sharing or aggregation. The data collected is strictly limited to the first-party context, meaning that only the customer who owns the domain has access to and control over the data.
  2. Cookie-Based Identification & Consent:
    Once user consent is obtained, Gravito deploys a first-party cookie to facilitate identification and data collection. This cookie operates within the customer’s domain, ensuring that user data is collected securely and transparently. No data collection occurs without prior consent, and users can manage their preferences at any time.
  3. Data Privacy & Security:
    All collected data is securely stored and processed within the first-party domain of the customer, employing industry-standard encryption and anonymization techniques. At no point is data shared with third parties or across different legal entities unless explicitly authorized by the customer. This ensures that each entity retains full control over its own data.
  4. No Cross-Entity Data Sharing:
    Gravito’s platform is designed to ensure complete data sovereignty. We do not share or aggregate data across different legal entities. Each customer’s data remains isolated and secure, with no risk of cross-entity contamination or unauthorized access.
  5. Identity Stitching:
    Gravito provides flexibility for legal entities to manage how identities are recognized and stitched together within their own ecosystem. Each entity can define the keys or identifiers used to merge user profiles across domains, enabling more effective personalization and insights without compromising data privacy or control.
  6. Data Processing & Insights:
    Our platform processes data using intelligent algorithms, ensuring that any insights generated are meaningful while respecting user privacy. By anonymizing and aggregating data where necessary, we deliver actionable insights that help businesses grow without exposing personal information.

Compliance with Global Privacy Regulations:
Gravito is built to comply with leading data protection regulations such as GDPR and CCPA. We respect user privacy preferences at every stage and provide businesses with the tools to manage user data rights, such as access, correction, and deletion requests, in a fully compliant manner.