Gravity Privacy Policy
Last updated: 25 June 2026
This Privacy Policy explains how we handle your personal data when you use the Gravity application (the "App") and our website at trygravity.app (the "Website"). We aim to be straightforward: we tell you what we collect, why, where your data is processed, and — just as importantly — what we do not collect.
1. Who we are (Data Controller)
The data controller is:
Calibrate System Ltd, a private limited company incorporated in England and Wales. Company number (Companies House): 17109642. Registered office: 128 City Road, London, EC1V 2NX, United Kingdom.
For any privacy-related request, contact us at contact@trygravity.app.
We have determined that we are not required to appoint a Data Protection Officer; the contact above is your single point of contact for all data protection matters.
Because Calibrate System Ltd is established in the United Kingdom and also offers the service to users in the European Union, both the UK GDPR and Regulation (EU) 2016/679 (GDPR) apply to European users (Art. 3(2) GDPR).
2. What data we collect and why
We collect only the data needed to run Gravity. The table below lists each category, with its purpose, the legal basis we rely on, and the provider (processor) that handles it on our behalf.
| Data category | Examples | Purpose | Legal basis | Where it is processed |
|---|---|---|---|---|
| Account data | Email; sign-in credentials (Sign in with Apple / Google) | Create and protect your account | Contract | Supabase Auth — EU (France, eu-west-3); Google Sign-In via Google LLC where you choose it |
| Account emails | One-time login codes, service emails | Verify your identity and send essential service messages | Contract | Resend — EU |
| Onboarding questionnaire | Age, gender, goal, phone-use habits, apps you want to manage | Personalise your experience and content | Consent | Supabase — EU |
| App usage data | In-app calendar activities, focus sessions, streaks, preferences | Sync your data across devices and let you continue where you left off | Contract | Supabase — EU |
| Analytics events (aggregated) | Usage events expressed in bands/segments, never exact values | Understand how the App is used and improve it | Legitimate interest | PostHog — EU cloud |
| Diagnostics and crash data | Technical error reports, device information needed for debugging | Detect and fix malfunctions | Legitimate interest | Sentry — EU (ingest in Germany) |
| Subscription status | Active/expired status, in-app purchase history | Manage access to paid features | Contract | RevenueCat — United States (see §5) |
| Push notifications | Notification token, device identifier | Send reminders and service messages; promotional messages only with your consent | Legitimate interest / Consent (marketing) | OneSignal — United States (see §5) |
The fields in the onboarding questionnaire are optional: you can skip them and still use the App; if you do, the experience is simply less personalised. All other categories above are needed to provide the service.
The providers listed above act as our processors and are the recipients of your data (Art. 13(1)(e) GDPR). Where you choose to sign in with Google, your authentication is handled by Google LLC.
3. What we do NOT collect
Gravity helps you manage app blocking and your time, so it matters that you know what stays on your device and never reaches us.
- Screen Time data and blocked apps. Which apps you block and how long you use them stays on your device, managed by Apple's system (Family Controls). We do not receive or store it.
- Your system calendar events. If you grant calendar access, Gravity reads your calendar only on the device to show you your schedule; these events are never synced to our servers.
- No advertising. The Gravity App contains no advertising.
- No cross-app or cross-site tracking (in the App). Inside the App we do not use the IDFA and we do not ask for advertising tracking consent (ATT), because we do not track anything for advertising. (The Website uses analytics cookies that require your consent — see §12.)
4. The legal bases for processing your data
- Performance of a contract (Art. 6(1)(b) GDPR): account management, account emails, data sync and subscription management. Without these the App cannot function.
- Legitimate interest (Art. 6(1)(f) GDPR): aggregated usage analytics, crash diagnostics and essential service notifications, to keep the App stable and improve it. We process this data in a minimised and, where possible, segmented form. You may object to processing based on legitimate interest at any time (Art. 21 GDPR) by contacting us.
- Consent (Art. 6(1)(a) GDPR): promotional/marketing push notifications, optional questionnaire fields, and the Website analytics cookies. You can withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
5. Where your data lives and international transfers
Most of your data stays in the European Union:
- Supabase (account, profile, usage data) — EU
- Resend (account emails) — EU
- PostHog (aggregated analytics) — EU cloud
- Sentry (crashes and diagnostics) — EU
Two providers process data in the United States, each with adequate safeguards under the GDPR:
- RevenueCat (subscription status and purchase history) — United States. Transfer based on the Standard Contractual Clauses (SCCs) approved by the European Commission. (data processing addendum)
- OneSignal (push token and device identifier) — United States. OneSignal relies on the EU-US Data Privacy Framework (and, where applicable, its UK Extension) and on the SCCs. (data processing addendum)
Because our controller is established in the United Kingdom, your EU personal data may be accessed from the UK; this is covered by the European Commission's adequacy decision for the United Kingdom (which is subject to periodic review). Two of our processors additionally process data in the United States (covered by the SCCs / DPF, as set out above). The Website uses one further US-based processor (Google Analytics 4, Google LLC) — see §12.
You can request a copy of the safeguards (SCCs) for any transfer by writing to contact@trygravity.app.
6. How long we keep your data
We keep your data for as long as your account exists. When you delete your account, we delete your data: the deletion is propagated from our servers (Supabase) and cascades to the providers that hold data linked to your account (RevenueCat and OneSignal).
Some data may be kept for a limited time after account deletion where the law requires or permits it, namely: billing and tax records (for the period required by UK tax law, typically up to 6 years), security and abuse logs (for up to 90 days, to protect the service), and encrypted backups (purged on their normal cycle, within 35 days). We do not use this residual data for any other purpose.
You can delete your account directly from the App, at any time.
7. Data security
We take appropriate technical and organisational measures to protect your data (Art. 32 GDPR), including encryption in transit (HTTPS/TLS), encryption at rest where our providers offer it, restricted access on a need-to-know basis, and data-processing agreements with all our providers. No method of transmission or storage is completely secure, so we cannot guarantee absolute security; we work to protect your data using measures appropriate to the risk.
8. Automated decision-making and profiling
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing (Art. 22 GDPR). The personalisation of your experience (based on the onboarding questionnaire) tailors content and suggestions, but it does not produce legal effects and you can use the App regardless of it.
9. Your rights
Under the GDPR (and the UK GDPR) you have the right to:
- access your data and obtain a copy;
- request its rectification if it is inaccurate;
- request its erasure — you can do this immediately from the dedicated control in the App (subject to the limited retention described in §6);
- obtain its portability in a machine-readable format;
- object to or request the restriction of certain processing;
- withdraw consent where processing is based on consent.
You also have the right to lodge a complaint with a supervisory authority: in the United Kingdom the ICO (Information Commissioner's Office); in the European Union the authority of your country of residence (in Italy, the Garante per la protezione dei dati personali).
To exercise your rights, contact us at contact@trygravity.app.
10. Children
Gravity is intended for users who are at least 16 years old. We do not knowingly collect data from anyone under 16. If you believe a child under 16 has provided us with personal data, contact us at contact@trygravity.app and we will delete it.
11. Session replay
To understand how to improve the App, we use a tool (PostHog) that may record your interactions with the interface in a sampled form (for example, navigation paths). These recordings are masked: personal content and input fields are obscured and not captured. The purpose is solely product improvement, never advertising profiling. In the App, where used, this is based on our legitimate interest and you can object to it at any time (see §9); on the Website it runs only after you accept analytics cookies (see §12).
12. The Gravity website (trygravity.app)
This section covers the public Website at trygravity.app (the marketing site and the pre-launch
waitlist), which is separate from the App described above.
12.1 Waitlist
If you join our pre-launch waitlist, we collect the email address you provide and, optionally, your name and country.
- Purpose: solely to notify you when Gravity launches and to send you early-access information.
- Legal basis: your explicit consent (Art. 6(1)(a) GDPR), given via the unticked checkbox on the waitlist form, which links to this policy.
- Where it lives: the waitlist is stored in Supabase — EU (the same EU project as the App). Launch emails are sent via Resend (EU).
- Retention: until you unsubscribe or request deletion, or at most 12 months after launch, whichever comes first.
- Your rights: you can ask us to delete your waitlist data at any time at contact@trygravity.app; every launch email also includes an unsubscribe link.
12.2 Website cookies and analytics
Unlike the App, the Website uses analytics cookies. They load only after you accept them in the cookie banner (opt-in). If you decline — or before you choose — no analytics cookies are set and no analytics requests are made.
| Cookie / tool | Purpose | Type | Retention |
|---|---|---|---|
gravity_consent |
Remembers your cookie choice (accept/decline) | First-party, strictly necessary | Up to 12 months |
PostHog (e.g. ph_*) |
Website usage analytics + sampled, masked session replay | First-party, set only after consent | Up to 12 months |
Google Analytics 4 (e.g. _ga, _ga_*) |
Website traffic and audience analytics | Third-party (Google LLC), set only after consent | Up to 24 months |
- Legal basis: your consent (Art. 6(1)(a) GDPR; PECR reg. 6 / ePrivacy), given through the
cookie banner. You can withdraw it at any time by declining or by clearing the
gravity_consentcookie. Thegravity_consentcookie itself is strictly necessary and does not require consent. - No advertising: Google Analytics is configured without Google advertising features / Google Signals, with IP anonymisation and non-personalised signals. We do not use this data for advertising or cross-site ad profiling.
- International transfer (GA4): Google Analytics processes data in the United States (Google LLC), covered by the EU-US Data Privacy Framework and the Standard Contractual Clauses (SCCs).
- No personal data to analytics: we never send your email or name to analytics tools; the waitlist form is excluded from event capture and from session replay.
13. United States residents (California and other states)
If you are a resident of California or another US state with a comprehensive privacy law, the following applies in addition to the rest of this policy.
- Categories collected: the categories described in §2 (identifiers such as email, app-usage and profile information, device identifiers, and purchase history).
- No sale or sharing: we do not sell your personal information and we do not share it for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA).
- Your rights: you may request to know, access, correct, or delete the personal information we hold about you, and you will not be discriminated against for exercising these rights.
- How to exercise them: contact us at contact@trygravity.app.
14. Changes to this policy
We may update this policy over time. When we do, we update the date at the top of the page and, if the changes are significant, we notify you in the App or on the Website. We encourage you to review it periodically.
Contact: contact@trygravity.app Controller: Calibrate System Ltd — 128 City Road, London, EC1V 2NX, United Kingdom (no. 17109642) Legally binding version: English.