Privacy Policy
Effective 30 June 2026 · Last updated 30 June 2026
This Privacy Policy explains how Gavri (“Gavri”, “we”, “us” or “our”) collects, uses, discloses and protects personal data when you visit our website at trygavri.com (the “Website”) or use the Gavri Creatives application at app.trygavri.com (the “Service”). It also describes your rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the Bulgarian Personal Data Protection Act.
Please read this Policy carefully. By using the Website or the Service you acknowledge that you have read and understood it. If you do not agree with it, please do not use the Service.
1. Who we are (Data Controller)
The controller responsible for your personal data is:
- Gavri
- Hristo Matov 29, Sofia, Bulgaria
- Contact for all privacy matters: support@trygavri.com
We have not appointed a statutory Data Protection Officer, as we are not required to do so. Privacy enquiries should be directed to the contact address above.
2. Scope of this Policy
This Policy applies to personal data we process about: (a) visitors to the Website; (b) account holders and authorised users of the Service; (c) members invited to a team or workspace; and (d) individuals who contact us. Where you use the Service to process data about your own customers or audiences, you act as the controller of that data and we act as your processor under Section 12.
3. Personal data we collect
We collect the following categories of personal data, depending on how you interact with us:
3.1 Account data
Your name, email address, password (stored only in hashed form by our authentication provider) or third-party sign-in identifiers, and account settings.
3.2 Brand and onboarding data
Information you provide to configure your brand, including your website URL, social media (e.g. Instagram) handles, business type, brand description, products and services, ideal-customer profile, target location, language and campaign goals.
3.3 Content you upload
Images, logos, brand assets and any other materials you upload to the Service.
3.4 Data collected on your instruction
When you direct the Service to analyse a website or social-media profile you nominate, we automatically retrieve publicly available content from those sources — including screenshots, images and text — to build your brand profile. You are responsible for ensuring you have the right to instruct this collection (see our Terms & Conditions).
3.5 Generated output and usage data
The creatives, copy and other output produced for you, together with metering and usage records (for example, the number of creatives generated) used to operate plans and limits.
3.6 Billing data
Subscription plan, billing status, transaction identifiers and billing history. Card payments are processed by Stripe; we do not receive or store full payment-card numbers.
3.7 Team and invitation data
Where you create a team or invite others, we process the email addresses, names, roles and seat assignments of invited and joined members.
3.8 Technical and analytics data
Device and browser information, IP address, pages viewed, in-product events, approximate location derived from IP, log data and information collected through cookies and similar technologies (see Section 10).
4. How and why we use your data (legal bases)
We process personal data only where we have a lawful basis under Article 6 GDPR. The table below sets out our purposes and the corresponding legal bases.
| Purpose | Legal basis |
|---|---|
| Creating and managing your account; providing the Service and generating creatives | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)) |
| Securing the Service, preventing abuse, enforcing limits and maintaining logs | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and improving and developing the Service | Legitimate interests (Art. 6(1)(f)); consent for non-essential cookies |
| Sending service and transactional emails (e.g. invitations, billing notices) | Performance of a contract / legitimate interests |
| Sending marketing communications, where applicable | Consent (Art. 6(1)(a)), which you may withdraw at any time |
| Complying with accounting, tax and other legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You may object to such processing as described in Section 9.
5. AI processing of your data
The Service uses third-party artificial-intelligence models — currently Google’s Gemini API and OpenAI’s API — to generate creatives and copy. To do so, we transmit relevant inputs (such as your brand profile, prompts, uploaded assets and content collected on your instruction) to those providers solely to produce output for you.
These providers process the inputs as our sub-processors under their respective API terms. Under those terms, content submitted via their APIs is not used to train their general models. We do not carry out any solely automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR; all generated output is provided for your review and use.
6. Who we share data with (sub-processors)
We do not sell your personal data. We share it with trusted service providers who process it on our behalf and under contract, and only as necessary to operate the Service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication and file storage | EU / USA |
| Google Cloud | Application hosting and infrastructure | EU / USA |
| Google (Gemini API) | AI generation of creatives and copy | USA |
| OpenAI | AI generation of creatives and copy | USA |
| Stripe | Payment processing and subscription billing | EU / USA |
| PostHog | Product analytics | EU / USA |
| Resend | Transactional and service emails | USA |
| Browserless | Retrieval of content you instruct us to analyse | EU / USA |
We may also disclose personal data where required by law, to enforce our agreements, to protect our rights, property or safety or those of others, or in connection with a merger, acquisition or sale of assets (in which case we will notify you).
7. International data transfers
Some of our sub-processors are located outside the European Economic Area (“EEA”), including in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V GDPR, such as the European Commission’s Standard Contractual Clauses or an adequacy decision. You may request a copy of the relevant safeguards by contacting us at support@trygavri.com.
8. How long we keep your data
We retain personal data for as long as your account is active and as needed to provide the Service. When you delete your account — which you can do from within the Service — or ask us to delete your data, we will delete or anonymise it within a reasonable period, except where we must retain it to:
- comply with legal obligations, including accounting and tax records, which we keep for the statutory retention period;
- resolve disputes or enforce our agreements; and
- maintain security and prevent abuse for a limited period in our logs.
Residual copies may persist in routine backups for a limited time before they are overwritten.
9. Your rights
Subject to the conditions in the GDPR, you have the right to:
- access the personal data we hold about you (Art. 15);
- have inaccurate data corrected (Art. 16);
- have your data erased (Art. 17);
- restrict our processing of your data (Art. 18);
- receive your data in a portable format (Art. 20);
- object to processing based on legitimate interests or to direct marketing (Art. 21); and
- withdraw consent at any time, without affecting prior processing.
To exercise any of these rights, contact us at support@trygavri.com. We will respond within one month, as required by the GDPR. You also have the right to lodge a complaint with a supervisory authority, in particular the Bulgarian Commission for Personal Data Protection (Комисия за защита на личните данни), 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria, kzld.bg.
10. Cookies and similar technologies
We use cookies and similar technologies to operate the Website and the Service. These fall into two broad categories:
- Strictly necessary — required for authentication, session management and security. These cannot be switched off.
- Analytics — used by PostHog to understand how the Service is used so we can improve it. We set these only where required consent has been given.
You can manage non-essential cookies through your browser settings and, where offered, our in-product controls.
11. How we protect your data
We implement appropriate technical and organisational measures to protect personal data, including encryption of data in transit, access controls, hashed credentials and row-level security on our database. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; however, we maintain procedures to address suspected data breaches and will notify you and any applicable regulator where required by law.
12. Children
The Service is intended for businesses and is not directed to individuals under 18 years of age (and in no event under 16). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. When you are the controller
When you use the Service to process personal data relating to your own customers, audiences or contacts, you are the controller of that data and we process it on your behalf as your processor, only on your documented instructions and as described in this Policy and our Terms & Conditions. You are responsible for ensuring you have a lawful basis for that processing.
14. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or through the Service. Your continued use of the Service after an update constitutes acceptance of the revised Policy.
15. Contact us
If you have any questions about this Policy or how we handle your personal data, please contact us at support@trygavri.com.