Effective Date: May 27, 2026 · Last Updated: May 27, 2026
Gravity Hub by ADV Design ("Gravity Hub", "we", "us", or "our")
This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you access our website, dashboard, APIs, mobile or desktop applications, Shopify app listing, Amazon Selling Partner API integration, or any other product or service we offer (collectively, the "Service"). This Policy is incorporated by reference into our Terms of Use. By accessing or using the Service you acknowledge and agree to the practices described herein. If you do not agree, you must immediately discontinue all use of the Service.
Gravity Hub is a B2B platform used by merchants ("Customers") to manage their commerce operations. This Policy covers two distinct relationships:
(a) Controller relationship. When you visit our marketing site, register an account, or contact us, we act as a "data controller" (GDPR) / "business" (CCPA/CPRA) of your personal data.
(b) Processor relationship. When our Customers use the Service to process data about their own end customers (for example, order or shipping data originating from a connected Shopify store or an Amazon seller account), we act as a "data processor" (GDPR) / "service provider" (CCPA/CPRA) on behalf of the Customer. The Customer is the controller/business of that data, is solely responsible for the lawful basis of processing, for providing notices to and obtaining consents from data subjects, and for responding to data-subject requests. End users of Customer stores should consult the Customer's own privacy policy. We process such data only on the Customer's documented instructions and to provide the Service.
We collect the following categories of personal data:
(a) Account & Identification Data — name, email address, password (hashed), phone number, business name, role, profile preferences, time-zone, language.
(b) Authentication & Security Data — login timestamps, IP address, device identifiers, session tokens, multi-factor-authentication state, and audit logs.
(c) Billing Data — billing name, billing address, last four digits of payment card, payment-method tokens, transaction history, invoices, and tax-related identifiers. Full payment-card data is collected and processed exclusively by our PCI-DSS-compliant payment processors; we do not store full card numbers.
(d) Customer Store Data (Processor Capacity) — data we process on behalf of our Customers, which may include their end customers' names, email addresses, phone numbers, shipping/billing addresses, order history, product preferences, fulfillment status, and similar order- or shipping-related personal data. This data is collected from connected platforms such as Shopify and Amazon and from third-party shipping/logistics providers.
(e) Integration Credentials — OAuth tokens, API keys, refresh tokens, webhook signing secrets, and similar credentials provided to connect Third-Party Services. These are encrypted at rest.
(f) Communications Data — messages, emails, support tickets, feedback, and other correspondence with us.
(g) Usage & Diagnostic Data — pages visited, features used, click and scroll events, error reports, performance metrics, browser type, operating system, referrer URLs, and crash logs.
(h) Cookies & Similar Technologies — see Section 9 below.
We do not knowingly collect any data from children under the age of sixteen (16). If you believe a child has provided us personal data, please contact privacy@adv.design and we will promptly delete it.
We collect personal data (a) directly from you when you register, configure integrations, or contact us; (b) automatically through your use of the Service (cookies, log files, telemetry); (c) from third-party platforms you connect to the Service (e.g., Shopify, Amazon, payment processors, shipping carriers); and (d) from public sources or third-party data providers used to detect fraud, prevent abuse, or comply with law.
We process personal data for the following purposes, on the following legal bases (where GDPR or similar laws apply):
(a) Provision of the Service — to create and manage accounts, authenticate users, sync orders, fulfill shipping operations, process payments, and otherwise deliver the Service. Legal basis: performance of a contract; legitimate interests.
(b) Security & Fraud Prevention — to detect, prevent, and respond to security incidents, abuse, fraud, and unlawful activity. Legal basis: legitimate interests; legal obligation.
(c) Service Improvement & Analytics — to analyze usage, debug issues, develop new features, and benchmark performance. Legal basis: legitimate interests.
(d) Communications — to send transactional emails, service notices, support replies, and (where permitted) marketing communications. Legal basis: performance of a contract; legitimate interests; consent where required.
(e) Billing & Compliance — to invoice, collect payment, manage taxes, maintain records, and comply with accounting and legal obligations. Legal basis: performance of a contract; legal obligation.
(f) Legal Defense — to establish, exercise, or defend legal claims and to enforce our Terms. Legal basis: legitimate interests; legal obligation.
(g) On Customer Instructions (Processor Capacity) — to process Customer Store Data as instructed by our Customers. Legal basis: the Customer's lawful basis as controller.
We do not sell personal data. We share personal data only as described below:
(a) Sub-processors and Service Providers — we share data with vendors who help us operate the Service under written data-processing agreements that require appropriate confidentiality and security obligations. Categories include cloud-hosting providers, database providers, email-delivery providers, payment processors, customer-support tools, error-tracking and analytics providers, and shipping-carrier APIs.
(b) Third-Party Platforms You Connect — if you connect a Third-Party Service (e.g., Shopify, Amazon, a payment processor, or a shipping carrier), data flows between Gravity Hub and that platform as necessary to provide the requested functionality. Their use of data is governed by their own privacy policies.
(c) Within the Customer Account — if you are an authorized user of a Customer account, your personal data and activity may be visible to other authorized users and administrators of that account.
(d) Legal & Safety — we may disclose data when we reasonably believe disclosure is required to comply with law, legal process, or governmental request; to enforce our Terms; to protect the rights, property, or safety of Gravity Hub by ADV Design, our users, or others; or to detect, prevent, or address fraud, security, or technical issues.
(e) Business Transfers — in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business or assets, personal data may be transferred to the successor or acquirer.
(f) With Your Consent — for any other purpose disclosed at the time and with your consent.
We are based in the United States and our sub-processors may be located in the United States, the European Economic Area, the United Kingdom, Canada, and other jurisdictions. By using the Service you acknowledge that personal data may be transferred to and processed in countries whose data-protection laws may differ from those of your country of residence. For transfers from the EEA, the United Kingdom, or Switzerland to a country not deemed adequate, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms.
We retain personal data only for as long as is necessary to provide the Service, comply with legal obligations (including tax, accounting, and audit obligations), resolve disputes, and enforce our agreements. Account-related data is generally retained for the lifetime of the account plus a reasonable period thereafter (up to seven (7) years where required by law). Customer Store Data is retained per the Customer's configuration and instructions and, for data sourced from Amazon, in accordance with the retention limits described in Section 14. Backups containing personal data are retained for a limited period in encrypted form and overwritten on a rolling basis. Anonymized or aggregated data may be retained indefinitely.
We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS) and at rest, access controls, secret rotation, audit logging, principle-of-least-privilege access, vulnerability management, and security training. However, no method of transmission or storage is one hundred percent (100%) secure. We cannot guarantee absolute security. You are responsible for safeguarding your credentials and for the security of your devices and networks. We disclaim, to the maximum extent permitted by law, all liability for unauthorized access caused by factors outside our reasonable control.
We and our service providers use cookies, local storage, web beacons, pixels, and similar technologies to (a) operate and secure the Service (strictly necessary); (b) remember your preferences (functional); (c) analyze usage and performance (analytics); and (d) where applicable, deliver relevant marketing (advertising). You can manage cookies through your browser settings and, where required by law, through our cookie-consent banner. Disabling certain cookies may impair the functionality of the Service.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights, subject to applicable conditions and exceptions:
(a) Access — obtain confirmation and a copy of personal data we hold about you.
(b) Rectification — correct inaccurate or incomplete data.
(c) Erasure — request deletion ("right to be forgotten").
(d) Restriction — restrict processing in certain circumstances.
(e) Portability — receive data in a structured, commonly used, machine-readable format.
(f) Objection — object to processing based on legitimate interests or for direct marketing.
(g) Withdraw Consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
(h) Lodge a Complaint — with your local supervisory authority.
For data we process as a processor on behalf of a Customer, please direct your request to the Customer (the controller); we will assist them as required.
If you are a California resident, you have the right to:
(a) Know the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
(b) Delete personal information we collected from you, subject to legal exceptions.
(c) Correct inaccurate personal information.
(d) Opt Out of Sale or Sharing. We do not "sell" personal information for monetary consideration and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CPRA. Should this practice ever change, we will provide a "Do Not Sell or Share My Personal Information" link.
(e) Limit Use of Sensitive Personal Information. We do not use sensitive personal information for purposes that would trigger the right to limit under the CPRA.
(f) Non-Discrimination. We will not discriminate against you for exercising any of these rights.
Categories disclosed (last 12 months): identifiers, customer records, commercial information, internet/network activity, geolocation (general), and inferences, each shared with the categories of recipients described in Section 5.
To exercise any right described in Sections 10 or 11, please email privacy@adv.design with the subject line "Privacy Rights Request" and include the information necessary to verify your identity and locate your data. We will respond within the time frames required by applicable law (generally one (1) month under GDPR; forty-five (45) days under CCPA/CPRA, extendable as permitted). You may designate an authorized agent in accordance with applicable law; we may require verification of the agent's authority. We reserve the right to deny requests that are unverifiable, unfounded, excessive, or otherwise permitted to be denied under applicable law.
If you install Gravity Hub from the Shopify App Store or otherwise connect a Shopify store, the following additional disclosures apply:
(a) Data we receive from Shopify. When you install the app, Shopify shares with us information necessary to operate the app, including your store name, contact email, store domain, country, currency, and timezone. With your authorization (granted at install time via OAuth scopes), we also access store catalog data, order data, fulfillment data, customer data (including names, addresses, emails, and phone numbers contained in orders), inventory data, and shipping/location data. We process this data solely to provide the requested functionality of the Service.
(b) Mandatory compliance webhooks. Pursuant to Shopify's protected-data requirements, we implement and respond to the following compliance webhooks:
customers/data_request — when a store's customer requests their data, the merchant forwards the request through Shopify; we deliver to the merchant the customer-related data we hold so the merchant can fulfill the request.
customers/redact — forty-eight (48) hours after a merchant requests deletion of a specific customer's data (or as otherwise required), we delete or de-identify all personal data of that customer in our systems, except where retention is required by law.
shop/redact — forty-eight (48) hours after a store uninstalls the app, and following any retention period required by Shopify (typically forty-eight (48) hours), we delete or de-identify all personal data associated with the store, except where retention is required by law (e.g., for tax, audit, or legal-defense purposes).
(c) Uninstallation. You may uninstall the app at any time from your Shopify admin. Upon uninstallation we will receive a shop/redact webhook and process it as described above.
(d) Subprocessors used for Shopify data. A current list is available upon request to privacy@adv.design.
If you connect an Amazon seller account to Gravity Hub via the Amazon Selling Partner API ("SP-API"), the following additional disclosures apply. These disclosures are made in accordance with the Amazon Acceptable Use Policy and the Amazon Data Protection Policy ("DPP").
(a) Data we receive from Amazon. With your authorization (granted via the Login with Amazon OAuth consent screen at the time you install or connect Gravity Hub), we receive the following categories of data from the SP-API: seller-account identifiers, marketplace participations, store and brand metadata, listings and catalog data, inventory data, order data (including order identifiers, line items, quantities, prices, taxes, shipping options, and order status), fulfillment data, return and refund data, financial-event data, and — where authorized under the Direct-to-Consumer Shipping role — buyer information necessary to ship an order, including buyer name, shipping address, buyer email (anonymized by Amazon where applicable), and buyer phone number. We do not request or use Amazon data for any purpose other than to provide the Service that you have connected the account to.
(b) Purpose limitation. Amazon order and buyer information is used solely to (i) import unshipped merchant-fulfilled orders into Gravity Hub, (ii) route order line items to the warehouses and carriers configured in your account, (iii) generate shipping labels and produce shipment confirmations, and (iv) push shipment, cancellation, and refund updates back to Amazon. We do not use Amazon data for advertising, retargeting, profiling, resale, sharing with brokers, or training of generative-AI models, and we do not use it to compete against Amazon or against your own business.
(c) Restricted Data Token. Where the SP-API requires a Restricted Data Token ("RDT") to access personally identifiable information (PII) of buyers, we request a token scoped only to the specific data elements required to fulfill the call, hold it in memory for no longer than the SP-API token lifetime, and never log or persist it.
(d) Retention of Amazon PII. Personally identifiable information of buyers received from Amazon is retained only as long as needed to fulfill, ship, deliver, and support the related order, and is automatically deleted or de-identified from our active systems and analytics no later than thirty (30) days after the order has been delivered, except where a longer period is required by applicable law (for example, tax, accounting, audit, or legal-defense obligations). Encrypted backups are overwritten on a rolling schedule.
(e) Encryption and access control. Amazon SP-API refresh tokens, access tokens, RDTs, and any persisted buyer PII are encrypted at rest using industry-standard cryptography (AES-256). Encryption keys are managed in a dedicated key-management system with access restricted to personnel with a need to know. All access to Amazon data is logged and reviewed.
(f) Sub-processors used for Amazon data. Amazon order data is processed by our cloud-hosting and database providers, our shipping-carrier integrations (where shipping data is forwarded to produce labels), and our error-tracking and observability providers (with PII fields stripped). A current list of sub-processors is available upon request to privacy@adv.design.
(g) Disconnection. You may revoke Gravity Hub's access to your Amazon seller account at any time from your Seller Central account under Apps and Services or from the Integrations page in the Gravity Hub dashboard. Upon disconnection, we will delete or de-identify Amazon-sourced personal data within thirty (30) days, subject to legal retention exceptions and the thirty-day post-delivery limit described in (d).
(h) Security incident notification. In the event of a security incident affecting Amazon-sourced data, we will notify Amazon's Security Incident Response Team within twenty-four (24) hours of detection, in addition to any notifications required to you and to data-protection authorities under applicable law.
Subscription fees are processed by third-party payment processors. We do not collect or store full payment-card numbers. The payment processor's collection, use, and protection of your payment information is governed by its own privacy policy, which we strongly encourage you to review. We are not liable for the acts, omissions, errors, breaches, or failures of any payment processor.
When you connect a shipping carrier or fulfillment provider, we transmit address and order data necessary to generate labels, track shipments, and update fulfillment status. The carrier's or provider's processing of that data is governed by its own terms and privacy policy. We are not responsible for the practices of any such third party.
We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, except for routine fraud-prevention and security checks reviewable by our staff on request.
Our Service does not currently respond to "Do Not Track" browser signals. We treat all users consistently in accordance with this Policy.
The Service may contain links to third-party websites, services, or resources that we do not control. We are not responsible for the content, privacy practices, or security of any third-party site or service. Inclusion of any link does not constitute endorsement.
We may update this Privacy Policy from time to time in our sole discretion. The "Effective Date" at the top reflects the most recent revision. Material changes will be communicated by reasonable means (such as email or in-Service notice). Your continued use of the Service after the Effective Date constitutes acceptance of the updated Policy.
For questions, requests, or complaints regarding this Policy or our data practices:
Gravity Hub by ADV Design
Privacy & Compliance
General privacy: privacy@adv.design
Data Protection Officer (where appointed): dpo@adv.design
Legal: legal@adv.design
EEA/UK individuals may also lodge a complaint with their local data-protection supervisory authority. California residents may contact the California Privacy Protection Agency or the California Attorney General.
If any provision of this Policy is held invalid or unenforceable by a court of competent jurisdiction, that provision shall be enforced to the maximum extent permitted, and the remaining provisions shall remain in full force and effect. Our failure to enforce any provision is not a waiver of our right to do so later.
By using Gravity Hub you acknowledge that you have read, understood, and accepted this Privacy Policy in its entirety.