Effective Date: April 2, 2026 | Last Updated: April 2, 2026
Gravity Rail, Inc. ("Gravity Rail," "we," "us," or "our") operates an AI-powered communications platform (the "Services"). This Privacy Policy (this "Policy") describes how we collect, use, share, retain and protect information in connection with the Services and our website.
This Policy applies to visitors to our website and users of our self-service accounts. This Policy does not apply to information we obtain from other sources, including from any third party or other website that does not include a link to this Policy. Enterprise customers with a separately executed Master Services Agreement or Data Processing Addendum are also governed by those agreements, which supersede this Policy to the extent of any conflict.
If you are a patient or individual end user who interacted with a Gravity Rail-powered application operated by a healthcare organization, please contact that organization regarding your data. Gravity Rail processes that data on behalf of the healthcare organization (the "Associate") under a Business Associate Agreement and is not the primary contact for individual patient rights requests. Information collected by an Associate is subject to the Associate's privacy policy.
We may receive information from third parties such as identity verification services, payment processors, and analytics providers. We use this information only to the extent necessary to provide the Services or as otherwise described in this Policy.
We use information we collect to:
We process your information only for the purposes described in this Policy or for compatible purposes that you would reasonably expect given the context of collection.
| Account Type | Customer Content for Model Training | Concierge Interaction Data |
|---|---|---|
| Enterprise | Never. Gravity Rail does not use Enterprise Customer Content to train, fine-tune, or improve AI models. | Never without separate written agreement. |
| Self-service | No. Gravity Rail does not use Customer Content to train AI models. | May use de-identified and aggregated data from concierge interactions to improve the Services. |
If you are a self-service customer and wish to opt out of any use of concierge interaction data for model improvement, submit a request to privacy@gravityrail.com. We will process opt-out requests within forty-five (45) days, with a possible forty-five (45) day extension if necessary, with notice to you of the extension.
We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. We share information only as described below:
We use third-party vendors to provide the Services. These vendors are contractually required to use your information only to provide their services to us and not for their own purposes. Our key sub-processors include:
| Category | Examples |
|---|---|
| AI model inference | [Anthropic, Google, etc.] |
| Cloud infrastructure | Amazon Web Services |
| Voice / telephony | [Deepgram, ElevenLabs, Twilio] |
| Payment processing | [Stripe] |
| Analytics | Google Analytics |
| Customer support | Email and Slack (no third-party provider) |
A current and complete list of sub-processors is available at https://www.gravityrail.com/legal/sub-processors. We will notify customers of material sub-processor changes by posting such changes at https://www.gravityrail.com/legal/sub-processors. If you object to a new sub-processor, you may terminate your account pursuant to the Terms of Service.
If Gravity Rail is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
We may disclose information if we believe in good faith that disclosure is required by applicable law, regulation, legal process, or government request. Where permitted, we will notify you before disclosing.
We may disclose information to prevent or address fraud, security threats, violations of our Terms of Service, or to protect the rights, property, or safety of Gravity Rail, our customers, or the public.
We may share information for any other purpose with your prior consent.
| Data Type | Retention Period |
|---|---|
| Self-service Customer Content | 30 days from last account activity or account termination |
| Enterprise Customer Content | As specified in the applicable MSA and BAA |
| Account information | Duration of account plus 2 years after closure |
| Billing records | 7 years (tax and accounting requirements) |
| Usage logs and analytics | 12 months rolling |
| Support communications | 3 years |
We may retain information longer where required by applicable law, to resolve disputes, or to enforce our agreements. Where HIPAA or other regulatory retention requirements apply to data we process on behalf of Enterprise customers, we will retain data as required by such laws notwithstanding any deletion request. Upon deletion, data is removed from production systems within 30 days and from backups within 90 days. Data in backups is subject to the same encryption and access controls as data in production systems.
We implement administrative, technical, and physical safeguards designed to protect your information, including:
Gravity Rail is currently undergoing SOC 2 Type II audit preparation. For information regarding our current security posture and certifications, contact security@gravityrail.com.
No security measure is perfect. In the event of a security incident affecting your data, we will notify you as required by applicable law.
The Services may record calls and generate transcripts. Whether a call is recorded and how recordings are used is controlled by the Customer operating the applicable workflow. Gravity Rail processes recordings as a data processor on behalf of the Customer.
If you were an End User in a call operated by one of our customers, please contact that customer regarding recordings of your call.
Gravity Rail does not create, store, or use voice biometric identifiers (voiceprints) for speaker identification, verification, or any other purpose.
Gravity Rail-powered voice interactions are conducted by artificial intelligence. Customers are responsible for disclosing the AI nature of interactions to their End Users as required by applicable law, including California AB 2905.
We use cookies and similar technologies to:
Types of cookies we use:
We do not use advertising cookies or share data with advertising networks.
Do Not Track: Gravity Rail does not currently respond to Do Not Track (DNT) browser signals. There is no industry consensus on how to interpret DNT signals, and we do not alter our data collection practices based on DNT settings.
To manage cookies, use your browser settings or the cookie consent banner displayed when you first visit our website.
Depending on where you are located, you may have certain rights regarding your personal information.
In addition to the rights above, California residents have the right to:
To submit a request, contact privacy@gravityrail.com. We will acknowledge your request within ten (10) business days and respond within forty-five (45) days, with a possible forty-five (45) day extension with notice.
Categories of sensitive personal information we may process:
Certain data we process on behalf of Enterprise customers may be subject to HIPAA retention requirements. To the extent that data is governed by HIPAA and the applicable Business Associate Agreement, HIPAA retention obligations take precedence over CCPA deletion requests. The CCPA provides a partial exemption for data collected, processed, sold, or disclosed pursuant to HIPAA. If you are a patient whose data was processed through Gravity Rail on behalf of a healthcare provider, please direct deletion requests to that provider, as they are the appropriate party to evaluate HIPAA retention obligations.
Gravity Rail is a Business Associate under HIPAA for Enterprise customers operating under a Business Associate Agreement. When processing PHI on behalf of an Enterprise customer:
If you are a patient whose PHI was processed by Gravity Rail on behalf of a healthcare provider, please contact that provider directly to exercise your HIPAA rights. The provider (Covered Entity) is the appropriate party to handle patient rights requests.
Self-service accounts may not be used to process PHI. See our Terms of Service for details.
Gravity Rail is headquartered in the United States. Your information will be transferred to and processed in the United States. Gravity Rail currently operates primarily in the United States.
If you are located outside the United States, please be aware that the United States may have data protection laws different from those in your country. By using the Services, you consent to the transfer and processing of your information in the United States.
As Gravity Rail expands internationally, we will implement appropriate transfer mechanisms as required by applicable law, including EU Standard Contractual Clauses or equivalent safeguards.
The Services are not directed to children under 13 (or under 16 where required by applicable law). We do not knowingly collect personal information from children under these ages. If we learn that we have collected personal information from a child without appropriate consent, we will delete that information. If you believe we have collected such information, contact privacy@gravityrail.com.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy and updating the "Last Updated" date at the top. For significant changes, we will provide additional notice (such as email notification or an in-product banner) at least 30 days before the change takes effect. Your continued use of the Services after the effective date of a material change constitutes acceptance of the updated Policy.
We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation ("GDPR"). All GDPR queries from EU Data Subjects or Data Protection authorities should be submitted to eurep.ie via their dedicated form.
BizLegal Ltd trading as EU Rep have their registered office at 27 Cork Road, Midleton Co. Cork, Ireland. Company number 635921.
Mailing address:
Gravity Rail, Inc. 114 High St. Grass Valley, CA 95945
We aim to respond to all privacy inquiries within 30 days.
Gravity Rail, Inc. — Approved 2026-04-08