What is Gravy Analytics?

Gravy Analytics is a location data intelligence platform that tracks the movements of over one billion mobile devices and processes approximately 17 billion location signals every day. The company converts raw GPS coordinates into behavioral insights — identifying where people shop, eat, worship, exercise, seek medical care, and attend events. This data is sold to advertisers, retailers, financial firms, real estate developers, and government agencies who use it to make decisions that directly affect people's lives.

But Gravy Analytics made global headlines for an entirely different reason: in January 2025, the company suffered a massive data breach that exposed the precise location records of millions of people worldwide. The breach revealed granular GPS coordinates linked to identifiable devices, laying bare the daily movements, routines, and sensitive location visits of an enormous number of individuals. The stolen data reportedly included records from users of popular apps including Tinder, Grindr, Candy Crush, MyFitnessPal, and numerous others — apps whose users had no idea their location data was being harvested and aggregated by Gravy Analytics.

The January 2025 breach was a watershed moment for the location data brokerage industry. It demonstrated concretely what privacy advocates had warned for years: that the massive centralized databases maintained by location data brokers are catastrophic single points of failure. When Gravy Analytics was breached, the attackers did not just get names and emails — they got timestamped GPS coordinates showing exactly where millions of people were at specific moments in time.

Here is what Gravy Analytics collects and what may have been exposed in the breach:

Precise GPS coordinates with timestamps
Location visit history spanning months or years
Point-of-interest visit records (stores, restaurants, clinics)
Dwell time at each location
Movement patterns and commute routes
Retail store visit frequency and shopping behavior
Event attendance records (concerts, rallies, sports)
Travel patterns including hotel and airport visits
Real-time location signals from advertising data
Device trajectory mapping over time
Cross-referenced behavioral segments

Why You Should Remove Your Information from Gravy Analytics

The January 2025 data breach transforms the urgency of removing your data from Gravy Analytics from a privacy best practice into a critical security response.

Your Breached Location Data Is Circulating on the Dark Web: The data stolen in the January 2025 breach has been observed on dark web forums and hacker marketplaces. This means that criminals, stalkers, and hostile actors potentially have access to your precise historical location data. Unlike a stolen password that you can change, location history cannot be undone — if someone knows you visited a specific address at a specific time, that information is permanently compromised.

Sensitive Location Exposure: The breached data includes visits to locations that reveal deeply personal information — reproductive health clinics, addiction treatment facilities, mental health providers, houses of worship, LGBTQ+ venues, political events, and domestic violence shelters. For individuals in vulnerable situations, the exposure of this location data can create immediate physical danger.

Pattern-of-Life Analysis by Bad Actors: With timestamped GPS coordinates, anyone who obtains the breached data can reconstruct your daily routine — when you leave home, what route you take to work, where you stop for coffee, where your children go to school. This pattern-of-life intelligence is exactly what military and intelligence agencies use for surveillance, and it is now potentially available to anyone with access to the stolen Gravy Analytics dataset.

Ongoing Collection Despite the Breach: Gravy Analytics continues to collect location data even after the breach. If you have not opted out, the company is still building your behavioral profile, adding new location data on top of the compromised historical records. Every day you delay removal is another day of location data being collected by a company with a proven inability to protect it.

Regulatory Consequences Are Catching Up: The FTC banned Gravy Analytics (and its subsidiary Venntel) from selling sensitive location data following the breach. However, enforcement is ongoing, and there is no guarantee that all copies of your data have been secured. Removing your data directly ensures you are not relying solely on regulatory action to protect your privacy.

How to Remove Yourself from Gravy Analytics: Step-by-Step

Step 1: Determine If You Were Affected by the January 2025 Breach

The Gravy Analytics breach exposed data collected through advertising SDKs embedded in thousands of popular apps. If you used any app that displayed advertisements and had location permissions enabled at any point before January 2025, your data may have been compromised. Popular apps identified in the breach include dating apps, fitness trackers, weather apps, mobile games, and social media platforms. Assume your data was exposed unless you have strong evidence otherwise.

Step 2: Lock Down Your Current Device Settings

Immediately take steps to stop the ongoing flow of your location data:

iPhone: Go to Settings > Privacy & Security > Tracking and disable "Allow Apps to Request to Track." Also go to Settings > Privacy & Security > Location Services and review every app's access.
Android: Go to Settings > Privacy > Ads and delete your advertising ID. Review location permissions under Settings > Location > App Permissions.
Remove or disable any apps you do not actively use, especially free apps supported by advertising.

Step 3: Navigate to Gravy Analytics' Privacy Page

Visit gravyanalytics.com/privacy to review their current privacy policy and consumer rights information. Because the company has been subject to FTC enforcement actions, their privacy page may have updated procedures for consumer data requests. Look for a consumer opt-out form or data subject access request mechanism.

Step 4: Submit a Formal Deletion Request via Email

Send a comprehensive deletion request to privacy@gravyanalytics.com with the subject line "Urgent Data Deletion Request — Breach Victim — CCPA Section 1798.105." Your email should include:

Your full legal name
Phone number(s) associated with your mobile devices
Mobile device advertising IDs (if you know them — check your device settings)
Email addresses linked to app store accounts
A clear statement requesting immediate deletion of all location data, device identifiers, behavioral profiles, visit histories, and any derived analytics

Reference the January 2025 data breach explicitly and state that you are requesting deletion as a directly affected individual.

Step 5: File a Complaint with the FTC

Given that the FTC has already taken enforcement action against Gravy Analytics, your individual complaint adds weight to ongoing regulatory proceedings. File a complaint at reportfraud.ftc.gov describing the breach, specifying that you believe your location data was compromised, and stating that you have requested deletion from Gravy Analytics directly. Also consider filing with your state's Attorney General office, which may have its own investigation.

Step 6: Monitor for Misuse of Your Location Data

After submitting your deletion request, monitor for signs that your breached location data is being used:

Unexpected targeted advertising based on places you have visited
Phishing emails or messages referencing specific locations
Unusual social media contact from people connected to places in your location history
Any signs of stalking or surveillance

If you detect misuse, file an updated complaint with the FTC and contact local law enforcement.

What CCPA Rights Protect You

The California Consumer Privacy Act provides critical protections for individuals affected by the Gravy Analytics breach. Under CCPA, you have the right to demand deletion of all personal information Gravy Analytics holds about you, including location data, device identifiers, and behavioral inferences. The California Privacy Rights Act (CPRA) further classifies precise geolocation as "sensitive personal information" subject to enhanced protections. Gravy Analytics must respond to your deletion request within 45 days. Importantly, the FTC's enforcement action against Gravy Analytics does not substitute for your individual rights — you should exercise your CCPA rights directly regardless of the status of federal enforcement proceedings.

Important Notes

The FTC ban is limited: The FTC prohibited Gravy Analytics from selling sensitive location data, but this does not automatically delete your historical data from their systems. You must submit your own deletion request.
Venntel is the same company: Gravy Analytics operated a government-focused subsidiary called Venntel that sold location data to federal agencies including DHS, IRS, and CBP. If your data was in Gravy Analytics' systems, it may have been shared with government entities before the ban.
App-level consent is not real consent: Gravy Analytics claimed its data collection was based on user consent (via app location permissions). However, most users who granted location access to a weather app or mobile game did not knowingly consent to having their GPS coordinates aggregated and sold by a third-party data broker.
Breach notification may not reach you: Because Gravy Analytics has no direct consumer relationship, they may not have a way to notify you individually about the breach. Do not wait for a notification that may never come.

Automate Your Removal with GhostMyData

The Gravy Analytics breach underscores why location data broker removal cannot be a one-time manual effort. Your data exists across an interconnected ecosystem of location intelligence companies — Mobilewalla, SafeGraph, Placer.ai, Near Intelligence, and dozens of others — that share, resell, and repackage the same underlying location signals.

Automated CCPA deletion requests sent to Gravy Analytics, Mobilewalla, and all major location data brokers
Breach monitoring that detects if your data appears in known data breach datasets
Continuous re-scan monitoring to catch data re-collection through new advertising bidstream channels
Enterprise broker coverage targeting the B2B data companies that consumers rarely know are tracking them

Start your free privacy scan to find out which data brokers have your location data — including companies connected to the Gravy Analytics breach — and let GhostMyData handle the deletion requests.

Frequently Asked Questions

Was my data part of the Gravy Analytics January 2025 breach?

If you used any smartphone app with location permissions enabled and advertising in it before January 2025, your location data may have been exposed. The breach affected data collected from thousands of popular apps including Tinder, Grindr, Candy Crush, MyFitnessPal, and many others. There is no public lookup tool to check if your specific device was affected.

What exactly was exposed in the Gravy Analytics breach?

The breach exposed precise GPS coordinates with timestamps, device advertising IDs, and visit histories. This means attackers could potentially see exactly where specific devices were located at specific times — including sensitive locations like medical facilities, places of worship, and private residences.

Has the FTC shut down Gravy Analytics?

The FTC banned Gravy Analytics and its subsidiary Venntel from selling sensitive location data, but the company has not been shut down entirely. The order requires them to delete historical sensitive location data and implement a comprehensive privacy program. However, enforcement of these requirements is ongoing, and there is no confirmation that all data has been deleted.

Can I sue Gravy Analytics for the breach?

Class action lawsuits have been filed against Gravy Analytics related to the January 2025 breach. If you believe your data was exposed, you may be eligible to join a class action or pursue individual legal claims depending on your jurisdiction and the harm you experienced. Consult a privacy attorney for guidance specific to your situation.

How do I stop location data brokers from tracking me going forward?

The most effective steps are: (1) disable advertising tracking on all your devices, (2) review and restrict app location permissions, (3) remove apps you do not use, (4) use a privacy-focused DNS service that blocks known tracking domains, and (5) enroll in an ongoing data removal service like GhostMyData that continuously monitors and submits deletion requests on your behalf.

How to Remove Yourself from Gravy Analytics in 2026 (Step-by-Step Guide)