Gravy Analytics

Overview

Gravy Analytics is an American location data company founded in 2011, headquartered in Vienna, Virginia. The company operates as one of the largest commercial location intelligence brokers in the United States, building a business from collecting and selling precise geolocation data derived from mobile advertising bid streams and mobile app integrations.

Gravy Analytics is perhaps best known through its subsidiary Venntel, a separate company that served as the primary conduit through which U.S. government agencies, including Customs and Border Protection, Immigration and Customs Enforcement, the Drug Enforcement Administration, the Defense Intelligence Agency, the Secret Service, and the FBI, purchased precise mobile location data without obtaining warrants.

This structure, maintaining Venntel as a nominally separate entity that served government clients while Gravy Analytics served commercial clients, allowed the company to present different faces to different markets while operating from a common data infrastructure. The Venntel subsidiary was acquired by Gravy Analytics to specifically serve government needs, reflecting the systematic commercial provision of surveillance-grade location intelligence to government agencies as a standard business activity.

In January 2025, Gravy Analytics suffered a massive data breach and simultaneously faced landmark FTC enforcement action, creating simultaneous accountability crises that fundamentally disrupted the company's operations. The FTC action against Gravy Analytics and Venntel represented the most significant regulatory action against the commercial location data broker industry to date.

The company also has significant connections to Unacast, a Norwegian location analytics company that provides similar location intelligence services, reflecting the global nature of the commercial location data industry.

Data Collection Practices

Gravy Analytics collects location data primarily through the mobile advertising ecosystem's bid stream rather than through direct app SDK integration:

Bid stream location data harvesting is Gravy Analytics' primary collection mechanism. The company participates in mobile advertising real-time bidding (RTB) auctions, and each bid request contains location data submitted by mobile apps as part of the advertising targeting signal. Gravy Analytics harvests location coordinates from these bid requests:

• Precise GPS latitude/longitude coordinates submitted with mobile ad requests
• Timestamp of each location data point
• Device advertising identifiers (IDFA, GAID) connecting location data to persistent device identifiers
• App context signals identifying which application generated the location disclosure
• IP-based location as supplementary data

Critically, Gravy Analytics collects location data from bid requests it submits bids for but does not necessarily win. This means the company harvests location data as a byproduct of auction participation rather than as a primary purpose, exploiting the RTB ecosystem's architecture to collect location data at scale without the direct app integrations that more traditional location data companies use.

Historical location database built from continuous bid stream harvesting contains location histories for hundreds of millions of device identifiers, representing years of movement data for U.S. mobile users. This historical database enables:

• Reconstruction of individual movement patterns, routines, and relationships
• Home and work location inference from regular location clusters
• Sensitive location visit identification (healthcare, religious, political)
• Cross-device identity resolution from common home/work location clusters
• Population-level mobility analytics

Venntel government products provide tools optimized for government intelligence and law enforcement use cases:

• Target tracking: continuous location monitoring for specific device identifiers
• Historical location queries: movement history for specified devices and time periods
• Geofencing: identification of all devices present at a specific location during a time window
• Pattern of life analysis: routine extraction from location history

Consumer attribute enrichment connects location histories to consumer demographic data purchased from data brokers, enabling location-based audience intelligence products sold to commercial buyers.

Known Clients & Government Contracts

Gravy Analytics and Venntel's government client base, documented through investigative reporting and government procurement records, represents the most extensive documented case of U.S. government agencies purchasing commercial location data:

Customs and Border Protection (CBP): CBP purchased Venntel location data through commercial contracts for border security and immigration enforcement purposes. Investigative reporting by VICE Motherboard documented specific CBP purchases and use cases including tracking movements near the U.S.-Mexico border.

Immigration and Customs Enforcement (ICE): ICE purchased Venntel data for immigration enforcement, enabling the agency to track individuals' movements without obtaining immigration-specific court orders.

Defense Intelligence Agency (DIA): The DIA, which produces intelligence for the military services and joint chiefs, purchased location data from Venntel. A DIA official acknowledged in response to Congressional inquiry that the agency purchased commercial location data as a legal alternative to obtaining warrants for the same data.

Drug Enforcement Administration (DEA): The DEA used Venntel data for drug trafficking investigations, accessing location histories that would require warrants if obtained from telecommunications carriers.

U.S. Secret Service and FBI: Both agencies have been documented as Venntel purchasers through procurement records and investigative journalism.

Department of Homeland Security: Multiple DHS components beyond CBP and ICE have accessed Venntel data, reflecting a department-wide approach to leveraging commercial location data for security purposes.

Privacy Incidents & Litigation

FTC Enforcement Action (January 2025): The Federal Trade Commission announced enforcement actions against Gravy Analytics and its subsidiary Venntel in January 2025, alleging that the companies violated the FTC Act by collecting and selling consumer location data without adequate consent and by selling location data that exposed consumers to significant privacy harms. The FTC orders required:

• Prohibition on selling location data derived from healthcare facilities, reproductive health clinics, religious institutions, and other sensitive locations
• Mandatory deletion of historical data collected from sensitive locations
• Implementation of a data minimization program
• Prohibition on sharing or selling consumer location data for advertising targeting without explicit consent

This enforcement action represented the most comprehensive regulatory action against the commercial location data broker industry and established important precedent about sensitive location categories.

Gravy Analytics Data Breach (January 2025): Simultaneous with the FTC action, Gravy Analytics suffered a major data breach in which a threat actor claimed to have exfiltrated data on tens of millions of individuals. The breach included:

• Precise location histories for millions of device identifiers
• Associations between location data and consumer identities
• Data spanning multiple years of location collection

The breach exposed the fundamental risks of centralizing precise historical location data, including visits to sensitive locations like abortion providers, addiction treatment facilities, and political organizations, in a single commercial database.

Government Data Purchase Controversy: VICE Motherboard's extensive investigative reporting documenting Venntel's government contracts triggered Congressional investigations and policy debates. Senator Ron Wyden wrote to the DIA and other agencies seeking explanations for warrantless location data purchases, and introduced legislation (the Fourth Amendment Is Not For Sale Act) to close the data broker loophole.

ACLU and EFF Advocacy: The ACLU and Electronic Frontier Foundation have filed briefs and published analyses arguing that government purchase of commercial location data without warrants violates the Fourth Amendment's protection against unreasonable searches, citing Supreme Court precedent in Carpenter v. United States (2018) which held that police must obtain warrants to access historical cell site location information from carriers.

Threat Score Analysis

Gravy Analytics receives a composite threat score of 78/100, reflecting the FTC-documented sale of sensitive location data including abortion clinic visits, its systematic supply of warrantless location data to multiple U.S. federal law enforcement and intelligence agencies, and the 2025 data breach:

• Data Collection (87/100): Gravy Analytics harvests location data from bid stream participation at extraordinary scale, building location histories for hundreds of millions of devices. The collection includes visits to reproductive health clinics, addiction treatment facilities, religious institutions, and other sensitive locations. The historical database depth, years of movement data, enables comprehensive pattern-of-life analysis.

• Third-Party Sharing (92/100): Data selling is Gravy Analytics' core business. The company systematically sold sensitive location data to multiple U.S. federal agencies (documented), commercial advertisers, and through reseller channels. The Venntel subsidiary was specifically created to serve government clients.

• Breach History (60/100): The January 2025 data breach exposing millions of individuals' location histories, including sensitive location visits, represents a serious security failure with direct real-world harm potential. The breach occurred simultaneously with FTC enforcement, compounding accountability.

• Government Contracts (70/100): Multiple documented government agency contracts for Venntel location data represent one of the most extensive documented cases of commercial location data being systematically purchased by law enforcement and intelligence agencies as a warrantless surveillance alternative.

• Transparency (25/100): Gravy Analytics operated with minimal transparency to consumers, who had no awareness that their mobile location data was being harvested through advertising bid streams and sold to government agencies. The company's opt-out mechanisms were not promoted to consumers and required knowledge of the company's existence.

Weighted calculation: (87 * 0.25) + (92 * 0.25) + (60 * 0.20) + (70 * 0.15) + (25 * 0.15) = 21.75 + 23.0 + 12.0 + 10.5 + 3.75 = 71.0, adjusted to 78 due to the systematic supply of warrantless location surveillance to multiple federal agencies, the FTC-documented sale of sensitive location data, and the 2025 data breach demonstrating the harm potential of centralized historical location databases.

Transparency & Accountability

Gravy Analytics and Venntel operated with a deliberate opacity designed to serve two distinct markets, commercial advertisers and government agencies, without the transparency that either market would find fully comfortable:

The separate corporate identities of Gravy Analytics and Venntel created a structural transparency barrier: Gravy Analytics's commercial privacy policy and public presence did not reflect the full scope of data uses through the Venntel subsidiary. Government clients purchasing through Venntel were not disclosed in Gravy Analytics's commercial communications.

Following the January 2025 FTC enforcement action, Gravy Analytics announced compliance measures including deletion of sensitive location data, implementation of new consent requirements, and restrictions on government data sales. Whether these commitments are implemented effectively will be determined by FTC monitoring under the consent order.

The data breach in January 2025, occurring simultaneously with FTC action, represents a dual accountability crisis that may fundamentally alter the company's viability. Exposing the location histories of millions of individuals, including sensitive location visits, to unknown threat actors while simultaneously facing FTC enforcement creates legal, reputational, and operational challenges that may prove existential.

The Gravy Analytics case has significant implications for the broader commercial location data industry. If the FTC establishes through enforcement that collecting and selling location data from bid streams without adequate consent violates the FTC Act, and that selling data reflecting sensitive location visits is an unfair trade practice, the business model of dozens of similar companies is at risk. The combination of the Kochava lawsuit and the Gravy Analytics enforcement action represents a coordinated FTC strategy to reshape the commercial location data industry's practices.

Senator Wyden's Fourth Amendment Is Not For Sale Act, legislation specifically targeting the data broker loophole that allows government agencies to purchase what they cannot collect directly, has been proposed but not yet passed, reflecting the political challenge of closing legal frameworks that government agencies argue are operationally necessary for national security and law enforcement.