GRAYPASSDOC/LEGAL-02

Privacy
Policy.

Effective June 25, 2026. What we collect on the site, in the demo, and in the product; why we process it; how long it lives; and the rights you keep over all of it.

I. SCOPE

This Privacy Policy explains how GrayPass (“GrayPass,” “we,” “us”) handles personal data across three surfaces: this website, the hosted demo experience, and the GrayPass product (the SDK and API our customers integrate).

When a customer integrates GrayPass into their application, that customer is the controller of their end users' data and this policy applies to our role as their processor. The product-specific detail lives in the Data Privacy document; region-specific detail lives in the GDPR and BIPA documents. Where those documents are more protective, they win.

II. WHAT WE COLLECT

Website visitors:

  • Standard server logs: IP address, user agent, requested pages, timestamps. Used for security and reliability, kept briefly.
  • Privacy-respecting analytics: aggregated page views and referrers. We do not run advertising trackers.
  • The on-page “live signature” demonstration runs entirely in your browser. Its readings - pointer timings, key timings (never keys), scroll rhythm - are processed locally, sent nowhere, and forgotten when the tab closes. You can turn it off on the page at any time.

Demo users:

  • Account basics if you create one: email address and a display name.
  • Behavioral timing signals collected with your consent during calibration and verification: reaction timings, keystroke intervals (never the keys or text you type), and pointer dynamics.
  • Derived artifacts: the salted behavioral print and decision logs with reason codes.

Product end users (our customers' users):

  • The same categories of timing signals and derived artifacts, processed on the instructions of the customer whose application you are using.
  • We never receive the content you type, the pages' contents, or your identity beyond the pseudonymous identifier the customer assigns.

III. WHAT WE NEVER COLLECT

  • Typed content. The SDK reads the timing between keys, never which keys.
  • Raw behavioral streams at rest. Streams are reduced to a salted print in-session; the raw series is discarded.
  • Photographs, voice, fingerprints, face geometry, or any static biometric image.
  • Data from advertising brokers, and we do not sell or share personal data for advertising.

IV. WHY WE PROCESS IT

  • To provide the service: verifying that the person behind a session is who they claim to be, and returning decisions to the applications you use.
  • To secure the service: rate limiting, abuse detection, and incident investigation.
  • To improve the service: aggregate, de-identified statistics about decision quality, latency, and drift. Research on identifiable data happens only with separate, explicit opt-in consent and is revocable.
  • To communicate with you: transactional email about your account, and product updates you can opt out of.

Where GDPR applies, our lawful bases per activity are set out in the GDPR document: contract performance for delivering the service, legitimate interests for security, and consent for behavioral enrollment and research data.

V. SHARING

We do not sell personal data. We share it only with:

  • Infrastructure sub-processors (hosting, storage, email delivery) bound by data-processing agreements and limited to what operating the service requires.
  • Our customers, for their own end users' sessions: decisions, confidence, and reason codes - not raw signals.
  • Authorities, if legally compelled; we will notify affected users where the law allows.
  • A successor entity in a merger or acquisition, under this policy's commitments.

VI. RETENTION

  • Raw behavioral streams: not retained. Reduced in-session, then discarded.
  • Salted prints and helper data: retained while the account or the customer relationship is active, then deleted within thirty (30) days.
  • Decision logs: up to twelve (12) months, for security and audit.
  • Server logs: up to ninety (90) days.
  • Opt-in research data: until you withdraw consent or three (3) years, whichever comes first.

VII. SECURITY

TLS 1.3 in transit with HSTS and per-request nonces; envelope encryption at rest for prints and helper data; per-user salts so no artifact is portable across accounts; access controls and audit logging internally. The full posture, threat model, and disclosure process live in the Security document and Trust Center.

VIII. YOUR RIGHTS

Wherever you are, you can ask us to access, correct, export, or delete personal data we hold about you, and you can withdraw consent for anything consent-based (including behavioral enrollment) without losing access to unrelated features.

Deletion includes the salted print: erasing it destroys the template, and rotating your seed invalidates any prior artifact. Send requests to hello@graypass.org with the subject “Data request”; we respond within thirty (30) days. If you are an end user of a customer's application, we will route your request to that customer or act on their instruction, as the law requires.

EU/EEA, UK, and Swiss users have the additional rights described in the GDPR document. Illinois residents should also read the BIPA policy.

IX. INTERNATIONAL TRANSFERS

We are a U.S.-based service. Where personal data of EU/EEA, UK, or Swiss users is transferred to the United States, we rely on Standard Contractual Clauses together with the technical measures described above. Details and our data-processing agreement are covered in the GDPR document.

X. CHILDREN

The Services are not directed to children under 16, and we do not knowingly collect their data. If you believe a child has provided us personal data, contact us and we will delete it.

XI. CHANGES AND CONTACT

When this policy changes materially, we will post the new version here with a new effective date and notify account holders by email. We will not retroactively weaken commitments for data already collected.

Privacy questions and requests: hello@graypass.org (subject “Privacy”).