GRAYPASSDOC/LEGAL-01
Terms of
Service.
Effective June 25, 2026. The agreement that governs the GrayPass website, demo, SDK, and API. Written to be read: fourteen sections, no surprises.
I. ACCEPTANCE
These Terms of Service (the “Terms”) are a binding agreement between you and GrayPass (“GrayPass,” “we,” “us,” or “our”). They govern your access to and use of the GrayPass website, the hosted demo experience, the GrayPass SDK, the GrayPass API, and any related documentation and services (together, the “Services”).
By accessing or using the Services, creating an account, or obtaining an API key, you accept these Terms. If you are using the Services on behalf of a company or other legal entity, you represent that you have authority to bind that entity, and “you” refers to that entity. If you do not agree to these Terms, do not use the Services.
II. THE SERVICES
GrayPass provides behavioral authentication infrastructure: an SDK that reads interaction timing signals in the end user's browser, and an API that returns verification decisions with calibrated confidence to your systems.
The hosted demo experience is provided for evaluation, inspiration, and feedback. It is not a production authentication system, and you must not rely on it to protect production assets or sensitive information.
We may modify, suspend, or discontinue any part of the Services as they evolve. Where a change materially reduces the functionality of a paid Service, we will use reasonable efforts to give advance notice.
III. ACCOUNTS AND API KEYS
You are responsible for the accuracy of the information associated with your account and for everything that happens under your API keys.
- Secret keys (sk_) must be kept confidential, stored server-side, and rotated if you suspect exposure.
- Publishable keys (pk_) may ship in client code but remain bound to your account and these Terms.
- You must notify us promptly at hello@graypass.org if you become aware of unauthorized use of your keys or account.
We may suspend keys that show signs of compromise, abuse, or usage patterns that put the Services or other customers at risk. Where practical, we will contact you before or promptly after doing so.
IV. ACCEPTABLE USE
You agree not to misuse the Services. In particular, you will not:
- probe, scan, or test the vulnerability of the Services except through our coordinated disclosure process described in the Trust Center;
- interfere with service availability, including load testing without written permission;
- attempt to re-identify, reverse engineer, or reconstruct raw behavioral data from salted prints or any other artifact of the Services;
- use the Services to authenticate or surveil individuals without a lawful basis and any legally required notice and consent;
- use the Services in violation of applicable law, including biometric privacy, data protection, export control, and sanctions laws;
- resell, sublicense, or white-label the Services without a written agreement with us.
If you integrate the SDK into your product, you are responsible for presenting your end users with any notices and obtaining any consents required in your jurisdictions, including those described in our Biometric Information Privacy policy and GDPR documentation.
V. PRIVACY AND BEHAVIORAL DATA
Our handling of personal data is described in the Privacy Policy, the Data Privacy document, the Biometric Information Privacy (BIPA) policy, and the GDPR page. Those documents are part of how we deliver the Services, and we will not weaken the commitments in them retroactively for data already collected.
In short: the SDK reads interaction timings, not content; raw behavioral streams are not persisted; what we store is a salted, revocable print; and deletion is available on request.
VI. FEES AND PAYMENT
Paid usage is sold as session packs at the rates published on our pricing page or agreed in an order form. Except as required by law or expressly stated otherwise, fees are non-refundable; purchased sessions do not expire until used.
You are responsible for applicable taxes other than taxes on our income. If you believe an invoice is incorrect, contact us within thirty (30) days of the invoice date and we will work with you in good faith to resolve it.
VII. INTELLECTUAL PROPERTY
GrayPass and its licensors own the Services, including the SDK, API, models, documentation, site content, and branding. We grant you a limited, non-exclusive, non-transferable, revocable license to use the SDK and API as documented, solely to integrate the Services into your products while these Terms are in effect.
You own your applications and your data. You grant us the rights in your data that are necessary to operate the Services, consistent with the privacy documents referenced in Section V.
VIII. FEEDBACK
If you send us feedback, ideas, or suggestions, you grant us a perpetual, irrevocable, worldwide, royalty-free license to use them without restriction or obligation to you. We appreciate every report and read all of them.
IX. DISCLAIMERS
THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.” TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
Authentication is probabilistic by nature. We publish calibrated confidence precisely so that your policy layer can decide what to do with uncertainty; you are responsible for configuring thresholds, fallbacks, and recovery paths appropriate to the sensitivity of what you protect.
X. LIMITATION OF LIABILITY
TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, REVENUE, DATA, OR GOODWILL, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
EXCEPT FOR YOUR PAYMENT OBLIGATIONS, YOUR INDEMNIFICATION OBLIGATIONS, OR EITHER PARTY'S WILLFUL MISCONDUCT, EACH PARTY'S TOTAL LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS IS LIMITED TO THE GREATER OF (A) THE AMOUNTS YOU PAID US FOR THE SERVICES IN THE TWELVE (12) MONTHS BEFORE THE EVENT GIVING RISE TO LIABILITY AND (B) ONE HUNDRED U.S. DOLLARS (US$100).
XI. INDEMNIFICATION
You will defend and indemnify GrayPass against third-party claims arising from (a) your applications and services, (b) your use of the Services in violation of these Terms or applicable law, or (c) your failure to provide legally required notices to, or obtain legally required consents from, your end users.
XII. TERM AND TERMINATION
These Terms apply for as long as you use the Services. You may stop using the Services at any time. We may suspend or terminate access for material breach that remains uncured fifteen (15) days after notice, or immediately for breaches involving abuse, security, or law.
Upon termination, your license to the SDK and API ends and outstanding fees become due. Sections that by their nature should survive (including IV, V, VII, IX, X, XI, and XIV) survive termination. Data deletion on termination is handled as described in the Data Privacy document.
XIII. CHANGES TO THESE TERMS
We may update these Terms as the Services evolve. If a change is material, we will post the updated Terms here with a new effective date and, for account holders, make reasonable efforts to notify you by email. Continued use of the Services after the effective date constitutes acceptance of the updated Terms.
XIV. GOVERNING LAW AND CONTACT
These Terms are governed by the laws of the State of Delaware, USA, excluding its conflict-of-laws rules. The parties will first attempt in good faith to resolve any dispute informally; unresolved disputes will be brought exclusively in the state or federal courts located in Delaware, and both parties consent to their jurisdiction.
Questions about these Terms: hello@graypass.org. Legal notices to GrayPass must be sent to the same address with the subject “Legal notice.”
THE LEGAL LIBRARY