This policy explains what data GrayPass collects, why, where it is stored, and the rights you have over it.
It covers the hosted GrayPass service (app.graypass.org, api.graypass.org) and self-hosted deployments.
1. The actors
| Role | Who |
|---|---|
| Data Controller | The GrayPass customer (tenant) for end-user data collected via GrayPass. |
| Data Processor | GrayPass - we process behavioural signals on the customer's behalf. |
| End-user | The natural person whose behaviour is being scored. |
| Operators | Aditya Ranjan and Arav Mathur, GrayPass founders. |
A Data Processing Agreement (DPA) is available for B2B contracts in the EU, UK, and California.
2. What we collect
From the customer (tenant)
- Account: name, contact email, billing email, plan tier.
- Authentication: API key public + hashed secret. Plaintext secrets are never stored.
- Webhook configurations: target URL + signing secret (encrypted at rest).
- Audit log: privileged actions (key creation, policy changes, session kills).
From the end-user - passive behavioural signals
GrayPass scores identity from statistical summaries of typing, pointer, scroll, focus, and optional gaze. We collect none of:
- The text the user typed, URLs visited, or page contents.
- Screen captures, audio, video, or microphone input.
- Location, IP geolocation, contacts, or unrelated device sensors.
On the user's device, in 5-15 second windows, we derive timing and kinematic statistics only - not raw coordinates or key identities. These reduce to a 54-dimensional feature vector; only the vector and an opaque session ID leave the device.
Derived telemetry (server-side)
- Trust score and state for active sessions.
- Per-user behavioural template (64-D embedding + cancelable projection).
- Short-lived authorization tokens for replay detection.
3. Why we collect it
| Purpose | Lawful basis (GDPR) |
|---|---|
| Provide and operate the service | Contract (Art. 6(1)(b)) |
| Detect account compromise / fraud | Legitimate interest (Art. 6(1)(f)) |
| Issue and verify auth tokens | Contract |
| Diagnose outages, ensure security | Legitimate interest |
| Transactional email (billing, security) | Contract |
We do not sell, rent, share, or barter end-user behavioural data. Production templates are scoped to a single tenant.
3a. Research donations (opt-in only)
An optional demo/SDK toggle lets end users donate a pseudonymised summary vector for model improvement. It is disabled by default, requires explicit user consent, stores summary vectors only (never raw events), and is purged after 365 days.
4. End-user rights
If you use a website that integrates GrayPass, contact that website (the tenant) to access, delete, or rotate your behavioural template. GrayPass cannot map templates to natural persons - that mapping lives in the tenant's user database. Tenants should call DELETE /v1/users/{email} on your behalf.
5. Where data lives
- Hot storage: Postgres on AWS RDS (us-east-2). Templates encrypted at rest (Fernet).
- Cache / sessions: Redis on AWS ElastiCache (us-east-2), TLS in transit.
- Logs: CloudWatch Logs, 30-day default retention.
- Backups: Nightly RDS snapshots, 14-day retention.
EU data residency via single-tenant deployment in eu-west-1 is available on request.
6. Retention
| Data class | Retention |
|---|---|
| Behavioural templates | Until tenant deletes user or rotates; inactive purged after 90 days. |
| Active sessions (Redis) | 1 hour from last frame. |
| Auth tokens | 5 minutes default. |
| API usage logs | 90 days. |
| Audit log | 7 years. |
| Webhook DLQ | 30 days. |
7. Security
TLS 1.2+ everywhere, HMAC-signed tokens, cancelable templates, per-tenant signing secrets, SSRF guard on webhooks, and fail-closed trust enforcement. Report vulnerabilities to public@graypass.org.
8. Sub-processors
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Compute, database, cache, storage, logs | us-east-2 |
| Stripe | Subscription billing | US |
| GitHub | Source control, CI/CD | US |
9. Children
GrayPass is not designed for users under 16. Do not enrol children without verifiable parental consent.
10. Changes
Material changes are announced ≥30 days in advance via email to billing contacts and a banner on app.graypass.org.
11. Contact
- Privacy:
hello@graypass.org - Security:
public@graypass.org - Founders: Aditya Ranjan, Arav Mathur