GRAYPASSDOC/LEGAL-05

GDPR, by design.

Effective June 25, 2026. Roles, lawful bases, and every data-subject right - plus the part most vendors can't say: minimization here is architecture, not paperwork.

I. ROLES

For visitors to this website and users of our hosted demo, GrayPass is the data controller.

For end users of applications that integrate the GrayPass SDK and API, our customer is the controller and GrayPass acts as their processor under Article 28, processing behavioral timing data solely on the customer's documented instructions. Our data-processing agreement (Section VI) governs that relationship.

II. LAWFUL BASES, PER ACTIVITY

  • Behavioral enrollment and verification: explicit consent (Article 6(1)(a), and Article 9(2)(a) to the extent behavioral templates are treated as special-category data). Consent is gated in the SDK, granular, and withdrawable without losing unrelated functionality.
  • Operating the website and demo accounts: performance of a contract (Article 6(1)(b)).
  • Security, abuse prevention, and service integrity: legitimate interests (Article 6(1)(f)), balanced against user rights and documented in our records of processing.
  • Opt-in research data: separate explicit consent, revocable at any time.
  • Legal compliance: Article 6(1)(c) where a law compels processing.

III. MINIMIZATION AND PROTECTION BY DESIGN

GDPR asks for data protection by design and by default (Article 25); GrayPass's architecture is a literal implementation of it:

  • Timings only - the SDK cannot read content, so content is never processed.
  • Raw streams are reduced in-session and discarded; only a salted, purpose-bound template persists.
  • Per-user salts make templates unlinkable across services (purpose limitation, enforced cryptographically).
  • Templates are cancelable, satisfying erasure in a way static biometrics cannot.
  • Decision logs carry reason codes so every automated decision is explainable to a human.

IV. DATA-SUBJECT RIGHTS

EU/EEA, UK, and Swiss users can exercise every GDPR right against us:

  • Access and portability: a copy of your print metadata, decision history, and account data in a machine-readable format (Articles 15, 20).
  • Rectification of account data (Article 16).
  • Erasure: destruction of the template, helper data, and salt within thirty (30) days (Article 17).
  • Restriction and objection, including to any legitimate-interests processing (Articles 18, 21).
  • Withdrawal of consent at any time, with effect going forward (Article 7(3)).
  • Human review of any decision you believe was made solely by automated means with legal or similarly significant effect (Article 22). Reason codes make this review real rather than ceremonial.

Send requests to hello@graypass.org with the subject “GDPR request.” We respond within thirty (30) days. If we act as processor for the application you use, we will route the request to the controller and support their response, as Article 28 requires.

V. INTERNATIONAL TRANSFERS

GrayPass operates from the United States. Transfers of EU/EEA, UK, and Swiss personal data rely on the European Commission's Standard Contractual Clauses (and the UK Addendum / Swiss amendments as applicable), together with the supplementary technical measures documented here: encryption in transit and at rest, per-user salting, and the structural absence of raw behavioral data.

VI. THE DPA AND SUB-PROCESSORS

A data-processing agreement incorporating Article 28 terms and the SCCs is available to every customer - request it at hello@graypass.org.

Sub-processors are limited to hosting, storage, and transactional email, each under equivalent contractual protections. Customers with an executed DPA receive advance notice of sub-processor changes and may object on reasonable data-protection grounds.

VII. BREACH NOTIFICATION

If a personal-data breach occurs, we notify affected controllers without undue delay after becoming aware, with enough detail to meet their Article 33 obligation to notify supervisory authorities within seventy-two (72) hours. Where we are the controller, we notify the competent authority and affected users directly on the same standard.

It is worth restating what a breach can expose here: salted templates that score nothing outside their own account, and reason-coded logs. Raw behavior is not in the database, because it is never stored.

VIII. COMPLAINTS AND CONTACT

Privacy questions and rights requests: hello@graypass.org (subject “GDPR”). We would rather fix a concern directly, but you also have the right to lodge a complaint with your local supervisory authority - for EU residents, the authority of your member state; for UK residents, the Information Commissioner's Office.