Skip to content
What ELARA Collects · 1–3 of 15
Behavioral Signals — Not Raw Biometrics
ELARA does not collect fingerprints, facial images, retinal scans, or voice recordings. ELARA collects derived behavioral signals — patterns of how an identity interacts with systems — not the physical characteristics themselves.
Collection1 / 15Signal Types Collected
ELARA processes: keystroke cadence patterns, mouse movement velocity, session timing sequences, access frequency patterns, device interaction rhythms, and application navigation sequences. These are behavioral — not physiological.
Signal Types2 / 15What ELARA Does Not Collect
ELARA does not store: passwords, credentials, keylogged content, screen captures, audio, video, physical biometric templates, genetic data, or any personally identifiable raw biometric identifier as defined under BIPA, GDPR, or CCPA.
Exclusions3 / 15How Data Is Processed · 4–7 of 15
Ephemeral Processing
Behavioral signals are processed in-memory during the active session scoring window. Raw signal data does not persist beyond the scoring computation. Only the resulting risk score and event metadata are retained.
Processing4 / 15Encryption Standards
All data in transit is encrypted with TLS 1.3. All retained score metadata is encrypted at rest using AES-256. Encryption keys are managed per-tenant and rotated on configurable schedules.
Encryption5 / 15Purpose Limitation
Data processed by ELARA is used exclusively for identity risk scoring within the contracted deployment. ELARA does not use client data to train models for other organizations and does not share signal data across tenants.
Purpose6 / 15Privacy by Design Architecture
ELARA's data minimization and purpose limitation are enforced at the architecture level — not by runtime policy checks. The system is structurally incapable of retaining raw biometric data because the ingestion layer discards it after scoring.
Architecture7 / 15Retention & Deletion · 8–10 of 15
Retention Schedule
Risk score records and session event metadata are retained for 90 days by default. Clients may configure shorter retention windows. Audit logs required for compliance evidence are retained for 12 months unless client policy specifies otherwise.
Retention8 / 15Deletion on Request
Clients may submit a verified deletion request for all data associated with a specific identity. ELARA executes deletion within 72 hours and provides a signed confirmation. This applies to score history, session metadata, and baseline model data for that identity.
Deletion9 / 15Data Portability
On contract termination, ELARA provides a full export of all client-associated data in machine-readable format within 30 days. Following confirmed export, all ELARA-held copies are purged and deletion is certified in writing.
Portability10 / 15Legal & Regulatory Compliance · 11–15 of 15
BIPA (Illinois)
ELARA's behavioral signal processing satisfies BIPA requirements: written policy published, informed consent documented at deployment, retention schedule enforced, and deletion-on-request implemented. No biometric identifiers are sold or disclosed.
BIPA11 / 15Texas & Washington State
Compliance with CUBI (Texas) and CWBPA (Washington) biometric privacy statutes. Consent, disclosure, retention, and destruction requirements are addressed in ELARA's deployment agreement and this policy.
State Law12 / 15GDPR Article 9 — Special Categories
ELARA's behavioral signals are not classified as biometric data under GDPR Article 9 because they do not uniquely identify a natural person. Processing is lawful under Article 6(1)(f) — legitimate interest — with a documented balancing test on file.
GDPR13 / 15CCPA / CPRA
ELARA does not sell or share behavioral signal data. Consumer rights — access, deletion, correction, and opt-out of sale — are supported through the deploying organization's data subject request workflow. ELARA provides the technical interface to execute deletion.
CCPA14 / 15Full Legal Policy Document
The complete ELARA Biometric Data Privacy Policy — the formal legal instrument covering all collection, processing, storage, transfer, retention, and deletion obligations — is published here.
15 / 15