Terms and Conditions

Last updated: 11 January 2026

BY USING CONSENTPROOF, YOU AGREE TO BE LEGALLY BOUND BY THESE TERMS. THESE TERMS CONTAIN IMPORTANT LIMITATIONS ON OUR LIABILITY, REQUIRE BINDING ARBITRATION OF DISPUTES, AND WAIVE YOUR RIGHT TO JURY TRIAL AND CLASS ACTIONS. IF YOU DO NOT AGREE, DO NOT USE THE SERVICE.

1. Introduction and Acceptance

1.1 The Parties

These Terms and Conditions ("Terms") constitute a legally binding agreement between:

Oventro Technologies Ltd (trading as "ConsentProof")
Company Number: 16737923
Registered Office: 14 Albemarle Street, London, W1S 4HL, United Kingdom
("we", "us", "our", "ConsentProof", or "the Company")

and

You ("you", "your", "Customer", or "Client")

1.2 Acceptance and Agreement

By: (a) creating an account, (b) accessing our API, (c) using our dashboard, (d) clicking "I agree" or any similar button, (e) accessing our website at https://consentproof.io, or (f) otherwise using any part of the ConsentProof service, you expressly agree to be legally bound by these Terms in their entirety without modification.

1.3 Binding Acknowledgment

You acknowledge and expressly agree that:

  • (a) You have read these Terms in full;
  • (b) You understand these Terms completely;
  • (c) You accept all risks, limitations, and exclusions contained herein;
  • (d) You have had the opportunity to seek independent legal advice;
  • (e) You enter into these Terms voluntarily and with full knowledge;
  • (f) These Terms represent the entire agreement between us;
  • (g) You waive any right to claim these Terms are unfair, unreasonable, or unenforceable.

1.4 No Use Without Agreement

If you do not agree to these Terms in their entirety, you must immediately cease all use of the Service and may not create an account, access the API, or use ConsentProof in any way.

1.5 Corporate Authority

If you are accepting these Terms on behalf of a company, organization, partnership, or other legal entity:

  • (a) You represent and warrant that you have full legal authority to bind such entity;
  • (b) References to "you" include both you personally and the entity you represent;
  • (c) Both you personally and the entity are jointly and severally liable under these Terms;
  • (d) You personally guarantee the entity's obligations under these Terms.

1.6 Age and Capacity

You represent and warrant that:

  • (a) You are at least 18 years old;
  • (b) You have full legal capacity to enter into binding contracts;
  • (c) You are not prohibited from using the Service under UK law or the laws of your jurisdiction;
  • (d) You are not located in a sanctioned jurisdiction.

1.7 Proof of Acceptance

CRITICAL NOTICE: We record and store cryptographic proof of your acceptance of these Terms using our own ConsentProof technology. This creates tamper-evident evidence that you agreed to these Terms, including the timestamp, IP address, user agent, and a cryptographic hash of these Terms. This proof may be used as evidence in any dispute. By using the Service, you expressly consent to this recording and storage.

2. Definitions

  • 2.1 "Service" means the ConsentProof API, dashboard, documentation, website (https://consentproof.io), PDF generation functionality, cryptographic proof system, and all associated services, tools, and features provided by ConsentProof.
  • 2.2 "Consent Record" means a cryptographically signed, tamper-evident record of user consent captured and stored through the Service, including but not limited to: timestamp (UTC), IP address, user identifier, consent text, consent version, consent type, user agent, geolocation data (if provided), custom metadata, and cryptographic proof hash.
  • 2.3 "PDF Consent Certificate" means the portable document format (PDF) file generated by the Service containing a formatted, human-readable representation of a Consent Record, including the cryptographic proof hash, visual formatting, and metadata, which we generate and store on your behalf.
  • 2.4 "API" means the application programming interface provided by ConsentProof, including all endpoints, SDKs, libraries, code examples, and integration tools.
  • 2.5 "Dashboard" means the web-based user interface accessible at https://consentproof.io/dashboard for managing your Account, viewing Consent Records, generating reports, and accessing Service features.
  • 2.6 "Account" means your registered user account with ConsentProof, including your credentials, API keys, settings, and associated data.
  • 2.7 "Subscription Plan" or "Plan" means the pricing tier you have selected: Free, Starter, Pro, Business, or Enterprise, as described at https://consentproof.io/pricing.
  • 2.8 "Consent Limit" means the maximum number of Consent Records you may store per calendar month under your Subscription Plan.
  • 2.9 "Your Data" means any and all data, content, information, records, or materials you submit to, upload to, transmit through, or store via the Service, including Consent Records, configuration data, user identifiers, metadata, and any other information.
  • 2.10 "Documentation" means all technical documentation, user guides, API specifications, integration guides, best practices, code examples, and other materials provided by ConsentProof at https://consentproof.io/docs or otherwise.
  • 2.11 "Cryptographic Proof" means the tamper-evident hash generated using cryptographic algorithms (currently SHA-256 or stronger) to create mathematical proof that a Consent Record has not been altered since creation.
  • 2.12 "Third Party Services" means services provided by entities other than ConsentProof, including but not limited to Stripe (payment processing), hosting providers, content delivery networks, and any other sub-processors.
  • 2.13 "Intellectual Property" means all patents, trademarks, service marks, trade names, copyrights, trade secrets, know-how, moral rights, rights of publicity, database rights, and any other intellectual property rights, whether registered or unregistered.

3. The Service - Detailed Description

3.1 What ConsentProof Provides

ConsentProof is a developer-first, technical infrastructure service that provides:

  • (a) Consent Recording: RESTful API endpoints to record user consent events with cryptographic timestamping;
  • (b) Cryptographic Proof Generation: Creation of tamper-evident cryptographic hashes using SHA-256 (or stronger algorithms) proving consent records have not been modified since creation;
  • (c) Secure Data Storage: Enterprise-grade secure storage of Consent Records in encrypted database infrastructure for the duration of your subscription;
  • (d) PDF Generation: Automated creation of PDF Consent Certificates containing formatted consent information, cryptographic proof, and visual presentation (generated on a best-effort basis, typically within seconds);
  • (e) PDF Storage: Long-term storage of generated PDF files accessible via the API and Dashboard;
  • (f) Developer-First API: RESTful HTTPS API designed for straightforward integration, with comprehensive documentation, code examples, SDKs, and developer tools;
  • (g) Dashboard Interface: Web-based interface for viewing, searching, filtering, exporting, and managing Consent Records;
  • (h) Comprehensive Audit Trail: Detailed logging of all consent events, API calls, and system activities with timestamps and cryptographic integrity;
  • (i) Data Export: Ability to export Consent Records in multiple formats (JSON, CSV, PDF) for your own records and compliance purposes;
  • (j) Verification System: Tools and API endpoints to verify the cryptographic integrity of Consent Records;
  • (k) Webhook Notifications: Real-time HTTP webhook notifications of consent events for integration into your systems (optional feature);
  • (l) Rate Limiting: API rate limits to ensure system stability, security, and fair usage across customers;
  • (m) Multi-Regulation Infrastructure Support: Infrastructure designed with features to support compliance requirements across multiple global privacy regulations including GDPR, CCPA, LGPD, PIPA, and other privacy frameworks.

3.2 Technical Specifications

The Service operates with the following technical characteristics:

  • (a) Cryptographic Algorithm: Currently SHA-256 cryptographic hashing (may be upgraded to SHA-3, SHA-512, or stronger algorithms without notice as security best practices evolve);
  • (b) Timestamp Format: Coordinated Universal Time (UTC) timestamps in ISO 8601 format for international consistency;
  • (c) Data Format: JSON for API requests and responses; PDF for consent certificates;
  • (d) API Protocol: RESTful HTTPS API with JSON payloads and standard HTTP methods (GET, POST, PUT, DELETE);
  • (e) Authentication: API key-based authentication with secure token management and optional additional security features;
  • (f) Encryption Standards:
    • TLS 1.2 or higher for all data in transit
    • AES-256 (or equivalent strength) encryption for data at rest
    • Encrypted database storage
  • (g) Geographic Storage: Data stored in UK and/or EU data centers to support GDPR and international data transfer requirements;
  • (h) Backup Procedures: Automated daily backups (best effort, not guaranteed for all scenarios);
  • (i) API Rate Limits: Variable rate limits based on Subscription Plan (subject to change for security and performance reasons);
  • (j) Security Infrastructure: Enterprise-grade security measures including firewalls, intrusion detection, access controls, and security monitoring.

3.3 What ConsentProof IS - Service Capabilities

3.3.1 Compliance Infrastructure (What the Service Provides)

ConsentProof IS:

(a) A GDPR-Compliant Data Processor: ConsentProof as a service operates in compliance with the UK General Data Protection Regulation (UK GDPR) and EU General Data Protection Regulation (EU GDPR). We process personal data in accordance with data protection law, implement appropriate technical and organizational security measures as required by Article 32 GDPR, act as a compliant data processor under Article 28, and maintain data processing records as required by Article 30.

(b) CCPA-Ready Infrastructure: ConsentProof provides infrastructure features designed to support California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) compliance requirements, including:

  • The ability to record consumer consent and opt-in/opt-out preferences
  • API endpoints to retrieve consumer data for access requests
  • Deletion capabilities to support consumer deletion requests
  • Audit trails to demonstrate compliance efforts

(c) LGPD-Compatible Infrastructure: ConsentProof supports Lei Geral de Proteção de Dados (LGPD - Brazil's General Data Protection Law) compliance needs through:

  • Consent management and recording capabilities
  • Data subject rights features (access, deletion, portability)
  • Audit trails and proof of consent mechanisms
  • Infrastructure aligned with LGPD requirements

(d) PIPA-Supportive Infrastructure: ConsentProof infrastructure supports Personal Information Protection Act (PIPA - South Korea's privacy law) requirements including:

  • Consent management and documentation
  • Data subject rights support
  • Data handling and security measures
  • Accountability features through audit trails

(e) Global Privacy Regulation Infrastructure: ConsentProof is designed to help businesses manage consent and privacy workflows across various global privacy regulations, providing infrastructure that can be configured to support requirements of:

  • GDPR (European Union and United Kingdom)
  • CCPA / CPRA (California, USA)
  • LGPD (Brazil)
  • PIPA (South Korea)
  • And other privacy frameworks as applicable to your business

(f) Enterprise-Grade Security: ConsentProof implements security measures consistent with industry standards for SaaS platforms, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Security monitoring and logging
  • Regular security assessments
  • Compliance with security best practices

(g) Developer-First Platform: ConsentProof provides developer-friendly tools including:

  • Well-documented RESTful API
  • Code examples and integration guides
  • SDKs and libraries (where available)
  • Clear error messages and responses
  • Developer support resources

(h) Cryptographic Tamper-Evidence: ConsentProof uses SHA-256 cryptographic hashing to create tamper-evident proof that consent records have not been altered since creation, providing a mathematical verification mechanism.

(i) "Stripe for Consent Management": ConsentProof provides simple, developer-focused infrastructure for consent management, similar to how Stripe simplified payment processing.

3.3.2 Critical Disclaimers - What ConsentProof Is NOT

YOU EXPRESSLY ACKNOWLEDGE, UNDERSTAND, AND AGREE THAT:

(a) NOT LEGAL ADVICE OR LEGAL SERVICES

ConsentProof is a technical infrastructure tool only. We do not provide, and the Service does not constitute:

  • Legal advice or legal consultation
  • Legal services or legal representation
  • Compliance consulting or regulatory advice
  • Data protection advisory services
  • Opinions on the legality of your practices
  • Guidance on how to comply with specific laws

We are not solicitors, barristers, attorneys, legal professionals, or compliance consultants. Nothing in the Service, Documentation, website, marketing materials, or any communication from us constitutes legal advice or legal services.

(b) NOT A GUARANTEE OF YOUR LEGAL COMPLIANCE

CRITICAL UNDERSTANDING:

While ConsentProof as a Service operates in compliance with GDPR, provides CCPA-ready features, supports LGPD requirements, and offers PIPA-compatible infrastructure, use of ConsentProof does NOT automatically guarantee, ensure, certify, or establish that YOUR business, website, application, data processing activities, or operations are compliant with GDPR, CCPA, LGPD, PIPA, or any other law or regulation.

Why Using ConsentProof Doesn't Automatically Make You Compliant:

Legal compliance with privacy regulations requires far more than using compliant infrastructure tools. You must:

For GDPR Compliance, you must:

  • Establish lawful bases for all personal data processing (Article 6)
  • Implement privacy by design and by default (Article 25)
  • Conduct Data Protection Impact Assessments where required (Article 35)
  • Appoint a Data Protection Officer if required (Article 37)
  • Maintain detailed records of processing activities (Article 30)
  • Implement appropriate security measures in your own systems (Article 32)
  • Have data breach notification procedures (Articles 33-34)
  • Honor all data subject rights (Articles 15-22)
  • Provide comprehensive privacy notices (Articles 13-14)
  • Obtain valid consent where consent is your lawful basis (Article 7)
  • Ensure consent is freely given, specific, informed, and unambiguous
  • Make consent withdrawal as easy as giving consent

For CCPA Compliance, you must:

  • Provide compliant privacy notices at collection
  • Honor consumer rights (access, deletion, opt-out, non-discrimination)
  • Implement "Do Not Sell My Personal Information" mechanisms
  • Maintain service provider agreements
  • Respond to consumer requests within required timeframes
  • Train personnel on CCPA requirements
  • Conduct regular compliance audits

For LGPD Compliance, you must:

  • Establish legal bases for processing
  • Provide clear information to data subjects
  • Honor data subject rights
  • Implement security measures
  • Report data breaches to authorities
  • Maintain processing records
  • Appoint a data protection officer where required

For PIPA Compliance (South Korea), you must:

  • Obtain meaningful consent for collection and use of personal information
  • Provide clear notice of collection and use purposes
  • Limit collection to necessary purposes
  • Implement security measures
  • Honor individual rights (access, correction, deletion)
  • Appoint a personal information protection officer where required
  • Comply with cross-border transfer requirements

The Service Provides Infrastructure; You Provide Compliance:

ConsentProof provides the technical infrastructure and tools (consent storage, cryptographic proof, audit trails, data retrieval APIs). However, YOU are responsible for:

  • Understanding which regulations apply to your business
  • Implementing proper consent collection mechanisms on your websites/apps
  • Writing legally compliant consent text and privacy notices
  • Ensuring consent is obtained properly before recording it
  • Honoring all user/consumer rights requests
  • Implementing your own security and privacy measures
  • Training your staff on compliance requirements
  • Conducting required assessments and audits
  • Responding to regulatory inquiries
  • Maintaining overall compliance programs

Helpful Analogy: Using a GDPR-compliant email service doesn't automatically make your email marketing GDPR-compliant - you still need proper consent, unsubscribe mechanisms, transparent privacy notices, and lawful processing. Similarly, ConsentProof is compliant infrastructure that supports your compliance efforts, but does not replace your legal obligations or guarantee your compliance.

(c) NOT A COMPLETE PRIVACY/CONSENT SOLUTION

ConsentProof stores and manages consent records, but does NOT:

  • Provide cookie consent banners or consent management interfaces for your website
  • Replace your obligation to obtain valid, informed, freely-given, specific, and unambiguous consent
  • Design or implement consent collection mechanisms for you
  • Ensure your consent request wording is legally compliant
  • Guarantee the legal validity or enforceability of consents you collect
  • Automatically handle consent withdrawal mechanisms (you must build these)
  • Monitor whether you honor user rights requests
  • Ensure you provide adequate privacy notices
  • Replace your privacy policy or terms of service

You must implement consent collection interfaces, privacy notices, and user rights mechanisms in your own systems.

(d) NOT A LEGAL DEFENSIBILITY GUARANTEE

While Consent Records include cryptographic proofs using SHA-256 hashing and are designed to be tamper-evident, we make absolutely NO guarantee, representation, or warranty that:

  • Consent records will be accepted as valid evidence in any legal proceeding, court, tribunal, arbitration, or regulatory investigation
  • Courts, regulators, or authorities will deem our records admissible, reliable, or probative
  • Cryptographic proofs will be considered legally sufficient or technically reliable by any authority
  • PDF Consent Certificates will be accepted by regulators (ICO, FTC, ANPD, PIPC, etc.), courts, or data subjects
  • Consent records will protect you from regulatory fines, enforcement actions, or legal claims
  • Our tamper-evident mechanisms meet evidentiary standards in any jurisdiction
  • The records will demonstrate you obtained "valid consent" under any regulation

Acceptance of evidence is determined by courts, regulators, and legal processes - not by us.

(e) NOT A SUBSTITUTE FOR LEGAL COUNSEL

You should consult with qualified legal professionals (solicitors, barristers, attorneys, privacy lawyers, compliance consultants) regarding:

  • Which privacy regulations apply to your business operations
  • Whether you need to obtain consent under applicable laws
  • How to properly obtain, document, and manage consent
  • What specific information must be included in consent requests and privacy notices
  • How to handle consent withdrawal and data subject/consumer rights requests
  • Whether ConsentProof is suitable and sufficient for your specific use case and legal requirements
  • Your overall data protection, privacy, and compliance strategy
  • Compliance with GDPR, CCPA, LGPD, PIPA, and any other applicable regulations
  • How to respond to regulatory investigations or enforcement actions
  • Whether your consent mechanisms meet legal requirements

We strongly recommend obtaining legal advice before relying on ConsentProof for compliance purposes.

(f) NOT A VALIDATOR OF YOUR PRACTICES

ConsentProof provides infrastructure to store what you send us. We do NOT:

  • Validate whether the consents you record are legally valid
  • Verify that you obtained proper consent before recording it in our system
  • Review or approve your consent request wording for legal compliance
  • Ensure your consent collection methods are compliant with regulations
  • Monitor whether you are using the Service lawfully or ethically
  • Audit your data processing activities for compliance
  • Take any responsibility for the legality of how you use the Service
  • Guarantee that your privacy practices are adequate

You are solely responsible for ensuring you collect and record only valid, lawful consents.

(g) NOT A GUARANTEE OF OUTCOMES

We do NOT guarantee that:

  • Use of ConsentProof will prevent legal claims, lawsuits, or regulatory actions against you
  • You will successfully defend against regulatory investigations by the ICO, FTC, ANPD, PIPC, or other authorities
  • Data subjects or consumers will accept your consent records as valid
  • Regulators will accept your consent records as proof of compliance
  • Your use of cryptographic proofs will be successful in any legal context
  • You will avoid fines, penalties, or enforcement actions
  • Consent records will resolve disputes in your favor

Legal outcomes depend on many factors beyond the Service.

(h) NOT INSURANCE, INDEMNIFICATION, OR PROTECTION

ConsentProof does NOT:

  • Insure you against regulatory fines, penalties, or enforcement actions
  • Indemnify you for legal claims by data subjects, consumers, or third parties
  • Protect you from costs of regulatory investigations or legal proceedings
  • Cover damages arising from data breaches, security incidents, or compliance failures
  • Provide any form of financial protection or risk transfer
  • Guarantee reimbursement for any losses, damages, or liabilities
  • Act as errors and omissions (E&O) insurance

You should obtain appropriate Professional Indemnity Insurance, Cyber Liability Insurance, and Errors & Omissions Insurance to protect your business.

(i) NOT RESPONSIBLE FOR YOUR INTEGRATION

While we provide a "developer-first" API with documentation and code examples:

  • YOU are solely responsible for correctly integrating the API into your systems
  • YOU must implement proper error handling and edge cases
  • YOU must test your integration thoroughly before production use
  • YOU must follow security best practices when storing and using API keys
  • YOU must implement appropriate retry logic and failover mechanisms
  • WE are not liable for integration errors, bugs in your code, or implementation mistakes
  • WE do not guarantee that integration will be "simple" or "easy" for your specific use case
  • The complexity of integration depends on your technical environment and requirements

Developer-friendly tools reduce integration friction but do not eliminate your responsibility to implement correctly.

(j) "ENTERPRISE-GRADE SECURITY" EXPLAINED

When we refer to "enterprise-grade security," we mean:

  • We implement security measures consistent with industry standards for SaaS platforms
  • We use encryption, access controls, and monitoring as described in Section 9.8
  • We follow security best practices for cloud infrastructure

"Enterprise-grade" does NOT mean:

  • Absolute security or zero risk of breaches
  • Guaranteed protection against all cyber threats
  • Security equivalent to Fortune 500 companies or government agencies
  • Customized security for your specific requirements (unless you have an Enterprise agreement)
  • That breaches are impossible or will never occur

No security system is 100% secure, and we disclaim guarantees of absolute security (see Section 12.2).

(k) PDF GENERATION IS BEST-EFFORT

While we describe PDF generation as "instant" or "automated":

  • PDF generation typically occurs within seconds but is not guaranteed
  • PDF generation may fail due to technical issues, resource constraints, or data problems
  • We use best-effort processes but do not guarantee a 100% success rate
  • PDFs are visual representations and not the authoritative record (the database record is authoritative)
  • PDF formatting may vary based on data content and system state

3.4 Critical Technology Limitations

YOU EXPRESSLY ACKNOWLEDGE AND ACCEPT THE FOLLOWING LIMITATIONS:

(a) Cryptographic Limitations:

  • SHA-256 and other cryptographic algorithms may be broken, compromised, or become obsolete over time
  • Cryptographic security depends on the underlying mathematics remaining secure
  • Future advances in computing (particularly quantum computing) may compromise current cryptographic methods
  • We may change cryptographic algorithms without notice as security best practices evolve
  • Cryptographic tamper-evidence is a technical mechanism, not a legal guarantee
  • Hash collisions, though statistically improbable, are theoretically possible
  • Implementation bugs or vulnerabilities could compromise cryptographic integrity

(b) PDF Limitations:

  • PDF Consent Certificates are visual, human-readable representations only
  • PDFs can be copied, modified, forged, or manipulated by third parties with appropriate tools
  • PDF generation may fail due to technical issues, resource constraints, or malformed data
  • PDFs may not render correctly on all devices, operating systems, or PDF readers
  • We do not guarantee long-term format compatibility as PDF standards evolve
  • PDFs are not the authoritative source of truth (database records are authoritative)

(c) Data Storage Limitations:

  • Data may be lost, corrupted, or become unavailable due to technical failures, natural disasters, cyber attacks, or human error
  • Backups are best-effort and not guaranteed to be successful or restorable in all scenarios
  • We may experience database corruption, hardware failures, or infrastructure issues
  • Storage infrastructure may fail, be compromised by attackers, or become unavailable
  • Data recovery is not guaranteed even with backup systems in place

(d) Timestamp Limitations:

  • Timestamps are based on server clock time, which may drift or be misconfigured
  • Server time synchronization (NTP) may fail or be compromised
  • Timestamps may be challenged, disputed, or questioned in legal proceedings
  • We do not guarantee timestamp accuracy for legal or evidentiary purposes
  • Time zone conversions may introduce errors if not handled correctly
  • Leap seconds and other timing anomalies may affect precision

(e) API Limitations:

  • The API may experience downtime, errors, bugs, performance degradation, or complete failures
  • API responses may be delayed, incomplete, incorrect, or missing
  • API rate limits may prevent you from storing or retrieving data when needed
  • API specifications, endpoints, and request/response formats may change (with or without notice)
  • Backward compatibility is not guaranteed for all API changes
  • Third-party integrations or SDKs may break due to API changes

(f) Multi-Regulation Support Limitations:

CRITICAL UNDERSTANDING:

  • "Support" for multiple regulations means we provide infrastructure features that CAN BE USED in compliance efforts
  • It does NOT mean we guarantee compliance with any specific regulation
  • Features designed for one regulation may not fully satisfy another regulation's specific requirements
  • You must understand the specific requirements of each regulation applicable to YOUR business
  • We do not customize the Service to meet requirements of specific regulations (unless you have an Enterprise agreement with custom terms)
  • Regulatory requirements change over time; we may not update the Service immediately to reflect changes
  • You are responsible for configuring and using the Service in a way that meets your compliance obligations

(g) "Simple Integration" and "Developer-First" Limitations:

  • Integration complexity varies based on your technical environment, existing systems, and requirements
  • "Developer-first" means we prioritize API design and documentation, not that integration is guaranteed to be simple
  • Code examples and documentation are provided as guidance, not as complete production-ready solutions
  • You must adapt examples to your specific use case, security requirements, and environment
  • Integration may require significant development effort depending on your systems
  • We do not provide custom integration services (unless arranged separately)

3.5 Service Modifications

We reserve the absolute and unrestricted right to:

  • (a) Modify, update, change, or alter any aspect of the Service at any time with or without notice;
  • (b) Add or remove features, functionality, or capabilities without notice or compensation;
  • (c) Change technical specifications, cryptographic algorithms, data formats, or security measures without notice;
  • (d) Suspend or discontinue the Service entirely, with or without notice or compensation;
  • (e) Migrate to new infrastructure, databases, hosting providers, or geographic regions without notice;
  • (f) Change API endpoints, request/response formats, authentication methods, or rate limits (with reasonable notice for breaking changes when feasible).

WE SHALL NOT BE LIABLE FOR ANY CONSEQUENCES RESULTING FROM SERVICE MODIFICATIONS, INCLUDING:

  • Integration breakages requiring code changes
  • Data migration issues or temporary unavailability
  • Feature removals or deprecations
  • Performance changes or degradation
  • Need to update your systems to maintain compatibility

3.6 Beta and Experimental Features

From time to time, we may offer features designated as "beta," "alpha," "experimental," "preview," "early access," or similar designations. Such features:

  • (a) Are provided "AS IS" without any warranties whatsoever;
  • (b) May contain significant bugs, errors, defects, or security vulnerabilities;
  • (c) May be modified, discontinued, or removed at any time without notice or compensation;
  • (d) May result in data loss, corruption, security issues, or unavailability;
  • (e) Are used entirely at your own risk with full assumption of all consequences;
  • (f) May never be released as stable, production-ready features;
  • (g) May perform differently than described, documented, or expected;
  • (h) Should not be used for production, mission-critical, or high-risk purposes.

YOU ASSUME ALL RISKS ASSOCIATED WITH USING BETA FEATURES AND AGREE NOT TO RELY ON THEM FOR CRITICAL OPERATIONS.

4. Account Registration and Security

4.1 Account Creation Requirements

To use the Service, you must create an Account by providing:

  • (a) A valid email address;
  • (b) A secure password meeting our requirements;
  • (c) Your full legal name or business name;
  • (d) Accurate business information (if registering as a business);
  • (e) Payment information (for paid Plans);
  • (f) Any other information we reasonably request.

You represent and warrant that all information provided is:

  • Accurate and complete;
  • Current and up-to-date;
  • Truthful and not misleading;
  • Provided with authorization if on behalf of a business.

4.2 Prohibited Account Activities

You must not:

  • (a) Provide false, inaccurate, misleading, or fraudulent information;
  • (b) Impersonate any person, entity, or organization;
  • (c) Use a false name or identity;
  • (d) Create multiple accounts to circumvent Consent Limits or other restrictions;
  • (e) Share your account credentials with others;
  • (f) Allow others to access your Account;
  • (g) Create an Account using automated means (bots, scrapers, etc.);
  • (h) Register an Account for someone else without authorization;
  • (i) Use disposable email addresses or temporary email services;
  • (j) Create an Account if you are under 18 years old.

4.3 Account Security - Your Sole Responsibility

YOU ARE ENTIRELY AND SOLELY RESPONSIBLE FOR:

(a) Maintaining the confidentiality and security of your account credentials, including:

  • Passwords
  • API keys
  • Access tokens
  • Authentication secrets
  • Two-factor authentication devices

(b) All activities that occur under your Account, including:

  • API calls made using your API keys
  • Actions taken through the Dashboard
  • Data submitted or deleted
  • Payment transactions
  • Unauthorized access by third parties

(c) Immediately notifying us at support@consentproof.io if you suspect:

  • Unauthorized access to your Account
  • Compromised credentials
  • Security breaches
  • Suspicious activity

WE ARE NOT RESPONSIBLE FOR ANY LOSSES, DAMAGES, OR LIABILITIES RESULTING FROM:

  • Unauthorized use of your Account
  • Compromised credentials
  • Weak passwords
  • Failure to secure API keys
  • Sharing of credentials
  • Phishing attacks or social engineering

YOU AGREE TO INDEMNIFY US FOR ALL LOSSES ARISING FROM UNAUTHORIZED USE OF YOUR ACCOUNT, WHETHER OR NOT YOU WERE NEGLIGENT IN SECURING YOUR CREDENTIALS.

4.4 Account Termination by You

You may terminate your Account at any time by:

  • (a) Using the account deletion feature in the Dashboard settings;
  • (b) Emailing support@consentproof.io with a termination request;
  • (c) Following the account closure process specified in the Dashboard.

Upon termination by you:

  • (a) Your access to the Service ceases immediately;
  • (b) All licenses granted to you terminate immediately;
  • (c) You remain responsible for all fees accrued up to termination;
  • (d) NO REFUNDS will be provided for any prepaid fees, unused subscription time, or unused Consent Limits;
  • (e) Your Data will be retained for 30 days then permanently deleted (see Section 9.7);
  • (f) You must immediately cease all use of the API and Service;
  • (g) You must delete all API keys and credentials;
  • (h) All of your obligations under these Terms survive termination.

4.5 Account Suspension or Termination by Us

WE RESERVE THE ABSOLUTE RIGHT TO SUSPEND OR TERMINATE YOUR ACCOUNT IMMEDIATELY, WITH OR WITHOUT NOTICE, FOR ANY REASON OR NO REASON, INCLUDING BUT NOT LIMITED TO:

(a) Breach of Terms: Any violation of these Terms, including minor or technical violations;

(b) Payment Issues:

  • Failed payments
  • Chargebacks or payment disputes
  • Suspected fraud
  • Insufficient funds
  • Expired payment methods

(c) Prohibited Use:

  • Using the Service for illegal purposes
  • Storing illegal, harmful, or abusive content
  • Exceeding rate limits or Consent Limits
  • Attempting to circumvent restrictions
  • Reverse engineering or unauthorized access

(d) Security Risks:

  • Your Account is compromised
  • Unusual activity detected
  • Suspected hacking or unauthorized access
  • DDoS attacks or malicious traffic from your Account
  • Security vulnerabilities in your integration

(e) Legal or Regulatory Reasons:

  • Court orders or legal process
  • Regulatory requirements
  • Law enforcement requests
  • Sanctions or embargoes
  • Terms of Service violations reported by third parties

(f) Business Reasons:

  • We cease offering the Service
  • We no longer serve your industry or jurisdiction
  • We determine you are a competitor
  • Reputational risk to our business
  • Any reason we determine appropriate

(g) Risk Management:

  • High-risk customer profile
  • Suspicious activity patterns
  • Association with known bad actors
  • Excessive support burden
  • Abusive behavior toward our staff

UPON TERMINATION OR SUSPENSION BY US:

  • (a) Your access terminates immediately without notice;
  • (b) NO REFUNDS are provided under any circumstances;
  • (c) We may immediately delete Your Data without retention period;
  • (d) All licenses terminate immediately;
  • (e) You must cease all use of the Service;
  • (f) We may publicly disclose the fact and reason for termination;
  • (g) You remain liable for all fees owed and all breaches committed;
  • (h) All indemnification obligations survive indefinitely.

4.6 No Liability for Termination

WE SHALL NOT BE LIABLE FOR ANY DAMAGES, LOSSES, OR CONSEQUENCES ARISING FROM ACCOUNT SUSPENSION OR TERMINATION, INCLUDING:

  • Loss of data
  • Loss of business
  • Loss of revenue or profits
  • Inability to access Consent Records
  • Reputational harm
  • Regulatory consequences
  • Third-party claims

5. Subscription Plans and Consent Limits

5.1 Available Subscription Plans

ConsentProof offers the following Subscription Plans as detailed at https://consentproof.io/pricing:

Plan | Monthly | Annual (15% off) | Consent Limit | Overage Rate
Starter | £0 | £0 | 500 consents | N/A (hard limit)
Pro | £49 | £499.80 | 10,000 consents | £0.005/consent
Business | £149 | £1,519.80 | 50,000 consents | £0.003/consent
Enterprise | £999 | £10,189.80 | 500,000 consents | Custom

5.2 Plan Features

All Plans include:

  • API access
  • Dashboard access
  • Cryptographic proof generation using SHA-256
  • PDF Consent Certificate generation and storage
  • Email support (response times vary by plan)
  • Data export functionality
  • Webhook notifications (where available)

Enterprise Plans may include:

  • Custom consent limits
  • Dedicated support with dedicated contact
  • Service Level Agreements (SLA)
  • Custom contract terms
  • Premium features

5.2.1 Support Response Times

Support response times are based on your subscription plan:

Support Tier | Plans | Response Time
Standard Support | Free, Starter, Pro | Within 48 business hours
Priority Support | Business | Within 24 business hours
Dedicated Support | Enterprise | Within 4 business hours + dedicated contact

Business Hours: Monday to Friday, 9:00 AM to 5:00 PM GMT/BST (excluding UK public holidays).

Response times are targets and not guaranteed SLAs unless you have an Enterprise agreement with specific SLA terms. Response time refers to initial acknowledgment of your support request, not resolution time.

5.3 Starter Plan Terms

The Starter plan is free forever with the following terms:

  • (a) Free Access: The Starter plan is completely free with no credit card required;
  • (b) Hard Limit: The Starter plan has a hard limit of 500 consents per month with no overage option;
  • (c) Features: The Starter plan includes basic API access, PDF receipts, and email support;
  • (d) Upgrade Anytime: You may upgrade to a paid plan at any time through the Dashboard;
  • (e) One Account Per Customer: Free Starter accounts are limited to one per customer and one per business entity. You may not create multiple accounts to circumvent consent limits;
  • (f) Abuse Prevention: We reserve the right to suspend or terminate accounts that abuse the free Starter plan.

5.4 Consent Limit Enforcement

When you reach your monthly Consent Limit:

  • (a) Notification: You will receive an automated email notification to your registered email address;
  • (b) API Rejection: The API will reject any further consent storage requests with an HTTP error response (typically 429 Too Many Requests or 403 Forbidden);
  • (c) Existing Data: All existing Consent Records remain fully accessible via the API and Dashboard;
  • (d) Upgrade Required: To continue storing new consents, you must upgrade to a higher-tier plan through the Dashboard;
  • (e) No Obligation: We have no obligation to store consents exceeding your limit, provide grace periods or buffer capacity, temporarily increase your limit, or preserve rejected consent requests;
  • (f) Monthly Reset: Consent Limits reset on the first day of each calendar month (UTC timezone);
  • (g) Overage Policy: Pro and Business plans include overage pricing (see pricing table above). Starter plan users must upgrade to continue storing consents after reaching the limit.

YOU ACKNOWLEDGE THAT:

  • Reaching your Consent Limit may disrupt your business operations
  • You are solely responsible for monitoring your usage
  • We are not liable for any consequences of reaching your limit
  • You should upgrade proactively before reaching limits

5.5 Plan Upgrades

You may upgrade your Subscription Plan at any time through the Dashboard. Upgrades are processed as follows:

  • (a) Immediate Effect: Upgrades take effect immediately upon payment;
  • (b) Prorated Billing: You will be charged a prorated amount for the remainder of your current billing cycle at the new plan rate;
  • (c) Consent Limit: Your new, higher Consent Limit becomes available immediately;
  • (d) No Refund: No refund or credit is provided for the unused portion of your previous plan.

5.6 Plan Downgrades

You may downgrade your Subscription Plan through the Dashboard. Downgrades are processed as follows:

  • (a) Effective Date: Downgrades take effect at the start of your next billing cycle, not immediately;
  • (b) No Prorated Refund: No refund, credit, or prorated amount is provided for the current billing cycle;
  • (c) Data Retention: If you downgrade to a plan with a lower Consent Limit than your current stored data: you will not be able to store new consents until your usage falls below the new limit, we may delete older Consent Records to bring you into compliance, we will provide 7 days' notice before deleting data (if feasible), and you should export your data before downgrading;
  • (d) Feature Loss: You may lose access to certain features available only on higher-tier plans.

5.7 Enterprise Plans

Enterprise plans with custom pricing, custom terms, and custom Consent Limits are available by contacting sales@consentproof.io.

  • (a) Enterprise terms will be documented in a separate written agreement;
  • (b) Where there is conflict between these Terms and an Enterprise agreement, the Enterprise agreement controls;
  • (c) Enterprise pricing and terms are confidential and may not be disclosed;
  • (d) Enterprise customers may have additional or different obligations.

5.8 Plan Modifications by Us

We reserve the right to:

  • (a) Add, modify, or remove Subscription Plans at any time;
  • (b) Change plan features, limits, or pricing with 30 days' notice to existing customers;
  • (c) Discontinue any plan with 60 days' notice;
  • (d) Migrate you to a different plan if yours is discontinued;
  • (e) Adjust Consent Limits based on fair usage policies.

If we materially change your plan terms, you may cancel within 30 days of notice, but no refund will be provided.

6. Fees, Billing, and Payment

6.1 Pricing

Current pricing for all Subscription Plans is published on our website at https://consentproof.io/pricing. All prices are:

  • (a) In British Pounds Sterling (£ GBP);
  • (b) Exclusive of VAT and other taxes;
  • (c) Subject to change in accordance with Section 6.2;
  • (d) Non-negotiable except for Enterprise plans.

6.2 Price Changes

We reserve the right to change our pricing at any time. For existing customers:

  • (a) Notice Period: We will provide at least 30 days' advance written notice of any price increase via email;
  • (b) Effective Date: New pricing will apply at the start of your next billing cycle following the notice period;
  • (c) Acceptance: Continued use of the Service after the price change constitutes acceptance of the new pricing;
  • (d) Right to Cancel: If you do not accept the new pricing, your sole remedy is to cancel your subscription before the new prices take effect (no refund will be provided);
  • (e) No Negotiation: Price changes are non-negotiable and apply to all customers equally (except Enterprise customers with specific contractual terms).

Price decreases, if any, may be applied at our discretion without notice.

6.3 Billing Cycles

Subscriptions are billed as follows:

(a) Monthly Subscriptions:

  • Billed monthly in advance
  • Charged on the same day each month (or last day of month if original sign-up was on 29th-31st)
  • Renew automatically unless canceled

(b) Annual Subscriptions:

  • Billed annually in advance
  • 15% discount applied compared to monthly pricing
  • Charged on the anniversary of your original sign-up date
  • Renew automatically unless canceled

(c) Billing Date: Your billing date is established on your first payment and remains consistent thereafter.

6.4 Payment Processing

  • (a) Payment Processor: All payments are processed by Stripe, Inc., a third-party payment processor. We do not directly handle or store your payment card information;
  • (b) Authorization: By providing payment information, you authorize us to charge your designated payment method for subscription fees, upgrade fees, renewal fees, and any other fees owed under these Terms;
  • (c) Valid Payment Method: You must provide and maintain a current, valid, and accepted payment method. Accepted methods include credit cards (Visa, Mastercard, American Express), debit cards, and other payment methods as made available by Stripe;
  • (d) Accurate Information: You must provide accurate, current, and complete payment information, including card number, expiration date, CVV/security code, billing address, and cardholder name;
  • (e) Update Obligation: You must promptly update your payment information if it changes or becomes invalid (e.g., card expiration, change of billing address);
  • (f) Stripe Terms: Your payment is also subject to Stripe's terms and conditions and privacy policy. We are not responsible for Stripe's services or policies.

6.5 Failed Payments and Collections

If a payment fails for any reason:

  • (a) Retry Attempts: We will automatically attempt to process the payment again according to Stripe's retry logic (typically multiple times over 7-14 days);
  • (b) Notification: You will receive email notifications of failed payments;
  • (c) Grace Period: You will have 7 days from the first failed payment attempt to update your payment method;
  • (d) Service Suspension: If payment fails for 7 consecutive days, your access to the Service will be suspended, API requests will be rejected, you cannot store new Consent Records, and existing data remains stored but inaccessible;
  • (e) Account Termination: If payment fails for 14 consecutive days, your Account will be terminated, Your Data may be permanently deleted, and you will be banned from creating new accounts;
  • (f) Outstanding Liability: You remain fully liable for all unpaid fees, late fees and interest (see Section 6.9), collection costs and legal fees, and any damages caused by non-payment;
  • (g) Collections: We may refer your account to a debt collection agency or pursue legal action to recover unpaid amounts. You agree to pay all collection costs, including reasonable attorneys' fees.

6.6 Taxes and Duties

  • (a) Exclusive of Tax: All fees stated are exclusive of all taxes, duties, levies, tariffs, and governmental charges (collectively, "Taxes");
  • (b) Your Responsibility: You are solely responsible for paying all Taxes associated with your use of the Service, including but not limited to Value Added Tax (VAT), Goods and Services Tax (GST), sales tax, withholding tax, and import duties;
  • (c) VAT Collection: If we are legally required to collect VAT, we will charge VAT at the applicable rate on top of subscription fees, you will be invoiced for the VAT amount, and VAT-registered businesses must provide a valid VAT number;
  • (d) Tax Exemption: If you claim tax exemption, you must provide valid tax exemption certificates, proof of exemption status, and any required documentation;
  • (e) Tax Changes: We may adjust tax treatment if laws change or if your tax status changes.

6.7 Disputed Charges

  • (a) Dispute Period: If you dispute any charge, you must notify us in writing at support@consentproof.io within 30 days of the charge appearing on your statement;
  • (b) Required Information: Disputes must include your account email, transaction date and amount, specific reason for dispute, and supporting documentation;
  • (c) Late Disputes: Failure to dispute a charge within 30 days constitutes full acceptance of the charge and waiver of any right to dispute;
  • (d) Chargebacks: If you initiate a chargeback with your payment card issuer, we may immediately terminate your Account, pursue collection of the disputed amount plus chargeback fees, ban you from future use of the Service, and you waive any right to claim the chargeback was valid if you did not first contact us;
  • (e) Investigation: We will investigate valid disputes and respond within 30 days.

6.8 NO REFUNDS POLICY

ALL FEES PAID TO CONSENTPROOF ARE STRICTLY NON-REFUNDABLE UNDER ANY AND ALL CIRCUMSTANCES.

WE DO NOT PROVIDE REFUNDS, CREDITS, OR PRORATED AMOUNTS FOR:

  • (a) Partial months or partial years of service;
  • (b) Unused subscription time;
  • (c) Unused Consent Limits or capacity;
  • (d) Account downgrades;
  • (e) Account terminations (whether by you or by us);
  • (f) Account suspensions;
  • (g) Service unavailability, downtime, or outages of any duration;
  • (h) Dissatisfaction with the Service;
  • (i) Change of mind after purchasing;
  • (j) Technical issues or bugs;
  • (k) Failed integrations or implementation challenges;
  • (l) Breach of these Terms by you;
  • (m) Force majeure events;
  • (n) Changes to the Service or features;
  • (o) Discontinuation of features or the entire Service;
  • (p) Your failure to use the Service;
  • (q) Your misunderstanding of Service capabilities;
  • (r) Changes in your business needs;
  • (s) Regulatory changes affecting your business;
  • (t) Data loss or corruption;
  • (u) Security incidents;
  • (v) Any other reason whatsoever, whether listed here or not.

BY SUBSCRIBING TO ANY PAID PLAN, YOU EXPRESSLY ACKNOWLEDGE AND AGREE TO THIS NO-REFUND POLICY AND WAIVE ANY RIGHT TO REQUEST, DEMAND, OR PURSUE A REFUND THROUGH US, YOUR PAYMENT CARD ISSUER, STRIPE, OR ANY COURT OR AUTHORITY.

Consumer Rights Notice (UK Customers Only): If you are a consumer in the UK, you have a legal right to cancel within 14 days of first purchasing a subscription (the "cooling-off period") under the Consumer Contracts Regulations 2013. However, if you access or use the Service during this 14-day period, you expressly agree that we begin providing the Service immediately and you waive your right to cancel and receive a refund. The 14-day right to cancel does NOT apply to renewals, only to initial purchases.

6.9 Late Payments and Interest

Any amounts not paid when due shall:

  • (a) Accrue interest at a rate of 4% above the Bank of England base rate per annum from the due date until payment is received in full;
  • (b) Be subject to late payment fees of £25 per month;
  • (c) Result in suspension or termination of your Account;
  • (d) Be referred to collections;
  • (e) Incur collection costs, legal fees, and court costs, all payable by you.

Interest and fees accrue daily and compound monthly.

7. Your Responsibilities and Acceptable Use

7.1 Your Sole and Exclusive Responsibilities

YOU ARE SOLELY, EXCLUSIVELY, AND COMPLETELY RESPONSIBLE FOR:

(a) Legal Compliance: Ensuring your use of the Service, your data processing activities, and your consent collection practices comply with all applicable laws, regulations, and industry standards, including UK GDPR, EU GDPR, Data Protection Act 2018, PECR, CCPA/CPRA, LGPD, PIPA, consumer protection laws, advertising and marketing laws, industry-specific regulations, and terms of service of platforms where you operate.

(b) Obtaining Valid Consent: Obtaining valid, informed, freely-given, specific, unambiguous, and lawful consent from your users, including providing clear consent requests, ensuring consent is freely given without coercion, using affirmative opt-in mechanisms, obtaining separate consent for different processing purposes, obtaining parental consent for minors where required, and making consent as easy to withdraw as to give.

(c) Consent Collection Mechanisms: Designing, implementing, testing, and maintaining proper consent collection interfaces, including cookie banners, privacy preference centers, sign-up forms, terms acceptance mechanisms, marketing consent opt-ins, and third-party data sharing consent requests.

(d) Privacy Notices and Transparency: Providing clear, comprehensive, and legally compliant privacy notices to your users.

(e) User Rights Fulfillment: Honoring all user rights under data protection law, including rights of access, rectification, erasure, restriction, data portability, objection, withdrawal of consent, and rights related to automated decision-making.

(f) Data Accuracy and Lawfulness: Ensuring that all data you submit to the Service is accurate, lawfully collected, not fraudulent, and not in violation of any third-party rights.

(g) Security Measures: Implementing appropriate technical and organizational security measures in your own systems.

(h) Proper Integration: Correctly integrating the ConsentProof API according to the Documentation.

(i) Monitoring and Compliance: Continuously monitoring your compliance obligations.

(j) Consent Withdrawal Mechanisms: Implementing systems to allow users to easily withdraw consent.

(k) Record Keeping: Maintaining your own independent records of what data you process and why.

WE ARE NOT RESPONSIBLE FOR ANY OF THE ABOVE. YOUR FAILURE TO FULFILL ANY OF THESE RESPONSIBILITIES IS A MATERIAL BREACH OF THESE TERMS AND GROUNDS FOR IMMEDIATE TERMINATION WITHOUT REFUND.

7.2 Prohibited Uses

YOU ABSOLUTELY MAY NOT:

  • (a) Illegal Activities: Use the Service for any unlawful purpose, store illegally collected data, engage in fraud or deception, or violate any person's rights;
  • (b) False or Fraudulent Data: Store false, fraudulent, fabricated, or invented consent records, create fake consent records, backdate records with false timestamps, or submit records for users who did not actually consent;
  • (c) Children's Data: Collect or store consent records from children under 13 (or under 16 in the EU/UK) without verifiable parental consent mechanisms;
  • (d) Circumventing Limits: Attempt to exceed, bypass, or circumvent Consent Limits or create multiple accounts for additional trials;
  • (e) Reverse Engineering: Reverse engineer, decompile, disassemble, or derive source code from any aspect of the Service;
  • (f) Unauthorized Access: Access the Service through unauthorized means or attempt to gain unauthorized access to our systems;
  • (g) Interference and Disruption: Interfere with, disrupt, or overload the Service, transmit malware, or launch denial-of-service attacks;
  • (h) Security Testing: Conduct penetration testing or security assessments without prior written approval;
  • (i) Competitive Use: Use the Service to build a competitive product or benchmark against competitors without authorization;
  • (j) Intellectual Property Violations: Remove proprietary notices or use our trademarks without permission;
  • (k) Reselling and Redistribution: Resell, redistribute, or sublicense access to the Service;
  • (l) Abusive Content: Store illegal, harmful, threatening, abusive, harassing, defamatory, obscene, or hateful content;
  • (m) High-Risk Use Cases: Use the Service in medical, life-support, emergency services, or safety-critical systems without Enterprise agreement and explicit approval.

VIOLATION OF ANY PROHIBITED USE IS A MATERIAL BREACH RESULTING IN IMMEDIATE TERMINATION, NO REFUND, POTENTIAL LEGAL ACTION, AND FULL INDEMNIFICATION OBLIGATIONS.

7.3 Compliance Monitoring and Enforcement

We reserve the right (but have absolutely no obligation) to:

  • (a) Monitor your use of the Service for compliance with these Terms;
  • (b) Audit your Account, API usage, and stored data;
  • (c) Investigate suspected violations;
  • (d) Remove, delete, or disable access to any content that violates these Terms;
  • (e) Suspend or terminate your Account for violations;
  • (f) Report illegal activity to law enforcement, regulators (including the ICO, FTC, ANPD, PIPC), or other authorities;
  • (g) Preserve data for legal proceedings;
  • (h) Cooperate with law enforcement investigations.

You agree to cooperate fully with any such investigation or audit.

7.4 Consequences of Prohibited Use

If you engage in any Prohibited Use, we may:

  • (a) Immediately terminate your Account without notice or refund;
  • (b) Delete all Your Data immediately;
  • (c) Ban you and your organization from future use;
  • (d) Report you to law enforcement or regulatory authorities;
  • (e) Pursue legal action for damages;
  • (f) Seek injunctive relief;
  • (g) Publicly disclose the violation (if legally permissible);
  • (h) Invoice you for any costs, damages, or losses incurred.

You remain fully liable for all consequences and agree to indemnify us for all related losses.

8. Intellectual Property Rights

8.1 Our Ownership

ConsentProof and all aspects of the Service, including software code, algorithms, architecture, APIs, endpoints, SDKs, documentation, website design, trademarks, logos, brand assets, cryptographic implementations, database schemas, user interfaces, proprietary processes, and trade secrets are owned exclusively by or licensed to Oventro Technologies Ltd and are protected by UK and international copyright, trademark, trade secret, patent, and other intellectual property laws. All rights are reserved.

8.2 Limited License to You

Subject to your strict compliance with these Terms and payment of all fees, we grant you a limited, non-exclusive, non-transferable, non-sublicensable, revocable, worldwide license to access and use the Service solely for your internal business purposes in accordance with these Terms and the Documentation.

This license does NOT permit you to:

  • (a) Use the Service for any purpose not expressly authorized;
  • (b) Modify, adapt, or create derivative works;
  • (c) Copy or replicate any part of the Service;
  • (d) Reverse engineer or discover source code;
  • (e) Remove or alter proprietary notices;
  • (f) Use for competitive purposes;
  • (g) Resell, redistribute, or sublicense access.

8.3 Your Ownership of Your Data

You retain all ownership rights in Your Data. We claim no ownership of Consent Records or other data you submit. However, by submitting Your Data to the Service, you grant us a worldwide, non-exclusive, royalty-free, fully sublicensable, transferable license to use, store, process, transmit, display, and perform Your Data solely to the extent necessary to provide the Service to you, generate PDF Consent Certificates, create cryptographic proofs, perform backups and disaster recovery, detect and prevent fraud or abuse, comply with legal obligations, and enforce these Terms.

8.4 Restrictions on Your Use

You expressly agree that you will NOT copy, reproduce, modify, translate, create derivative works, rent, lease, sell, sublicense, assign, transfer, remove proprietary notices, use our trademarks without permission, frame or mirror the Service, use it for competitive purposes, or reverse engineer any part of the Service.

8.5 Feedback and Suggestions

If you provide us with any suggestions, ideas, enhancement requests, recommendations, feedback, or other information regarding the Service ("Feedback"), you agree that we may use, modify, and commercialize such Feedback without any obligation to you and you grant us an unrestricted, perpetual, irrevocable, worldwide, royalty-free, fully sublicensable license to use Feedback for any purpose.

9. Data Protection and Privacy

9.1 Data Processing Roles

For the purposes of UK GDPR, EU GDPR, Data Protection Act 2018, and all applicable data protection laws: (a) You are the Data Controller with respect to any personal data contained in the Consent Records and other data you submit to the Service; (b) We are the Data Processor, processing personal data solely on your behalf and in accordance with your documented instructions via the API and these Terms.

9.2 Data Processing Agreement

These Terms constitute a Data Processing Agreement ("DPA") under Article 28 UK GDPR and EU GDPR. By using the Service, you instruct us to process personal data in accordance with these Terms, our Privacy Policy, instructions you provide via the API, Dashboard, or in writing, and applicable data protection laws.

9.3 Your Obligations as Data Controller

AS THE DATA CONTROLLER, YOU MUST:

  • (a) Have a lawful basis for processing personal data under UK GDPR Article 6;
  • (b) Provide privacy notices to data subjects that comply with Articles 13-14;
  • (c) Obtain necessary consents where consent is your lawful basis;
  • (d) Ensure data accuracy and keep personal data up-to-date;
  • (e) Implement appropriate security measures in your own systems;
  • (f) Respond to data subject rights requests;
  • (g) Report data breaches to supervisory authorities within required timeframes;
  • (h) Notify data subjects of breaches where required;
  • (i) Conduct Data Protection Impact Assessments (DPIAs) where required;
  • (j) Comply with all data protection laws applicable to your processing activities;
  • (k) Maintain records of processing activities;
  • (l) Only transfer data internationally with appropriate safeguards in place;
  • (m) Ensure you have authority to instruct us to process personal data on your behalf.

WE ARE NOT RESPONSIBLE FOR YOUR COMPLIANCE WITH ANY OF THE ABOVE.

9.4 Our Obligations as Data Processor

As the data processor, we will:

  • (a) Process personal data only on your documented instructions;
  • (b) Ensure personnel processing your data are subject to confidentiality obligations;
  • (c) Implement appropriate technical and organizational security measures;
  • (d) Assist you (where reasonably possible and at your cost) with data subject rights requests, impact assessments, consultations with supervisory authorities, and data breach notifications;
  • (e) Notify you without undue delay upon becoming aware of a personal data breach affecting Your Data;
  • (f) Delete or return Your Data upon termination of the Service;
  • (g) Make available information necessary to demonstrate compliance with our obligations as a processor;
  • (h) Allow for and contribute to audits (subject to reasonable notice, confidentiality, and reimbursement of costs);
  • (i) Not engage sub-processors without your prior general written authorization.

9.5 Sub-Processors

We currently engage the following sub-processors:

Sub-Processor | Purpose | Location
Stripe, Inc. | Payment processing | United States (with EU/UK operations)
Render Services, Inc. | Infrastructure and data hosting | European Union (Frankfurt, Germany)

We may add, change, or remove sub-processors at any time. We will notify you of any sub-processor changes via email or through the Dashboard. Continued use of the Service after notification constitutes consent to the new sub-processor.

9.6 International Data Transfers

Your Data is primarily stored in the United Kingdom and/or European Economic Area. We may transfer Your Data outside the UK or EEA to sub-processors (e.g., Stripe in the United States). Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions.

9.7 Data Retention and Deletion

  • (a) Active Subscription: While your Account is active, we retain Your Data indefinitely for the duration of your subscription;
  • (b) Upon Termination by You: Your Data is retained for 30 days after account termination. During this period, you may reactivate your Account. After 30 days, Your Data is permanently and irreversibly deleted. You should export all data before terminating;
  • (c) Upon Termination by Us: If we terminate your Account for breach, we may delete Your Data immediately without the 30-day retention period;
  • (d) Legal Retention: We may retain limited data longer if required by law;
  • (e) Backups: Data in backups may persist for up to 90 days after deletion from production systems;
  • (f) Anonymized Data: We may retain aggregated, anonymized data indefinitely for analytics.

DATA EXPORT IS YOUR RESPONSIBILITY. WE ARE NOT LIABLE FOR DATA LOSS AFTER ACCOUNT TERMINATION.

9.8 Security Measures

Technical Measures:

  • TLS 1.2 or higher for all data in transit
  • AES-256 encryption (or equivalent) for data at rest
  • Encrypted database storage
  • API key authentication with role-based access control
  • Firewalls, network segmentation, intrusion detection
  • Regular security testing and code reviews
  • Real-time security monitoring and centralized logging
  • SHA-256 or stronger hashing for Consent Records

Organizational Measures:

  • Regular security and data protection training for all personnel
  • Confidentiality agreements for all staff
  • Background checks for personnel with data access (where legally permitted)
  • Documented incident response plan and procedures
  • Security assessments of sub-processors
  • Disaster recovery and business continuity plans

HOWEVER, NO SECURITY IS ABSOLUTE. WE CANNOT AND DO NOT GUARANTEE that the Service will be completely secure, that unauthorized access will never occur, or that Your Data will be 100% protected from loss, theft, or corruption.

9.9 Data Breaches

If we become aware of a personal data breach affecting Your Data, we will notify you without undue delay (and where feasible, within 72 hours). Upon receiving a breach notification, you are responsible for assessing whether you must notify supervisory authorities and affected data subjects, and for taking appropriate remedial measures.

10. Limitation of Liability

READ THIS SECTION CAREFULLY. IT SIGNIFICANTLY LIMITS OUR LIABILITY TO YOU.

10.1 Maximum Liability Cap

TO THE MAXIMUM EXTENT PERMITTED BY UK LAW, the total aggregate liability of Oventro Technologies Ltd (trading as ConsentProof) to you for any and all claims, damages, losses, liabilities, costs, and expenses arising out of or related to these Terms, your use of the Service, or any other cause of action SHALL NOT EXCEED THE GREATER OF: (a) The total amount you actually paid to us in the 12 months immediately preceding the event giving rise to the claim, or (b) £100 (One Hundred Pounds Sterling).

For customers on the Starter plan who have paid £0, our maximum liability is capped at £100. This cap applies in aggregate to all claims, not per claim.

10.2 Excluded Damages

TO THE MAXIMUM EXTENT PERMITTED BY UK LAW, WE SHALL NOT BE LIABLE FOR ANY:

  • Indirect, incidental, special, consequential, punitive, or exemplary damages;
  • Loss of profits, revenue, income, anticipated savings, or business opportunity;
  • Loss of goodwill or damage to reputation;
  • Loss of data (except gross negligence);
  • Loss of use of the Service or any systems;
  • Business interruption or downtime;
  • Cost of procurement of substitute goods or services;
  • Regulatory fines, penalties, or enforcement actions;
  • Legal fees in disputes with third parties or regulators;
  • Third-party claims against you;

EVEN IF we have been advised, knew, or should have known of the possibility of such damages.

10.3 Categories of Excluded Liability

WE ARE NOT LIABLE FOR DAMAGES ARISING FROM:

  • Service downtime, outages, or unavailability of any duration;
  • Unauthorized access to your Account due to compromised credentials;
  • Bugs, errors, defects, or malfunctions in the Service;
  • Data loss, corruption, or unavailability;
  • Third-party service failures (Stripe, hosting providers, etc.);
  • Your failure to properly integrate the API;
  • Regulatory investigations, fines, or penalties;
  • Validity, legality, or enforceability of consent records;
  • Force majeure events.

10.4 Non-Excludable Liability

Nothing in these Terms excludes or limits our liability for:

  • (a) Death or personal injury caused by our negligence;
  • (b) Fraud or fraudulent misrepresentation;
  • (c) Gross negligence or willful misconduct by us;
  • (d) Any other liability that cannot lawfully be excluded or limited under UK law.

11. Indemnification

11.1 Your Indemnification Obligations

YOU AGREE TO INDEMNIFY, DEFEND, AND HOLD HARMLESS:

  • Oventro Technologies Ltd (trading as ConsentProof)
  • Our officers, directors, employees, agents, contractors
  • Our affiliates, subsidiaries, and parent companies
  • Our licensors and suppliers
  • Our legal counsel and advisors

FROM AND AGAINST any and all claims, demands, actions, lawsuits, proceedings, liabilities, damages, losses, costs, expenses, fees (including reasonable attorneys' fees), fines, penalties, settlements, judgments, and awards arising out of or related to:

  • Your use of the Service;
  • Your breach of any provision of these Terms;
  • Your violation of any applicable law or third-party rights;
  • Your Data or any content you submit to the Service;
  • Your consent collection practices;
  • Data subject and consumer claims against you;
  • Regulatory actions against you;
  • Third-party claims;
  • Breach of your representations and warranties;
  • Account security issues caused by compromised credentials;
  • Your business operations.

11.2 Indemnification Survival

Your indemnification obligations survive termination or expiration of these Terms, closure or deletion of your Account, cessation of your use of the Service, and indefinitely for as long as claims may be brought under applicable statutes of limitations.

12. Warranties and Disclaimers

12.1 Your Representations and Warranties

You represent, warrant, and covenant that:

  • You have full legal authority and capacity to enter into these Terms;
  • Your use of the Service complies with all applicable laws and regulations;
  • You have all necessary rights to submit Your Data to the Service;
  • Your Data does not contain illegal, harmful, or infringing content;
  • You will use the Service only for lawful purposes;
  • All information you provide to us is accurate and complete;
  • You are at least 18 years old and not located in a sanctioned jurisdiction.

12.2 DISCLAIMER OF WARRANTIES

TO THE MAXIMUM EXTENT PERMITTED BY UK LAW, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE.

WE EXPRESSLY DISCLAIM ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO:

  • Implied warranties of merchantability, fitness for a particular purpose, non-infringement, and title;
  • Warranties that the Service will meet your requirements or expectations;
  • Warranties that the Service will be uninterrupted, timely, secure, or error-free;
  • Warranties that the Service will be completely secure or free from vulnerabilities;
  • Warranties that use of the Service will result in legal compliance;
  • Warranties that consent records will be legally valid, enforceable, or admissible as evidence;
  • Warranties regarding third-party services.

12.3 No Legal or Compliance Advice

CRITICAL DISCLAIMER:

OVENTRO TECHNOLOGIES LTD (TRADING AS CONSENTPROOF) IS NOT A LAW FIRM. WE ARE NOT LAWYERS, BARRISTERS, SOLICITORS, OR LEGAL PROFESSIONALS. THE SERVICE DOES NOT CONSTITUTE AND MUST NOT BE RELIED UPON AS LEGAL ADVICE, COMPLIANCE CONSULTING, REGULATORY ADVICE, OR DATA PROTECTION ADVICE. YOU MUST CONSULT WITH QUALIFIED LEGAL COUNSEL REGARDING YOUR LEGAL AND REGULATORY OBLIGATIONS.

13. Confidentiality

Both parties agree to keep confidential information strictly confidential and use it only for the purposes of these Terms. "Confidential Information" means any non-public information disclosed by one party to the other that is marked as confidential or would reasonably be understood to be confidential.

Confidentiality obligations survive termination for 5 years (indefinitely for trade secrets). The Receiving Party may disclose Confidential Information if required by law, but must provide prompt notice to the Disclosing Party and cooperate to limit disclosure.

14. Term and Termination

14.1 Term

These Terms commence on the date you first access or use the Service (the "Effective Date") and continue until terminated in accordance with this Section 14.

14.2 Termination by You

You may terminate your Account at any time by using the account deletion feature in the Dashboard settings or emailing support@consentproof.io. No refunds will be provided for any prepaid fees or unused subscription time. You remain responsible for all fees accrued up to termination. It is your sole responsibility to export Your Data before terminating your Account.

14.3 Termination or Suspension by Us

We may terminate or suspend your access to the Service immediately, with or without prior notice, for any reason or no reason, including breach of Terms, payment issues, prohibited use, security risks, legal requirements, business reasons, or our sole discretion.

14.4 Effect of Termination

Upon termination:

  • Your right to access and use the Service immediately ceases;
  • All licenses granted to you terminate immediately;
  • You must cease all use of the Service and delete all API keys;
  • No refunds will be provided under any circumstances;
  • Your Data will be handled per Section 9.7 (retained 30 days if you terminate; may be deleted immediately if we terminate for breach);
  • We shall not be liable for any damages or consequences arising from termination.

14.5 Survival of Terms

The following sections survive termination indefinitely: Fees and Payment (for amounts owed), Intellectual Property Rights, Limitation of Liability, Indemnification, Warranties and Disclaimers, Confidentiality (for 5 years or indefinitely for trade secrets), Effect of Termination, and General Provisions (Governing Law, Arbitration, etc.).

15. Dispute Resolution and General Provisions

15.1 Governing Law

These Terms and any dispute or claim arising out of or in connection with them shall be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of law principles.

15.2 Mandatory Arbitration of Disputes

PLEASE READ THIS SECTION CAREFULLY. IT AFFECTS YOUR LEGAL RIGHTS.

You and Oventro Technologies Ltd agree that any dispute, claim, or controversy arising out of or relating to these Terms or the Service shall be settled by binding arbitration, rather than in court. Arbitration shall be conducted in accordance with the London Court of International Arbitration (LCIA) rules, with one arbitrator, in London, in English.

Exceptions to Arbitration: Small claims (under £10,000), intellectual property claims, and requests for injunctive relief may be brought in court.

Pre-Arbitration Resolution: Before initiating arbitration, parties shall attempt good faith negotiations for 30 days following written notice.

Time Limitation: Any claim or dispute must be brought within ONE (1) YEAR after the claim or cause of action arises, or such claim is permanently barred.

15.3 CLASS ACTION WAIVER

YOU AND OVENTRO TECHNOLOGIES LTD AGREE THAT EACH PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN AN INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS, CONSOLIDATED, OR REPRESENTATIVE PROCEEDING. You waive any right to participate in a class action lawsuit against us. Arbitration will be conducted on an individual basis only.

15.4 Jurisdiction and Venue

If arbitration does not apply, you agree that any legal action or proceeding shall be brought exclusively in the courts of England and Wales. You irrevocably submit to the exclusive jurisdiction of such courts and waive any objection to venue.

15.5 Entire Agreement

These Terms, together with our Privacy Policy and any written amendments, constitute the entire agreement between you and ConsentProof regarding the Service and supersede all prior understandings, agreements, representations, and warranties.

15.6 Amendments to These Terms

We may modify these Terms at any time by posting the revised Terms on our website. Material changes become effective 30 days after posting. Continued use of the Service after changes become effective constitutes your binding acceptance of the revised Terms. If you do not agree, your sole remedy is to terminate your Account (no refund will be provided).

15.7 Waiver

Our failure to enforce any right or provision of these Terms shall not constitute a waiver of that right or provision. No waiver by us shall be effective unless made in writing and signed by an authorized officer.

15.8 Severability

If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.

15.9 Force Majeure

Neither party shall be liable for any failure or delay in performance (other than payment obligations) due to causes beyond its reasonable control, including acts of God, natural disasters, pandemics, war, terrorism, government actions, infrastructure failures, cyber attacks, or third-party supplier failures. If a force majeure event continues for more than 90 days, either party may terminate these Terms without liability.

15.10 Notices

All notices must be in writing. Notices to you may be sent to your registered email address. Notices to us must be sent to:

Oventro Technologies Ltd (trading as ConsentProof)
Attn: Legal Department
14 Albemarle Street
London, W1S 4HL
United Kingdom
Email: legal@consentproof.io

15.11 Assignment

You may not assign, transfer, delegate, or sublicense these Terms without our prior written consent. We may assign these Terms freely to any affiliate, subsidiary, or in connection with a merger, acquisition, or sale of assets.

15.12 No Third-Party Beneficiaries

These Terms are for the sole benefit of you and ConsentProof. No third party has any right to enforce any provision of these Terms, except the Indemnified Parties who may enforce indemnification rights.

15.13 Relationship of Parties

You and ConsentProof are independent contractors. These Terms do not create a partnership, joint venture, agency, franchise, or employer-employee relationship.

15.14 Export Compliance

You represent and warrant that you are not located in a sanctioned country or listed on any UK, EU, or US Government sanctions list, and you will not use the Service in violation of any export or import laws.

15.15 Anti-Bribery and Anti-Corruption

You agree to comply with all applicable anti-bribery and anti-corruption laws, including the UK Bribery Act 2010.

16. Contact Information and Company Details

If you have any questions about these Terms or the Service, please contact us:

Legal Name: Oventro Technologies Ltd
Trading Name: ConsentProof
Company Number: 16737923
Registered Office: 14 Albemarle Street, London, W1S 4HL, United Kingdom
Website: https://consentproof.io
Pricing: https://consentproof.io/pricing
Documentation: https://consentproof.io/docs
Privacy Policy: https://consentproof.io/privacy

17. Acceptance and Acknowledgment

BY USING THE SERVICE, CREATING AN ACCOUNT, ACCESSING THE API, OR CLICKING "I AGREE," YOU ACKNOWLEDGE THAT YOU HAVE:

  • ✓ Read these Terms in their entirety
  • ✓ Understood all provisions, including limitations of liability, disclaimers, and arbitration requirements
  • ✓ Had the opportunity to seek independent legal advice
  • ✓ Voluntarily agreed to be bound by these Terms
  • ✓ Agreed to the binding arbitration and class action waiver provisions
  • ✓ Acknowledged that the Service is provided "AS IS" without warranties
  • ✓ Acknowledged that ConsentProof is not liable for your legal compliance
  • ✓ Acknowledged the NO REFUND policy
  • ✓ Acknowledged that we record and store proof of your acceptance using ConsentProof technology
  • ✓ Assumed all risks associated with using the Service
  • ✓ Agreed to indemnify us for claims arising from your use

IF YOU DO NOT AGREE TO THESE TERMS, DO NOT USE THE SERVICE.

18. Final Provisions

18.1 Multiple Counterparts

These Terms may be executed in multiple counterparts, each of which shall be deemed an original and all of which together shall constitute one agreement.

18.2 No Oral Modifications

These Terms may only be modified by a written amendment signed by an authorized representative of both parties, or by us posting a revised version as described in Section 15.6. Oral modifications are not valid.

18.3 English Language Controls

These Terms are drafted in English. Any translation is provided for convenience only. If there is any conflict between the English version and a translation, the English version controls.

18.4 Cumulative Remedies

All rights and remedies provided in these Terms are cumulative and not exclusive, and the exercise of any right or remedy does not preclude the exercise of any other rights or remedies.

18.5 Equitable Relief

You acknowledge that breach of Sections 7 (Acceptable Use), 8 (Intellectual Property), or 13 (Confidentiality) may cause irreparable harm for which monetary damages are insufficient, and we are entitled to seek equitable relief (including injunctive relief and specific performance) without posting bond.

END OF TERMS AND CONDITIONS

Document Version: 1.0
Last Updated: 11 January 2026
Effective Date: 11 January 2026

© 2025-2026 Oventro Technologies Ltd. All rights reserved.