
Zero Box Terms of Service

FLXY.io | Fluxy.One Zero Box
Version 2.0 — February 13, 2026

"The use of the websites https://fluxy.one and https://zero.flxy.io is also governed by our Website Terms of Use and Privacy Policy, which you accept upon registration or use of services."

SIA Fluxy One
Reg. No. LV40203559086
Rupniecības iela 16-14B, Riga, LV-1010, Latvia
Email: legal@fluxy.one
DPO: dpo@fluxy.one
Support: support@flxy.io

Note: This document is the official English version. In the event of any discrepancies between this version and translations into other languages, the English version shall prevail.

1. GENERAL PROVISIONS

1.1 Parties and Subject Matter

This Agreement ("Agreement") is entered into by and between SIA Fluxy One (Reg. No. LV40203559086, Latvia), hereinafter referred to as the "Provider," "We," "Us," or "Fluxy," and the individual or legal entity accepting these terms, hereinafter referred to as the "Client," "You," or "User."

IMPORTANT: PROVIDER ROLE

SIA Fluxy One acts as a TECHNICAL INFRASTRUCTURE PROVIDER for Zero Box services. We provide:

  • Cloud hosting infrastructure for Digital Product Passports (DPPs)
  • GS1-compliant QR code generation
  • AI-powered translation and data structuring tools
  • Web-based dashboard for DPP management

We do NOT:

  • Verify, validate, or certify the accuracy of your product data
  • Act as a licensed DPP operator (unless explicitly agreed in writing for specific use cases)
  • Assume responsibility for product safety, GPSR compliance, or ESPR regulatory obligations
  • Control or moderate content uploaded by users (except in response to legal complaints)

YOU (the User) are the responsible party for:

  • All product data accuracy and completeness
  • GPSR compliance (if you are a Manufacturer or Responsible Person under EU law)
  • ESPR compliance (product-specific requirements for textiles, electronics, etc.)
  • Product safety and liability
  • Ownership/licensing of GTINs, trademarks, and intellectual property

1.2 Service Description

Zero Box is a tiered service offering:

Free Tier (GS1 QR Free):

  • Up to 100 perpetual GS1-compliant QR codes
  • Basic product landing pages
  • GS1 Digital Link generation
  • AI-powered multilingual translation (24+ languages)
  • Basic scan analytics
  • Dashboard access at https://zero.flxy.io

Paid Tiers:

  • DPP Light (€9.99/month): Basic ESPR compliance fields, data export
  • DPP Extended (€29.90/month): Extended sustainability data, document storage, B2B sharing
  • DPP Pro (€49.90/month): Full DPP managed service, SLA, compliance monitoring

Complete tier features are described at https://fluxy.one/zero-box.

1.3 Conclusion and Acceptance

The Agreement is deemed concluded from the moment the Client performs the first of the following actions:

(a) Registration of an account on https://zero.flxy.io or https://fluxy.one
(b) Payment via Stripe, PayPal, or Revolut Pay for any paid tier
(c) Generation of the first QR code or product page
(d) Use of API access (where applicable)

By accepting these terms, you confirm that:

  • You are at least 18 years old or represent a legal entity with authority to enter contracts
  • You have read and agree to our Privacy Policy and Cookie Policy
  • All information provided during registration is accurate and complete
  • You understand that YOU are responsible for compliance with GPSR, ESPR, and product safety regulations
  • You accept the AI Translation Disclaimer (Section 5)

1.4 Service Infrastructure

Zero Box operates on cloud infrastructure hosted by Google Cloud Platform (Belgium) but is a standalone service with its own Terms of Service. These Terms govern your use of Zero Box exclusively.

If you also use other Fluxy.One products or services (such as the Enterprise DPP Platform at https://app.flxy.io), those services are governed by their own separate agreements and are not covered by these Zero Box Terms.

2. SERVICE TIERS AND FEATURES

2.1 Free Tier (GS1 QR Free)

What's Included:

  • Up to 100 perpetual GS1 Digital Link QR codes
  • Digital product pages (brand business card based on GTIN)
  • Dashboard access
  • AI-powered translation into 24+ languages (see Section 5)
  • Basic scan analytics (number of scans, country, device type)
  • Unlimited updates to product information
  • QR codes valid for the life of the product

Limitations:

  • No ESPR compliance data fields (materials, sustainability)
  • No document storage (certificates, test reports)
  • No API access
  • No advanced analytics
  • No SLA guarantees (best-effort support)
  • No dedicated compliance monitoring

Duration:

Free tier access is perpetual so long as:

  • The service remains available
  • You comply with these Terms
  • You maintain an active account (login at least once every 24 months)

2.2 Paid Tiers (DPP Light, Extended, Pro)

Payment Terms:

  • Billing cycle: Monthly subscription (auto-renewal)
  • Payment methods: Stripe, PayPal, Revolut Pay
  • Currency: EUR (€)
  • Prices displayed at https://fluxy.one/zero-box

Auto-Renewal:

  • Subscriptions automatically renew each month unless cancelled
  • You will be charged on the same day each month
  • Cancellation takes effect at the end of the current billing period
  • No refunds for partial months

Upgrade/Downgrade:

  • You may upgrade to a higher tier at any time (charged immediately, prorated)
  • You may downgrade to a lower tier or Free tier (takes effect next billing cycle)
  • Downgrading may result in loss of features (document storage, advanced data fields)
  • Your QR codes remain functional during and after downgrade

2.3 Price Changes

The Provider reserves the right to modify subscription prices with 30 days' advance notice via email. Price changes apply only to new billing periods. You may cancel before the price increase takes effect if you do not accept the new pricing.

3. GS1 STANDARDS AND PRODUCT REQUIREMENTS

3.1 GTIN Requirement

To use Zero Box, you must assign valid GTINs (Global Trade Item Numbers) to your products. GTINs must be:

  • Issued by a licensed GS1 member organization in your country
  • Unique to each product variant
  • Not internal codes, SKUs, or non-GS1 identifiers

IMPORTANT: You represent and warrant that:

  • You own or have a valid license to use all GTINs entered into Zero Box
  • You will NOT use GTINs belonging to other companies or products you do not manufacture/distribute
  • You understand that unauthorized use of GTINs may result in immediate account suspension and legal liability

If you do not have GTINs, you can obtain them from your national GS1 office (e.g., GS1 Latvia, GS1 UK, GS1 Germany).

3.2 GS1 Digital Link Compliance

Zero Box generates GS1 Digital Link URIs compliant with the GS1 standard (https://dpp.flxy.io/01/{GTIN}). These URIs:

  • Resolve to your product's digital page
  • Are scannable by smartphones and checkout systems
  • Meet EU DPP technical requirements (ESPR Regulation 2024/1781)
  • Remain functional even if you change your website URL

3.3 Perpetual QR Codes

"Perpetual" means:

  • Your QR code never expires (unless you delete it or violate these Terms)
  • You can update the destination URL, product info, or compliance data anytime
  • No reprinting required when information changes
  • QR codes remain active for the life of the product (minimum 10 years, per ESPR)

Exception: QR codes may be deactivated if:

  • You violate these Terms (Section 10)
  • We receive a valid legal complaint (Section 4.5)
  • Your account is deleted for non-payment (after 90 days on paid tiers)
  • You request deletion under GDPR (Section 9)

4. USER RESPONSIBILITIES AND COMPLIANCE

4.1 You Are the Manufacturer/Responsible Person

Under EU law (GPSR, ESPR), YOU are responsible for:

(a) General Product Safety Regulation (GPSR):

  • Conducting product risk assessments
  • Ensuring products are safe for consumers
  • Providing warnings and safety instructions
  • Designating a Responsible Person in the EU (if you are a non-EU manufacturer)
  • Maintaining technical documentation
  • Reporting serious incidents to authorities

(b) Ecodesign for Sustainable Products Regulation (ESPR):

  • Providing accurate product information (materials, origin, sustainability data)
  • Meeting product-specific requirements (e.g., textile labeling, battery passports)
  • Updating DPPs when product composition changes
  • Complying with minimum data requirements for your product category

(c) Product Liability:

  • You are liable for any harm caused by defective products
  • You are liable for misleading or false product information
  • You are liable for violations of consumer protection laws

Fluxy is NOT responsible for any of the above. We provide infrastructure; you provide compliant content.

4.2 Data Accuracy and Completeness

You represent and warrant that all data uploaded to Zero Box is:

  • Accurate: Information is true and not misleading
  • Complete: All mandatory ESPR/GPSR fields are filled (for paid tiers)
  • Up-to-date: You update data when product specifications change
  • Lawful: Content does not violate laws, infringe IP rights, or contain harmful material

Examples of prohibited content:

  • False certifications (e.g., "CE marked" when not actually certified)
  • Counterfeit product data (copying competitor's DPP)
  • Misleading environmental claims ("100% recyclable" when not true)
  • Unauthorized use of trademarks or copyrighted images

4.3 Intellectual Property Ownership

Your IP:

  • You retain all rights to your trademarks, logos, product names, and images
  • You warrant that you have the right to use all uploaded content
  • You indemnify Fluxy against IP infringement claims by third parties (see Section 11.3)

You may NOT:

  • Upload content owned by others (competitor logos, stock photos without license)
  • Use Fluxy's branding in a way that implies endorsement
  • Reverse-engineer or copy Fluxy's software

Fluxy's IP:

  • The Zero Box platform, software, dashboard, and infrastructure are owned by SIA Fluxy One
  • You may not reverse-engineer, copy, or create derivative works
  • You may not resell or white-label Zero Box services without written permission

4.4 License Grant to Fluxy

By using Zero Box, you grant Fluxy a non-exclusive, worldwide, royalty-free license to:

  • Host and display your product data via QR codes and digital product pages
  • Transfer data to third parties as required by law (EU Commission, customs authorities, national regulators)
  • Make data publicly accessible when scanned by consumers
  • Store data in backup and archive systems (including 10+ year ESPR archive)
  • Translate your data into multiple languages using AI (see Section 5)

This license terminates when you delete your data, subject to Section 9.4 (ESPR archive obligations).

4.5 Takedown Requests and Complaint Response

If we receive a complaint (from a consumer, competitor, regulator, or IP holder) alleging that your DPP contains:

  • False or misleading information
  • Infringing content (trademark, copyright)
  • Unsafe product warnings
  • Violations of GPSR/ESPR

Our process:

  • Acknowledgment: Within 4 hours of receiving complaint
  • Investigation: Within 24 hours, we will:
    • Review the complaint and your DPP content
    • Contact you via email for clarification
    • Request evidence (certificates, licenses, documentation)
  • Decision: Within 24 hours of investigation completion:
    • If complaint is valid: Immediate takedown (DPP suspended, QR code disabled)
    • If complaint is invalid: No action, complainant notified
  • Notification: Within 2 hours of takedown, we will:
    • Email you with reason for suspension
    • Provide 7-day appeal window
    • Allow you to correct and republish (if you fix the issue)

Appeal Process:

  • Submit appeal via email to legal@fluxy.one within 7 days
  • Provide evidence (test reports, GS1 license, trademark registration)
  • We will review within 3 business days
  • If appeal successful, DPP reinstated

No Liability for Takedowns:

  • Fluxy is NOT liable for damages resulting from takedowns (lost sales, reputational harm)
  • Takedowns are made in good faith based on available information
  • You indemnify Fluxy for any claims arising from your content (Section 11.3)

5. AI-POWERED TRANSLATION AND MULTILINGUAL DISPLAY

5.1 How AI Translation Works

Zero Box uses AI-powered translation to make your product data accessible to consumers worldwide. The process is as follows:

Step 1: Input (Your Language)

  • You enter product data in any language (e.g., Latvian, German, Spanish, Russian)
  • This is your original source data

Step 2: Master Data Translation (English)

  • Your input is automatically translated into English (Master Data) using: Google Cloud Translation API, Google Vertex AI, Google Gemini models
  • Master Data is structured in JSON format compliant with: ESPR requirements (Regulation 2024/1781), GS1 standards (product identification)

Step 3: Consumer Display (24+ Languages)

  • English Master Data is automatically translated into 24+ languages:
    • EU Official Languages (24): Bulgarian, Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish, Swedish
    • Additional Languages: Norwegian, Icelandic, Turkish, Russian, Ukrainian
  • Consumers see product information in their preferred language when scanning QR codes

Step 4: Version Control and Data Retention

  • Every change triggers a new translation cycle: Original language → English Master Data → 24+ consumer languages
  • All versions are logged with: Timestamps (date and time of change), Content hashes (SHA-256) for data integrity
  • THREE JSON files stored (CRITICAL for legal compliance):
    • Original Language JSON — Your input in the language you entered (Latvian, German, etc.) — LEGALLY REQUIRED for client liability protection
    • Master Data JSON (English, ESPR-compliant) — Used for regulatory reporting
    • International JSON (24+ languages) — Consumer-facing translations

Why Original Language is Stored:

  • Legal liability: YOU are responsible for the accuracy of your original input
  • Regulatory compliance: Authorities may request data in the original language
  • Audit trail: Proves what you actually entered vs. what AI translated
  • Dispute resolution: If AI mistranslates, original language proves your intent

5.2 AI Translation Disclaimer — CRITICAL

IMPORTANT: AI translations are provided as a convenience feature and may contain errors. You acknowledge and agree that:

(a) AI is not perfect: AI translation may produce inaccurate, incomplete, or nonsensical translations. Technical terms, brand names, and safety warnings are especially prone to errors. Example errors: "wash in cold water" → "wash in old water" or "choking hazard" → "joke hazard".

(b) You are responsible for accuracy: You must verify that AI translations convey the correct meaning, especially for: Safety warnings (choking hazards, allergens, flammability), Usage instructions (dosage, assembly, washing), Compliance statements (CE marking, GPSR responsible person). If translations are incorrect, you must correct them manually or unpublish the DPP.

(c) Fluxy is NOT liable for translation errors: We do NOT review, verify, or certify AI translations. We are NOT responsible for harm caused by mistranslations (e.g., consumer injury from incorrect safety warning). You indemnify Fluxy against claims arising from translation errors (Section 11.3).

(d) No human review (unless paid service): Free and Light tiers: 100% automated AI translation (no human review). Extended tier: You can request manual correction (self-service editing). Pro tier: Optional human translation review available (contact support@flxy.io for quote).

5.3 Your Obligations

Before publishing a DPP, you MUST:

  • Review AI-generated translations (at minimum, English Master Data)
  • Verify accuracy of safety-critical information (warnings, allergens, hazards)
  • Manually correct any errors in the Zero Box dashboard
  • Confirm that all 24+ language versions are acceptable (or disable specific languages)

If you discover translation errors after publishing:

  • Update the source data in your dashboard
  • AI will automatically re-translate (new version created)
  • Old version remains in archive (10+ years, per ESPR)

5.4 Schema Validation

All Master Data (English JSON) is automatically validated against:

  • GS1 standards (product identification, Digital Link format)
  • ESPR schema (Google Cloud-based validation)

If validation fails:

  • You will receive an error message in the dashboard
  • You must correct the data before publishing
  • Common issues: missing mandatory fields, invalid GTIN format, incorrect data types

5.5 Language Coverage and Consumer Choice

Consumer Experience:

  • When scanning a QR code, consumers see a language selector
  • Default language is based on their device/browser settings
  • Consumers can switch to any of the 24+ available languages

You can disable specific languages if you prefer not to display AI translations (e.g., disable Russian if you don't sell in Russia).

6. DATA HOSTING, SECURITY, AND GDPR COMPLIANCE

6.1 Data Location and Certifications

All Zero Box data is hosted in the European Union:

  • Primary location: Google Cloud Platform, Belgium data center
  • Backup location: EU-West (Belgium, Netherlands)
  • No data transfers outside the EU (except where required by law, e.g., for non-EU regulators)

Google Cloud Certifications:

  • ISO 27001 (Information Security Management)
  • ISO 27017 (Cloud Security)
  • ISO 27018 (Cloud Privacy)
  • SOC 2 Type II (Security, Availability, Confidentiality)
  • GDPR-compliant (Google Ireland Ltd, EU-based entity)

Fluxy's Security Measures:

  • Encryption in transit: TLS 1.3+ for all HTTPS connections
  • Encryption at rest: AES-256 for all stored data
  • Access controls: Multi-Factor Authentication (MFA) for staff, role-based access
  • Backup & Recovery: Daily automated backups, tested quarterly
  • Monitoring: Real-time intrusion detection, security logging
  • Version Control: All DPP changes logged with SHA-256 hashes

6.2 GDPR Compliance

Zero Box processes personal data in accordance with:

  • GDPR (Regulation 2016/679)
  • Latvian Data Protection Law
  • Our Privacy Policy

Data Processing Roles:

  • For B2B Clients: You are the Data Controller; we are the Data Processor (see Appendix A: DPA)
  • For B2C Scanning: We are the Data Controller for scan analytics (country, device type)

6.3 Personal Data We Collect

From Clients (Account Data):

  • Name, email, company name, billing address
  • Payment information (processed by Stripe/PayPal, not stored by us)
  • Usage data (logins, QR codes created, tier upgrades)

From Consumers (QR Code Scans):

  • Scan timestamp, country, device type (iOS/Android)
  • NO GPS location, NO personal identifiers, NO names or emails

In DPP Content (if you choose to include):

  • Responsible Person name and email (GPSR requirement)
  • Supplier contact details (optional)

See Privacy Policy for full details.

6.4 Your Rights (GDPR)

You have the right to:

  • Access your data (email dpo@fluxy.one)
  • Correct inaccurate data (edit in dashboard)
  • Delete your account and data (subject to ESPR archive, Section 9.4)
  • Export your data (JSON/CSV download)
  • Withdraw consent for marketing emails (unsubscribe link)

To exercise these rights, contact: dpo@fluxy.one

6.5 Data Retention

  • Active accounts: Data retained for the duration of your subscription
  • Cancelled accounts: Data retained for 12 months, then deleted (unless ESPR archive applies)
  • ESPR Compliance: Published DPPs archived for 10-15 years (read-only, see Section 9.4)
  • Logs and hashes: Stored for 10+ years for regulatory compliance and audit trail

7. PAYMENT TERMS

7.1 Payment Methods

Payments are processed via:

  • Stripe Payments Europe Ltd (primary)
  • PayPal
  • Revolut Pay

We do NOT store your credit card details. Payment processors handle all sensitive financial data in compliance with PCI-DSS standards.

7.2 VAT and Taxes

(a) EU Clients:

  • Prices include Latvian VAT (21%) unless Reverse Charge applies
  • If you are a VAT-registered business in another EU country, provide your VAT number at checkout to apply Reverse Charge

(b) Non-EU Clients:

  • Services are zero-rated for export (0% Latvian VAT)
  • You are responsible for any local taxes (VAT, sales tax, withholding tax) in your jurisdiction

7.3 Refund Policy

EU Consumer Rights (14-Day Withdrawal):

  • If you are an EU consumer (individual, not a business), you have 14 days from the date of purchase to request a full refund
  • To exercise this right, email legal@fluxy.one with "Withdrawal Request" in the subject line
  • Refunds are processed within 14 days via the original payment method

Business Clients:

  • No refunds for partial months or cancelled subscriptions
  • Payments are non-refundable once the billing period has started
  • If you cancel, your access continues until the end of the paid period

Exceptions:

  • If the service is materially non-functional (e.g., QR codes don't resolve) for more than 72 hours, you may request a prorated refund

7.4 Failed Payments

If your payment fails:

  • Day 1-7: We retry charging your card and send email reminders
  • Day 8-14: Your account is suspended (read-only access, QR codes still work)
  • Day 15+: Your account is downgraded to Free tier or deleted (paid tier features removed)

To reactivate, update your payment method and pay outstanding invoices.

8. SERVICE AVAILABILITY AND SUPPORT

8.1 Uptime (Free Tier)

For Free Tier users:

  • Target uptime: 99% per month (best effort)
  • No SLA guarantees
  • No compensation for downtime
  • Scheduled maintenance may occur with 24-hour notice

8.2 Uptime (Paid Tiers)

For DPP Light, Extended, and Pro users:

  • Target uptime: 99.5% per month (excluding scheduled maintenance)
  • Downtime exceeding this threshold may qualify for Service Credits (see Section 8.4)

Exclusions from uptime calculation:

  • Scheduled maintenance (announced 24 hours in advance)
  • Force majeure events (DDoS attacks, internet backbone failures)
  • Client-side issues (local network, device problems)
  • Third-party service outages (Stripe, payment gateways, Google Cloud)

8.3 Technical Support

Free Tier:

  • Email support: support@flxy.io
  • Response time: Best effort (typically 48-72 business hours)
  • No phone or live chat support

Paid Tiers:

  • Email support: support@flxy.io
  • Response times:
    • P1 (Critical): Platform completely unavailable → 8 business hours
    • P2 (High): Core functions degraded → 24 business hours
    • P3 (Normal): General questions, minor bugs → 48 business hours

DPP Pro Only:

  • Priority support with 4-hour response time for P1 issues
  • Dedicated account manager (for annual contracts)

8.4 Service Credits (Paid Tiers Only)

If monthly uptime falls below 99.5%, you may request compensation:

Uptime Achieved | Service Credit
99.0% – 99.49% | 5% of monthly fee
95.0% – 98.99% | 10% of monthly fee
Below 95.0% | 20% of monthly fee

How to claim:

  • Email legal@fluxy.one within 30 days of the incident
  • Provide details (dates, affected QR codes)
  • Credits applied to next month's invoice (no cash refunds)

9. TERM, TERMINATION, AND DATA ARCHIVING

9.1 Agreement Duration

  • Free Tier: Indefinite, until you or we terminate
  • Paid Tiers: Monthly subscription, auto-renewing until cancelled

9.2 Cancellation by Client

You may cancel at any time:

  • Free Tier: Delete your account in dashboard settings
  • Paid Tiers: Cancel auto-renewal in dashboard → Access continues until end of billing period

No refunds for unused time (except EU consumer 14-day withdrawal right).

9.3 Suspension/Termination by Fluxy

We may suspend or terminate your account if:

  • You violate these Terms (counterfeit products, illegal content, IP infringement, unauthorized GTINs)
  • Payment failure exceeds 14 days (paid tiers)
  • You engage in abusive behavior (spam, harassment, hacking attempts)
  • We receive a valid legal complaint and you fail to respond (Section 4.5)
  • Required by law or sanctions (Section 10)

Notice: 7 days' notice via email (except for severe violations: immediate suspension).

9.4 ESPR Archiving Obligation (10+ Years)

CRITICAL: Even after account termination, Fluxy is legally required to maintain published DPPs.

For Published DPPs:

  • All published Digital Product Passports are archived in read-only mode for:
    • Minimum 10 years (ESPR Regulation 2024/1781 requirement)
    • Up to 15 years (best practice for regulatory inspections)
  • Archived DPPs remain:
    • Accessible by regulators (EU Commission, customs authorities, national market surveillance)
    • Accessible by consumers (QR codes remain scannable)
    • Immutable (you cannot edit archived versions)

Why this is required:

  • ESPR mandates long-term data retention for product traceability
  • Regulators may inspect products years after sale
  • Customs authorities need historical data for import/export compliance
  • Consumer protection laws require access to product information

For Unpublished Data:

  • If you created QR codes but never made them public, we delete all data within 12 months of account closure

9.5 Data Export Before Termination

Before terminating, you can:

  • Download all product data (JSON/CSV export)
  • Save QR code images (PNG/SVG)
  • Export compliance documents (DPP Extended/Pro tiers)

After termination, data export is only available for 30 days (contact support@flxy.io).

9.6 Version Control and Audit Trail

All DPP changes are logged:

  • Timestamp: Date and time of modification
  • Content hash: SHA-256 hash of all three JSON files:
    • Original Language JSON (what you entered in your language)
    • Master Data JSON (English, ESPR-compliant)
    • International JSON (24+ consumer languages)
  • User ID: Who made the change
  • Change log: What fields were modified

What data is provided to regulators:

  • Original language input (what you actually entered) — PRIMARY source of truth for your legal liability
  • English Master Data (ESPR-compliant JSON) — for EU Commission reporting
  • All versions (via version control system)
  • Audit trail (timestamps, hashes, changes)

Why original language storage is CRITICAL:

  • Regulators want to see what YOU entered, not just AI translations
  • Original language proves your compliance intent and protects your liability
  • If AI mistranslates safety warning, original language shows you entered it correctly
  • Required for regulatory disputes and legal proceedings

Audit trail available to:

  • You (via dashboard, for your own DPPs)
  • Regulators (upon legal request, with 72-hour notice to you)
  • Law enforcement (with valid court order)

Retention: Logs stored for 10+ years (same as DPP archive).

10. PROHIBITED USE AND SANCTIONS

10.1 Prohibited Content

You may NOT use Zero Box for products that are:

  • Counterfeit or fraudulent (fake certifications, unauthorized GTINs, misleading claims)
  • Illegal (weapons without licenses, controlled substances, sanctioned goods)
  • Harmful (products banned under GPSR, dangerous chemicals without warnings, recalled items)
  • Infringing IP rights (unauthorized use of trademarks, copyrighted images, patented designs)

Examples:

  • Creating a DPP with Nike's GTIN for a fake Nike product
  • Claiming "CE marked" without actual CE certification
  • Using competitor's product images
  • Selling products banned in the EU (e.g., unsafe toys, non-compliant electronics)

Consequences: Immediate suspension, QR code deactivation, account termination without refund, reporting to authorities.

10.2 Sanctions Compliance

Client Warranties: You represent that:

  • You are NOT on any sanctions lists (EU, OFAC, UN, HMT, Latvia)
  • You will NOT use Zero Box to benefit sanctioned persons or entities
  • You will NOT create DPPs for dual-use goods without appropriate export licenses

Fluxy's Rights: If you appear on a sanctions list or violate export controls:

  • We will immediately block your account
  • QR codes will be deactivated
  • No refunds will be issued
  • We may report violations to authorities

10.3 Marketplace Compliance

If you use Zero Box QR codes for Amazon, Etsy, Shopify, or other marketplaces:

  • Place QR codes on physical packaging ONLY (not in product listing photos)
  • Do NOT offer incentives for reviews via QR codes
  • Do NOT redirect to competitor platforms
  • Comply with marketplace policies (we are not responsible for marketplace violations)

11. LIABILITY AND INDEMNIFICATION

11.1 Limitation of Liability

Fluxy's liability is limited as follows:

(a) For Free Tier users: The Provider's liability is limited to €0 (zero). We provide the service "as is" with no warranties.

(b) For Paid Tier users: Our maximum liability is capped at the amount you paid in the 12 months preceding the incident.

We are NOT liable for:

  • Regulatory fines (GPSR violations, ESPR non-compliance, customs penalties)
  • Product liability claims (injuries, damages caused by defective products)
  • Lost revenue (marketplace bans, customs seizures, reputational harm)
  • AI translation errors (mistranslations, incorrect safety warnings)
  • Data accuracy (false certifications, unauthorized GTINs, misleading claims uploaded by you)
  • Takedowns (suspension due to valid complaints, Section 4.5)
  • Third-party services (Stripe outages, Google Cloud failures, payment processor issues)

11.2 Force Majeure

Neither party is liable for delays caused by:

  • War, terrorism, sanctions, embargoes
  • Natural disasters (floods, earthquakes)
  • Internet backbone failures, DDoS attacks
  • Government actions (emergency laws, service shutdowns)
  • Google Cloud outages, AI service disruptions

11.3 Indemnification

You agree to indemnify and hold harmless SIA Fluxy One from claims arising from:

(a) Your content:

  • IP infringement (unauthorized use of trademarks, logos, images)
  • False or misleading product information
  • Violations of GPSR, ESPR, or product safety laws

(b) Regulatory penalties:

  • Fines imposed by EU regulators for non-compliant DPPs
  • Customs penalties for incorrect product data
  • Consumer protection violations

(c) Product liability:

  • Consumer injuries caused by defective products or incorrect safety warnings
  • Damages resulting from AI translation errors that you failed to correct

(d) Unauthorized GTINs:

  • Claims by GS1 or other GTIN holders for unauthorized use

Example Scenarios:

Scenario 1: AI Mistranslation. You publish a DPP with safety warning "Not suitable for children under 3 years". AI mistranslates to "Suitable for children under 3 years". Child chokes on small part. Parents sue Fluxy. Result: You indemnify Fluxy (you were responsible for verifying translations).

Scenario 2: Fake Certification. You claim product is "CE marked" but it's not actually certified. Regulator fines you €10,000. Regulator also issues warning to Fluxy for hosting false data. Result: You indemnify Fluxy (you provided false information).

Scenario 3: Unauthorized GTIN. You use a competitor's GTIN for your own product. GS1 or competitor sues for trademark infringement. Result: You indemnify Fluxy (you violated GTIN licensing).

12. CONFIDENTIALITY

12.1 Definition

"Confidential Information" includes:

  • Your business plans, pricing strategies, supplier lists
  • Non-public product specifications
  • API keys, login credentials
  • Contract terms and pricing agreements

12.2 Obligations

We will:

  • NOT disclose your Confidential Information to third parties (except subprocessors under NDA or as required by law)
  • Use industry-standard security measures (encryption, access controls)
  • Notify you of data breaches within 72 hours (GDPR requirement)

Exceptions:

  • Information already public (e.g., published DPP data)
  • Required by law (court orders, regulator requests)

13. API ACCESS AND INTEGRATION

13.1 API Availability

  • Free Tier: No API access
  • DPP Light: Read-only API (retrieve product data)
  • DPP Extended/Pro: Full API (create, update, delete products)

13.2 API Terms

If you use our API:

  • You must keep API keys confidential
  • Fair use policy applies (no rate limits, but no abuse)
  • You may NOT scrape or abuse the API
  • You may NOT resell API access to third parties

For API partnerships (e.g., Avery integration), see our separate API Partnership Terms.

13.3 API Uptime

API uptime is included in Service Level calculations (Section 8.1-8.2). If the API is unavailable, you may qualify for Service Credits.

14. AMENDMENTS AND UPDATES

14.1 Changes to Terms

We may update these Terms at any time. Changes will be effective:

  • For Free Tier: Immediately upon posting at https://fluxy.one/zero-box-terms
  • For Paid Tiers: 30 days after email notification

If you do not accept the new terms, you may cancel your subscription before they take effect.

14.2 Regulatory Changes (ESPR Updates)

If EU DPP regulations change, we will update the Service to remain compliant. We may:

  • Add new mandatory data fields to paid tiers
  • Require you to update existing DPPs within a reasonable timeframe (e.g., 90 days)
  • Notify you via email of required actions

Failure to comply may result in QR code deactivation (to avoid regulatory penalties for both parties).

15. GOVERNING LAW AND DISPUTE RESOLUTION

15.1 Governing Law

This Agreement is governed by the substantive law of the Republic of Latvia, excluding conflict-of-law provisions.

15.2 Dispute Resolution

For EU Consumers:

  • You may file complaints with the Latvian Consumer Rights Protection Centre (CRPC)
  • EU Online Dispute Resolution (ODR) platform: https://ec.europa.eu/consumers/odr

For Business Clients:

  • Disputes shall be resolved by arbitration under the rules of the Luxembourg Arbitration Association
  • Language: English
  • Seat: Luxembourg
  • Arbitration costs borne equally by both parties

15.3 Exceptions

Either party may seek injunctive relief in a court of competent jurisdiction for:

  • IP infringement
  • Data breaches
  • Violation of confidentiality obligations

16. MISCELLANEOUS

16.1 Entire Agreement

These Terms, together with our Privacy Policy, Cookie Policy, and DPA (Appendix A), constitute the entire agreement between you and SIA Fluxy One.

16.2 Severability

If any provision is found invalid, the remaining provisions remain in full effect.

16.3 Assignment

You may NOT assign or transfer this Agreement without our written consent. We may assign this Agreement to an affiliate or successor entity with 30 days' notice.

16.4 No Waiver

Our failure to enforce any right does not constitute a waiver of that right.

16.5 Language

The English version of these Terms is the authoritative version. Translations are provided for convenience only.

17. CONTACT INFORMATION

For questions, support, or legal inquiries:
General Support: support@flxy.io
Legal Questions: legal@fluxy.one
Data Protection Officer: dpo@fluxy.one
Billing Issues: billing@fluxy.one
Takedown Requests / Complaints: legal@fluxy.one

Registered Address:
SIA Fluxy One
Rupniecības iela 16-14B
Riga, LV-1010, Latvia
Reg. No. LV40203559086


APPENDIX A: DATA PROCESSING ADDENDUM (DPA)

In accordance with Art. 28 GDPR

1. ROLES AND SUBJECT MATTER

1.1 Data Processing Relationship:

  • For B2B Clients (businesses using Zero Box to create DPPs): You are the Data Controller, and SIA Fluxy One is the Data Processor.
  • For B2C Scanning (consumers scanning QR codes): SIA Fluxy One is the Data Controller for scan analytics.

1.2 Subject Matter of Processing:

Processing involves personal data necessary to provide Zero Box services:

  • Client Account Data: Name, email, company name, billing address (if business)
  • Product Contact Data: Names and emails of responsible persons listed in DPPs (e.g., for EU GPSR compliance)
  • Consumer Scan Data: Timestamp, country, device type (anonymized, no personal identifiers)

1.3 Purpose of Processing:

  • Provide Zero Box dashboard and QR code generation services
  • Display Digital Product Passports to consumers
  • AI-powered translation (Google Cloud Translation API, Vertex AI, Gemini)
  • Comply with ESPR and EU DPP regulations
  • Process payments (via Stripe/PayPal subprocessors)
  • Provide customer support

1.4 Duration of Processing:

  • For the duration of your subscription
  • Plus retention period (12 months after termination for business records)
  • Plus ESPR archive period (10-15 years for published DPPs)

2. PROCESSOR OBLIGATIONS

2.1 Instructions:
SIA Fluxy One will process personal data only on your documented instructions, which are:

  • These Terms of Service
  • Settings configured in your Zero Box dashboard
  • Email instructions to legal@fluxy.one or dpo@fluxy.one

2.2 Confidentiality:
All personnel accessing personal data are bound by confidentiality obligations (employment contracts, NDAs).

2.3 Security Measures:
We implement the following technical and organizational measures (TOMs):

  • Encryption in transit: TLS 1.3+ for all HTTPS connections
  • Encryption at rest: AES-256 for stored data
  • Access controls: Multi-Factor Authentication (MFA) for staff, role-based access
  • Backup & Recovery: Daily automated backups, tested quarterly
  • Monitoring: Real-time intrusion detection, security logging
  • Incident Response: Data breach notification within 72 hours (GDPR Art. 33)
  • Version Control: SHA-256 hashes for all DPP versions

2.4 Audit Rights:
Upon written request (maximum once per year), you may:

  • Request security audit reports (SOC 2 Type II, ISO 27001 if available)
  • Review our data processing practices
  • Conduct on-site audits (with 30 days' notice, during business hours, at your expense)

3. SUB-PROCESSORS

3.1 General Authorization:
You grant SIA Fluxy One general written authorization to engage sub-processors, subject to the following conditions:

  • 30 days' advance notice of new sub-processors (via email)
  • You may object if the sub-processor does not meet GDPR standards
  • If you object, we will either find an alternative or allow you to terminate the Agreement without penalty

3.2 Current Sub-Processors:

| Sub-Processor | Service | Location | Legal Basis |
|---|---|---|---|
| Google Cloud Platform (Google Ireland Ltd) | Hosting (Belgium), AI (Translation API, Vertex AI, Gemini) | EU (Belgium, Netherlands) | Standard Contractual Clauses (SCCs) |
| Stripe Payments Europe Ltd | Payment processing | EU (Ireland) | SCCs |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing | EU (Luxembourg) | SCCs |
| Revolut Ltd | Payment processing | EU (Lithuania) | SCCs |
| Odoo S.A. | CRM | EU (Belgium) | SCCs |
| Crisp IM SARL | Customer support chat | EU (France) | SCCs |
| Hugo.ai | AI support assistant | EU/USA | SCCs |
| SendPulse | Email marketing | EU/USA | SCCs |
| Mailchimp (Intuit Inc.) | Email marketing | USA | SCCs |
| Mailerlite | Email marketing | EU (Lithuania) | SCCs |

3.3 Sub-Processor Obligations:
All sub-processors are contractually bound to:

  • Comply with GDPR
  • Implement appropriate security measures
  • Notify us of data breaches within 24 hours
  • Delete data upon termination

4. INTERNATIONAL DATA TRANSFERS

4.1 Primary Data Location:
All personal data is stored in the European Economic Area (EEA):

  • Primary data center: Google Cloud Belgium
  • Backup data center: EU-West (Belgium, Netherlands)

4.2 Transfers Outside the EEA:
Some sub-processors (Mailchimp, Hugo.ai, SendPulse) may process data in the United States. These transfers are conducted using:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (2021/914)
  • Supplementary Measures: Encryption in transit and at rest, pseudonymization where feasible
  • Data Protection Impact Assessment (DPIA): Available upon request

4.3 No Transfers to Unsafe Countries:
We do NOT transfer personal data to countries without GDPR adequacy decisions (e.g., China, Russia) unless:

  • Required by law (e.g., customs data for international shipments)
  • You explicitly instruct us to do so

5. DATA SUBJECT RIGHTS

5.1 Assistance with Rights Requests:
If a consumer or business contact submits a GDPR rights request (access, deletion, correction, portability), we will:

  • Forward the request to you within 3 business days (if you are the Controller)
  • Assist you in fulfilling the request (e.g., providing data exports)
  • Respond directly if we are the Controller (for scan analytics)

5.2 Response Timeframe:
We will assist you in responding to rights requests within 30 days of receiving the request (GDPR Art. 12).

5.3 Data Deletion:
If you or a data subject requests deletion:

  • We will delete personal data within 30 days (unless ESPR archive applies)
  • Published DPPs may remain in read-only archive (legal obligation, 10-15 years)
  • Backup data will be deleted within 90 days (next backup rotation cycle)

6. DATA BREACH NOTIFICATION

6.1 Incident Response:
In the event of a personal data breach, we will:

  • Within 24 hours: Assess the scope and severity
  • Within 72 hours: Notify you via email to the account holder and dpo@fluxy.one
  • Within 7 days: Provide a detailed incident report (affected data, root cause, remediation)

6.2 Your Obligations:
If we notify you of a breach:

  • You (as Controller) must notify your supervisory authority within 72 hours (if required under GDPR Art. 33)
  • You (as Controller) must notify affected data subjects if the breach poses a high risk (GDPR Art. 34)

7. RETURN AND DELETION OF DATA

7.1 Upon Termination:
When the Agreement terminates, we will:

  • Within 30 days: Provide you with a final data export (JSON/CSV)
  • Within 90 days: Delete all personal data from active systems

Exception: ESPR Archive Data

  • Published DPPs will remain in read-only archive for 10-15 years (legal requirement)
  • You will be notified when archive data is finally deleted

7.2 Certification of Deletion:
Upon request, we will provide a written certification confirming deletion of all personal data (except archived data).

8. CONTACT FOR DPA MATTERS

For questions or requests related to data processing:
Data Protection Officer (DPO):

Email: dpo@fluxy.one
Phone: +371 26125210
Address: SIA Fluxy One, Rupniecības iela 16-14B, Riga, LV-1010, Latvia

END OF ZERO BOX TERMS OF SERVICE

©2026 SIA Fluxy One. All rights reserved.
LV40203559086 | PIC: 877411658 | D-U-N-S®: 965808875