Terms of Service

1) Parties & Agreement; Clickwrap

By clicking Create Account, Continue with Google, or similar; checking the acceptance box; or using the Services, you agree to these Terms, the Privacy Policy, the Messaging Compliance Addendum (Addendum A), the Data Processing Addendum (Addendum B), and the Acceptable Use Policy (Addendum C) (collectively, the "Agreement"). We log acceptance (name, email, IP, user agent, timestamp, version). If you accept for an organization, you represent authority to bind it.

2) Definitions

• Account: your Zappycards tenant.
• Contact Data: end-customer data you upload/sync.
• GBP: Google Business Profile you connect.
• Integrations: third-party services you connect (Zapier/CRM/POS, email/SMS gateways).
• Laws: privacy/telecom/platform rules (PIPEDA, CASL, TCPA, CTIA, GDPR/UK GDPR, CPRA, Google policies).
• Services: our app/APIs that (i) connect to GBP to read/post authorized data (e.g., review replies), (ii) import Contact Data via Zapier/API, (iii) run review-request messaging, and (iv) provide analytics, logs, and compliance tooling.

3) Customer Responsibilities

3.1 Account security. Keep credentials confidential; tell us about suspected compromise.

3.2 Lawful inputs. You control your inputs and will message only contacts with valid consent appropriate to jurisdiction and message type.

3.3 Platform compliance. You must follow platform rules (e.g., Google Maps/UGC & Business Profile policies; no review gating or incentives).

3.4 Prohibited use. No illegal/deceptive/abusive content; no malware; no evasion of carrier vetting or use of grey routes; no scraping; no resale without permission.

3.5 Content repurposing (optional). If enabled, you warrant rights/permissions to reuse review content and images; we'll honor takedown requests consistent with platform policy.

4) Integrations, Dependencies, Support, API

4.1 Scopes. You authorize only the scopes you approve; we may adjust/suspend features if required by carriers/platforms/law.

4.2 Third-party dependencies. Features depending on Google/Yelp/Facebook/carriers are subject to their availability, rate limits, and rules; we're not liable for their outages/changes.

4.3 Support & onboarding. Standard email/in-app support. Typical onboarding: one session (~30–40 minutes) to connect GBP/integrations and publish templates; complex setups may require more.

4.4 API & fair use. Use documented endpoints and auth; we may throttle/suspend abusive or excessive calls.

5) Messaging Program Essentials (recipient-facing)

6) Fees & Taxes (Billed every 4 weeks)

Billing cycle. Unless stated otherwise, subscriptions bill every 28 days to the payment method on file.

Pass-through at cost. SMS/MMS, email delivery, A2P 10DLC/toll-free verification and surcharges, and carrier pass-throughs are rebilled at cost (no markup). Taxes are your responsibility.

Auto-renew; cancellation. Each 28-day cycle auto-renews unless cancelled before the cycle ends; cancellation is effective at cycle end.

No refunds except where required by law or expressly stated.

6A) Payment; disputes; late fees; changes

Processor. We use a third-party processor (e.g., Stripe) for recurring charges; you agree to their terms.

Invoice disputes. Notify us within 15 days of invoice/charge; undisputed amounts remain due.

Late fees; suspension. Overdue sums may incur 1.5%/month interest (or legal max) and service suspension; reactivation fees may apply. Unjustified chargebacks are a material breach.

Changes. Base subscription fees may change with 30 days' notice (email/in-app). Carrier/email pass-throughs may change at any time and are rebilled at cost.

7) IP; Publicity; Agencies

7.1 Ownership. You own your content and Contact Data; we own the Services. You grant us a limited licence to process data to provide/improve the Services, prevent fraud/abuse, and comply with law.

7.2 Publicity & feedback. Unless you opt out, we may identify you (name/logo) as a customer (no confidential info). Feedback may be used to improve the Services.

7.3 Agencies & multi-location. Agencies/franchises will (i) obtain downstream acceptance, (ii) separate locations/workspaces, (iii) ensure user compliance. We may require direct end-client acceptance for certain features.

8) Confidentiality; Security; Force majeure

8.1 Confidentiality. Each party protects the other's Confidential Information with reasonable care; use only for this Agreement.

8.2 Security program. We maintain administrative/technical/physical safeguards proportionate to risk (see Privacy & DPA).

8.3 Force majeure. Neither party is liable for delays/failures due to events beyond reasonable control (including platform/carrier outages, internet failures, DDoS, acts of God, labour disputes, government actions). Payment obligations excluded.

9) Suspension & Termination; Data Return

We may suspend immediately for violations of law/platform/carrier rules, security risk, or abuse. Either party may terminate for uncured material breach after 30 days' notice. On termination, we provide export for 30 days and then delete/de-identify Customer Personal Data per our retention schedule (we retain suppression logs to honor opt-outs). No guarantee of outcomes or deliverability (platform/carrier policies apply).

10) Warranties; Disclaimers; High-risk use

We warrant the Services will perform materially per documentation; exclusive remedy is re-performance or pro-rata refund for the affected period. Otherwise, the Services are provided "AS IS" and "AS AVAILABLE." We don't warrant deliverability, outcomes, or your legal compliance. We're not a law firm and don't provide legal advice. The Services aren't for life-support/safety-critical uses.

11) Indemnities

By Customer. You will defend/indemnify us against claims arising from (i) your content/instructions; (ii) your violation of law/platform/carrier rules; (iii) alleged lack of valid consent.

By Zappycards. We will defend/indemnify you against third-party claims that the Services themselves infringe IP (excluding your content, combinations we didn't supply, or non-current versions you decline to update).

12) Liability Cap

13) Governing Law; Venue; Language

New Brunswick law and the federal laws of Canada apply. Venue: courts of New Brunswick, Canada. Class/representative actions are waived where permitted.

English language: The parties confirm that this Agreement and related documents are in English. Les parties confirment que la présente convention et tous les documents s'y rattachant sont rédigés en anglais.

13B) Dispute Resolution; Mediation

Before starting litigation, the parties will attempt in good faith to resolve disputes through a mediation in New Brunswick commenced within 30 days after written notice of the dispute. This does not limit either party's right to seek injunctive relief.

14) Notices; Assignment; Changes to Terms; Order

We may send notices to your account email or in-app. Assignment requires consent (not unreasonably withheld) except to an affiliate or in a merger/acquisition. We may update these Terms with 30 days' notice for material adverse changes; continued use after the effective date constitutes acceptance. Precedence: Order → these Terms → Addendum B (DPA) → Privacy Policy → Addendum A (Messaging) → Addendum C (AUP) → Documentation.

15) Betas; Open-Source; Export; Anti-Corruption; Entire Agreement; Survival

Betas are as-is and may be withdrawn without liability. Open-source components may be included and are licensed under their own terms (notices available on request).

Export & sanctions: You represent you're not on sanctions lists and will comply with Canadian/US/EU export laws; no use in embargoed countries.

Anti-corruption: Each party complies with anti-bribery laws (CFPOA, FCPA, UK Bribery Act). This Agreement is the entire agreement; if any term is unenforceable, the rest remains in effect. Sections intended to survive (Fees, Confidentiality, IP, Indemnities, Limitations, Governing Law, Messaging, AUP) survive termination.

Addendum A --- Messaging Compliance (CASL / TCPA / CTIA / GBP)

A1) Consent & Records

• CASL (Canada): express consent where required; implied consent limited to (i) existing business relationship (generally up to 24 months post-purchase/contract) or (ii) inquiry (6 months); each CEM must include sender identification and a working unsubscribe.
• TCPA (U.S.): prior express consent for informational; prior express written consent (one-to-one seller consent) for marketing texts sent via automated means; revocation by any reasonable means must be honored.
• CAN-SPAM (U.S. email): truthful headers/subjects, clear identification and postal address, and a functioning one-click unsubscribe honored within 10 business days.
• Maintain auditable consent logs (who/what/when/source/method/scope/expiry) and global suppression lists.

A2) Quiet Hours; Registration; STOP/HELP

• Configure per-jurisdiction quiet hours and frequency caps. Complete A2P 10DLC brand/campaign registration (or toll-free verification) before U.S. sends; carriers may block/throttle unregistered traffic.
• We support STOP keywords (STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT); after one confirmation, sending stops to that number (global suppression unless topic-level is configured). HELP returns program contact and opt-out instructions.

A3) Content & Review Integrity

• No illegal/deceptive content; no SHAFT categories; include clear sender identification and opt-out text.
• No review gating and no incentives for reviews. Comply with Google Business Profile/Maps UGC policies for replies/content.

A4) Multi-Platform; Monitoring; Fines

• If you direct review requests to Yelp/Facebook/industry sites, you must follow each platform's solicitation/branding rules.
• We and/or carriers may monitor for spam/abuse. We may suspend/modify messaging to comply with law and platform/carrier rules. Government fines, carrier penalties, and platform sanctions caused by your campaigns may be passed through at cost.

Addendum B --- Data Processing Addendum (Controller ↔ Processor)

B1) Roles & Scope. Customer is controller/business; Zappycards is processor/service provider. We process Customer Personal Data only on documented instructions to provide the Services.

B2) Subprocessors; change notice. We engage subprocessors under written contracts with equivalent protections; we remain responsible. We will give 30 days' notice of material subprocessor changes; you may object on reasonable grounds. If unresolved, we'll work in good faith on alternatives; if none, you may terminate affected Services.

B3) Security (TOMs). Access controls; MFA for admin access; encryption in transit; least-privilege; logging/monitoring; vulnerability management; secure SDLC; vendor risk review; backups/DR.

B4) Incidents; assistance; audits. We will notify you without undue delay of a breach affecting Customer Personal Data and cooperate on mitigation and legally required notices. We assist with data-subject requests, DPIAs, and regulator inquiries. On reasonable notice, we will provide information necessary to demonstrate compliance and allow audits under reasonable conditions and frequency limits.

B5) Transfers; deletion/return; CPRA; HIPAA. For restricted transfers we use EU SCCs (2021/914/EU) (Modules 2/3), UK IDTA/UK Addendum, and Swiss add-on. On termination or request we delete/return Customer Personal Data subject to legal retention and suppression obligations (reasonable fees may apply for bespoke exports). Under CPRA we won't sell or share personal information, won't use/disclose it beyond business purposes, won't combine data except as permitted, and will support verifiable consumer requests. HIPAA: PHI is prohibited unless a BAA is executed in advance.

Addendum C --- Acceptable Use Policy (AUP)

You will not:

• send unlawful, harmful, deceptive, defamatory, harassing, or discriminatory content
• promote illegal goods/services
• send malware, phishing, or exploit links
• attempt unauthorized access or burden the Services
• snowshoe/spam, use grey routes, or bypass registration
• impersonate others or misrepresent identity
• process children's data (<16) or special categories without lawful basis and configuration
• infringe IP or publicity/privacy rights

We may block, throttle, or remove content and suspend accounts to protect recipients, carriers, platforms, or the Service.

Content complaints / takedown. Email support@zappycards.com with the message ID/URL, your contact info, basis of complaint, and proof of rights (where relevant). We may remove content in our reasonable discretion, without waiving defenses.