Terms & Privacy
Use ExactOnce fairly, keep your credentials secure, don't abuse the API, and understand that during private beta the service is provided as-is. The full legal text follows below.
Acceptance of Terms
By accessing or using the ExactOnce API, website, or any associated services (collectively, the "Service"), you agree to be bound by these Terms of Service ("Terms"). If you are using the Service on behalf of an organisation, you represent that you have authority to bind that organisation to these Terms.
If you do not agree to these Terms, do not use the Service. Your continued use of the Service after any changes to these Terms constitutes acceptance of those changes.
The Service
ExactOnce provides a developer API for creating and managing single-use, time-limited actions with exactly-once consumption guarantees. The Service includes the API, documentation, dashboard, and any client libraries we publish.
ExactOnce is a single-purpose infrastructure primitive. We do not provide authentication systems, user management, identity verification, or payment processing. We store action payloads on your behalf but are not responsible for the business logic you build on top of the Service.
Private Beta Program
The Service is currently in private beta. During this period:
- Access is by invitation only and may be revoked at any time without notice.
- The Service is provided free of charge. Pricing will be introduced before general availability with reasonable advance notice.
- Features, API structure, and behaviour may change without backward-compatibility guarantees.
- Uptime and data retention targets are provided on a best-efforts basis only — no SLA applies during beta.
- We may ask you for feedback. You're not obligated to provide it, but we genuinely want it.
Do not use the beta Service for production workloads where data loss or downtime would cause material harm. We will communicate clearly before the Service is considered production-ready.
Accounts & API Keys
To use the Service you will receive a client-id and client-secret. You are responsible for:
- Keeping your client-secret confidential and never exposing it in client-side code, public repositories, or logs.
- All API activity that occurs under your credentials, whether authorised by you or not.
- Notifying us immediately at hello@exactonce.com if you suspect your credentials have been compromised.
- Rotating compromised credentials promptly via the dashboard.
We reserve the right to suspend credentials that appear to be misused or compromised, with or without prior notice.
Acceptable Use
You may use the Service only for lawful purposes consistent with these Terms. You must not:
- Use the Service to transmit or store illegal content, including content that violates privacy laws or intellectual property rights.
- Attempt to circumvent rate limits, authentication, or security measures.
- Resell or sublicense access to the Service without our written permission.
- Use the Service to conduct denial-of-service attacks, spam campaigns, or any activity that disrupts or degrades the Service for others.
- Reverse engineer, decompile, or attempt to extract the source code of any component of the Service.
- Store sensitive regulated data (e.g. full payment card numbers, government ID numbers, protected health information) in action payloads without appropriate safeguards and our written agreement to support that use case.
- Represent your product as ExactOnce or use our branding without permission.
We impose rate limits to protect the reliability of the Service for all users. Current limits are communicated in the API documentation. We will attempt to notify you before taking action for sustained limit violations, but reserve the right to throttle or suspend access immediately in cases of abuse.
Your Data
You retain all rights to the data you store in action payloads ("Customer Data"). We do not claim ownership of Customer Data.
By using the Service, you grant us a limited, non-exclusive licence to store, process, and transmit Customer Data solely as necessary to provide the Service to you. We will not access your payload data except to provide the Service, investigate security incidents, or as required by law.
You may delete individual actions via the API at any time. Upon termination of your account, we will delete your Customer Data within 30 days, except where retention is required by law. Aggregated, anonymised usage statistics may be retained indefinitely.
Treat payloads as a reference store — store identifiers (user IDs, order IDs, file references) rather than raw sensitive values. We encrypt payload data at rest, but you remain responsible for the sensitivity of the data you choose to include.
Availability & SLA
During private beta, the Service is provided on a best-efforts basis with no uptime guarantee. We aim for high availability but make no commitments regarding minimum uptime, scheduled maintenance windows, or recovery time objectives.
We will communicate planned maintenance and significant incidents via hello@exactonce.com and our status page. SLA commitments will be introduced alongside paid tiers at general availability.
Payment & Pricing
The Service is currently free during private beta. When paid tiers are introduced:
- We will provide at least 30 days' notice before any charges apply to existing beta users.
- Pricing, billing cycles, and refund policies will be published in the documentation at that time.
- Continued use of the Service after billing commences constitutes acceptance of the applicable pricing.
Intellectual Property
The Service, including all software, documentation, and brand assets, is owned by ExactOnce, Inc. and protected by applicable intellectual property laws. Nothing in these Terms transfers any ownership of our IP to you.
If you provide feedback, suggestions, or bug reports about the Service, you grant us a perpetual, irrevocable, royalty-free licence to use that feedback for any purpose without obligation to you.
Our open-source client libraries are published under their respective licences (typically MIT). Those licences govern your use of that code separately from these Terms.
Termination
Either party may terminate these Terms at any time. You may stop using the Service and request account deletion by emailing hello@exactonce.com. We may suspend or terminate your access immediately if:
- You breach any provision of these Terms and fail to remedy the breach within 7 days of notice.
- We determine your use poses a security or legal risk to ExactOnce or other users.
- We discontinue the Service (with reasonable notice where feasible).
Upon termination, your right to use the Service ceases immediately. Sections covering intellectual property, limitation of liability, and governing law survive termination.
Limitation of Liability
The Service is provided "as is" and "as available" without warranties of any kind, express or implied, including warranties of merchantability, fitness for a particular purpose, or non-infringement.
To the maximum extent permitted by applicable law, ExactOnce, Inc. shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenue, data, or business opportunities arising out of or related to your use of the Service.
Our total aggregate liability for any claim arising from these Terms or the Service shall not exceed the greater of (a) the amounts you paid us in the 12 months prior to the claim, or (b) USD $100. During private beta when the Service is provided free, our aggregate liability is limited to USD $100.
Some jurisdictions do not allow the exclusion of implied warranties or limitation of liability for consequential damages. In those jurisdictions, our liability is limited to the maximum extent permitted by law.
Changes to These Terms
We may update these Terms from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Send notice to your registered email address at least 14 days before changes take effect.
- For significant changes during beta, we may require re-acceptance before continued access.
Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated Terms.
Governing Law & Disputes
These Terms are governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles. Any dispute arising from these Terms shall first be addressed through good-faith negotiation. If unresolved within 30 days, disputes shall be submitted to binding arbitration under the rules of the American Arbitration Association, conducted in English.
Notwithstanding the above, either party may seek injunctive or other equitable relief in any court of competent jurisdiction for matters relating to intellectual property or confidentiality.
Contact
Questions about these Terms? We're a small team — email us directly.
We collect what we need to run the service, we don't sell your data, action payloads are yours, and you can ask us to delete everything at any time.
Overview
This Privacy Policy explains how ExactOnce, Inc. ("ExactOnce", "we", "us", "our") collects, uses, and protects information when you use the ExactOnce API and related services ("Service"). It applies to developers and organisations using the Service, not to end-users of applications built on top of the Service (your customers).
If you are building a product that processes your own users' personal data via the ExactOnce API (e.g. storing a user's email in an action payload), you are acting as a data controller for that data, and ExactOnce acts as a data processor on your behalf. You are responsible for appropriate notice and consent from your end-users.
What We Collect
When you sign up for beta access, we collect your name, email address, and company name (if provided). This is used to provide access, communicate service updates, and contact you about your account.
We log API requests including timestamps, endpoint called, HTTP method, response status code, request size, response time, and your client-id. We do not log your client-secret. These logs are used for security monitoring, debugging, billing, and improving the Service.
The payload content you include when creating actions is stored and returned on consumption. This is Customer Data — we treat it as yours, access it only to provide the Service, and encrypt it at rest.
We collect IP addresses, user agent strings, and request metadata automatically as part of operating the Service. This data is used for security, rate limiting, and abuse prevention.
| Data Type | Examples | Purpose |
|---|---|---|
| Account info | Email, name, company | Access, communication |
| API logs | Timestamps, endpoints, status codes | Security, debugging, billing |
| Payload data | Your action payloads | Service delivery |
| Technical data | IP addresses, user agents | Security, rate limiting |
| Usage stats | Request counts, error rates | Analytics, improvement |
How We Use It
We use collected data to:
- Provide, operate, and improve the Service.
- Authenticate requests and enforce rate limits.
- Detect, investigate, and prevent security incidents and abuse.
- Communicate service updates, changes to these policies, and (with your consent) product news.
- Generate aggregated, anonymised analytics about Service usage patterns.
- Comply with legal obligations.
We do not use your payload data to train machine learning models. We do not sell or rent any personal data to third parties. We do not serve advertising.
Sharing & Disclosure
We share data only in the following circumstances:
We use sub-processors to operate the Service (cloud infrastructure, monitoring, error tracking). These providers process data only under our instruction and are bound by data processing agreements. Current sub-processors include AWS (infrastructure) and Sentry (error monitoring).
We may disclose data if required by law, court order, or government authority. Where legally permitted, we will notify you before complying and will limit disclosure to the minimum required.
If ExactOnce is acquired, merges, or transfers assets, your data may transfer to the acquiring entity. We will notify you via email and this page before any such transfer, and the acquirer will be bound by this Privacy Policy or a materially equivalent one.
We will not share your data for other purposes without your explicit consent.
Data Retention
We retain different categories of data for different periods:
| Data Type | Retention Period |
|---|---|
| Action payload data | Until action is deleted, account is closed, or plan retention limit is reached |
| Expired action records | 30 days post-expiry (beta); plan-dependent at GA |
| API request logs | 90 days |
| Account information | Duration of account + 30 days post-closure |
| Aggregated usage stats | Indefinitely (anonymised) |
| Legal hold data | As required by applicable law |
You can delete individual actions via the API immediately. To request full account deletion, email hello@exactonce.com. We will complete deletion within 30 days.
Security
We implement the following controls to protect your data:
- Encryption at rest (AES-256) for all payload data and credentials.
- Encryption in transit (TLS 1.2+) for all API communications.
- Hashing (bcrypt) for PIN codes — PINs are never stored in plain text or returned in any response.
- API key hashing — your client-secret is hashed on receipt and never stored in recoverable form.
- Access controls limiting internal access to Customer Data on a need-to-know basis.
- Audit logging of internal access to production systems.
No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to hello@exactonce.com. We will acknowledge reports within 48 hours and work to resolve confirmed vulnerabilities promptly.
Cookies & Tracking
The ExactOnce marketing website uses minimal, privacy-respecting analytics to understand page visits (no cross-site tracking, no fingerprinting). The API itself does not use cookies.
The dashboard may use session cookies necessary for authentication. We do not use advertising cookies, third-party tracking pixels, or behavioural retargeting.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate personal data. |
| Erasure | Request deletion of your personal data (subject to legal retention obligations). |
| Portability | Request your data in a machine-readable format. |
| Restriction | Request that we limit processing of your data in certain circumstances. |
| Objection | Object to processing based on legitimate interests. |
| Opt-out | Unsubscribe from marketing communications at any time. |
To exercise any of these rights, email hello@exactonce.com with your request. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
If you are located in the European Economic Area or UK, you have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data lawfully.
Children's Privacy
The Service is designed for developers and is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.
International Data Transfers
ExactOnce is based in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US. Where required by applicable law (such as GDPR), we implement appropriate safeguards for international transfers, including Standard Contractual Clauses.
Changes to This Policy
We may update this Privacy Policy as the Service evolves. When we make material changes, we will update the "Last updated" date above and notify you via email at least 14 days before changes take effect. We encourage you to review this page periodically.
Contact & Data Controller
ExactOnce, Inc. is the data controller for personal data collected in connection with the Service.
For privacy requests, data subject rights, or questions about this policy:
hello@exactonce.com