Terms of Service

1 Acceptance of Terms

These Terms of Service ("Terms") constitute a legally binding agreement between you ("User," "you," or "your") and Self Multiplexer ("SelfMux," "we," "us," or "our") governing your access to and use of the SelfMux service, website, and any related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms, including the Privacy Policy incorporated by reference. If you do not agree to these Terms, you must not access or use the Service.

These Terms include specific, irrevocable commitments regarding data protection that survive any business transfer, acquisition, merger, or change of control. These protections are enforceable by any User and cannot be waived or modified without explicit written consent from each affected User.

2 Definitions

For purposes of these Terms:

• "Service" means the Self Multiplexer platform, including all software, websites, APIs, and related services.
• "User Data" means any data, information, or content submitted, uploaded, or generated by Users through the Service, including personal data, profile information, and authorization records.
• "Historical Data" means all User Data processed by the Service prior to any Business Transfer Event.
• "Business Transfer Event" means any merger, acquisition, consolidation, sale of assets, change of control, bankruptcy, reorganization, name change, change of business purpose or model, partnership, joint venture, or any other transaction, event, or arrangement that results in a change of ownership, operation, or control of SelfMux, regardless of the nature, circumstances, or rationale for such change.
• "Successor Entity" means any person, corporation, partnership, or other entity that acquires SelfMux or its assets through a Business Transfer Event.
• "Data Protection Commitments" means the irrevocable commitments set forth in Section 4 of these Terms.
• "Monetization" means any act of selling, licensing, renting, leasing, or otherwise deriving revenue from User Data, including but not limited to advertising, data brokerage, or third-party analytics.

3 Description of Service

SelfMux provides a distributed identity platform that enables Users to control their personal information and share it securely with websites and services they trust. The Service facilitates:

• Secure authentication using passkeys and WebAuthn/FIDO2 standards
• User-controlled data sharing with granular permissions
• Complete audit trails of data access
• Instant revocation of site access
• Multiple personas for different contexts
• End-to-end encryption of sensitive data

The Service operates on a principle of user data sovereignty: Users maintain complete ownership and control of their data at all times.

4 Irrevocable Data Protection Commitments

4.1 No Monetization Commitment

SelfMux hereby covenants and agrees that:

• SelfMux shall not, and shall not permit any Successor Entity to, engage in Monetization of User Data
• SelfMux shall not, and shall not permit any Successor Entity to, sell, rent, lease, license, or transfer User Data to any third party for monetary or other consideration
• SelfMux shall not, and shall not permit any Successor Entity to, use User Data for advertising, marketing, or promotional purposes
• SelfMux shall not, and shall not permit any Successor Entity to, share User Data with data brokers, aggregators, or analytics providers except as explicitly authorized by the User

This commitment applies in perpetuity to all Historical Data and to all data of Users who registered prior to any Business Transfer Event.

4.2 Privacy Policy Immutability

SelfMux hereby covenants and agrees that:

• The Privacy Policy in effect at the time of any Business Transfer Event shall remain in full force and effect with respect to all Historical Data
• No changes to the Privacy Policy shall be made that reduce privacy protections or expand data sharing permissions for Historical Data without explicit, affirmative, opt-in consent from each affected User
• Any Successor Entity must adopt and maintain privacy protections at least as stringent as those in the Privacy Policy in effect immediately prior to the Business Transfer Event
• Grandfathering provision: Users who registered before a Business Transfer Event shall forever be governed by the Privacy Policy in effect at their time of registration, unless they explicitly consent to changes

4.3 Data Handling Standards

SelfMux hereby covenants and agrees that the following data handling standards shall apply to all User Data, including Historical Data, regardless of any Business Transfer Event:

• User Authorization Required: User Data shall only be shared with third parties explicitly authorized by the User
• Granular Control: Users shall maintain the ability to control exactly which data fields are shared with each authorized party
• Instant Revocation: Users shall maintain the ability to revoke access instantly, with global effect within 60 seconds
• Audit Trail: Complete, immutable audit logs of all data access shall be maintained and accessible to Users
• Encryption: User Data shall be encrypted at rest using AES-256-GCM or equivalent and in transit using TLS 1.3 or better
• No Tracking: The Service shall not employ tracking cookies, fingerprinting, or other tracking technologies for purposes other than service delivery and security

4.4 Scope of Protected Data

The Data Protection Commitments apply to all categories of data processed by the Service, including but not limited to:

• Account information (email, username, authentication credentials)
• Profile information and persona data
• Authorization records and access grants
• Audit logs and access history
• Device information and session data
• Any data derived, inferred, or generated from the above

Critical provision: If the Service processed data category X prior to a Business Transfer Event, data category X shall be permanently protected from Monetization, regardless of whether future features or services involve similar data categories.

5 Business Transfers and Change of Control

5.1 Mandatory Conditions for Business Transfers

In the event of any Business Transfer Event, the following conditions are mandatory and shall be incorporated into any transfer agreement:

1. Successor Binding: The Successor Entity must execute a written agreement explicitly accepting and binding itself to all Data Protection Commitments set forth in Section 4
2. User Notice: All Users must receive at least 90 days advance notice of any Business Transfer Event, including:
   • Identity of the Successor Entity
   • Confirmation that Data Protection Commitments will be honored
   • Detailed explanation of any changes to service operations
   • Instructions for data export and account deletion
3. Opt-Out Right: Users shall have the right to:
   • Delete their accounts and all associated data
   • Export all data in machine-readable format
   • Revoke all third-party authorizations
   at any time during the 90-day notice period without penalty
4. Pre-Transfer Automatic Deletion: Users may flag their accounts for automatic deletion in the event of any Business Transfer Event. When flagged:
   • User data shall be permanently and irretrievably deleted from all SelfMux systems immediately upon notice of a Business Transfer Event
   • Deletion occurs prior to any resources, data, or assets changing hands or transferring to any Successor Entity
   • Deletion must be completed before the transaction is finalized or any data becomes accessible to the Successor Entity
   • Users receive confirmation of deletion via their registered email address
   • This flag can be set or removed at any time through the account dashboard
5. Data Segregation: Historical Data must be maintained separately from any data processed by the Successor Entity under different terms, with appropriate technical and organizational safeguards
6. Escrow Requirement: A complete, encrypted copy of all Historical Data and audit logs must be placed in escrow with an independent third party, accessible to Users in the event of breach

5.2 Prohibited Actions

In connection with any Business Transfer Event, the following actions are expressly and absolutely prohibited, regardless of the circumstances, nature, purpose, financial condition, business rationale, or any other factor relating to the Business Transfer Event:

• Absolute Monetization Prohibition: The Successor Entity shall not monetize Historical Data under any circumstances, including but not limited to situations involving bankruptcy, financial distress, creditor demands, new business models, market changes, or strategic pivots. This prohibition applies irrespective of the reason for the Business Transfer Event, the identity of the Successor Entity, or any claimed necessity or business justification.
• Policy Downgrade: The Successor Entity shall not reduce privacy protections for Historical Data
• Forced Migration: Users shall not be required to accept new terms as a condition of continued service access
• Bundling: Historical Data shall not be bundled, combined, or cross-referenced with data from other services operated by the Successor Entity without explicit User consent
• Inference and Profiling: The Successor Entity shall not create profiles, segments, or inferences from Historical Data for purposes beyond those authorized under the original Privacy Policy
• Circumvention: No attempt shall be made to circumvent these prohibitions through technicalities, restructuring, rebranding, subsidiary creation, or any other means

5.3 Successor Entity Obligations

Any Successor Entity shall be obligated to:

• Maintain the Service with at least the same level of security and privacy protections
• Honor all existing user authorizations and access controls
• Provide Users with the same data export and deletion capabilities
• Maintain audit logs in accordance with Section 4.3
• Respond to User data requests within the same timeframes as SelfMux
• Submit to annual independent security audits, with results made available to Users

5.4 Automatic Termination Provision

Material Breach: If a Successor Entity materially breaches any Data Protection Commitment:

• All Users shall have the immediate right to terminate their accounts with full data deletion
• The Successor Entity must notify all affected Users within 48 hours of discovery of the breach
• The escrowed data shall be released to Users or permanently deleted per User instruction
• Users shall have standing to seek injunctive relief and damages as set forth in Section 6

6 User Rights and Enforcement

6.1 Enforcement Rights

Each User is an express third-party beneficiary of the Data Protection Commitments and has standing to enforce these Terms against SelfMux or any Successor Entity. Users may seek:

• Injunctive Relief: Immediate injunctive relief to prevent or remedy any breach of Data Protection Commitments
• Specific Performance: Court orders requiring compliance with Data Protection Commitments
• Damages: Compensatory damages for any harm resulting from breach, including:
  • Actual damages proven by User
  • Statutory damages of $1,000 per violation, where applicable
  • Attorney's fees and costs
  • Punitive damages for willful or egregious violations

6.2 Class Action Rights

Notwithstanding any other provision in these Terms, Users retain the right to bring class action lawsuits to enforce Data Protection Commitments. Any arbitration provision in these Terms does not apply to claims seeking to enforce the protections in Sections 4 and 5.

6.3 No Waiver

The Data Protection Commitments cannot be waived, limited, or modified by:

• Continued use of the Service
• Acceptance of updated Terms of Service
• Any form of clickwrap or browsewrap agreement
• Any provision in these Terms or any future agreement

Any attempted waiver is void and unenforceable.

6.4 Data Subject Rights

In addition to enforcement rights, Users have the following data subject rights:

• Right to Access: View all data held about you
• Right to Rectification: Correct inaccurate data
• Right to Deletion: Permanently delete your account and all data
• Right to Data Portability: Export data in machine-readable format
• Right to Revocation: Instantly revoke all third-party access
• Right to Audit: Review complete audit logs of data access
• Right to Object: Object to any use of data beyond service provision
• Right to Pre-Transfer Deletion: Flag account for automatic deletion in the event of any Business Transfer Event, ensuring data is permanently deleted before any transaction is finalized

7 Account Terms

7.1 Account Creation

To use the Service, you must create an account. You agree to:

• Provide accurate, current, and complete information
• Maintain the security of your passkeys and authentication credentials
• Notify us immediately of any unauthorized access
• Be responsible for all activities under your account

7.2 Age Requirement

You must be at least 13 years of age (or 16 in the EU) to use the Service. By using the Service, you represent and warrant that you meet this age requirement.

7.3 Account Responsibilities

You are responsible for:

• Maintaining accurate profile information
• Managing third-party authorizations appropriately
• Reviewing audit logs for unauthorized access
• Using the Service in compliance with applicable laws

8 Prohibited Conduct

You agree not to:

• Violate any applicable laws or regulations
• Infringe upon intellectual property rights
• Upload malicious code or conduct security attacks
• Attempt to gain unauthorized access to the Service or other accounts
• Interfere with or disrupt the Service
• Use the Service to transmit spam or unsolicited communications
• Impersonate others or provide false information
• Scrape, crawl, or harvest data from the Service
• Use the Service for any unlawful purpose

9 Intellectual Property

9.1 SelfMux Intellectual Property

The Service, including all software, designs, text, graphics, and other content, is owned by SelfMux and protected by intellectual property laws. You are granted a limited, non-exclusive, non-transferable license to use the Service for its intended purpose.

9.2 User Data Ownership

You retain all ownership rights to your User Data. By using the Service, you grant SelfMux a limited license to process your data solely for the purpose of providing the Service. This license:

• Is non-exclusive and revocable at any time
• Does not include any right to monetize or transfer your data
• Terminates upon account deletion
• Does not grant any rights to Successor Entities beyond those in Section 5

10 Termination

10.1 Termination by User

You may terminate your account at any time by:

• Using the account deletion feature in your dashboard
• Contacting us at support@nro.pub

Upon termination, your data will be deleted in accordance with our Privacy Policy.

10.2 Termination by SelfMux

We may suspend or terminate your account if:

• You violate these Terms
• Your account is used for illegal activities
• We are required to do so by law
• Your account poses a security risk

We will provide notice before termination except where immediate action is required for security or legal reasons.

10.3 Effect of Termination

Upon termination:

• Your access to the Service will cease immediately
• All third-party authorizations will be revoked
• Your data will be deleted in accordance with the Privacy Policy
• Sections 4, 5, 6, 11, 12, and 13 of these Terms survive termination

11 Disclaimers and Limitations

11.1 Service Provided "As Is"

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. TO THE MAXIMUM EXTENT PERMITTED BY LAW, SHAREMUX DISCLAIMS ALL WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

Important Note: This disclaimer does not affect the Data Protection Commitments in Section 4, which are absolute and not subject to disclaimer.

11.2 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, SHAREMUX SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUES, WHETHER INCURRED DIRECTLY OR INDIRECTLY, OR ANY LOSS OF DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES.

Exception: This limitation does not apply to:

• Violations of Data Protection Commitments
• Gross negligence or willful misconduct
• Violations of privacy or data protection laws
• Claims where limitation is prohibited by law

11.3 Third-Party Sites

When you authorize third-party sites to access your data, those sites are responsible for their own data handling practices. SelfMux is not responsible for the privacy practices or content of third-party sites, even if you access them through the Service.

12 Indemnification

You agree to indemnify, defend, and hold harmless SelfMux, its affiliates, officers, directors, employees, and agents from any claims, liabilities, damages, losses, and expenses, including reasonable attorney's fees, arising out of or related to:

• Your use of the Service
• Your violation of these Terms
• Your violation of any rights of another party
• Your User Data

This indemnification obligation does not apply to claims arising from SelfMux's breach of Data Protection Commitments.

13 Dispute Resolution

13.1 Governing Law

These Terms shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions.

13.2 Arbitration Exception

Data Protection Claims Excluded: Any claims seeking to enforce the Data Protection Commitments in Sections 4, 5, or 6 are NOT subject to arbitration and may be brought in any court of competent jurisdiction. Users retain the right to bring class actions for such claims.

13.3 Other Disputes

For disputes not involving Data Protection Commitments, the parties agree to first attempt informal resolution by contacting legal@nro.pub. If informal resolution is unsuccessful within 60 days, either party may pursue formal dispute resolution.

13.4 Jurisdiction and Venue

For claims involving Data Protection Commitments, you and SelfMux consent to the exclusive jurisdiction of the state and federal courts located in Delaware. For all other claims, jurisdiction and venue shall be determined by applicable law.

14 General Provisions

14.1 Entire Agreement

These Terms, together with the Privacy Policy, constitute the entire agreement between you and SelfMux regarding the Service and supersede all prior agreements and understandings.

14.2 Amendments

We may amend these Terms from time to time. However:

• Data Protection Commitments (Sections 4, 5, 6) cannot be amended to reduce protections without explicit written consent from each affected User
• For other amendments, we will provide at least 30 days notice
• Material changes require affirmative acceptance
• Continued use after the notice period constitutes acceptance of non-material changes

14.3 Severability

If any provision of these Terms is found to be unenforceable, the remaining provisions will remain in full force and effect. The Data Protection Commitments are severable from all other provisions and shall remain enforceable regardless of the validity of any other provision.

14.4 No Waiver

Our failure to enforce any right or provision in these Terms does not constitute a waiver of that right or provision.

14.5 Assignment

You may not assign or transfer these Terms or your account without our written consent. We may assign these Terms only in connection with a Business Transfer Event that complies with Section 5.

14.6 Notices

Notices to you may be sent to the email address associated with your account. Notices to us should be sent to legal@nro.pub.

14.7 Force Majeure

SelfMux shall not be liable for any failure or delay in performance due to circumstances beyond our reasonable control, except that this provision does not excuse compliance with Data Protection Commitments.

14.8 Contact Information

For questions about these Terms, contact us at:

• General Inquiries: legal@nro.pub
• Privacy Concerns: privacy@nro.pub
• Security Issues: security@nro.pub