API Acceptable Use Policy

Last Updated: November 2025

This Acceptable Use Policy (“Policy”) applies to all use of the PassFlow API, SDKs, tools, and developer services (“Developer Services”).

By accessing or using the Developer Services, you agree to comply with this Policy.

If you violate this Policy, PassFlow may suspend or terminate your access.

1. Respect for Users

You may only process data that you have lawful grounds to collect.

You must provide clear information to your users about how their data is used, stored, and shared.

You may not collect or process data for purposes your users would not reasonably expect.

2. Data Integrity and Protection

You must protect all data sent to or received from the Developer Services with appropriate security measures, including encryption in transit and at rest.

You may not store API keys or sensitive data in client-side code, public repositories, or unsecured environments.

You must promptly delete any data you no longer require for its intended purpose.

3. Prohibited Content and Behaviour

You may not use the Developer Services to:

3.1 Harm Users or Systems

• deploy malware, spyware, or harmful code
• probe, scan, or test the security of PassFlow systems
• attempt to bypass authentication, rate limits, or access controls

3.2 Misuse Identity or Credentials

• impersonate individuals or organisations
• create fraudulent, misleading, or deceptive passes
• access accounts or data without proper authorisation

3.3 Facilitate Unlawful Activity

• violate privacy laws, consumer protection laws, or digital-communications laws
• promote or distribute illegal content
• support activities that are abusive, harassing, or discriminatory

3.4 Misuse PassFlow Services

• scrape, mine, or extract data outside permitted scopes
• interfere with normal operation of the Developer Services
• reverse engineer or attempt to derive source code
• run automated processes that degrade system performance

4. Fair and Responsible Usage

Your use of the Developer Services must remain within published rate limits and technical guidelines.

You may not deliberately generate excessive traffic, create unnecessary load, or attempt to influence system behaviour through artificial means.

PassFlow may apply traffic shaping, throttling, or temporary suspension where usage threatens system stability.

5. Integrity of the PassFlow Ecosystem

Your integration must not:

• mislead users into believing it is built by or officially endorsed by PassFlow
• replicate or materially compete with PassFlow’s core functionality
• interfere with, disrupt, or degrade the experience of other PassFlow customers

You must display the PassFlow brand only in accordance with PassFlow Branding Guidelines.

6. Security Incidents

If you experience or suspect a security incident involving data, API keys, or PassFlow systems, you must notify PassFlow without undue delay.

You must investigate incidents promptly, take corrective action, and cooperate with PassFlow where needed to protect users and systems.

7. Monitoring and Enforcement

PassFlow may monitor API usage for operational, security, and compliance purposes.

PassFlow may suspend or revoke access to the Developer Services at any time where:

• this Policy is violated
• your integration creates security or operational risk
• your usage negatively affects other customers
• required fees have not been paid

PassFlow is not required to provide advance notice but will do so where reasonable.

8. Changes to this Policy

We may update this Policy from time to time.

If changes materially affect your integration, we will provide reasonable notice.
Your continued use of the Developer Services after updates constitutes acceptance.