API Terms of Service
These API Terms of Service govern programmatic access to the Claimful purchase-protection platform. They apply to merchants, integration partners, and developers using the Claimful API, SDKs, webhooks, and developer portal.
1. Acceptance & Scope
By generating API credentials or calling any Claimful API endpoint you accept these terms on behalf of the organization you represent. These terms cover the production and sandbox APIs, the published SDKs, webhook delivery, and the developer portal. They sit alongside your merchant agreement; where a signed merchant agreement exists, that agreement's commercial terms prevail.
2. API Access & Credentials
API credentials are issued per environment (sandbox and production) and are scoped to a single merchant account. You are responsible for keeping credentials secret, rotating them on suspected exposure, and restricting their use to your own integration. Credentials must not be embedded in client-side code, mobile binaries, or any public repository. Claimful may revoke credentials that show signs of compromise or abuse.
3. Rate Limits
The Claimful API enforces a sustained aggregate ceiling of 1000 requests per minute per merchant account, per the public commitment in ADR 0039 §1. Additional per-IP throttling and WAF protections apply at the edge (ADR 0017); these edge controls may reject traffic that is bursty or originates from a narrow IP range even when the aggregate ceiling has not been reached. Rate-limited responses return HTTP 429 with a Retry-After header. Clients must back off and retry rather than retrying immediately in a tight loop.
4. Acceptable Use
You may use the API only to operate a legitimate purchase-protection integration for your own customers. You must not use the API to probe for vulnerabilities, circumvent rate limits, scrape data you are not entitled to, resell raw API access, or process traffic for a third party not covered by your merchant account. Protection plans sold through the API must be presented to customers honestly, including the protection fee and the conditions under which a customer can request a refund.
5. Data & Privacy
Data exchanged through the API is processed under the Claimful Privacy Policy. You must only transmit personal data you are lawfully entitled to share, must honor end-user data rights, and must not use Claimful-returned data for any purpose beyond operating the protected-purchase experience for your customers. Personal data handling, retention, and deletion follow the published privacy commitments at claimful.ai/legal/privacy.
6. Service Levels
Claimful targets 99.9% monthly availability for the production API, per the public commitment in ADR 0039 §2. Availability is measured against successful responses to well-formed requests, excludes scheduled maintenance announced in advance, and excludes downtime caused by factors outside Claimful's control. Sandbox environments carry no availability commitment.
7. Liability & Indemnity
PENDING-LEGAL. The limitation-of-liability cap, the mutual indemnification scope, and the exclusion of consequential damages are pending external counsel drafting. See compliance/legal/LINEAR-FOLLOWUPS-NEEDSFIX-07.md rows FER-88 and FER-94. This section must not be treated as final until counsel sign-off is recorded.
8. Governing Law
PENDING-LEGAL — governing-law clause blocked on entity/EIN procurement (Delaware C-corp). Follow-up: FER-89, see compliance/legal/LINEAR-FOLLOWUPS-NEEDSFIX-07.md
9. Changes & Termination
Claimful may update these terms and will announce material changes through the developer portal and merchant communications before they take effect. Either party may terminate API access in line with the merchant agreement; on termination, you must stop calling the API and destroy stored credentials. Sections covering acceptable use, data handling, and liability survive termination.