QuickPatch Code Push Terms of Service

[Effective date: TBD]

These terms (the “Terms”) are a binding agreement between [Company] (“QuickPatch,” “we,” “us”) and the person or entity that registers for or uses the hosted over-the-air code-push service (the “Service,” and you, the “Customer”). By creating an account, clicking “I agree,” or using the Service, you agree to these Terms. If you agree on behalf of an organization, you represent that you are authorized to bind it.

1. Definitions

• Application - a mobile application you own or are authorized to manage and into which you integrate the Service.
• Release - a baseline build of an Application registered with the Service.
• Patch - an over-the-air update to the interpreted (non-native) code, content, or configuration of a Release that you create and distribute through the Service.
• End User - a person who installs or uses your Application.
• Customer Content - the Applications, Releases, Patches, code, assets, configuration, and data you upload to or generate through the Service.

2. The Service

The Service lets you publish Releases and build, cryptographically sign, host, and deliver signed Patches to your Applications’ End Users over the air. Patches update only your Application’s interpreted Dart code (on iOS, executed through an on-device Dart interpreter; on Android, applied as a signed data patch). The Service does not download or modify native binary code. We may improve or change the Service over time and will not materially reduce the core functionality of a paid plan during a paid term without notice.

3. Accounts and API keys

You must provide accurate registration information and keep it current. You are responsible for your account, your API keys, and all activity under them. Keep credentials secret and notify us promptly of any unauthorized use. The Service is for business and professional use by users who can form a binding contract.

4. Your responsibilities and app-store compliance

You are solely responsible for every Release and Patch you distribute and for ensuring each one complies with applicable law and with the policies of the app stores that govern your Applications - including the Apple App Store Review Guidelines (including Guideline 2.5.2), the Apple Developer Program License Agreement (including §3.3.1), and the Google Play Developer Program Policies.

You must not use the Service to deliver a Patch that changes the primary purpose of an Application, that adds features or functionality inconsistent with how the Application was reviewed and advertised, or that is deceptive or designed to evade app-store review. We do not review, endorse, monitor, or assume responsibility for your Patches. See the Trust & Safety policy for the full Acceptable-Use Policy, which is incorporated into these Terms.

5. Signing keys and security

The Service signs Patches with cryptographic keys and the resulting signatures are verified on End-User devices before a Patch is applied. Depending on configuration you may hold a private signing key and/or rely on keys we manage. You are responsible for protecting any private signing key in your control. Loss or compromise of a signing key can allow unauthorized code to be delivered to your End Users; you agree to notify us promptly of any suspected compromise. We follow the practices described in our Trust & Safety policy but do not warrant that any cryptographic system is immune from compromise.

6. Customer Content and license

As between the parties, you retain all ownership of your Customer Content. You grant us a limited, non-exclusive, worldwide license to host, copy, transmit, process, sign, cache, and deliver your Customer Content solely to provide and maintain the Service, to deliver Patches to your End Users, and as permitted by these Terms and the Data Processing Addendum. You represent that you have all rights necessary to grant this license and to distribute your Customer Content to your End Users.

7. Fees, billing, and usage

Paid plans, usage limits, and billing terms are described at [pricing URL] or in your order form. Unless stated otherwise, fees are billed in advance, are non-refundable except as required by law, and renew automatically until cancelled. We may meter usage (for example, Patches or monthly active End Users) and charge for overages, and may change pricing on renewal with prior notice. You are responsible for applicable taxes other than our income taxes. Non-payment may result in suspension or termination.

8. Availability

We aim for high availability, but the Service is provided without an uptime guarantee unless a separate service-level agreement applies to your plan. We may perform maintenance and may modify or discontinue features with reasonable notice. Features labeled “beta,” “preview,” or “experimental” are provided as is and may change or be withdrawn at any time.

9. Suspension, rollback, and kill-switch

To protect End Users, the integrity of the Service, and other customers, we may - with or without prior notice where circumstances require - disable or roll back a specific Patch fleet-wide, suspend an account or Application, or restrict features, if we reasonably believe there is a breach of these Terms or the Acceptable-Use Policy, a violation of law or app-store policy, or a security or integrity risk. We will use reasonable efforts to notify you and to limit the scope of any action. You also have rollback and kill-switch controls for your own Patches.

10. Term and termination

These Terms apply while you use the Service. Either party may terminate for convenience as described in your plan, or for the other party’s material breach not cured within [30] days of notice. On termination your right to use the Service ends, and we may delete Customer Content after a reasonable retention window (subject to the DPA and law). Patches already delivered to End Users may continue to run on their devices; we cannot remove code already installed on a device.

11. Disclaimers

THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE,” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE, THAT PATCHES WILL DELIVER OR APPLY CORRECTLY ON EVERY DEVICE, OR THAT USE OF THE SERVICE WILL RESULT IN APP-STORE ACCEPTANCE OR COMPLIANCE. YOU ARE RESPONSIBLE FOR TESTING PATCHES BEFORE DISTRIBUTION.

12. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, DATA, OR GOODWILL. OUR TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS WILL NOT EXCEED THE GREATER OF (A) THE FEES YOU PAID FOR THE SERVICE IN THE [12] MONTHS BEFORE THE EVENT GIVING RISE TO THE CLAIM, OR (B) [USD $100]. SOME JURISDICTIONS DO NOT ALLOW CERTAIN LIMITATIONS, SO SOME OF THE ABOVE MAY NOT APPLY TO YOU.

13. Indemnification

You will defend, indemnify, and hold harmless [Company] and its affiliates, officers, and employees from any third-party claim, damage, liability, cost, or expense (including reasonable legal fees) arising out of or related to: (a) your Customer Content and Patches; (b) your Applications and your distribution of Patches to End Users; (c) your violation of these Terms, the Acceptable-Use Policy, applicable law, or any app-store policy; or (d) your infringement or misappropriation of any third-party right.

14. Third-party platforms

The Service interoperates with third-party platforms (including Apple, Google, and hosting and storage providers), whose terms govern your use of them. We are not responsible for those platforms, and changes by them - including app-store policy changes or enforcement - may affect the Service. We do not guarantee that any app store will accept or continue to allow any Application or Patch.

15. Governing law, changes, and contact

These Terms are governed by the laws of [jurisdiction], without regard to conflict-of-laws rules, and the parties submit to the exclusive jurisdiction of the courts located in [venue], except that either party may seek injunctive relief in any court of competent jurisdiction. We may update these Terms; for material changes we will give reasonable notice, and continued use after the effective date constitutes acceptance. Questions: [legal@yourdomain].

Privacy Policy

[Effective date: TBD] · This policy must be reviewed against your actual data practices before publishing.

This policy explains how [Company] (“we,” “us”) collects, uses, shares, and protects personal data when you use the QuickPatch website, dashboard, CLI, and code-push service (together, the “Service”). It also explains the limited data exchanged with End-User devices that receive patches.

1. Who we are

[Company], [registered address], is the controller of personal data described in this policy for our own customers and website visitors. Where we process personal data on behalf of a business customer (for example, telemetry from their Application’s End Users), we act as a processor under the Data Processing Addendum and that customer is the controller.

2. Data we collect

• Account data - your name and email (for example, via Google sign-in), organization, and the API keys we issue to you.
• Project data - application identifiers, Release and Patch metadata, version numbers, and the build and patch artifacts you upload to deliver updates.
• Billing data - if you purchase a paid plan, billing contact and transaction records (payment-card data is handled by our payment processor, not stored by us).
• Telemetry and update-delivery data - operational events such as patch availability checks, download and install outcomes, and errors, used to operate and secure the Service.
• Technical and log data - IP address, device and browser information, and request logs collected when you use the website, dashboard, CLI, or API.

End-User devices that receive patches contact our servers to check for and download updates. This may include the device IP address and basic application and Release identifiers. We do not intend the Service to collect End-User personal data beyond what is necessary to deliver updates, and we do not use it to build profiles of End Users.

3. How we use data

• To provide, maintain, secure, and improve the Service;
• To authenticate you and communicate about your account, including service and security notices;
• To meter usage, bill paid plans, and prevent abuse and fraud;
• To monitor, investigate, and enforce our Terms and the Acceptable-Use Policy;
• To comply with legal obligations and respond to lawful requests.

4. Legal bases (EEA/UK)

Where the GDPR or UK GDPR applies, we process personal data on the bases of: performance of a contract (to provide the Service); our legitimate interests (to secure and improve the Service and prevent abuse, balanced against your rights); compliance with a legal obligation; and, where required, your consent (which you may withdraw at any time).

5. Sharing and subprocessors

We share personal data with service providers who help us operate the Service - including cloud hosting and compute, object storage and content delivery, authentication, analytics, error monitoring, and payment processing - under contracts that require them to protect the data and use it only to provide their service to us. A current list of subprocessors is available at [subprocessors URL] or on request. We may also disclose data to comply with law or to protect rights, safety, and the integrity of the Service. We do not sell personal data and do not share it for cross-context behavioral advertising.

6. International transfers

We may process and store data in [countries/regions]. Where we transfer personal data out of the EEA, UK, or other regulated regions, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK Addendum.

7. Retention

We retain personal data for as long as your account is active and as needed to provide the Service, then delete or anonymize it within [retention period], unless a longer period is required by law, to resolve disputes, or to enforce our agreements. Operational logs and telemetry are retained for [log retention period].

8. Your rights

Depending on where you live (for example, under the GDPR/UK GDPR or the CCPA/CPRA), you may have rights to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent. You may also have the right to lodge a complaint with a supervisory authority. To exercise these rights, contact [privacy@yourdomain]; we will respond as required by applicable law. We will not discriminate against you for exercising your rights.

9. Security

We use technical and organizational measures designed to protect personal data, including encryption in transit, access controls, and cryptographically signed patch artifacts that are verified on-device. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. See our Trust & Safety policy for how to report a vulnerability.

10. Children

The Service is intended for businesses and is not directed to children, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact [privacy@yourdomain] and we will delete it.

11. Changes and contact

We may update this policy; we will post the updated version here with a new effective date and, for material changes, provide additional notice. Questions or requests: [privacy@yourdomain]. If you are in the EEA or UK, our [representative / Data Protection Officer] is [details].

Data Processing Addendum (DPA)

[Effective date: TBD] · For customers who require a DPA under GDPR/UK GDPR and similar laws. Counsel review required before execution.

This DPA forms part of the agreement between [Company] (“Processor”) and the customer (“Controller”) for use of the Service (the “Agreement”), and applies to the extent [Company] processes Personal Data on the Controller’s behalf. Capitalized terms not defined here have the meaning given in the Code Push Terms of Service. In case of conflict on data-protection matters, this DPA controls.

1. Definitions

“Personal Data,” “processing,” “controller,” “processor,” “data subject,” and “personal-data breach” have the meanings given in applicable data-protection law, including the EU General Data Protection Regulation (GDPR) and the UK GDPR (“Data Protection Law”).

2. Roles and instructions

The Controller determines the purposes and means of processing; the Processor processes Personal Data only on the Controller’s documented instructions, including those set out in the Agreement, this DPA, and the Controller’s use of the Service’s features, unless required to act otherwise by law (in which case the Processor will inform the Controller unless legally prohibited). The Processor will inform the Controller if, in its opinion, an instruction infringes Data Protection Law.

3. Details of processing

• Subject matter and duration - provision of the over-the-air code-push Service for the term of the Agreement and any wind-down period.
• Nature and purpose - hosting, storing, transmitting, signing, caching, and delivering the Controller’s Releases and Patches, and related telemetry, to operate and secure the Service.
• Categories of data subjects - the Controller’s authorized users and, where applicable, End Users of the Controller’s Applications.
• Categories of Personal Data - account identifiers; application and Release identifiers; technical and log data (including IP address); and update-delivery telemetry, as described in the Privacy Policy. The Controller will not upload special-category data or use the Service to process it.

4. Processor obligations

• Process Personal Data only on the Controller’s documented instructions;
• Ensure persons authorized to process Personal Data are bound by confidentiality;
• Implement and maintain appropriate technical and organizational security measures (Section 6);
• Assist the Controller, taking into account the nature of processing and the information available, with data-subject requests and with the Controller’s obligations regarding security, breach notification, and data-protection impact assessments;
• Make available information necessary to demonstrate compliance with this DPA.

5. Confidentiality

The Processor will keep Personal Data confidential and limit access to personnel who need it to provide the Service and who are subject to confidentiality obligations.

6. Security measures

The Processor implements measures appropriate to the risk, which may include: encryption of data in transit; access controls and least-privilege administration; cryptographic signing and on-device verification of patch artifacts; network and application security controls; logging and monitoring; and regular review of its security program. A summary is available on request; details may be provided under confidentiality.

7. Sub-processors

The Controller authorizes the Processor to engage the sub-processors listed at [subprocessors URL] to process Personal Data. The Processor will impose data-protection obligations on each sub-processor that are no less protective than this DPA and remains responsible for their performance. The Processor will give the Controller notice of intended additions or changes to sub-processors so the Controller may object on reasonable grounds.

8. Data-subject requests

Taking into account the nature of the processing, the Processor will assist the Controller by appropriate measures, insofar as possible, to respond to requests from data subjects exercising their rights under Data Protection Law. If the Processor receives such a request directly, it will, unless legally prohibited, promptly forward it to the Controller and not respond except on the Controller’s instruction.

9. Personal-data breach

The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s Personal Data, and will provide information reasonably available to assist the Controller in meeting its breach-notification obligations.

10. International transfers

Where the Processor transfers Personal Data out of the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (and the UK Addendum and Swiss amendments as applicable), with the Processor (or its relevant entity) as data importer, completed with the details of this DPA and the Agreement.

11. Deletion and return

On termination of the Agreement, the Processor will, at the Controller’s choice, delete or return the Personal Data and delete existing copies within [period], except to the extent retention is required by law. Personal Data in routine backups is deleted in accordance with the Processor’s backup-rotation schedule.

12. Audits

The Processor will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice, frequency, confidentiality, and security-protective terms.

13. Liability and execution

Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. To request a countersigned copy of this DPA, contact [legal@yourdomain].

Trust & Safety

[Effective date: TBD]

QuickPatch gives developers the ability to update their applications’ interpreted Dart code instantly, over the air. With that capability comes responsibility. This page sets out our Acceptable-Use Policy, our app-store compliance position, how we secure the platform, and how we handle abuse and vulnerability reports. It is incorporated into the Code Push Terms of Service.

How the platform stays safe

QuickPatch updates only interpreted Dart code - on iOS through an on-device interpreter, and on Android as a signed data patch. It never downloads or modifies native binary code. Every patch is cryptographically signed and its signature is verified on the device before the patch is applied, so a device will refuse a patch that is unsigned, tampered with, or not signed by the expected key. Patches are staged and applied on next launch with on-device re-verification, and a server-side control can disable or roll back a patch across the fleet.

App-store compliance

Apple’s rules (App Review Guideline 2.5.2 and Developer Program License Agreement §3.3.1(b)) and Google Play’s policies permit over-the-air updates to interpreted code as long as an update does not change the primary purpose of the app or add features or functionality inconsistent with how the app was reviewed and advertised. The bright line is the app’s purpose, not the update mechanism. This is the same basis on which established code-push tools operate.

You can ship

• Bug and crash fixes;
• UI/UX improvements, copy and styling changes, and layout fixes;
• Performance and logic tuning;
• A/B tests and gradual rollouts of changes consistent with your app’s purpose;
• Content and configuration updates.

You must not ship

• Updates that change your app’s primary purpose (for example, turning one kind of app into a different kind of app);
• Features or functionality inconsistent with how your app was reviewed or advertised;
• Hidden or gated functionality intended to evade app review;
• Malware, spyware, or code that harms, surveils, or defrauds End Users, or that exfiltrates data without disclosure and consent;
• Anything unlawful, infringing, or deceptive, or that violates app-store policies or our terms.

Your responsibility

You are the publisher of your application. Ensuring each update complies with the app-store policies that apply to you and with the law is your sole responsibility. [Company] provides the technical means to deliver interpreted-code updates; it does not review, endorse, or assume responsibility for your updates.

Enforcement

Using QuickPatch to violate app-store guidelines, the law, or our terms is a breach of the Code Push Terms of Service and may result in suspension or termination of your account and disabling or rollback of the offending patch. We may act immediately, with or without prior notice, in cases of suspected abuse, legal risk, security risk, or harm to End Users.

Report abuse and responsible disclosure

To report misuse of the Service or a suspected security vulnerability, contact [security@yourdomain]. We support good-faith security research and responsible disclosure: if you follow our [disclosure policy] - investigate only your own accounts or test data, avoid privacy violations and service disruption, and give us reasonable time to remediate before public disclosure - we will not pursue legal action against you for that research. Please do not access, modify, or delete other customers’ data.