Terms of Service

These Terms of Service ("Terms") govern your access to and use of the PCRCI Identity application ("App"), website (rifftlo.com), and related services ("Services") operated by Rifftlo Inc., a Delaware corporation ("Company," "we," "us," or "our").

By accessing or using our Services, you agree to be bound by these Terms. If you do not agree, do not use the Services.

1. Eligibility

You must be at least 18 years of age to use the PCRCI application. The App is not directed at or intended for use by children under 13. By using the Services, you represent and warrant that you meet these age requirements.

If you are using the App as a field agent, you must have received authorized training and a valid government-issued promo code before conducting enrollments.

2. Description of Services

PCRCI (Pre-Civil Registration Confidence Infrastructure) provides identity registration and verification services for individuals who lack formal identity documentation. The Services include:

• Identity enrollment — capturing name, estimated birth year, location, and biometric hash (SHA-256 of facial geometry only; raw images are never stored).
• Community attestation — enabling community members to vouch for a subject's identity, building a confidence score.
• NFC card issuance — writing a Decentralized Identifier (DID) to NTAG215/216 NFC cards as portable identity credentials.
• Government and institutional verification — read-only API access for authorized institutions to verify identity without exposing personal data.
• Offline-first operation — all enrollment and attestation operations function without internet connectivity, with data synced when connectivity is available.

3. User Roles and Responsibilities

The platform supports three primary user types:

• Agents: Trained field workers who enroll subjects and manage enrollment devices. Agents must authenticate via NFC badge and biometric verification (fingerprint or Face ID). Agents are responsible for ensuring enrollment accuracy and obtaining proper consent.
• Attestors: Community members who vouch for a subject's identity. Attestors must register with a valid government ID and pass a face liveness check.
• Subjects: Individuals being enrolled in the identity system. Subjects must provide informed consent before enrollment.

4. Agent Obligations

As an authorized PCRCI agent, you agree to:

• Only enroll individuals who are physically present and have given informed consent.
• Never create false, fraudulent, or duplicate identity records.
• Operate within your registered geographic service area (within 500 metres of your registered GPS location).
• Protect enrollment devices, NFC badges, and login credentials from unauthorized access.
• Report any suspected fraud, data breaches, or system misuse immediately.

Warning: Creating false identity records, forging attestations, or misusing the system may constitute a criminal offense under local law and will result in immediate account suspension, referral to authorities, and potential legal action.

5. Consent and Enrollment

All subject enrollments require explicit, informed consent. The consent disclosure is presented in the subject's preferred language and read aloud via text-to-speech. Subjects may decline enrollment at any time. Consent is recorded in the system's immutable audit trail.

Subjects may request deletion of their identity record at any time by contacting a local government officer or emailing support@rifftlo.com.

6. NFC Cards

NFC cards issued through PCRCI contain only a Decentralized Identifier (DID) — a unique reference string. No personal data, biometric information, or sensitive details are stored on the card. Cards remain the property of the subject. Lost or damaged cards may be replaced through an authorized agent, with the replacement linked to the same DID.

7. Confidence Scores

Confidence scores are calculated based on attestations received and are used to determine access thresholds for institutional services. Scores start at 1 (self-enrollment) and increase with community attestations. Score thresholds (4, 7, 10, 15 points) unlock progressively greater access to services. National ID application is available from 4+ points, with higher thresholds unlocking banking, healthcare, land registration, and full KYC-compliant services.

Rifftlo Inc. does not guarantee that any specific score will result in service access. Institutional decisions to grant or deny services are made independently by participating institutions based on their own policies.

8. Fraud Detection

The system employs automated fraud detection rules including velocity limits (attestation and enrollment rate caps), geographic boundary enforcement, biometric similarity detection, and NFC duplication prevention. Violations may result in automatic suspension, flagging, or referral for manual review. All fraud-related actions are logged in the immutable audit trail.

9. Data and Security

We take data security seriously. Key protections include:

• All biometric data is processed as SHA-256 hashes only — raw images and audio are never stored or transmitted.
• All data in transit is encrypted via TLS 1.2+.
• All data at rest is encrypted via Google Cloud default encryption.
• An append-only, hash-chained activity log provides a tamper-evident audit trail.
• Role-based access control (RBAC) restricts system access based on user roles.

For complete details on data handling, see our Privacy Policy.

10. Third-Party Services

The Services use the following third-party infrastructure:

• Google Firebase — authentication, database (Firestore), hosting, and cloud storage.
• Google Cloud Run — backend API hosting (asia-southeast1 region).
• Google ML Kit — on-device facial geometry extraction (no images sent to cloud).

Your use of the Services is also subject to Google Firebase Terms of Service and Google Cloud Terms of Service.

11. Government API Access

Authorized government agencies and institutions may access identity verification services via the PCRCI Government API. API access is subject to:

• Approval by a Rifftlo administrator.
• Compliance with rate limits (60 requests/minute per API key).
• No personal identifiable information (PII) is exposed through the API — only confidence scores, threshold status, and aggregated statistics.
• All API access is logged and auditable.

12. Intellectual Property

All content, software, designs, trademarks, and other intellectual property in the Services are owned by Rifftlo Inc. or its licensors. You may not copy, modify, distribute, sell, or lease any part of the Services without our prior written consent.

13. Disclaimer of Warranties

The Services are provided "as is" and "as available" without warranties of any kind, either express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement. We do not warrant that the Services will be uninterrupted, error-free, or secure.

14. Limitation of Liability

To the fullest extent permitted by applicable law, Rifftlo Inc. shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, data, or goodwill, arising out of or in connection with your use of the Services. Our total aggregate liability shall not exceed one hundred US dollars (USD $100).

15. Indemnification

You agree to indemnify, defend, and hold harmless Rifftlo Inc. and its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses arising out of or in connection with your use of the Services, your violation of these Terms, or your infringement of any third-party rights.

16. Termination

We may suspend or terminate your access to the Services at any time, with or without cause, and with or without notice. Upon termination, your right to use the Services ceases immediately. Provisions that by their nature should survive termination shall survive.

17. Governing Law

These Terms are governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions. Any disputes arising under these Terms shall be resolved in the state or federal courts located in Delaware.

18. Changes to These Terms

We reserve the right to modify these Terms at any time. Material changes will be communicated through the App or via email. Your continued use of the Services after changes are posted constitutes acceptance of the revised Terms.

19. Contact Us

If you have questions about these Terms, contact us at:

Rifftlo Inc.
Email: support@rifftlo.com
Website: rifftlo.com