Legal
Effective April 20, 2026 · Papertrail B.V. · Amsterdam, Netherlands
The Bitfrost service is available to three categories of user. Different terms apply to each, as described in the sections below:
Bitfrost provides two distinct functions:
Organisations are onboarded manually by Bitfrost; there is no self-serve sign-up. Bitfrost assigns each organisation a subscription tier with a monthly verification quota. Subscriptions are invoiced monthly in euros. Overages (verifications above the monthly quota) are billed as an additional line item on the following invoice.
The organisation administrator is responsible for ensuring timely payment and for keeping contact and billing information up to date. Bitfrost reserves the right to suspend or deactivate an organisation's account for non-payment, with reasonable advance notice where practicable.
Each organisation must have at least one designated administrator at all times. The platform enforces this: an administrator cannot be demoted or removed if they are the last admin of the organisation, and an administrator cannot delete their own account while they are the sole admin.
Organisation administrators may generate API keys to enable programmatic access to the signing endpoint (for example, for server-side integrations or custom mobile workflows). The following conditions apply:
The Bitfrost mobile application is available on iOS and Android. Use of the app is subject to these terms as well as the terms of the applicable app store (Apple App Store Terms of Service or Google Play Terms of Service).
The mobile app is restricted to direct camera capture. It does not permit importing images from the device's photo library or from other applications. This restriction is a deliberate security measure: it ensures that only images captured in the moment — rather than pre-edited images — can be submitted for signing.
To verify that signing requests originate from a legitimate, unmodified installation of the Bitfrost app, we use Apple App Attest (iOS) and Google Play Integrity (Android). You must use the app on a device that supports these attestation mechanisms. Attempts to bypass, spoof, or disable attestation are a violation of these terms and may result in access being denied or terminated.
The mobile app does not require an account and does not collect personal information. Images are transmitted to our servers solely to have the watermark applied and are not retained after the signed image is returned to the device.
The verification endpoint is intentionally open to the public without authentication. This design reflects the purpose of the service: any recipient of a Bitfrost-signed image — an insurer, a court, a journalist, or any other party — must be able to independently verify the image's integrity without creating an account.
Use of the public verification endpoint is subject to IP-based rate limits. Automated or bulk use that degrades service availability for other users is prohibited. If you have a high-volume verification use case, contact us to discuss an organisational account.
You may use Bitfrost for any lawful purpose. You may not:
You retain full ownership of all images you process through Bitfrost. By submitting an image, you grant Bitfrost a limited, non-exclusive licence to process that image solely to perform the requested operation (signing or verification). This licence terminates immediately upon completion of the operation.
Images are not retained. All image processing is performed in memory on our servers. No copy of your image is written to disk, stored in any database, or retained after the API response is returned. We store only a non-reversible record of the operation (verification count, timestamp, source platform) for billing and quota purposes.
By submitting an image you represent and warrant that you have the right to process it through this service and that doing so does not infringe any third-party intellectual property right or violate any applicable law.
The service is provided "as is" and "as available" without warranty of any kind, express or implied. To the maximum extent permitted by applicable law, Bitfrost disclaims all warranties, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
We do not warrant that: (a) the service will be available without interruption or error; (b) watermarks will survive all forms of image processing or recompression; (c) verification results will be accepted as evidence in any legal, regulatory, insurance, or administrative proceeding; or (d) the service is free from security vulnerabilities.
To the maximum extent permitted by Dutch law, Bitfrost's aggregate liability to an organisational customer for any claim arising out of or relating to these terms or the service — whether in contract, tort (including negligence), or otherwise — is limited to the total fees paid by that customer to Bitfrost in the three calendar months immediately preceding the event giving rise to the claim.
For mobile app users and public verifiers, who use the service free of charge, Bitfrost's aggregate liability is limited to €100.
In no event is Bitfrost liable for indirect, incidental, special, consequential, or punitive damages, including loss of profits, loss of data, loss of goodwill, or business interruption, even if advised of the possibility of such damages.
Nothing in these terms excludes or limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded or limited under applicable law.
By you: Organisational users may close their account at any time from the Account page in the dashboard. Mobile app users and public verifiers may simply stop using the service. No notice is required.
By Bitfrost: We may suspend or terminate an account or restrict access to the service if we determine, in our reasonable judgement, that these terms have been violated, that continued access poses a security or legal risk, or that an organisation has failed to pay invoiced amounts. We will provide reasonable advance notice where feasible, except where immediate action is required to protect the security of the service or third parties.
Upon termination of an organisational account, all account data is deleted within 30 days, subject to retention obligations described in our Privacy Policy.
These terms are governed by the laws of the Netherlands. Any dispute arising out of or in connection with these terms that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.
If you are a consumer (an individual acting outside the course of a trade or profession) in an EU member state, mandatory consumer protection provisions of your country of residence may also apply, and you may bring proceedings before the courts of that country.
We will provide at least 14 days' notice of material changes to these terms by email to organisational users. Continued use of the service after the effective date of the revised terms constitutes acceptance. If you do not agree with a material change, you may close your account before the effective date.
For changes required by law or to address security issues, shorter notice or immediate effect may be necessary.
Questions: legal@usebitfrost.com