Terms of Service
1. Acceptance of Terms
These Terms of Service ("Terms") constitute a legally binding agreement between you ("you" or "Developer") and Tosses LLC ("Tosses," "we," "us," or "our"), governing your access to and use of the Bounce platform, dashboard, API, and all related services (collectively, the "Service").
By creating an account, accessing the API, or otherwise using the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms and our Privacy Policy. If you do not agree, you must not use the Service.
If you are using the Service on behalf of an organization, you represent that you have the authority to bind that organization to these Terms, and "you" refers to both you and that organization.
2. Description of Service
Bounce is an API proxy service that allows frontend applications to securely call third-party APIs without exposing API credentials. The Service provides:
- Secure credential storage with dual-key encryption (database secret + your Bounce key)
- CORS control — restrict which origins can access your proxied endpoints
- Endpoint allowlisting — restrict which API paths your frontend can reach
- Rate limiting — per-key and per-minute request limits to prevent abuse
- JWT authentication support — optional integration with Firebase, Auth0, and Clerk (or other JWKS authentication providers) to restrict endpoints to authenticated users
Bounce acts as a transparent relay: it injects your stored credentials into requests before forwarding them to the target API. Your frontend calls Bounce using only your Bounce key (not your actual API credentials). Bounce does not inspect, modify, or log request/response content.
Bounce is not a backend replacement. Bounce is designed for frontend access to public or semi-public APIs. For sensitive endpoints requiring server-side authorization, you should use a dedicated backend.
3. Account Registration
To use the Service you must register for an account using a valid email address. You agree to:
- Provide accurate, current, and complete information during registration.
- Be at least 18 years of age, or the age of majority in your jurisdiction if higher.
- Maintain the confidentiality of your Bounce keys. You are responsible for all activity that occurs under your account.
- Notify us immediately at contact@tosses.dev if you become aware of any unauthorized use of your account or leaked Bounce keys.
- Keep your email address current and regularly check for notifications about your account.
We reserve the right to refuse registration or suspend any account at our sole discretion, including for violations of these Terms or applicable law.
You may not use the Service if you are located in, or are a national or resident of, any country subject to U.S. trade sanctions, or if you are listed on any U.S. government denied-party list.
4. Payment & Billing
Subscription model. Bounce operates on a monthly subscription basis. You choose a plan (Free, Pro, Team, or Enterprise) and agree to the associated terms. All payment processing is handled by Stripe, Inc. By making a purchase you agree to Stripe's Terms of Service. Tosses does not store your payment card details.
Available plans:
- Free — 10,000 requests per month, 3 Bounce keys, 30 requests per minute max rate limit, 0.5 GB egress per month
- Pro — $5/month, 500,000 requests per month, 10 keys, 60 requests per minute max rate limit, 50 GB egress per month
- Team — $25/month, 5,000,000 requests per month, unlimited keys, 180 requests per minute max rate limit, 250 GB egress per month
- Enterprise — Contact sales for custom limits
What is counted. All requests count toward your monthly limit, including failed requests and errors. It is your responsibility to handle errors and implement retry logic. One GB is defined as one decimal gigabyte (1,000,000,000 bytes).
Egress measurement. Egress counts all data transferred from the Bounce server, including responses sent to your client application and requests forwarded to the destination API. This encompasses the full round-trip data flow through our infrastructure. Egress is measured at the server level before any client-side compression or optimization.
Monthly resets. At the start of each billing period, your request and egress allowances reset to your plan's limits. Unused requests and bandwidth from the prior month do not carry over. Allowances reset on a rolling 30-day window starting from your initial signup date (or last reset date), not a fixed calendar day each month.
Rate limits. Your plan includes a maximum requests-per-minute limit. This is a hard limit enforced per IP address per Bounce key. Requests exceeding your plan's rate limit are rejected with a 429 (Too Many Requests) error.
No refunds. All purchases are final and non-refundable, except where required by applicable law. If you believe a charge was made in error, contact us at contact@tosses.dev within 30 days of the charge.
Canceling a plan. You may cancel your subscription at any time from your dashboard. Cancellation stops the next scheduled charge; it does not remove the current month's allowances or request/egress budget already credited to your account. If you cancel mid-month, no partial refund is issued. Your remaining budget for the current month may still be used until your billing period ends.
Balance exhaustion. When you have exhausted your monthly request or egress allowance, new requests are rejected with a 402 (Payment Required) error. We may optionally send you a notification when you are approaching your limit.
Taxes. All fees are exclusive of any applicable taxes, levies, or duties imposed by taxing authorities. You are solely responsible for payment of all such taxes. Where Tosses is required by law to collect taxes, they will be added to your transaction at checkout.
Price changes. We may change pricing, plan tiers, request/bandwidth limits, or any other fees at any time. Changes apply only to future billing periods and do not affect allowances already credited to your account. Where practical, we will provide advance notice (at least 30 days) of material changes.
5. Acceptable Use
You agree to use the Service only for lawful purposes. The following are strictly prohibited:
- Accessing or using APIs through Bounce without authorization from the API provider.
- Using Bounce as a general-purpose proxy, VPN, tunneling service, or for non-API traffic.
- Attempting to circumvent, disable, or interfere with rate limiting, CORS controls, endpoint allowlists, or other security features.
- Sharing, reselling, or redistributing Bounce keys to any third party without express written authorization from Tosses.
- Using Bounce to access APIs for purposes prohibited by those APIs' terms of service or applicable law.
- Probing, exploiting, or attempting to compromise Bounce infrastructure or other users' configurations.
- Performing port scanning, vulnerability scanning, or network reconnaissance on Bounce or its infrastructure.
- Intentionally generating requests for the purpose of consuming your allowance maliciously or testing Bounce's limits.
- Using Bounce for any illegal activity or to violate any third-party rights or applicable law.
Violation of this section may result in immediate suspension or permanent termination of your account without refund, at our sole discretion. We may also report violations to relevant law enforcement authorities where required.
We reserve the right to throttle, rate limit, block, or otherwise mitigate traffic from your account if it threatens the stability, security, or availability of the Service.
6. Intellectual Property
The Service, including the Bounce platform, API, dashboard, documentation, and all associated software, is owned by Tosses LLC and protected by applicable intellectual property laws. Nothing in these Terms transfers any ownership rights to you.
Subject to your compliance with these Terms, we grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Service solely for its intended purpose of proxying API calls from your frontend applications.
You may not copy, modify, distribute, sell, sublicense, reverse engineer, or create derivative works of any part of the Service or its underlying software.
7. Security Architecture & Your Responsibilities
Dual-key encryption. Your API credentials are encrypted using a two-factor encryption scheme: Tosses' global database secret plus your unique Bounce key. This means neither Tosses nor any attacker can decrypt your stored credentials without both the database secret AND your Bounce key. If your Bounce key is lost or stolen, neither Tosses nor anyone else can access your credentials.
Zero-knowledge architecture. Bounce keys are stored as cryptographic hashes. Tosses does not retain knowledge of your actual key values. If you lose a Bounce key, it cannot be recovered or reset — you will lose access to the configuration encrypted by that key forever. We strongly recommend saving your Bounce key securely, using browser-based key storage (if you trust your device), or treating key loss as a permanent security incident.
Your responsibility for security. You are responsible for:
- Keeping your Bounce keys confidential. Do not share them with anyone except your own frontend application.
- Configuring strict CORS policies to allow only legitimate origins.
- Configuring endpoint allowlists to restrict which API paths your frontend can access.
- Setting appropriate rate limits and monitoring your usage for suspicious patterns.
- Using JWT authentication where appropriate to ensure only your authorized users can access sensitive endpoints.
- The accuracy and legality of API credentials you store in Bounce.
Bounce is not a substitute for authentication. Bounce does not authenticate your users. For endpoints that should only be accessible to certain users, you must configure JWT authentication or use another auth mechanism at the API level. Tosses is not responsible for unauthorized access to APIs due to misconfiguration of your Bounce settings.
What Tosses is not responsible for:
- Misconfiguration of your CORS, endpoint allowlist, or rate limit settings.
- Unauthorized access to your APIs due to leaked, weak, or misconfigured Bounce keys.
- Actions, outages, breaches, or unavailability of upstream APIs you proxy through Bounce.
- Errors, failures, or unexpected behavior in requests transmitted through Bounce (unless caused by Bounce's infrastructure itself).
- Loss of data, revenue, business opportunities, or indirect damages resulting from your use of Bounce.
8. Disclaimers & Limitation of Liability
No warranty. THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTY OF ANY KIND. TO THE MAXIMUM EXTENT PERMITTED BY LAW, TOSSES EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, RELIABLE, OR MEET YOUR SPECIFIC REQUIREMENTS.
Limitation of liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL TOSSES, ITS OFFICERS, DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOSS OF DATA, LOSS OF REVENUE, OR BUSINESS INTERRUPTION, ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF OR INABILITY TO USE THE SERVICE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cap on liability. Our total cumulative liability to you for any claims arising out of or related to these Terms or the Service shall not exceed the greater of (a) the total amount you paid to Tosses in the 90 days preceding the claim, or (b) $50 USD. This cap applies to all theories of liability in the aggregate. This cap does not apply to, and does not limit, (i) your indemnification obligations under these Terms, or (ii) claims arising from infringement or misappropriation of Tosses's intellectual property rights.
Indemnification. You agree to indemnify, defend, and hold harmless Tosses LLC and its affiliates, officers, directors, and employees from any claims, damages, losses, or expenses (including reasonable attorneys' fees) arising out of your use of the Service, your violation of these Terms, or your violation of any third-party rights. Your indemnification obligations are not subject to the liability cap set forth above.
Force majeure. Tosses shall not be liable for any failure or delay in performance caused by circumstances beyond its reasonable control, including but not limited to natural disasters, internet outages, power failures, war, terrorism, labor disputes, or failures of upstream providers or services you proxy through Bounce.
9. Termination
By you. You may close your account at any time from your dashboard settings. Upon deletion, all Bounce keys, configurations, usage history, and account data are immediately and permanently removed. Any active monthly subscription is cancelled immediately with no refund. Account recovery is not available after voluntary deletion.
By Tosses. We may suspend or permanently terminate your account at any time, with or without notice, if we determine that you have violated these Terms, engaged in fraudulent or abusive behavior, or for any other reason at our sole discretion. Termination for cause forfeits any remaining allowance without refund.
Effect of administrative termination. When Tosses terminates an account administratively, all account data — including configurations, keys, usage history, and allowances — is immediately and permanently deleted. A hashed record of your email address is retained indefinitely to prevent re-registration, as described in Section 10.
Effect of termination. Upon termination, your right to access the Service ceases immediately. Sections 5, 6, 7, 8, 10, and 11 of these Terms survive termination.
10. Fraud Prevention & Post-Deletion Data Retention
To protect the integrity of the Service and prevent fraudulent account creation, Tosses retains data after account closure as follows:
Voluntary account closure (initiated by you)
When you delete your account, all data — including configurations, keys, usage history, and account credentials — is immediately and permanently removed. No hashed email or other identifier is retained. You may immediately re-register with the same email address, which will create a fresh account with no prior data.
Administrative termination for abuse
- Hashed email address — retained indefinitely when an account is terminated by Tosses due to abuse, fraud, or violation of these Terms. This is solely to prevent the terminated user from creating a new account. The hash cannot be reversed to recover your email address.
All other account data (configurations, keys, usage history, allowances) is permanently deleted immediately upon administrative termination, as described in Section 9. No other personal data is retained beyond the periods described in our Privacy Policy.
Retained hash data is never used for marketing or profiling and is never shared with third parties. It is a security and fraud-prevention measure only.
11. Governing Law & Disputes
These Terms are governed by the laws of the State of Minnesota, United States, without regard to its conflict of law provisions.
Any dispute arising out of or relating to these Terms or the Service shall first be addressed by contacting us at legal@tosses.dev. If a dispute cannot be resolved informally, it shall be submitted to binding arbitration under the rules of the American Arbitration Association, conducted in English, with the arbitration taking place in Minnesota. The arbitration award shall be final and may be entered as a judgment in any court of competent jurisdiction.
Notwithstanding the above, either party may seek injunctive or other equitable relief in a court of competent jurisdiction to prevent irreparable harm.
The parties agree that disputes will be resolved on an individual basis and not as part of any class, consolidated, or representative action.
12. Changes to These Terms
We may update these Terms at any time and for any reason, at our sole discretion. When we do, we will revise the "Last updated" date at the top of this page.
Material changes — such as changes to our security architecture, billing model, liability limitations, dispute resolution, or data handling practices — will be communicated by email to your registered address at least 30 days before they take effect. Non-material changes (corrections, clarifications, formatting, or additions that do not reduce your rights or increase your obligations) take effect upon posting.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Terms. If you do not agree to updated Terms, you must stop using the Service and may close your account.
13. Miscellaneous
Entire agreement. These Terms, together with our Privacy Policy, constitute the entire agreement between you and Tosses regarding the Service and supersede all prior agreements or understandings.
Severability. If any provision of these Terms is found to be unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force.
No waiver. Our failure to enforce any right or provision of these Terms shall not constitute a waiver of that right or provision.
Assignment. You may not assign or transfer your rights or obligations under these Terms without our prior written consent. We may assign our rights and obligations freely, including in connection with a merger, acquisition, or sale of assets.
14. Contact
For questions about these Terms, to report a violation, or for any legal inquiries, please contact us at: