Terms & Conditions

Legal framework for using Flonk

MedConnect GmbH, Bayernstraße 10, 30855 Langenhagen (hereinafter "Flonk", "Provider", or "we") operates a cloud-based Software-as-a-Service platform for digital identity verification under the "Flonk" brand and the domain https://flonk.id. The Flonk platform in particular provides the following services: reading and authenticity checks of official identity documents, biometric matching (1:1) between the document photo and a live selfie, liveness detection, and provision of corresponding APIs, SDKs, webhooks, and dashboard functions (collectively the "Services").

These General Terms and Conditions (hereinafter "GTC") govern the contractual relationship between MedConnect GmbH and entrepreneurs within the meaning of § 14 BGB, legal entities under public law, or special funds under public law (hereinafter "Customer") that use the Flonk platform for their own business purposes.

The Flonk platform is aimed exclusively at entrepreneurs in the above sense. Contracts with consumers (§ 13 BGB) are not contemplated.

1.1 These GTC, in the version applicable at the time of conclusion of the contract, apply exclusively to all business relations between the Provider and the Customer in connection with the provision and use of the Flonk platform.

1.2 Diverging, conflicting, or supplementary general terms and conditions of the Customer shall not become part of the contract unless their applicability is expressly agreed in writing. This also applies if the Provider performs the Services without reservation in the knowledge of the Customer's diverging terms.

1.3 Individually negotiated agreements (in particular framework agreements, enterprise agreements, service level agreements) shall take precedence over these GTC in the event of a conflict.

2.1 The presentation of Services on https://flonk.id does not constitute a binding offer but an invitation to submit an offer (invitatio ad offerendum).

2.2 The contract is concluded by (i) registration of the Customer in the Flonk dashboard and generation of API keys following acceptance of these GTC ("self-service contract") or (ii) conclusion of an individually negotiated contract (e.g. enterprise or framework agreement).

2.3 The Customer warrants that all information provided upon registration (in particular company name, registered office, authority of representation, VAT ID, contact details) is true and complete, and undertakes to keep this information up to date at all times.

2.4 The Provider is entitled to reject registration requests without giving reasons, in particular where there are indications of abusive use, missing authority of representation, or the Customer being listed on a sanctions list.

2.5 The Customer is obliged to ensure that the natural persons acting are authorised to represent the Customer and meet the relevant minimum age (at least 18 years).

3.1 Core Services

The Provider makes the Flonk platform available to the Customer in accordance with the selected product configuration and within the limits of technical availability. The core services in particular include:

  • a) Verification widget and embed SDKs (Web, iOS, Android, React Native);
  • b) Server SDKs (Node.js, Python, Go, PHP) and REST API;
  • c) Reading and authenticity check of official identity documents from more than 200 countries;
  • d) Biometric 1:1 matching and liveness detection;
  • e) Webhook notifications and dashboard with reporting functions.

3.2 Description of Services

The specific scope of functions is set out in the current product description at https://flonk.id and in the developer documentation. The Provider is entitled to adapt the Services in the sense of continuous further development, provided that the contractually agreed core functional scope is not materially impaired.

3.3 Availability

The Provider strives for 99.99% availability on a monthly average ("service target"). The following are excluded:

  • (a) scheduled maintenance windows announced with reasonable notice (at least 48 hours);
  • (b) outages due to force majeure;
  • (c) outages caused by the Customer or third parties (in particular internet service providers, device manufacturers).

Binding service level agreements only apply if individually agreed in writing.

3.4 Beta Functions

Functions expressly marked as "Beta", "Preview", or "Experimental" are provided without warranty and without any availability commitment. The Provider is entitled to change or discontinue such functions at any time without prior notice.

3.5 No Legal Advice

The Flonk platform is a technical aid for identity verification. The Provider does not provide legal, tax, or compliance advice. The assessment of whether and to what extent the use of the Services is sufficient to meet statutory obligations (e.g. under GwG, TKG, JMStV) is the sole responsibility of the Customer.

4.1 The Provider grants the Customer for the term of the contract a non-exclusive, non-transferable, non-sublicensable, geographically unrestricted right to use the Flonk platform, the associated SDKs, and the documentation within the agreed scope for the Customer's own business purposes.

4.2 Editing, decompiling, reverse engineering, modification, or reproduction of the software is not permitted — except in cases mandatorily permitted under §§ 69d, 69e UrhG.

4.3 The Customer is not entitled to offer the Services to third parties as its own service ("white-labeling" or "reselling") unless expressly agreed in writing.

4.4 All rights in the Flonk platform, including trademarks, logos, designs, source code, algorithms, models, and documentation, remain with the Provider or the respective rights holders.

5.1 Lawful Use

The Customer undertakes to use the Flonk platform exclusively for lawful purposes and in compliance with all applicable laws, in particular the GDPR, the German Federal Data Protection Act (BDSG), the Anti-Money Laundering Act (GwG), the Interstate Treaty on the Protection of Minors in the Media (JMStV), the Telecommunications Digital Services Data Protection Act (TDDDG), and the applicable industry-specific regulations.

5.2 End-User Consent

The Customer ensures that any person being verified via the Flonk platform ("End User") has, prior to verification, been informed in the legally required form about the processing of their personal data and — where required — has given valid consent (in particular pursuant to Art. 9(2)(a) GDPR with regard to biometric data).

5.3 Prohibited Uses

The following are in particular prohibited:

  • a) the verification of minors without the required consent of the legal representative;
  • b) the use of the platform for mass surveillance or for creating movement or behaviour profiles beyond the verification purpose;
  • c) the use in countries or for the benefit of persons listed on relevant sanctions lists of the EU, the UN, or the USA;
  • d) any form of reverse engineering, load testing without prior coordination, penetration testing without written permission;
  • e) the transmission of harmful content (malware, malicious code) or use for the commission of criminal offences.

5.4 Securing Access

The Customer is obliged to treat API keys, secret keys, webhook signatures, and login data as strictly confidential, store them securely, and notify the Provider immediately of any suspected compromise. Until receipt of such notification, the Customer is liable for any use made under their access credentials.

5.5 Cooperation Obligations

The Customer shall cooperate in the performance of the Services to the necessary extent, in particular by correctly integrating the SDKs, providing webhook endpoints, and responding promptly to enquiries from the Provider.

5.6 Compliance with Third-Party Terms

Where the Customer uses end devices, stores (e.g. Apple App Store, Google Play), or other third-party platforms, the Customer is solely responsible for compliance with the applicable terms there.

6.1 Prices

The price list valid at the time the Services are provided applies, available at https://flonk.id/preise. The standard price under the pay-as-you-go model is EUR 0.99 net per successfully completed verification. All prices — unless expressly stated otherwise — are exclusive of the applicable statutory VAT.

6.2 Billing Unit

A "successfully completed verification" exists where a verification session has been concluded with a definitive result (successful, rejected, or manually decided). Technically aborted sessions (e.g. due to premature disconnection by the End User before the result is produced) are not charged.

6.3 Billing Period

Billing is performed monthly in arrears on the basis of the usage data visible in the dashboard. Different billing modes (e.g. volume commitments, prepayment) may be agreed for enterprise contracts.

6.4 Due Date

Invoices are due for payment without deduction within 14 calendar days of the invoice date. The decisive factor is receipt of payment in the Provider's account.

6.5 Default

In the event of default in payment, the Provider is entitled to charge default interest at the statutory rate (§ 288(2) BGB), a default flat rate of EUR 40 (§ 288(5) BGB), and to claim further damages caused by default. In the event of default of more than 30 calendar days, the Provider is entitled to suspend the Services after prior notice.

6.6 Set-Off and Retention

The Customer is only entitled to set-off against undisputed or legally established claims. A right of retention is only available to the Customer to the extent it is based on the same contractual relationship.

6.7 Price Adjustment

The Provider is entitled to adjust prices with a notice period of at least 60 calendar days. If the price increases by more than 10% compared to the previous price list, the Customer has a special right of termination effective as of the effective date of the adjustment.

7.1 MedConnect GmbH processes End User personal data on behalf of the Customer as a processor within the meaning of Art. 28 GDPR. The controller is the Customer.

7.2 The Customer and the Provider conclude, prior to the start of productive processing, a data processing agreement (DPA) that fulfils the requirements of Art. 28(3) GDPR. The current DPA template is available at https://flonk.id/avv and is deemed effectively agreed between the parties upon acceptance of these GTC, unless an individual DPA is concluded.

7.3 In addition, the Privacy Policy at https://flonk.id/datenschutz applies to the processing of End User data.

7.4 The Customer ensures that they comply with all required information, consent, and documentation obligations toward the End Users.

7.5 For processing activities carried out by the Provider within its own area of responsibility (e.g. anti-fraud statistics, model improvement on the basis of anonymised data, provision of the website and dashboard), the Provider acts as an independent controller.

8.1 The parties undertake to treat all confidential information of the other party received in the course of contract performance — in particular trade and business secrets within the meaning of the German Trade Secrets Act (GeschGehG), technical details, prices, customer and supplier relationships — as strictly confidential and to use them exclusively for contractual purposes.

8.2 This obligation applies for the term of the contract and for a period of five (5) years after the end of the contract.

8.3 The confidentiality obligation does not apply to information that

  • (a) is publicly known,
  • (b) was demonstrably already known to the receiving party prior to disclosure,
  • (c) has been lawfully obtained from third parties, or
  • (d) must be disclosed on the basis of statutory or official orders.

9.1 The Provider warrants that the Flonk platform substantially complies with the specifications laid down in the product description and documentation. No further warranty as to quality or fitness is assumed.

9.2 Insignificant deviations, industry-standard fluctuations in recognition accuracy, and impairments due to image, lighting, or connection quality on the End User's side do not constitute a material defect.

9.3 The Provider gives no warranty that any individual verification will produce a correct result. The platform operates probabilistically; residual risks (false accepts, false rejects) are inherent to the system.

9.4 Defects must be reported without undue delay after discovery in a comprehensible form (in particular with session ID, timestamp, error description). The Provider will remedy defects within a reasonable period at its choice by rectification or substitute performance.

9.5 The limitation period for warranty claims is — to the extent legally permissible — twelve (12) months from provision of the defective Service.

10.1 The Provider is liable without limitation in cases of intent and gross negligence, for injury to life, body, or health, under the provisions of the German Product Liability Act, and within the scope of an expressly assumed guarantee.

10.2 In the case of slightly negligent breach of material contractual obligations (cardinal obligations), liability is limited to the contract-typical, foreseeable damage. Cardinal obligations are those whose fulfilment makes the proper performance of the contract possible in the first place and on whose compliance the contracting party may regularly rely.

10.3 Otherwise, the Provider's liability for damages caused by slight negligence is excluded.

10.4 The Provider's aggregate liability for damages caused by slight negligence is — to the extent legally permissible — limited per loss event to the net fee actually paid by the Customer in the twelve (12) months preceding the loss event, but in no case more than EUR 100,000 per calendar year.

10.5 Liability for lost profits, indirect damages, consequential damages, loss of data (insofar as not caused by gross negligence or intent), and damages arising from improper use of the platform by End Users or third parties is — within the scope of statutory permissibility — excluded.

10.6 The Provider is not liable for consequential damages resulting from the Customer relying solely on the outcome of a single verification without conducting supplementary risk-based checks.

10.7 The above liability provisions also apply for the benefit of the Provider's legal representatives, vicarious agents, and employees.

The Customer shall indemnify the Provider on first demand against any third-party claims (in particular by End Users, authorities, and supervisory bodies) arising from culpable, contrary-to-duty use of the platform by the Customer, in particular from the breach of information or consent obligations toward End Users. This also includes reasonable legal defence costs.

Neither party is liable for the non-performance or delayed performance of its obligations to the extent that this is due to events of force majeure (in particular war, terrorism, natural disasters, pandemics, sovereign measures, strikes outside the party's own operation, large-scale internet or energy outages). The affected party will inform the other party without undue delay of the event and its expected duration. If the event lasts longer than 30 calendar days, both parties are entitled to extraordinary termination.

13.1 Self-service contracts are concluded for an indefinite period and may be terminated by either party in text form with a notice period of 30 calendar days to the end of the month, unless a different term is agreed in an individual agreement.

13.2 The right to extraordinary termination for good cause remains unaffected. Good cause for the Provider exists in particular in cases of:

  • a) default in payment of more than 30 calendar days despite reminder;
  • b) material breach of these GTC (in particular section 5);
  • c) opening of insolvency proceedings over the Customer's assets or rejection thereof for lack of assets;
  • d) reasonable suspicion of abusive or unlawful use of the platform.

13.3 Terminations require at least text form (§ 126b BGB).

13.4 Upon the effectiveness of the termination, access to the platform is deactivated. Data is stored, anonymised, or deleted in accordance with the rules laid down in the DPA and the Privacy Policy.

The Provider is entitled to list the Customer as a reference customer on its website and in sales materials, naming the company and logo. The Customer may object to this use at any time in text form; in that case, the Provider will remove the reference within a reasonable period.

15.1 The Provider is entitled to amend these GTC with effect for the future, provided that this is necessary due to changes in the legal framework or technical developments, or to safeguard legitimate economic interests, and that the contractual balance is not materially shifted to the detriment of the Customer.

15.2 Amendments will be communicated to the Customer in text form at least 45 calendar days before they take effect. If the Customer does not object in text form within 30 calendar days of receipt of the notice of amendment, the amendments are deemed accepted. The Customer will be specifically informed of this effect in the notice of amendment.

15.3 If the Customer objects in due time, the Provider is entitled to terminate the contractual relationship by ordinary termination.

16.1 Choice of Law

All legal relations between the parties are governed exclusively by the laws of the Federal Republic of Germany under exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG).

16.2 Jurisdiction

The exclusive place of jurisdiction for all disputes arising out of or in connection with this contract is — to the extent legally permissible — Hannover, Germany. The Provider is, however, also entitled to sue the Customer at its general place of jurisdiction.

16.3 Place of Performance

The place of performance for all Services is the Provider's registered office.

16.4 Written Form

Amendments and supplements to this contract require text form. This also applies to the waiver of the text form requirement.

16.5 Assignment

The Customer may only transfer rights and obligations under this contract to third parties with the prior written consent of the Provider. Transfer in the course of corporate restructuring within the group remains permitted.

16.6 Severability

Should individual provisions of these GTC be or become invalid or unenforceable, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by the valid and enforceable provision whose economic effect comes closest to that of the invalid provision. The same applies in the case of a regulatory gap.

16.7 Language

The German version of these GTC is authoritative. Translations are for informational purposes only.

Flonk GTC v2 (12/05/2026)

Note: This is an English translation of the German GTC. In case of discrepancies, the German version shall prevail.