Terms of use

• Binding agreement. These MultiSet SaaS (Hosted Cloud) Terms & Conditions (the “Terms”) form a binding contract between MultiSet AI Inc. (“MultiSet,” “we,” “us,” or “our”) and the organization or person accepting them (“Customer,” “you,”). By creating an account, using the Service, or clicking accept, you agree to these Terms.

‍

• Business use only. The Service is intended for business and developer use. Consumer use is not intended.

‍

• Authority. If you use the Service on behalf of a company, you represent that you have authority to bind that company, and “Customer” means that company.

• Order of precedence. If you and MultiSet have an executed Order/Subscription (including any plan selection in the console), Service Level Agreement (SLA) Addendum, Data Processing Addendum (DPA), or a separate Cloud Services Agreement (CSA) (each a “Paid Addendum”), those documents supplement these Terms for the Paid Services identified therein. In the event of conflict: Order/Subscription > SLA/DPA/CSA > these Terms > Documentation.

‍

• Updates to These Terms. We may update these Terms for Free plans at any time by posting a revised version on our website with an updated “Last Updated” date. For Paid plans, any material changes to these Terms will become effective only upon the next renewal term or as otherwise expressly agreed in an applicable Order/Subscription. This limitation does not restrict MultiSet from making non-material or administrative updates.

• Scope. MultiSet provides a hosted developer platform and APIs for building location‑aware applications (e.g., WebXR, Unity, iOS, Android, Meta Quest), including map creation, localization calls, and related SDKs (collectively, the “Service”). Plan‑specific features, quotas, and limits are stated on our site, in your console, or in an Order/Subscription and may change as described herein.

‍

• Service levels & support. Free plans: target 99.5% Monthly Uptime; scheduled maintenance will be communicated in advance via status page or console; support is community-best-effort (e.g., forum/Discord).
  
• Paid plans: target 99.95% Monthly Uptime, with scheduled maintenance communicated in advance through status.multiset.ai and the developer portal. MultiSet operates a severity-tiered support response model for Paid plans:
  
  • P1 (Critical — production down, no workaround): 1 hour response, 24x7
  • P2 (High — major degradation, no acceptable workaround): 4 business hours response
  • P3 (Medium — minor degradation, workaround available): 1 business day response
  • P4 (Low — question or low-impact issue): 2 business days response

Enterprise plan customersmay negotiate enhanced response targets, 24x7 coverage across all severities, and dedicated support contacts through the applicable Master Services Agreement, Order/Subscription, or Service Level Agreement Addendum. Service credits, where applicable, are governed by the SLA Addendum or Order/Subscription as described in the "SLA is Sole Remedy" provision below. If no SLA Addendum or Order/Subscription is in effect, the Free-plan targets apply without service credits.

Detailed information regarding the security and compliance framework supporting Service availability and resilience is published in the MultiSet SaaS Platform Security &Compliance Framework whitepaper, available on request from the MultiSet accountteam.

• Beta and experimental features. We may provide Beta or experimental features. Betas are provided as‑is, may be disabled at any time, and are excluded from any SLA or availability commitments unless expressly stated.

‍

• Third‑party services and SDKs. The Service may interoperate with third‑party services, libraries, or SDKs (e.g., ARKit/ARCore, device OS). Your use of third‑party components is subject to their terms; MultiSet is not responsible for third‑party services.

• SLA is Sole Remedy (Paid). For any failure to meet an SLA expressly stated in an SLA Addendum or Order/Subscription, Customer’s sole and exclusive remedy is the applicable service credit specified therein. Service credits are not cumulative and may not exceed the total fees paid for the affected Service during the applicable billing period. Service credits will be applied to future invoices and are not refundable in cash. Except as expressly provided in the SLA Addendum or Order/Subscription, no other remedies (including termination rights or damages) apply to SLA breaches.

‍

Feature Deprecation. For Paid plans, Multiset will provide at least 180 days’ advance notice before materially deprecating or discontinuing any core feature of the Service, except where such deprecation or removal is:

• necessary for security, legal, or regulatory compliance;
• required to address a third-party dependency or platform deprecation, or
• otherwise needed to prevent service instability. MultiSet will use commercially reasonable efforts to provide alternative functionality or migration options where feasible.

• Accounts & Credentials. You are responsible for your users’ accounts, credentials, and actions, and will maintain appropriate access controls.

Acceptable use. You and your users will not:

• reverse engineer, decompile, or create derivative works of the Service (except to the extent a restriction is prohibited by law);
• resell, sublicense, or provide the Service to third parties as a service bureau without our written consent;
• interfere with or disrupt the Service, test its security or performance without authorization, or access non‑public areas;
• use the Service in violation of law, for High‑Risk Activities (e.g., operation of emergency services, life support, nuclear facilities, or where failure could lead to death, personal injury, or severe environmental damage), or while operating vehicles or in hazardous environments;
• upload content you don’t have rights to, or that is malicious, infringing, or illegal; or
• use the Service to build a competing product or to benchmark for competitive purposes without prior written consent.

• Use limits. You will comply with usage limits, rate limits, quotas, seat/device caps, and our documentation (the “Use Limits”). Free plan limits are published in the console or site. Paid plan limits are as stated in the applicable Order/Subscription. We may enforce Use Limits technically, prohibit abusive behavior, and suspend excessive or abusive use.

• Safety & situational awareness. AR can obscure real‑world hazards. You are responsible for safe use of the Service and for implementing appropriate fail‑safes and warnings in your applications (e.g., do not use while driving; maintain line‑of‑sight to surroundings).

• Customer Content. You retain all rights to Customer Content (your maps, scans, models, point clouds, images, videos, data, and any content you submit to or generate from the Service). You grant MultiSet a worldwide, non‑exclusive license to host, process, transmit, display, and create limited technical copies of Customer Content solely to provide and maintain the Service and to prevent or address service, security, or support issues.

• Usage Data & telemetry. We may collect Usage Data (telemetry, performance metrics, API calls, device/SDK version, and similar data) and use it to maintain, secure, improve, and market the Service. We will not disclose Usage Data in a way that identifies you or your users, except

(i) to provide the Service,

(ii) as required by law, or

(iii) with your consent.

• ML/AI improvement. To improve our visual positioning and mapping models, weMultiSet may use de-identified and aggregated portions of Customer Content and Usage Data solely to develop, train, validate, and improve its visual-positioning, mapping, and related machine-learning models (“ML Improvements”). For this purpose, MultiSet will apply commercially reasonable de-identification and aggregation measures consistent with Section 4.7 (Aggregated/De-identified & Derived Data). MultiSet will not disclose or use any Customer Content in identifiable form, nor use Customer Content for any purpose other than providing or improving the Service.

• Subprocessors & Data Location. Customer authorizes MultiSet to engage Subprocessors to perform limited processing activities necessary to deliver the Service. MultiSet remains responsible for each Subprocessor’s performance and will ensure appropriate written data-protection commitments are in place. Unless expressly stated in an Order/Subscription or DPA, data residency or geographic storage location is not guaranteed. Current primary infrastructure: Amazon Web Services (AWS), U.S. East (Virginia).

• Litigation Hold. Deletion or retention timelines described in these terms may be suspended as required by applicable law, court order, or legal hold. Upon resolution or withdrawal of the legal hold, standard deletion timelines will resume.

• Privacy & DPA. Our Privacy Policy describes how we collect and use personal data. MultiSet is not GDPR/CCPA compliant by default, and no Data Processing Addendum (DPA) is offered unless specifically executed in writing for Paid plans. Free plans must not be used for processing personal data subject to GDPR/CCPA or similar laws. MultiSet does not access or process end-user data; only admin user names and emails are collected for account provisioning and management. The current list of subprocessors engaged by MultiSet to deliver the Service, including the data category and processing location for each, is published in the MultiSet SaaS Platform Security & Compliance Framework whitepaper, available on request from the MultiSet account team. MultiSet will provide thirty (30) days advance notice of new subprocessors via email to the primary account contact on file. If you process Personal Data subject to GDPR/UK GDPR/CCPA or similar, you must not use the Service to process such data unless

(i) processing fits within the Free plan limitations and does not include Prohibited Data, and

(ii) where required, a Data Processing Addendum (DPA) is executed. DPAs are available for Paid plans or as otherwise agreed in writing.

Data Protection Officer. MultiSet has designated Abhishek Sonnakula as Data Protection Officer, responsible for privacy oversight, customer data subject requests, and coordination with supervisory authorities where applicable. The Data Protection Officer may be contacted at abhishek@multiset.ai.

Prohibited Data. Do not submit the following to the Service unless expressly permitted in an Order/Subscription and a DPA is in place (if applicable):

• special category data or health/medical, financial (PCI), government‑classified, children’s data, or other data requiring enhanced protections;
• any export‑controlled technical data or ITAR/EAR controlled content;
• personal data of children under 13;
• biometrics or student education records regulated by FERPA; or
• any data you are not lawfully permitted to process. MultiSet does not process any end-user personal data and the Service is designed to operate without such access.

Admin users (typically developers) are responsible for ensuring their own applications comply with applicable data protection laws.

• Data retention & deletion. We may delete Free plan Customer Content that is inactive or exceeds quotas, after reasonable notice where practicable. Paid plan retention is as stated in the Order/Subscription or DPA (if any). Following termination, we may retain backups and logs for a limited time for security, compliance, and audit purposes. MultiSet retains only limited backup and log data for operational security and compliance. Free plan data may be deleted after reasonable notice if inactive or exceeding quotas. Paid plan retention follows the terms set in your Order/Subscription or applicable Addendum.

• Aggregated/De-identified & Derived Data. MultiSet may generate and use Aggregated Data (data that has been de-identified and/or combined with other data so it cannot reasonably identify Customer or users) and Derived Data (learned signals, parameters, weights, embeddings, and similar outputs produced by processing Customer Content/Usage Data) to operate, secure, and improve the Service. MultiSet will not disclose Aggregated or Derived Data in a form that identifies Customer or users.

• Safeguards. MultiSet maintains administrative, technical, and physical security measures for the Service, including encryption in transit and at rest, multi-tenant data isolation, role-based access controls, multi-factor authentication for privileged access, time-limited credentials, continuous logging and monitoring, annual third-party penetration testing, and a documented incident response process. The complete security framework, including subprocessor list, breach notification commitments, and the vulnerability disclosure program, is published in the MultiSet SaaS Platform Security & Compliance Framework whitepaper, available on request from the MultiSet account team. If a Paid plan includes specific controls or certifications, they will be stated in the Order/Subscription or security documentation referenced therein.

• Your responsibilities. You are responsible for securing your environment (client devices, credentials, API keys, third‑party accounts) and for backing up Customer Content you need to retain.

• Breach Notification. MultiSet will notify the affected Customer of a confirmed Security Incident affecting Customer Data without undue delay, and in any event within twenty-four (24) hours of confirmation. For Personal Data Breaches subject to GDPR Article 33 or analogous laws, MultiSet will notify the affected Customer within seventy-two (72) hours of becoming aware. Notifications will be sent to the designated security contact on file or, if none is designated, to the primary account contact, and will include, to the extent known: nature of the incident, categories and approximate volume of affected data, likely consequences, and measures taken or proposed to address the incident.

• Reservation of rights. MultiSet and its licensors own all rights in and to the Service, SDKs, documentation, and underlying IP. No rights are granted except as expressly stated.

• Open source & third‑party components. Certain components may be provided under separate open‑source licenses or third‑party terms. To the extent of a conflict, those licenses govern the component.

• Feedback. You may provide ideas, suggestions, or feedback (collectively, “Feedback”). We may freely use Feedback without restriction and without any obligation to you.

• Confidentiality. Confidential Information’ means non-public information disclosed by a party that is marked confidential or should reasonably be understood as confidential. The receiving party will: (a) use it only to perform under these Terms; (b) not disclose it to third parties except to Affiliates, employees, and Subprocessors under similar duties; and (c) protect it with reasonable care. Exclusions: info that is public, already known, independently developed, or rightfully received from a third party. Required disclosures (e.g., by law) permitted with prompt notice where lawful. Confidentiality survives 3 years; trade secrets survive so long as a trade secret.

• Fees; Payment; Taxes; Overages. Customer will pay fees specified in the console and any Order/Subscription. Usage beyond plan quotas may incur overage charges at then-current rates. All fees are non-cancelable and non-refundable except as expressly stated. Invoices are due 30 days net; late amounts may accrue 1.5% per month (or the maximum permitted by law). Fees are exclusive of taxes; Customer is responsible for all taxes, withholdings, and similar charges (excluding MultiSet’s income-based taxes). Customer may not withhold, offset, or delay payments.

• Changes to Service. We may change, discontinue, or deprecate features, quotas, or limits. Changes to Free plans may occur at any time. For Paid plans, we will not materially reduce core functionality of the purchased Service during the subscription term without providing substantially equivalent functionality or a pro‑rata credit as described in your SLA or Order (if applicable).

Suspension. We may suspend or limit access immediately if we believe

• you breached these Terms;
• your use risks the security, availability, or integrity of the Service; or
• suspension is needed to comply with law.

• Termination. Either party may terminate at any time for convenience for Free plans by closing the account or giving notice. Paid plans may be terminated as stated in the Order/Subscription or CSA (including for breach, insolvency, or law). Upon termination, your access stops and we may delete data per Section 4.6.

• Effect of Termination; Data Export. Upon termination or expiration of a Paid plan, Customer will have thirty (30) days to export its Customer Content using the then-available self-service or API tools, unless such export is prohibited by law, regulation, or security restrictions. After this period, MultiSet may delete any remaining Customer Content in accordance with Section 4.6 (Data Retention & Deletion) and standard backup schedules. MultiSet has no obligation to retain or return data beyond this period.

• Export. You will comply with all applicable export and sanctions laws (including U.S. Export Administration Regulations, ITAR, and OFAC programs). You will not use the Service in or for the benefit of embargoed or sanctioned countries or parties.

• Anti‑corruption. You will comply with anti‑bribery and anti‑corruption laws (e.g., U.S. FCPA, UK Bribery Act) in connection with your use of the Service.

• Government users. The Service is commercial computer software. Government end‑users acquire rights only as set forth in these Terms.

• Disclaimers. THE SERVICE, BETAS, AND ALL RELATED MATERIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE,” WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON‑INFRINGEMENT, AND ACCURACY. MULTISET DOES NOT WARRANT CONTINUOUS, UNINTERRUPTED, OR ERROR‑FREE OPERATION OR THAT THE SERVICE WILL MEET YOUR REQUIREMENTS OR PREVENT ALL MISLOCALIZATION OR DRIFT. AR/VR APPLICATIONS MAY CREATE SAFETY RISKS; YOU ARE RESPONSIBLE FOR TESTING AND MITIGATION.

• Limitation of liability. TO THE MAXIMUM EXTENT PERMITTED BY LAW, MULTISET WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS, REVENUE, BUSINESS, DATA, OR GOODWILL. FOR FREE PLANS, MULTISET’S TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THE SERVICE WILL NOT EXCEED US $100. FOR PAID PLANS, MULTISET’S TOTAL AGGREGATE LIABILITY WILL NOT EXCEED THE AMOUNTS PAID BY CUSTOMER FOR THE SERVICE IN THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY (OR SUCH OTHER AMOUNT EXPRESSLY STATED IN THE ORDER/SUBSCRIPTION). NOTHING IN THESE TERMS LIMITS LIABILITY THAT CANNOT BE LIMITED BY LAW.

‍

• Cap. For Free plans, MultiSet’s total aggregate liability is US$100; for Paid plans, it is limited to fees paid in the 12 months before the event giving rise to liability (in the aggregate). The foregoing applies even if a remedy fails of its essential purpose.”

• Exclusions. The limitations above do not apply to liability that cannot be limited by law.

• Indemnity by Customer. You will defend and indemnify MultiSet and its affiliates, officers, directors, and employees against third‑party claims, damages, and costs (including reasonable legal fees) arising from (a) your apps’ or content’s infringement of third‑party rights or violation of law; (b) your breach of Sections 3 (Acceptable Use), 4.5 (Prohibited Data), or 8 (Compliance); or (c) your misuse of the Service. If an IP indemnity from MultiSet is included for a Paid plan, it will be set forth in the applicable CSA or Paid Addendum and will govern that plan.

• Informal resolution. Before filing a claim, the party must send a detailed notice to the other party and work in good faith to resolve the dispute for 60 days.

• Arbitration. Except for claims for injunctive/equitable relief (including IP/confidentiality/security) or small-claims matters, any dispute arising out of or relating to these Terms will be resolved by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules and, if 25 or more substantially similar demands are filed by or with the same counsel, its Mass Arbitration Supplementary Rules. The seat is Delaware, proceedings in English, and the arbitrator may award individual relief only.

• Fees. Each party pays its own attorneys’ fees; AAA administrative/arbitrator fees will be allocated under the applicable AAA rules; the arbitrator may award fees/costs as permitted by law.

• Batch administration. For any mass/multiple filings involving substantially similar claims: (a) filing and administrative proceedings may be batched; (b) bellwether cases may be selected; and (c) arbitration of remaining cases is stayed pending bellwethers.

• Waivers. No class or representative actions or consolidation absent written consent. Jury trial waived to the extent any matter proceeds in court.

• Time limit. Claims must be filed within 1 year after they accrue.

Notice of alleged infringement: send to contact@multiset.ai with all elements of 17 U.S.C. 512(c)(3). MultiSet may remove or disable access to content and terminate repeat infringers.

• Entire agreement. These Terms, together with any applicable Order/Subscription and Paid Addenda (e.g., SLA, DPA, CSA), are the entire agreement for the Service and supersede prior or contemporaneous understandings relating to the same subject.

• Notices. We may provide notices by email, console message, or posting on our site. Your legal notices to us must be sent to contact@multiset.ai with a copy to our registered agent.

• Severability; waiver. If a provision is unenforceable, it is modified to the minimum extent necessary; the remainder remains in effect. Failure to enforce is not a waiver.

• Force majeure. Neither party is liable for delays or failure due to events beyond reasonable control (e.g., internet failure, power outages, labor disputes, acts of God, war, terrorism, epidemics, governmental actions).

Publicity

• Free plan. By accepting these Terms and using the Free plan, Customer permits MultiSet to identify Customer by company name and logo on MultiSet websites, product interfaces, sales and investor decks, presentations, social channels, and public customer lists. No separate written consent is required. This does not include testimonials, executive quotes, performance claims, press releases, or case studies without Customer’s prior written approval. No personal data will be used.
• Opt-out (Free plan). Customer may opt out at any time by emailing contact@multiset.ai. Upon receipt, MultiSet will stop new uses within ten (10) business days and will use commercially reasonable efforts to remove existing uses from MultiSet-controlled digital properties thereafter. Opt-out is prospective only.
• Paid plans. For Paid plans, any identification by name/logo or use in marketing, press releases, testimonials, or case studies requires Customer’s prior written consent under the existing terms.

• Precedence. If there is a conflict, the order in Section 1.4 controls. Documentation and FAQs are for convenience only and do not create commitments.

• Assignment. Either party may assign these Terms in connection with a merger, reorg, or sale of substantially all assets, with notice; Customer may not assign to a direct competitor of MultiSet AI without consent.

• WebXR endpoints. You must implement client‑side controls to prevent unauthorized access to API keys and to enforce geofencing and rate limits.

• Import of third‑party scans (e.g., E57, Matterport, NavVis, Leica). You are responsible for ensuring you have rights to any scans you upload, and for compliance with the third‑party capture vendor’s terms.

• Multi‑map transitions & routing. Provide manual fallbacks if localization fails; do not rely on automated routing in safety‑critical scenarios.

• Object Tracking & 3D model ingestion (GLB/GLTF). The Service may allow you to upload 3D models (e.g., GLB/GLTF) to generate tracking targets and to use Object Tracking features. The same obligations as in Section 12.2 (Import of third‑party scans) apply: you are responsible for ensuring you have sufficient rights to any models or assets you upload, for compliance with any third‑party capture/vendor or asset‑license terms, and for the accuracy, safety, and legality of the resulting targets and experiences.

MultiSet AI Inc. operates a coordinated vulnerability disclosure program for the Service. This Section 14 describes the scope of the program, how to report a suspected vulnerability, the protections afforded to good-faith security researchers, and the disclosure timeline expectations. Submission of a report under this Section constitutes the reporter’s acceptance of the terms set forth herein.

• Reporting Channel - Suspected security vulnerabilities should be reported to support@multiset.ai. A machine-readable security policy is published at https://multiset.ai/.well-known/security.txt in accordance with RFC 9116. Reports should include a clear description of the vulnerability, the affected asset, reproduction steps, the potential impact, and any supporting evidence (such as proof-of-concept code, screenshots, or network captures). MultiSet does not currently support encrypted submissions; reporters who require encrypted communications should request a public key in their initial outreach.

• Program Scope - The following MultiSet-operated assets are within the scope of this program:
  
  
  • api.multiset.ai
  • developer.multiset.ai
  • multiset.ai and www.multiset.ai
  • docs.multiset.ai
  • The MultiSet Unity, iOS native, Android native, WebXR, and Meta Quest SDKs distributed through MultiSet’s official channels

• The following are out of scope:
  
  • Third-party services, sites, and infrastructure relied upon by MultiSet (including, without limitation, Amazon Web Services, MongoDB Atlas, Stripe, GitHub, Google, and HubSpot). Reports concerning third-party assets should be directed to the operator of those assets.
  • Social engineering of MultiSet employees, contractors, partners, or customers.
  • Physical attacks against MultiSet facilities, personnel, or hardware.
  • Denial-of-service testing, load testing, volumetric attacks, or any activity that could degrade Service availability for other customers.
  • Findings that require prior compromise of an end-user device, customer account, or supply-chain component outside MultiSet’s control.
  • Reports of issues that have already been disclosed publicly or for which a remediation has been published.
  • Vulnerabilities in software versions that have reached end-of-life or end-of-support.
  • Best-practice or hardening recommendations without an associated demonstrable security impact (for example, missing security headers in the absence of an exploitable condition).

• “Customer Content” means content or data you or your users submit to the Service.
• “High‑Risk Activities” means uses where a failure could lead to death, personal injury, or severe damage.
• “Personal Data” has the meaning given by applicable data protection laws.
• “Service” means MultiSet’s hosted cloud services (Free and Paid), developer console, APIs, SDKs, WebXR endpoints, and related hosted features that MultiSet makes available.
• “Usage Data” means operational metrics, telemetry, logs, and similar data generated by or about the use of the Service.​