Terms of Service

Mailbox.bot — Outbound Mail API for AI Agents, Businesses, and Developers
Operated by Golden Ratio, LLC, a Utah Limited Liability Company
Effective Date: February 7, 2026 · Last Updated: May 3, 2026

1. Introduction and Definitions

1.1 Agreement Overview

Welcome to Mailbox.bot (the "Service," "Platform," "we," "us," "our"), an outbound mail API and (for users expressly enrolled in our restricted private beta) a managed mail and package logistics platform for individuals, businesses, and AI agents, operated by Golden Ratio, LLC, a Utah limited liability company doing business as "Mailbox.bot" (the "Company"). The Company's generally-available offering is its outbound mail service, through which you submit a document, recipient, and service class and the Company arranges for printing, enveloping, postage, and carrier tender. Inbound mail, virtual mailbox, package receiving, content scanning, forwarding, and CMRA-related features are offered only under a separate Private Beta Addendum to Members who have been expressly enrolled. Where these Terms refer to such features, those provisions apply only to enrolled beta Members and do not apply to outbound-only users. By accessing or using our website, API, mobile applications, agent protocols, and services, you ("Member," "Operator," "you," "your") agree to be bound by these Terms of Service ("Terms"), the Acceptable Use Policy incorporated by reference at mailbox.bot/aup, and (if applicable to you) any private beta or facility-operator addendum you have separately accepted.

1.2 Key Definitions

• "Agent" means any artificial intelligence system, autonomous software agent, bot, or automated process registered on the Platform by a Member. Agents can autonomously order products, manage logistics, and interact with physical commerce through the Platform.
• "Member" or "Operator" means the verified human individual or authorized representative of a business entity who creates an account, completes the applicable Verification process (Section 5), and is responsible for all Agents, credentials, outbound mail dispatched, charges incurred, and (for Members enrolled in the Private Beta Addendum) all Endpoints and inbound activity under their account.
• "Endpoint" means a logistics intake point provisioned by the Platform for an Agent at a Company-operated Facility, identified by a unique Reference Code, for private carrier package receiving purposes.
• "Reference Code" means the unique alphanumeric identifier assigned to an Endpoint for package routing purposes at the Facility (e.g., Ref: GR-7F3A).
• "Facility" or "Node" means any physical location on the mailbox.bot network operated by an independently licensed facility operator for the purpose of receiving, storing, processing, and forwarding packages and mail. Facilities may be CMRA-registered mail centers or warehouse/fulfillment operators.
• "Package" means any physical item, parcel, envelope, or document received at a Facility on behalf of a Member or their Agent. Packages are the property of the Member; the Facility holds them under custodial care.
• "Bailee" / "Bailment" means the legal relationship in which the Facility (bailee) holds temporary custody of the Member's property (the Package) under a duty of reasonable care, while the Member (bailor) retains ownership. This is the same model used by warehouses, fulfillment centers, and 3PL providers.
• "Private Carrier" means any non-USPS delivery service, including but not limited to FedEx, UPS, DHL, Amazon Logistics, OnTrac, LaserShip, GSO, Spee-Dee, and regional carriers.
• "CMRA" means a Commercial Mail Receiving Agency registered with the United States Postal Service under 39 CFR Part 111 to receive USPS mail on behalf of customers.
• "Form 1583" means USPS Form 1583 (Application for Delivery of Mail Through Agent), required for virtual mailbox service at CMRA facilities. Form 1583 must be completed and notarized (in-person or remote notarization) before USPS mail can be received.
• "Operator Dashboard" means the web-based interface through which Members manage their account, Agents, Endpoints, and Packages with human oversight.
• "Webhook" means an HTTP POST callback notification sent by the Platform to a Member's or Agent's designated endpoint with JSON payload upon occurrence of a package event or tracking update.
• "KYC" or "Verification" means the Company's tiered identity-verification and anti-fraud process, applied at account creation and (where applicable) prior to enabling specific Service tiers. The outbound mail tier requires (i) capture of the Member's legal name, (ii) authorization of a real-bank-issued debit or credit card with Stripe Radar fraud screening, and (iii) successful Twilio Lookup carrier verification of a real-carrier mobile, landline, or fixed-VoIP phone number. The private-beta inbound tier additionally requires document-based identity verification via Stripe Identity (government photo ID + live selfie + name/DOB/address confirmation) and, for CMRA-based virtual mailbox service, a completed and witnessed USPS Form 1583. "KYC" as used in these Terms is a fraud-prevention and platform-integrity measure, not a regulated Customer Identification Program ("CIP") under the Bank Secrecy Act or any equivalent regulatory regime.
• "Prohibited Items" has the meaning set forth in Section 8.
• "Content Scan" means the process of opening a Package, photographing or digitizing its contents, and delivering the resulting images and structured data to the Member or Agent via the Platform.
• "Outbound Mail" means a physical letter mailed by the Company on behalf of a Member or Agent, produced from a PDF document submitted via API or MCP, printed, enveloped, stamped, and deposited with USPS.
• "Outbound Only" means the service plan ($0/mo base, $0.30/page printing + carrier postage) that provides outbound mail capabilities without an inbound receiving address, Form 1583, or notarization.
• "API" means the Application Programming Interface through which Members and Agents interact programmatically with all Platform services.
• "Agent Protocol" means standardized discovery and communication protocols including MCP, A2A, OpenClaw, REST, and others supported by the Platform.
• "Logistics Intake Node" means a physical facility on the mailbox.bot network used for package and mail receiving, storage, and forwarding purposes.
• "Provenance Chain" means the documented chain of custody from carrier delivery through intake, storage, and disposition, attributed to a specific client via Reference Code.
• "Acceptable Use Policy" or "AUP" means the acceptable use policy incorporated herein by reference and available at mailbox.bot/aup.

2. Nature of Service

2.1 Service Description — Outbound Mail (Generally Available)

Mailbox.bot's generally-available offering is an outbound mail API. You (or your authorized AI agent, MCP client, A2A peer, or REST consumer) submit (a) a document, (b) a recipient address, (c) a return address, and (d) a service class (e.g., USPS First Class, USPS Priority, USPS Certified, USPS Certified with Return Receipt, FedEx, UPS). The Company arranges, through its production network, for the document to be printed, enveloped, weighed, postage-applied, photo-documented, and tendered to the selected carrier. Photo proof of mailing documents the drop-off event only and is not proof of delivery. The Company does not guarantee mail-piece dispatch or delivery deadlines; risk allocation for outbound mail is governed by Section 9A.

The Outbound Only plan ($0/mo base) requires no inbound address, no Form 1583, and no notarization. Members provide their own return address and pay per-page printing plus actual carrier postage. The full outbound mail risk allocation, agent-credential responsibility, and customer-content rules in Sections 6.4, 9A, 9B, 12, and 14 apply to all outbound users.

2.2 Inbound, Virtual Mailbox, Package Receiving, Scanning, Storage, and Forwarding — Private Beta Only

The following features are described in these Terms for completeness and for the benefit of enrolled beta Members, but are not made available to outbound-only Members and are not part of the generally-available Service:

• Virtual mailbox at CMRA-registered facilities (USPS letter mail and flats only); USPS Form 1583 and notarization required
• Warehouse / package receiving at fulfillment facilities (private carriers: FedEx, UPS, DHL, Amazon Logistics, and others)
• Endpoint provisioning with Reference Codes and physical facility addresses
• Bailee custody, intake documentation, exterior photography, package logging
• Content scanning (open, photograph, digitize, reseal)
• Storage, forwarding, consolidation, return-routing services
• Shipping portal for third-party senders (ship.mailbox.bot)

Enrollment in the private beta is at the Company's sole discretion and may be modified, suspended, or withdrawn at any time. The Private Beta Addendum, where in force, controls over conflicting provisions of these Terms with respect to inbound services.

2.3 What We Provide (Outbound Mail)

• Outbound mail submission via REST API, MCP, A2A, OpenClaw, dashboard, and webhook callbacks
• Document printing (B&W or color), enveloping, postage application, and carrier tender
• Photo proof of drop-off (not proof of delivery)
• Choice of service class (USPS First Class, Priority, Certified, Certified Return Receipt, FedEx, UPS)
• Cost-cap, daily-piece-cap, force-approval, dry-run, idempotency, and test-mode controls
• Webhook event delivery for outbound mail lifecycle events
• Operator Dashboard for human oversight and management of outbound activity
• Agent identity management, agent-scoped API keys, and standing-instructions versioning (MAILBOX.md)

2.4 What We Do NOT Provide

• Virtual office services, registered agent services, or business registration addresses
• Residential addresses or addresses suitable for establishing residency
• Licensed professional services (legal advice, tax/accounting advice, financial planning, real estate brokerage)
• Customs brokerage or international import/export services
• Hazardous materials handling, storage, or disposal
• Insurance coverage for mail or package contents (Members are responsible for insuring their own property)
• Guaranteed delivery times or outcomes from any carrier
• Direct supervision or control of Agent activities (Members are solely responsible for their Agents)
• Process service, notarization (except for Form 1583 notarization offered through third-party providers under the Private Beta Addendum), apostille, or certified-copy services

2.5 Intended Use Cases (Outbound Mail)

The outbound mail service is designed to support a range of programmatic and human-driven mailing workflows, including but not limited to:

• Transactional and operational mail: receipts, statements, invoices, notices, customer letters
• Compliance, legal, and contractual correspondence (subject to Sections 9A.5 and 9B.3 — the Company does not guarantee deadlines)
• Marketing, retention, and re-engagement mail (subject to applicable law)
• Agent-driven document delivery (e.g., autonomous agents that mail forms, letters, or filings on a Member's behalf)
• Batch and high-volume mailings via the batch-mail API

The Company does not endorse, verify, or guarantee the success of any particular use case. Members are responsible for ensuring their use of the Platform complies with all applicable laws and regulations.

2.6 Platform Provider Status

The Company provides software, an outbound mail API, and (for enrolled beta Members) connections to independently operated facilities. The Company is NOT the principal, employer, partner, joint venturer, or agent of any Member, Facility Operator, or AI Agent. The Company does not direct, control, or supervise the activities of any Agent. Members are solely responsible for the actions, omissions, and conduct of their autonomous agents, including all mail dispatched, orders placed, and logistics decisions made by AI agents operating through the Platform.

3. Waitlist and Early Access

3.1 Waitlist Registration

The Platform is currently in limited launch. Prospective Members may join the waitlist by providing an email address via the website (mailbox.bot) or API endpoint (POST /api/v1/waitlist). Waitlist registration does not guarantee access to the Platform and creates no binding obligation on either party.

3.2 AI Agents on Waitlist

AI agents and autonomous systems may join the waitlist programmatically via the API without captcha verification (rate limited to 5 requests per minute). When live outbound mail is enabled for an agent, the agent will require a verified human or legal entity sponsor to complete the applicable Verification process (Section 5) before production credentials are issued. Inbound Endpoints and Reference Codes are available only to Members enrolled in the Private Beta Addendum and require completion of the inbound-tier Verification process. Waitlist registration by an agent does not waive any Verification requirement.

3.3 Launch Notification

The Company will notify waitlist members via email when the Platform is ready for registration. Early access will be granted to waitlist members in the order of registration, subject to KYC verification and the Company's sole discretion. The Company reserves the right to grant priority access to certain users, use cases, or partnerships.

4. Member Eligibility and Registration

4.1 Eligibility Requirements

To register as a Member, you must:

• Be at least 18 years of age
• Have the legal capacity to enter into a binding contract
• Provide the account, payment, phone, and verification information required for the applicable Service tier, as described in Section 5. For outbound-only users, this generally includes legal name, account email, a real-bank-issued debit or credit card (prepaid cards, gift cards, and other anonymous or non-reloadable funding sources are not accepted), and successful Twilio Lookup carrier verification of a phone number. For private-beta inbound services (virtual mailbox, package receiving, content scanning, forwarding, CMRA), and for higher-risk or higher-limit use, this additionally includes Stripe Identity document-based verification, USPS Form 1583 where applicable, business verification, and any other documentation reasonably requested by the Company.
• Successfully complete the Company's verification process at the applicable Service tier (Section 5)
• Provide a valid physical address for billing and account-recovery purposes
• Not be listed on any U.S. government sanctions list, including but not limited to the OFAC Specially Designated Nationals (SDN) List
• Not have been previously terminated from the Platform for violations of these Terms

4.2 Business Entity Registration

If you are registering on behalf of a business entity, you represent and warrant that you have the authority to bind that entity to these Terms, and that the entity is duly organized, validly existing, and in good standing under the laws of its jurisdiction of formation. The entity must provide its legal name, jurisdiction of formation, EIN or equivalent tax identification number, and registered agent information.

4.3 Account Security

You are responsible for maintaining the confidentiality of your account credentials, API keys, and webhook secrets. You are responsible for all activities that occur under your account, whether or not authorized by you. You must immediately notify the Company of any unauthorized use of your account or any other breach of security.

5. Know Your Customer (KYC) and Identity Verification

5.1 Mandatory Verification — Tiered by Service

Before issuing production credentials, enabling live outbound mail, or provisioning any inbound Reference Code, the Member must complete the Company's verification process. The level of verification depends on the Service tier the Member is using:

(a) Outbound mail (generally available). The Company verifies, prior to issuing production credentials and enabling live outbound mail:

• Capture of the Member's legal name and account email
• Authorization of a real-bank-issued debit or credit card via Stripe, with Stripe Radar fraud screening (prepaid cards, gift cards, virtual cards not linked to a bank account, and other anonymous or non-reloadable funding sources are rejected)
• Successful Twilio Lookup carrier verification of a phone number identified as a real-carrier mobile, landline, or fixed-VoIP line (nonFixedVoip, pager, voicemail, and similar non-carrier numbers are rejected)

(b) Private-beta inbound services (virtual mailbox, package receiving, content scanning, forwarding). Members enrolled in the Private Beta Addendum must additionally complete, prior to provisioning of any Reference Code:

• Document-based identity verification via Stripe Identity, including a valid, unexpired government-issued photo identification document (driver's license, passport, state ID, or equivalent), a live selfie photograph for biometric liveness check and comparison against the identification document, and confirmation of the Member's full legal name, date of birth, and physical address
• For CMRA-based virtual mailbox service, a completed and witnessed USPS Form 1583 in accordance with applicable USPS regulations

Nature of the verification process. The Company's verification is a fraud-prevention and platform-integrity measure designed to deter abuse, sanctions exposure, and impersonation. It is not a regulated Customer Identification Program under the Bank Secrecy Act, FinCEN rules, or any equivalent regulatory regime, and the Company does not represent that verification establishes a Member's true legal identity for any purpose other than account creation and Service eligibility. The Company is not a financial institution, money services business, or money transmitter.

Upon successful verification at the applicable tier, the Member may immediately register Agents and use the corresponding Service capabilities. Agents inherit identity from their verified operator — autonomous agents cannot self-register without a verified human or legal entity sponsor.

5.2 Sanctions, Watchlist, Fraud, and Risk Screening

Where applicable, the Company or its verification, payment, identity, or compliance providers (which currently include Stripe and Stripe Radar for payment-method screening, Stripe Identity for inbound-tier document-based identity verification and any sanctions/watchlist screening offered through that product, and Twilio Lookup for phone-carrier verification) may perform sanctions, watchlist, fraud, or risk screening on a Member, the Member's payment method, phone number, or other Member-provided information. The depth and scope of any such screening varies by Service tier and by provider. For the inbound tier, screening typically includes a check intended to flag matches against the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List (SDN List) through the identity-verification provider. For the outbound tier, the Company relies primarily on payment-method authorization, fraud-signal screening, and carrier-verification signals; the Company does not represent that a customer-facing OFAC sweep is performed on every outbound-only Member.

Any screening performed is advisory. The Company does not warrant that screening identifies every sanctions, watchlist, fraud, or risk match, and the absence of a flag is not a representation that any Member is in compliance with sanctions or other law. Where the Company learns that a Member appears on a sanctions list or is otherwise prohibited from receiving the Service, the Company will refuse, suspend, or terminate the account and may report or cooperate with authorities to the extent required or permitted by applicable law.

5.3 Right to Refuse Service

The Company is not required to provide reasons for refusal of service except where required by applicable law. Fees paid by rejected applicants will be refunded for unused services only.

5.4 Ongoing Verification

The Company may, at any time and without prior notice, require Members to re-verify their identity, provide additional documentation, or answer questions about their account activity. Failure to comply with re-verification requests within 48 hours may result in immediate account suspension.

5.5 Verification Record Retention

The Company retains verification records (including the verification result, processor session identifiers, captured name, masked card and phone identifiers, and, for the inbound tier, Stripe Identity verification result and Form 1583 record where applicable) for a minimum of five (5) years after account closure. This retention supports fraud investigation, dispute resolution, audit, sanctions inquiry response, and lawful cooperation with law enforcement. The Company does not retain copies of underlying government-issued identity documents after Stripe Identity has completed verification, except where required by law. You consent to this retention period by creating an account.

6. Agents and Endpoints

6.1 Agent Registration and Scope of Agent Capabilities

Members may use the outbound mail Service directly through the Operator Dashboard, or register AI agents to automate outbound mail and related API workflows. Agent registration is optional — outbound mail is fully accessible through the dashboard without automation.

For Members who choose to automate: AI agents and autonomous systems may be registered on the Platform. Each Agent registration requires a unique name, a slug for subdomain assignment (e.g., agent-slug.mailbox.bot), and optionally a webhook URL, framework identifier, capability declarations, and Agent Protocol configurations (MCP, A2A, OpenClaw, REST).

Outbound-only Members: Agents may submit outbound mail, query mail status, consume webhooks, and use the related agent-credential, cost-cap, and standing-instructions APIs. Package receiving, content scanning, package forwarding, consolidation, and Reference-Code-based intake apply only to Members enrolled in the Private Beta Addendum and are not available to outbound-only Members. References elsewhere in these Terms to Agents receiving packages, requesting scans, or initiating forwarding describe private-beta inbound capabilities only.

Members are encouraged to implement spending caps (X-Max-Cost-Cents), daily-piece caps (max_daily_pieces), force-approval routing, and monitoring for autonomous agents to maintain control over Agent activities.

6.2 Member Responsibility for Agents — Inherited Identity Model

The Company does not monitor, supervise, or control Agent behavior. Members must implement their own monitoring, spending limits, and approval workflows for autonomous agents. The Member agrees to indemnify and hold the Company harmless for all claims arising from Agent activity.

6.3 Endpoint Provisioning — Instant Reference Code Assignment (Private Beta Inbound Services Only)

This Section 6.3 describes Endpoint provisioning at a physical Facility. It applies only to Members enrolled in the Private Beta Addendum and does not apply to outbound-only Members, who do not receive a Reference Code or facility address.

Upon Agent registration for an enrolled beta Member, the Platform provisions an Endpoint consisting of:

• A unique Reference Code at the active Facility (e.g., Ref: GR-7F3A)
• A physical shipping address formatted for Private Carrier delivery (Facility address + Reference Code)
• A vanity subdomain for agent identity (agent-slug.mailbox.bot)
• API credentials scoped to the Agent
• Webhook endpoint configuration for instant package notifications
• Public profile hosting with Agent Protocol support (MCP, A2A, OpenClaw, REST)

Endpoint provisioning typically occurs within seconds of Agent registration, enabling the Agent to immediately begin using the Reference Code for shipping workflows. The physical facility address associated with an Endpoint may change if the Company relocates a Facility. Where commercially practicable, the Company will use commercially reasonable efforts to provide advance notice before any Facility relocation and to arrange forwarding from the prior address for a reasonable transition period. The Company does not guarantee any particular notice period or forwarding window and shall have no liability for the consequences of an address change. (Inbound features described in this Section apply only to Members enrolled in the private beta for inbound services.)

6.4 Agent Credentials, API Keys, and MCP Tokens

The Platform issues several classes of credentials, including (i) member-scoped API keys, (ii) agent-scoped API keys (sk_agent_* and test keys sk_agent_test_*), (iii) facility API keys (sk_facility_*), (iv) MCP installation tokens, (v) webhook signing keys (whsk_*), and (vi) session cookies for the Operator Dashboard. The secret portion of each key is shown to you only once, at creation; the Company stores only a salted hash and cannot recover the original secret if it is lost.

Without limiting the foregoing, you agree to: (a) treat every API key, MCP token, and webhook signing key as a high-sensitivity production secret; (b) never embed credentials in source code, public repositories, public agent profiles, marketing materials, screenshots, screen recordings, or third-party prompts; (c) restrict credentials to the minimum scope required and prefer agent-scoped keys over member-scoped keys for autonomous workflows; (d) implement appropriate spending caps using X-Max-Cost-Cents, max_daily_pieces, and similar policy controls before granting an agent the ability to send live mail; (e) immediately rotate or revoke any credential you suspect has been disclosed, copied, intercepted, leaked through prompt injection, or misused; and (f) cooperate with the Company's investigation of any suspected credential incident.

The Company has no obligation to detect compromised credentials on your behalf, and the Company shall not be liable for any charges, mail dispatched, data accessed, or other actions taken using a credential that was valid at the time of use, regardless of how the credential came into the hands of the actor that used it.

6.5 Agent Identity and Protocol Support

Each Agent receives a public profile hosted at [agent-slug].mailbox.bot, including support for standard agent discovery and communication protocols:

• MCP (Model Context Protocol): For context-aware agent interactions
• A2A (Agent-to-Agent): Discovery and interoperability protocol support
• OpenClaw: Agent discovery and capability declaration via /.well-known/agent.json
• REST: Standard RESTful API access for programmatic interaction

The Company provides the infrastructure for agent identity and protocol hosting but does not verify, endorse, or guarantee any information in an Agent's profile, protocol declarations, or capability claims. Members are solely responsible for the accuracy, security, and compliance of their Agent's profile information and protocol implementations.

7. Facility and Physical Operations

7.1 Facility Address

The Company operates one or more physical Facilities for package receiving in connection with its private-beta inbound services. Facility addresses are provided to enrolled beta Members via the API and Operator Dashboard. The Company reserves the right to change Facility addresses at any time, subject to the notice and transition procedures in Section 7.1.2.

Sections 7.x address inbound mail and package services that are currently offered only under the Private Beta Addendum. They apply only to Members expressly enrolled in the applicable beta and do not apply to outbound-only users.

7.1.1 Facility Risk Acknowledgment

Facilities on the mailbox.bot network are independently owned and operated businesses. They are not employees, agents, subsidiaries, or affiliates of the Company. The Company provides software infrastructure that connects you with these independent operators but does not own, manage, or control any facility's day-to-day operations, staffing, or business decisions.

By using the Platform, you acknowledge and accept the following risks:

• Facility Underperformance — A facility may fail to meet expected standards for timeliness, accuracy, communication, or package handling. While the Company enforces service level standards and a performance accountability process against facility operators (see the Facility Operator Agreement), the Company cannot guarantee any particular level of service from an independent operator.
• Facility Removal — The Company may suspend or remove a facility from the network at any time for underperformance, renter complaints, compliance failures, or any other reason. If your assigned facility is removed, your Endpoint address will change and you will need to update your shipping arrangements.
• Facility Closure — A facility may voluntarily withdraw from the network or cease business operations entirely, with or without advance notice. Economic conditions, lease terminations, staffing issues, or other factors outside the Company’s control may cause a facility to close.
• Address Changes — Any of the above events may require you to change the shipping address you have provided to vendors, senders, and other parties. The Company will make commercially reasonable efforts to provide advance notice and facilitate a transition to a replacement facility, including maintaining mail forwarding from the prior address for a reasonable period, but cannot guarantee uninterrupted service during the transition.

7.1.2 Service Address Relocation and CMRA Portability

The Company does not guarantee that any Facility address will remain at the same physical location for the duration of your subscription or for any particular period of time. The Company reserves the right, in its sole discretion, to relocate any Facility to a different physical address at any time, for any reason, including but not limited to: lease expiration or termination, changes in business conditions, network optimization, capacity planning, regulatory requirements, or any other operational reason.

Notice: The Company will use commercially reasonable efforts to provide affected Members with advance written notice prior to any Facility address change, targeting at least sixty (60) days where practicable. Notice will be sent via email and/or webhook notification to Members with active Endpoints at the affected Facility. Shorter notice may be necessary in cases of involuntary lease termination, force majeure, regulatory action, or facility loss.

Mail and Package Forwarding During Transition: Upon relocation, the Company will use commercially reasonable efforts to arrange forwarding from the prior Facility address to the new Facility address for a reasonable transition period, targeting ninety (90) days where practicable. The Company does not guarantee any particular forwarding period or uninterrupted service and shall not be liable for any lapse, delay, or failure of forwarding during transition.

CMRA Compliance During Relocation: Where a Facility relocation involves a CMRA-registered facility serving Members enrolled in private-beta virtual mailbox service, the Company and/or its facility operator will use commercially reasonable efforts to:

• File an updated CMRA registration with the USPS Program Office reflecting the new Facility address
• Comply with applicable USPS regulations under 39 CFR Part 111 during and after the relocation
• Notify affected Members of the address change and coordinate execution of new Form 1583 authorizations for the new Facility address

The Company does not warrant that any particular CMRA registration will remain in good standing throughout any transition and shall not be liable for any lapse, gap, suspension, or revocation of CMRA status that affects mail receiving during a relocation.

New Form 1583 Required at New Address: Under USPS regulations, PS Form 1583 is address-specific. A Form 1583 executed for one CMRA address does not transfer to a different address. In the event of a Facility relocation, each virtual mailbox Member will need to execute a new Form 1583 for the new Facility address. The Company will handle this process to make it as simple as possible:

• The Company or its CMRA operator is authorized to verify Member identity and witness Form 1583 execution directly — no third-party notary visit is required
• The Company will initiate the re-execution process, prepare the new Form 1583 with the updated address, and deliver it to Members electronically for signature
• Members will need to sign the new Form 1583 and present valid government-issued photo identification to the Company or its CMRA operator for verification — the same identification used during initial onboarding is acceptable
• There is no additional fee for Form 1583 re-execution required solely due to a Company-initiated Facility relocation

Authorization for Address Change Processing: By enrolling in virtual mailbox service, you authorize the Company and/or its CMRA operator to prepare updated Form 1583 documents on your behalf in connection with any Facility address change, using the identity verification records and personal information you provided during onboarding. You agree to promptly sign any such updated Form 1583 and present valid identification when requested. This authorization remains in effect for the duration of your subscription.

Completion Deadline: Members must complete the new Form 1583 within thirty (30) days of receiving notice of the address change. The Company will send reminders during this period. If a Member does not complete the new Form 1583 within thirty (30) days, USPS regulations require the Company to suspend mail receiving for that Member at the new address until a valid Form 1583 is on file. This is a regulatory requirement, not a penalty — the Company will promptly restore mail service as soon as the updated form is completed. Members whose mail service is suspended due to an incomplete Form 1583 will not be charged for the virtual mailbox service during the suspension period.

7.2 Carrier Policy

Carrier acceptance depends on your facility type. See Section 2.4 for details. Virtual mailbox customers at CMRA facilities may receive USPS letter mail, flats, and documents only. USPS packages and parcels will be refused or returned to sender by the carrier. Private carrier packages are not accepted on the virtual mailbox plan. Warehouse space customers at fulfillment facilities may receive from private carriers (FedEx, UPS, DHL, Amazon Logistics, OnTrac, LaserShip, GSO, Spee-Dee, and regional carriers). USPS mail is not accepted at warehouse facilities.

7.3 Package Intake Procedures (Private-Beta Inbound Services Only)

Upon receipt of a Package at a Facility, the facility operator follows a standardized intake process establishing a documented provenance chain:

• RECEIVE: Sign for and accept the Package from the carrier, establishing bailee custody
• SCAN: Photograph the exterior of the Package from multiple angles
• LOG: Record Package details in the Platform including carrier, tracking number, dimensions, weight, and timestamp
• ATTRIBUTE: Route the Package to the appropriate Endpoint based on the Reference Code — no commingling of client property
• STORE: Place the Package in a designated storage area within the Facility under bailee custody
• NOTIFY: Immediately send webhook notification with JSON payload to the Agent's configured endpoint, and/or email notification to the Member

Webhook notifications include structured data: tracking number, carrier name, package photos (URLs), weight, dimensions, timestamp, Reference Code, and Agent identifier. This enables autonomous agents to make immediate logistics decisions upon package arrival. All packages are attributed to a specific client via Reference Code throughout the provenance chain.

7.4 Package Storage (Private-Beta Inbound Services Only)

Packages are stored at the Facility under bailee custody for the duration specified by the Member's subscription plan. Storage periods begin on the date of receipt. The Member retains ownership of all Packages at all times during storage. Packages not retrieved, forwarded, or otherwise disposed of before the storage period expires will be subject to the abandonment procedure described in Section 7.7.

7.5 Content Scanning (Private-Beta Inbound Services Only)

Members may request a Content Scan for any Package. Content Scanning involves opening the Package, photographing or digitizing the contents, delivering the resulting images and/or extracted data to the Member via the Platform, and resealing the Package. Content Scan requests are subject to additional fees per the applicable pricing plan. The Company reserves the right to refuse Content Scanning for any Package that appears to contain Prohibited Items.

7.5.1 Sensitive and Regulated Content

Mail and packages opened through Content Scanning or other handling services may contain sensitive, confidential, or regulated information, including but not limited to:

• Protected health information (PHI) such as medical records, insurance statements, explanation of benefits (EOBs), prescriptions, lab results, and healthcare correspondence
• Financial information such as bank statements, credit card numbers, tax documents, account numbers, PINs, and investment records
• Authentication credentials such as passwords, security codes, access tokens, and multi-factor authentication materials
• Business confidential information such as trade secrets, proprietary data, customer lists, contracts, and intellectual property
• Legal documents such as court filings, attorney correspondence, settlement agreements, and regulatory notices
• Government-issued documents such as Social Security cards, passports, immigration documents, and benefit notices

Consent to Handle Sensitive Content: By requesting a Content Scan, mail opening, or any service that involves accessing the contents of your mail or packages, you expressly consent to the Company and its facility operators viewing, photographing, digitizing, and transmitting the contents to you via the Platform — including any sensitive or regulated information contained therein. You acknowledge that this consent is necessary for the Company to perform the services you have requested and that the Company cannot selectively redact or exclude sensitive content during scanning without prior specific instruction from you.

No HIPAA Covered Entity Status: The Company is not a healthcare provider, health plan, healthcare clearinghouse, or business associate as defined under the Health Insurance Portability and Accountability Act (HIPAA). The Company does not hold itself out as HIPAA-compliant and is not subject to HIPAA regulations. If you receive mail containing protected health information (PHI) and request that it be scanned, you acknowledge that the scanning, storage, and transmission of that information through the Platform is not subject to HIPAA safeguards. Members who require HIPAA-compliant mail handling should not use Content Scanning for mail that may contain PHI, or should make alternative arrangements for the receipt of healthcare-related correspondence.

No SOC 2 Certification: The Company does not currently hold SOC 2 Type I or Type II certification. While the Company implements commercially reasonable security measures (encryption at rest and in transit, access controls, audit logging, and secure infrastructure providers — several of which are themselves SOC 2 certified), the Company's own operations have not been independently audited under the SOC 2 framework. Members who require SOC 2-certified document handling for regulatory or compliance purposes should evaluate whether the Platform meets their requirements before using Content Scanning services.

Data Protection Commitment: Notwithstanding the above, the Company commits to the following with respect to all content obtained through Content Scanning and mail handling services:

• The Company will not sell, rent, license, or otherwise commercially distribute the contents of your mail, packages, or scanned documents to any third party — ever
• The Company will not use the contents of your mail or scanned documents for advertising, marketing, data mining, AI model training, or any purpose other than delivering the requested service to you
• Scanned content is accessible only to you (the Member), your authorized Agents, and authorized Company personnel with a legitimate operational need (e.g., quality review, troubleshooting, or fulfilling your service request)
• The Company will not voluntarily disclose the contents of your mail or scanned documents to any third party except: (a) as required by law, valid court order, subpoena, or other legal process; (b) to law enforcement pursuant to Section 9 of these Terms; (c) to protect the safety of Company personnel, other Members, or the public; or (d) with your explicit written consent
• The Company will apply the same security measures to scanned content as it applies to all other Member data, including encryption at rest and in transit, access controls, and audit logging

7.6 Package Forwarding (Private-Beta Inbound Services Only)

Members may request that Packages be forwarded to a designated address. Forwarding is subject to additional fees including the cost of shipping via the selected carrier. The Company is not liable for Packages lost, damaged, or delayed during forwarding by the carrier.

7.7 Abandoned Packages (Private-Beta Inbound Services Only)

Packages that remain in bailee custody beyond the applicable storage period without instruction from the Member are deemed abandoned. The Company will send a notification to the Member at least seven (7) days before declaring a Package abandoned. Upon abandonment, the bailment terminates and Packages become the property of the Company and may be disposed of, donated, recycled, or destroyed at the Company's sole discretion without liability to the Member.

7.8 Package Condition and Chain of Custody (Private-Beta Inbound Services Only)

The Company accepts Packages in the condition delivered by the carrier and establishes bailee custody at the point of intake. The Company makes no representations or warranties regarding the condition of a Package upon arrival, including but not limited to damage, tampering, or partial delivery that may have occurred during carrier transit. Exterior photographs taken at intake document the Package's condition at the time of receipt and establish the provenance chain. The Company is not liable for any condition issues attributable to carrier handling prior to Facility receipt.

7.9 No Climate or Environmental Controls (Private-Beta Inbound Services Only)

Unless specifically agreed to in writing under an Enterprise plan, the Company's Facilities do not provide climate-controlled, temperature-regulated, humidity-controlled, or environmentally sealed storage. Members who ship items that are sensitive to temperature, humidity, light, vibration, or other environmental conditions do so entirely at their own risk. The Company is not liable for damage, degradation, spoilage, or loss of functionality caused by environmental conditions during storage.

7.10 Right to Refuse or Dispose of Dangerous Packages (Private-Beta Inbound Services Only)

If any Package received at a Facility is leaking, emitting fumes, producing unusual odors, making sounds, generating heat, or otherwise presenting an actual or perceived safety risk to Facility personnel, other Packages, or the Facility itself, the Company may immediately quarantine, remove, or dispose of the Package without prior notice to the Member. The Company may also contact emergency services or hazardous materials response teams at its sole discretion. The Member is liable for all costs incurred by the Company in responding to a dangerous Package, including cleanup, decontamination, emergency response fees, and any damage to the Facility or other Members' Packages.

7.11 Cross-Contamination and Shared Facility Risk (Private-Beta Inbound Services Only)

Members acknowledge that Packages are stored in a shared Facility alongside Packages belonging to other Members. The Company takes reasonable precautions to segregate Packages by Reference Code with no commingling of client property, but does not guarantee complete physical isolation from other Packages. The Company is not liable for any cross-contamination, pest infestation, odor transfer, moisture damage, or other harm caused by proximity to other Members' Packages in the shared Facility environment.

7.12 Carrier Misdelivery (Private-Beta Inbound Services Only)

The Company is not liable for Packages that are misdelivered by a carrier to the wrong Facility, wrong address, or wrong Reference Code. If a Package addressed to a Member's Reference Code is delivered to a different location by the carrier, the Member's sole remedy is against the carrier. If a Package addressed to a different recipient is delivered to the Facility, the Company will make reasonable efforts to return it to the carrier or correct the delivery, but assumes no liability for such misdelivered Packages.

7.13 Photography and Documentation Accuracy (Private-Beta Inbound Services Only)

Exterior and Content Scan photographs are provided on an "as-is" basis. Photographs may not capture all damage, defects, or details of a Package or its contents. Lighting, camera limitations, and human error may affect photograph quality. The Company does not warrant that photographs are complete, accurate, or sufficient for any particular purpose including insurance claims, legal proceedings, or inventory management. Members should not rely solely on Company-provided photographs for critical assessments of Package condition or contents.

7.14 Package Size and Weight Limits (Private-Beta Inbound Services Only)

Standard subscription plans accept Packages up to the following limits:

• Maximum weight: 70 pounds per Package
• Maximum size: 108 inches in combined length + girth (length + 2×width + 2×height)
• Standard carrier package dimensions accepted by FedEx, UPS, DHL, and Amazon

Packages exceeding these limits may be refused at intake, require special handling fees, or require upgrade to an Enterprise plan. Enterprise plans with reserved facility space can accommodate larger items including server racks, pallets, and oversized equipment. Members should contact before shipping oversized items.

7.15 Physical Operations Risk Acknowledgment (Private-Beta Inbound Services Only)

The Company and its facility operators handle postal mail and packages in real-world environments staffed by human beings and assisted by automated systems. Despite commercially reasonable care, security measures, training, and operational procedures, the following risks exist and are inherent to any physical logistics operation:

• Package Loss — Packages may be lost during any phase of the logistics lifecycle, including carrier transit to the facility, intake processing, internal storage, retrieval, forwarding preparation, or outbound carrier handoff. Loss may result from human error, mislabeling, misattribution to the wrong Reference Code, system errors, inventory discrepancies, or circumstances that cannot be identified or explained. The Company will make commercially reasonable efforts to locate lost Packages but cannot guarantee recovery.
• Package Theft — Packages may be stolen by facility personnel, contractors, co-tenants, visitors, delivery drivers, or unknown third parties. While the Company implements access controls, surveillance, and personnel screening at its facilities, no physical security system eliminates the risk of theft entirely. The Company is not an insurer of your property against theft.
• Package Damage — Packages may be damaged during intake handling, storage, content scanning, resealing, movement within the facility, forwarding preparation, or outbound shipping. Damage may result from drops, crushing, stacking, water exposure, equipment malfunction, or ordinary wear associated with handling physical goods. The Company exercises reasonable care but does not guarantee that Packages will remain in the same condition as received.
• Mail and Package Misattribution — Packages may be attributed to the wrong Member or Reference Code due to illegible labels, missing reference codes, human sorting errors, barcode scanning failures, or similar intake errors. The Company follows standardized attribution procedures but cannot guarantee error-free routing in a high-volume physical environment.
• Delayed Processing — Package intake, scanning, content scanning, forwarding, and other facility actions may be delayed due to staffing shortages, high volume, equipment failure, weather, facility access issues, or other operational factors. Published processing times are estimates, not guarantees.
• Mail Handling Errors — For virtual mailbox customers at CMRA facilities, mail may be opened in error, delivered to the wrong box, delayed in processing, misrouted during forwarding, or lost during internal handling. Mail handling involves manual processes performed by facility staff and is subject to human error at every step.
• Forwarding and Outbound Errors — Packages forwarded to a destination address may be shipped to the wrong address due to data entry errors, label printing errors, or incorrect information provided by the Member or their Agent. Outbound mail submitted for print-and-mail may contain printing defects, be sent to an incorrect address, or be lost or delayed by the postal carrier. The Company is not liable for errors in outbound delivery once a Package or mail piece is tendered to a carrier.
• Content Scan Limitations — Content scanning involves physically opening Packages, which inherently risks damage to contents or packaging. Scanned images may not capture all items, may be blurry or poorly lit, and may miss small, hidden, or layered contents. Resealing may not restore the Package to its original condition.
• Facility Security Limitations — Facilities are commercial spaces, not vaults, armored depositories, or high-security installations. They are protected by commercially reasonable measures (locks, cameras, access controls, personnel screening) but are not impervious to break-ins, natural disasters, fire, flooding, power loss, or other events. Shared facilities house Packages from multiple Members in proximity.
• Personnel Risk — Facility operations require human personnel who have physical access to your Packages and mail. Despite background checks, training, and oversight, the Company cannot guarantee the conduct of every individual who may handle your property. This includes facility employees, temporary workers, contractors, maintenance personnel, and cleaning staff.
• Operational Errors — In any physical logistics operation, errors occur. Labels are misread, packages are placed on wrong shelves, scans fail, notifications are delayed, forwarding labels are printed incorrectly, and items are occasionally overlooked. The Company implements quality controls and process checks to minimize errors but does not warrant error-free operations.

The Company's sole obligation upon loss of or damage to a Package in its bailee custody (where such loss or damage is attributable to the Company's failure to exercise reasonable care) is limited to the remedies set forth in Section 14.6 (Bailee Liability). The Company shall have no liability whatsoever for loss, theft, damage, delay, or misdelivery attributable to carriers, third parties, force majeure events, or circumstances beyond the Company's reasonable control.

7.16 Member Insurance Responsibility (Private-Beta Inbound Services Only)

The Company does not provide insurance coverage for the contents or value of Packages or mail received, stored, or forwarded through the Platform. Members are solely responsible for obtaining and maintaining their own insurance coverage, including but not limited to: declared value coverage or shipping insurance through the originating carrier; renter's insurance, homeowner's insurance, or business property insurance that covers goods in the custody of a third-party bailee; and any specialized coverage for high-value, fragile, perishable, or irreplaceable items. The Company will cooperate with Members in filing insurance claims by providing intake photographs, chain of custody records, and other documentation available through the Platform, but assumes no responsibility for the outcome of any insurance claim.

8. Prohibited Items and Activities

8.1 Prohibited Activities

Members may not use the Platform to:

• Receive, store, or forward any Prohibited Items (defined below)
• Facilitate any illegal activity, including but not limited to fraud, money laundering, drug trafficking, weapons trafficking, or terrorism
• Evade law enforcement or regulatory oversight
• Circumvent sanctions, embargoes, or export controls
• Misrepresent the identity of any Member, Agent, or sender
• Use the Platform endpoint as a residential address or to establish residency in any jurisdiction
• Use the Platform endpoint as a registered business address, for government filings, banking, or legal registrations
• Use the Platform endpoint for vehicle registration, government identification, voter registration, tax filings, banking applications, or any purpose requiring a physical address where the Member does not actually conduct business or reside
• Use the Endpoint Only plan for active shipping workflows without upgrading to a receiving plan (Endpoint Only plans are subject to activity review)
• Interfere with the Platform's operations or other Members' use of the Platform
• Reverse engineer, decompile, or disassemble any part of the Platform
• Use the Platform for any purpose that violates the Acceptable Use Policy

8.2 Prohibited Items

The following items may NOT be received, stored, or forwarded through the Platform:

• Controlled substances, illegal drugs, and drug paraphernalia
• Firearms, ammunition, explosives, and weapons of any kind
• Hazardous materials, including flammable, corrosive, toxic, radioactive, or biohazardous substances
• Perishable goods (unless pre-approved in writing by the Company)
• Live animals or human remains
• Counterfeit goods, stolen property, or goods that infringe intellectual property rights
• Currency, bearer instruments, precious metals, or gemstones exceeding $1,000 in value
• Items subject to U.S. export controls, ITAR restrictions, or sanctions
• Items requiring special licenses, permits, or certifications to possess or transport
• Any item whose receipt, possession, or transport is prohibited by federal, state, or local law

8.3 Right to Inspect

The Company reserves the right, but not the obligation, to inspect any Package received at a Facility if the Company has reasonable suspicion that the Package contains Prohibited Items, if the Package is damaged, leaking, or emitting unusual odors, if required by law enforcement or pursuant to a lawful order, or if the Company determines inspection is necessary to protect the safety of its employees, other Members, or the public.

8.4 Consequences of Violation

Violation of this Section may result in: immediate account termination without refund; seizure and disposal of the offending Package; reporting to law enforcement (see Section 9); and permanent ban from the Platform.

9. Law Enforcement Cooperation and Reporting

9.1 Permissive Reporting

The Company may, in its good-faith judgment and without prior notice to you, report to an appropriate federal, state, local, or foreign law-enforcement agency, regulator, prosecutor, carrier, payment processor, or other party any activity that the Company suspects to involve any of the following: (a) fraud, identity theft, payment-card abuse, money laundering, terrorism financing, or sanctions evasion; (b) hacking, credential theft, unauthorized access, denial-of-service, prompt-injection, scraping, or other computer-misuse offenses against the Platform or its users; (c) use of the Platform to send threatening, harassing, extortionate, stalking, scam, phishing, defamatory, or fraudulent mail; (d) impersonation of a government agency, court, attorney, healthcare provider, or financial institution; (e) trafficking in Prohibited Items, controlled substances, weapons, or counterfeit goods; (f) child exploitation material, non-consensual intimate imagery, or other content whose creation or transmission is criminally prohibited; (g) sanctions, OFAC, or watchlist matches; (h) attempts to provide false identity documentation, evade KYC, or misuse another person's identity; or (i) any other conduct that the Company, in its sole judgment, deems necessary or appropriate to report. The Company has no duty to investigate, validate, or substantiate suspected conduct prior to reporting and is not obligated to report any particular activity.

9.2 Law Enforcement Requests

The Company will comply with valid subpoenas, court orders, search warrants, and other lawful legal process. In response to such process, the Company may produce records in its possession including, where applicable, Member identity verification records, package intake logs and photographs, agent registration information, API access logs and webhook event logs, communication records, and other responsive information. The Company reserves the right to challenge or seek narrowing of any process it believes to be overbroad, defective, or otherwise improper before producing records.

9.3 No Obligation to Notify

The Company is NOT obligated to notify Members of law enforcement requests, investigations, or reporting unless required by law. In many cases, the Company is prohibited from providing such notification. Members waive any right to advance notice of law enforcement cooperation to the extent permitted by law.

9.4 Preservation Requests

The Company will honor lawful preservation requests from law enforcement and will preserve relevant records for the period specified in such requests, or for 180 days if no period is specified.

9.5 Member Cooperation

Members agree to cooperate with the Company and with law enforcement in connection with any investigation related to their account, their Agents, or Packages received on their behalf. Failure to cooperate may result in immediate account termination.

9A. Outbound Mail Service — Specifications, Tracking, and Risk Allocation

This Section 9A applies to the Company's outbound mail service, which is the Platform's primary generally-available offering and is the service governed by the Outbound Only and Outbound add-on plans. Your use of the outbound mail service is subject to all other provisions of these Terms in addition to this Section 9A; in the event of a conflict between this Section 9A and any other Section, this Section 9A controls solely with respect to outbound mail.

9A.1 Service Description

You (or your authorized AI agent, MCP client, A2A peer, or REST consumer) submit (a) a document file (PDF or other supported format), (b) a recipient address, (c) a return address, and (d) a service class (e.g., USPS First Class, USPS Priority, USPS Certified, USPS Certified with Return Receipt, FedEx, UPS) along with optional flags (color printing, double-sided, page count, max-cost cap, idempotency key, dry-run, test mode). The Company arranges, through its facility network, for the document to be printed, enveloped, weighed, postage-applied, photo-documented, and tendered to the selected carrier.

9A.2 Carrier Custody Transfer — Risk Allocation

Specifically, the Company is not liable for, and you accept the risk of: (a) any delay, non-delivery, mis-delivery, partial delivery, return-to-sender, opened-in-transit, damaged, destroyed, or lost mail piece once the piece has been tendered to the carrier; (b) any failure of the carrier to scan, track, or generate timely tracking events; (c) any inaccuracy or staleness in carrier-provided tracking data surfaced through the Platform; (d) any service-class downgrade, address-correction surcharge, or postage adjustment imposed by the carrier; (e) any holiday, weather, labor-action, force-majeure, or operational delay attributable to the carrier or its subcontractors; and (f) any consequence of the carrier's loss, destruction, or refusal of the mail piece for any reason.

9A.3 Tracking Information

Where the selected service class includes a tracking number, the Company surfaces carrier-provided tracking events to you via the dashboard, REST API, MCP, A2A, and webhooks on a best-effort basis. Tracking data is generated by the carrier, not by the Company. The Company does not warrant that tracking events will be timely, complete, accurate, or available for any particular service class, and the Company shall not be liable for any decision you or your agent make in reliance on a tracking event (or the absence of one). For service classes that do not include tracking (e.g., USPS First Class letters without tracking add-on), no tracking event will be available and the only proof of mailing the Company can produce is the photo proof described in Section 9A.4.

9A.4 Photo Proof of Mailing

For each outbound mail piece, the facility may capture photo evidence of one or more steps in the production lifecycle, including printed pages, sealed envelope, postage label, and carrier drop-off. Photo proof documents the drop-off event only. Photo proof is not, and shall not be construed as, proof of delivery, proof of receipt by the recipient, proof of contents, certified mail return receipt (which is a separate USPS service available as a service class), notarization, or any form of legal service of process.

9A.5 No Guaranteed Mailing or Delivery Deadlines

You acknowledge that postal mail is inherently subject to lead time, queueing, batching, weather, holidays, carrier capacity, and human handling. If you have a hard deadline for delivery (court filing, regulatory submission, contract option, tax filing, election deadline, etc.), you must build your own buffer, use a higher-tier service class, or arrange direct delivery through a different vendor. Use of the Company's service for time-sensitive mail is at your sole risk. The Company expressly disclaims any role as your "deadline backstop" and shall not be liable for missed deadlines under any theory.

9A.6 Customer Responsibility for Document Content and Recipient Data

You are solely responsible for the contents of every document you submit and for the accuracy and completeness of every recipient address, return address, and instruction you provide. The Company does not review, edit, fact-check, redact, legally-vet, or compliance-screen the content of your documents. You represent and warrant that each document you submit (i) is your property or has been submitted with the lawful authorization of the rights-holder; (ii) does not violate any law, court order, regulatory rule, or third-party right; (iii) does not contain content prohibited by Section 8 (including without limitation child sexual abuse material, threats of violence, fraudulent communications, instruments of identity theft, weapons-trafficking communications, controlled-substance solicitations, or election-disinformation campaigns); (iv) does not impersonate any government agency, court, financial institution, healthcare provider, attorney, or other regulated entity in a manner reasonably likely to deceive recipients; and (v) is suitable for the service class you have selected.

9A.6.1 Customer License to the Company

You grant the Company and its service providers, facility operators, print and mail partners, postage vendors, carriers, cloud and storage providers, identity providers, payment processors, and other processors a worldwide, non-exclusive, royalty-free, sublicensable (solely to such service providers and partners) license to host, copy, transmit, render, convert, format, print, envelope, weigh, address, label, photograph, audit, log, retain, and otherwise process the documents, recipient and return addresses, instructions, metadata, and related content you submit through the Service, solely as necessary to provide, secure, support, bill, audit, troubleshoot, and improve the Service for you. This license terminates when the Company no longer needs the content to provide or support the Service or comply with its retention obligations under Section 16.5, whichever is later. This Section does not transfer ownership of your content; it grants the operating permissions the Company and its partners need to physically execute the Service you requested.

9A.7 Customer Responsibility for Agent and Tool Use

The Company provides cost caps (X-Max-Cost-Cents), daily-piece caps (max_daily_pieces), force-approval routing (force_approval), test-mode endpoints, dry-run pricing, and standing-instructions versioning (MAILBOX.md) as guardrails you may use to constrain agent behavior. The Company strongly recommends that you enable these guardrails before granting any autonomous tool live-send capabilities. The Company has no duty to enable, configure, or monitor these guardrails on your behalf, and shall have no liability for the consequences of agent behavior that you have not adequately constrained.

9A.7.1 Customer-Built Software, Scripts, and Internal Tools

The Company has no visibility into, and accepts no responsibility for, the design, architecture, security, testing, deployment, monitoring, or runtime behavior of your software. Without limiting the generality of the foregoing, the Company shall have no liability for: (a) any defect, bug, regression, race condition, infinite loop, runaway retry, mis-paginated batch, mis-mapped CSV, mis-templated document, or other malfunction in your software that causes unintended API calls, unintended outbound mail pieces, unintended charges, or unintended disclosure of recipient data; (b) any compromise, breach, exfiltration, or unauthorized use of your credentials, secrets, environment variables, or service accounts that occurs outside the Platform's control plane; (c) any harm caused by an LLM or model you operate (whether self-hosted, hosted by a third-party inference provider, or accessed through a model gateway), including hallucinations, jailbreaks, prompt-injection cascades, tool-use mistakes, mis-routed function calls, or autonomous decisions that produce unintended Platform activity; (d) any failure of your software to honor cost caps, daily-piece caps, force-approval routing, or other guardrails the Platform exposes; (e) any failure of your software to consume webhooks, ingest API responses, retry idempotently, or reconcile state with the Platform; or (f) any third-party harm or claim arising from a mail piece your software caused to be produced and dispatched. Every mail piece, charge, and API call originating from your software is deemed authorized by you and billable to you on the same terms as if you had executed the call yourself.

9A.8 Customer Responsibility for Tracking and Reconciliation

If your business workflow requires confirmation of dispatch or delivery for any outbound mail piece, you are responsible for monitoring the events the Platform surfaces (via webhook, REST, MCP, or dashboard) and for reconciling those events with your downstream system of record. The Company does not push redundant notifications, generate compliance reports, file delivery affidavits, monitor for missed deliveries, or escalate stalled tracking. If your agent fails to consume a webhook, your CRM fails to ingest a status update, or your downstream automation fails for any reason, the Company shall have no liability for the missed reconciliation.

9B. Not a Professional, Regulated, or Compliance Service

This Section 9B applies to all Members, all plans, and all uses of the Platform.

9B.1 Not a Tax, Accounting, Legal, Healthcare, or Government-Compliance Provider

The Company does not provide, and nothing on the Platform constitutes: legal advice; tax advice; accounting advice; healthcare advice; financial planning, investment, or fiduciary advice; immigration, visa, or naturalization advice; benefits administration; election, campaign, or lobbying compliance services; KYC/AML services for your business; OFAC sanctions screening of your recipients; corporate registered-agent services; service of process; certified copy services; apostille services; or any other regulated professional service.

9B.2 No HIPAA, GLBA, PCI-DSS, FERPA, ITAR, or Other Regulatory Coverage

The Company is not a HIPAA covered entity or business associate, has not entered into and will not enter into a HIPAA Business Associate Agreement with any Member, and is not configured for the handling of Protected Health Information (PHI). The Company is not a Gramm-Leach-Bliley Act (GLBA) financial institution. The Company is not PCI-DSS-certified for any data you submit (the Company's payment processing is handled by Stripe, which is PCI-DSS Level 1 certified, but documents you submit through the Platform are not handled under PCI-DSS controls). The Company is not FERPA-compliant. The Company does not handle ITAR-controlled technical data. The Company does not provide SOC 2 Type I or Type II attestation reports for its own operations.

If the contents of any document you submit through the outbound mail service are subject to HIPAA, GLBA, PCI-DSS, FERPA, ITAR, GDPR, the EU AI Act, state privacy laws, or any other regulatory framework that imposes specific data-handling, retention, or security obligations, you are solely responsible for determining whether the Platform's capabilities and security posture satisfy those obligations before you submit the document. The Company expressly disclaims responsibility for, and you indemnify the Company against, any regulatory enforcement action, agency penalty, civil fine, audit finding, breach-notification cost, or third-party claim arising out of or related to your use of the Platform to print or mail content subject to any such framework.

9B.3 No Responsibility for Your Deadlines, Filings, or Business Outcomes

You are solely responsible for: identifying, calendaring, and meeting any legal, regulatory, contractual, financial, governmental, court, tax, election, or business deadline that depends on the timely production, dispatch, or delivery of a mail piece sent through the Platform; building appropriate buffer into your workflow; selecting an appropriate service class; and arranging fallback delivery (e.g., hand delivery, courier, certified-mail-with-return-receipt, e-filing, or in-person filing) where the consequence of a missed deadline is material. The Company will use commercially reasonable efforts to print and dispatch your mail promptly, but, as set forth in Section 9A.5, makes no guarantee of timing and accepts no liability for missed deadlines, lost causes of action, foreclosed contractual rights, statutory penalties, late-filing fees, default judgments, missed elections, missed tax filings, or any other consequence of late or non-delivery.

9B.4 Use At Your Own Risk — All Tools and Interfaces

10.1 Plans — Outbound Mail (Generally Available)

The Company's generally-available plan is:

• Outbound Only ($0/mo base): Outbound mail API access. No inbound address, no Form 1583, no notarization. Member supplies return address. Pay-per-use: per-page printing plus actual carrier postage at published retail rates. Photo proof of mailing included. Color printing available as a per-page surcharge. Cost-cap, daily-piece-cap, dry-run, idempotency, and test-mode controls included.

Current pricing for printing, postage, color, and any other per-piece line items is published on the Platform's website and in API responses. The Company may modify per-piece pricing with thirty (30) days' notice; pre-existing prepaid balances and any in-flight mail piece priced before the change are honored at the original rate.

10.1.A Plans — Private Beta Inbound Services (Not Generally Available)

• Virtual Mailbox (private beta): Limited monthly pieces of USPS postal mail and documents at a CMRA-registered facility. USPS letters and flats only; packages are not accepted. Form 1583 + notarization + KYC required. Scan-on-arrival, dashboard, and webhook/API access. Storage window per the beta agreement.
• Business / Business+ (private beta): Package-receiving plans at fulfillment facilities. Limits on monthly pieces, weight, storage, and consolidation per the beta agreement.
• Enterprise (private beta, custom pricing): Reserved facility space, custom workflows, dedicated support, and custom integrations under a separately negotiated agreement.

Beta plans are billed in advance per the beta agreement. The Company may modify, suspend, or withdraw beta plans at any time. Where the Private Beta Addendum conflicts with this Section, the Addendum controls.

10.1.1 Automatic Renewal — Notice of Auto-Renewal Terms

• Renewal cadence and amount: Your subscription will renew at the cadence and amount displayed at checkout and on your billing summary in the Operator Dashboard.
• How to cancel: You may cancel at any time, online and without speaking to the Company, through the Operator Dashboard (Account → Billing → Cancel Subscription) or by emailing the support address listed in Section 26 before the next renewal date. Cancellation takes effect at the end of the then-current billing period; you will retain access to paid features until that date.
• Pricing changes: The Company will notify you in advance of any change to the renewal price as required by applicable law and will obtain any consent required by law before charging a higher renewal amount.
• California residents: This Section is intended to satisfy California Business and Professions Code §§ 17600 et seq. (the Automatic Renewal Law) and equivalent state laws. You may cancel online by the same method described above; no telephone call or written letter is required.

10.2 Usage-Based Fees

The Platform operates on a pay-for-what-you-use model. Outbound mail charges are computed and charged at submission via Stripe; inbound usage fees (where applicable to enrolled beta Members) are billed in arrears.

Outbound mail (generally available):

• Printing: per-page rate (B&W, envelope, photo proof included)
• Postage: actual carrier rate (USPS, FedEx, UPS at published retail)
• Color printing: per-page surcharge
• Service-class surcharges (Certified, Certified + Return Receipt, Priority, etc.) at carrier rate

Inbound (private beta only — applies only to enrolled beta Members):

• Extra package received beyond plan limit
• Content scan (open + photo)
• Package forwarding (handling fee plus actual carrier shipping)
• Package consolidation (handling fee plus actual carrier shipping)
• Return label generation (handling fee plus actual carrier shipping)
• Additional receiving address (per address per month)
• Bailee storage beyond plan limit (per package per day)

Current line-item pricing is published on the Platform's website and in API responses, and may be modified with thirty (30) days' notice.

10.3 Payment Method

Members must maintain a valid payment method on file at all times. Accepted payment methods are debit cards and credit cards issued by a financial institution. Prepaid cards, gift cards, virtual cards not linked to a bank account, and other anonymous or non-reloadable funding sources are not accepted and will be rejected during onboarding. The Company reserves the right to reject or remove any payment method that does not meet these requirements. By providing a payment method, you authorize the Company to charge your payment method for all fees incurred under your account. Failed payments may result in immediate service suspension.

10.4 Late Payments

Payments not received by the due date are subject to a late fee of 1.5% per month (18% per annum) or the maximum rate permitted by law, whichever is less. Accounts with payments more than thirty (30) days past due may be suspended or terminated.

10.5 Refund Policy

Subscription fees are non-refundable except as required by applicable law. Usage-based fees are non-refundable for services rendered. If the Company terminates your account for reasons other than a violation of these Terms, you will receive a prorated refund of prepaid subscription fees for the unused portion of the current billing period.

10.6 Taxes

All fees are exclusive of applicable taxes. You are responsible for all taxes, duties, and levies imposed by any governmental authority with respect to your use of the Platform, except for taxes based on the Company's net income.

11. Shipping Portal

11.1 Shipping Portal Service (ship.mailbox.bot)

The Platform provides a public shipping portal at ship.mailbox.bot that enables third-party senders (vendors, suppliers, contractors, or other parties) to ship Packages to a Member's Agent without knowing the Facility's physical address. The shipping portal generates pre-addressed shipping labels that automatically route Packages to the correct Reference Code and Endpoint at the appropriate Facility.

This enables Agents to provide shipping instructions to external parties using their agent endpoint (e.g., agent-slug.mailbox.bot) while maintaining privacy of the physical Facility location.

11.2 Privacy of Physical Address

The physical Facility address is not publicly displayed on Agent profile pages or the shipping portal interface. The address is provided only to Members via authenticated API calls and the Operator Dashboard. The shipping portal may display only the Agent's name and the information necessary for the sender to generate a shipping label.

11.3 No Guarantee of Privacy

While the Company takes reasonable measures to limit public exposure of Facility addresses, the Company cannot guarantee that Facility addresses will remain confidential. Physical addresses may be discoverable through carrier tracking information, public records, or other means. The Company is not liable for any disclosure of Facility addresses through third-party systems or processes.

12. AI and Automated Systems

12.1 AI-Assisted Operations

The Platform utilizes artificial intelligence technologies, including large language models, computer vision systems, and automated workflows, in the provision of services. AI systems may be used for: document scanning and data extraction (OCR, field recognition); Package classification and routing; webhook payload generation; Agent profile and protocol configuration; customer support and communication; and anomaly detection and security monitoring.

12.2 Human-in-the-Loop

The Company employs human oversight for critical operations, including Package intake verification, Content Scan quality review, suspicious activity assessment, and law enforcement reporting decisions. However, human oversight does not guarantee detection of all errors, anomalies, or prohibited items.

12.3 AI Limitations

You acknowledge that AI-generated information may contain inaccuracies or errors, automated scanning may not detect all contents of a Package, AI systems may occasionally misclassify or misroute Packages, and the Company is not liable for errors attributable to AI processing.

12.4 Autonomous Agent Risk Acknowledgment

Mailbox.bot enables AI agents that can write code, manage budgets, close deals, and interact with physical commerce. Members who configure Agents to operate autonomously (e.g., automatically ordering hardware, receiving components, managing inventory, requesting forwarding, or initiating Content Scans via API without human review) acknowledge that they bear full responsibility for all actions taken by such Agents.

The Company is not liable for Packages ordered, received, forwarded, or disposed of by an Agent operating autonomously, even if the Agent's behavior is unintended, erroneous, or the result of a security compromise of the Agent's credentials. This includes but is not limited to: autonomous procurement decisions, budget overruns, incorrect forwarding destinations, or unintended content scan requests.

Members are strongly encouraged to implement spending limits, approval workflows, budget controls, and real-time monitoring for autonomous Agents. The Operator Dashboard provides human oversight capabilities for reviewing and controlling Agent activities.

12.5 Agentic Protocol and Third-Party Integration Risks

By using the Platform's agentic protocol integrations, you acknowledge and accept the following:

• Emerging Technology Risk — MCP, A2A, OpenClaw, and similar agentic protocols are experimental, open-source projects with many contributors and known and unknown security considerations. These protocols have not undergone the decades of hardening that traditional web standards have received. Security vulnerabilities, breaking changes, and protocol-level exploits may be discovered at any time.
• Third-Party Code and Dependencies — The Platform incorporates third-party libraries, SDKs, protocol implementations, and open-source components. The Company does not author, audit, or guarantee the security of third-party code. Vulnerabilities in upstream dependencies, protocol specifications, or third-party integrations may affect the Platform.
• Agent-to-Agent Communication Risks — When your Agent communicates with other agents, external services, or third-party systems via agentic protocols, the Company has no visibility into, control over, or responsibility for the security, behavior, or intent of external agents, endpoints, or services your Agent interacts with.
• Prompt Injection and Adversarial Inputs — AI agents operating through the Platform may be susceptible to prompt injection, adversarial inputs, data poisoning, jailbreaking, or other AI-specific attack vectors. The Company does not warrant that the Platform or its protocol integrations are resistant to such attacks.
• Credential and API Key Exposure — Agentic workflows involve API keys, bearer tokens, webhook secrets, and other credentials that traverse multiple systems and protocols. The Company is not liable for credential leakage, unauthorized access, or security breaches resulting from how your Agent, its framework, or third-party integrations handle credentials.
• Data Leakage Through Agentic Channels — AI agents may inadvertently transmit, expose, or log sensitive data (including personal information, package contents, addresses, and business data) through webhook payloads, protocol responses, agent-to-agent communications, or third-party integrations. The Company is not liable for data exposure that occurs through agentic channels, third-party protocol implementations, or your Agent's own behavior.
• Autonomous Decision-Making Errors — AI agents may make incorrect, unintended, or harmful decisions due to model hallucinations, misinterpretation of instructions, software bugs, or adversarial manipulation. The Company does not monitor, validate, or override autonomous agent decisions.
• No Security Guarantees for Open-Source Protocols — OpenClaw, MCP, A2A, and similar projects are community-driven with distributed contributor bases. The Company cannot guarantee that any protocol version, implementation, or update is free of security vulnerabilities, backdoors, or malicious contributions.

12.6 Contractors, Employees, and Personnel Disclaimer

The Company engages independent contractors, service providers, and personnel in the operation of the Platform, including but not limited to facility operators, software developers, security consultants, and support staff. The Company is not liable for the individual acts, omissions, errors, negligence, or misconduct of any contractor, employee, service provider, or personnel, except to the extent required by applicable law. This includes but is not limited to: unauthorized access to or disclosure of Member data by any individual; errors in package handling, scanning, or processing attributable to human or automated error; and any security breach or data incident caused by the acts or omissions of any individual associated with the Platform or its facilities.

13. Warranties and Disclaimers

13.1 Limited Warranty

The Company warrants that it will perform services in a professional and workmanlike manner consistent with general industry standards. This limited warranty is expressly in lieu of all other warranties, express or implied.

13.2 Comprehensive Disclaimer

The Company does not warrant that: the Platform will be uninterrupted, error-free, or secure; that Packages will be received, stored, or forwarded without loss, damage, or delay; that Content Scans will be complete, accurate, or error-free; that the physical Facility will be accessible at all times; that webhooks will be delivered successfully or in real time; or that AI-generated data will be accurate or complete.

13.3 Third-Party Infrastructure and Service Provider Disclaimer

The Platform relies on third-party infrastructure and service providers including, but not limited to: cloud database and authentication providers; payment processors; identity verification services; email delivery services; phone carrier verification services; job queue and caching providers; cloud storage and hosting providers; AI model providers and inference APIs; notarization service providers; and domain registrars and DNS providers. These providers are independent companies with their own security practices, terms of service, and vulnerabilities.

The Company does not own, operate, audit, or control the infrastructure, source code, security practices, personnel, or data centers of any third-party provider. A security breach, data leak, service outage, data loss, unauthorized access, insider threat, or other incident at any third-party provider could affect the Platform and your data, even if the Company has implemented commercially reasonable security measures on its own systems.

By using the Platform, you acknowledge and accept the following:

• Third-Party Breach Risk — If a third-party provider used by the Platform suffers a security breach, data leak, or unauthorized access event, your data (including personal information, package records, identity verification data, payment information, and agent configurations) may be exposed, compromised, or lost. The Company is not liable for breaches originating at third-party providers, even where such breaches affect data the Company transmitted to or stored with that provider in the ordinary course of operating the Platform.
• Supply Chain Vulnerabilities — The Platform depends on a chain of third-party software, libraries, APIs, and services. A compromise at any point in this supply chain — including malicious updates to open-source dependencies, compromised API keys at a provider, or insider threats at a third-party company — could affect the Platform. The Company cannot guarantee the integrity of its entire supply chain.
• Service Availability — The Platform's availability depends on the availability of its third-party providers. Outages, degraded performance, rate limiting, API changes, or discontinuation of service by any third-party provider may cause the Platform to become temporarily or permanently unavailable, in whole or in part, without advance notice.
• Data Handling by Third Parties — When you use the Platform, your data is transmitted to and processed by third-party providers according to their own terms of service and privacy policies. The Company is not responsible for how third-party providers handle, store, retain, or dispose of your data once it is in their systems.
• AI Model Provider Risks — The Platform may use third-party AI models and inference APIs for features including auto-responder, content extraction, and document processing. These AI providers may log, retain, or train on data submitted through their APIs according to their own policies. The Company does not control third-party AI provider data retention or training practices.
• Evolving Cybersecurity Landscape — The cybersecurity threat landscape is evolving rapidly, particularly with the advent of AI-powered attacks, zero-day exploits, advanced persistent threats, and novel attack vectors that did not exist when the Platform or its third-party providers were designed. The Company implements commercially reasonable security practices but cannot guarantee protection against all current or future threats.

13.4 No Warranty on Package Contents

The Company makes no warranty or representation regarding the contents, value, condition, or fitness for purpose of any Package received at a Facility. The Company is a bailee, not an insurer, of Packages. The Member retains ownership; the Company holds temporary custody under a duty of reasonable care.

14. Limitation of Liability

14.1 Maximum Liability

14.2 Liability Cap

SUBJECT TO SECTION 14.2.1, THE COMPANY'S TOTAL AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING FROM OR RELATED TO THESE TERMS, THE PLATFORM, ANY OUTBOUND MAIL PIECE, ANY API KEY, MCP TOKEN, OR WEBHOOK, OR THE SERVICES SHALL NOT EXCEED THE GREATER OF (A) THE TOTAL FEES PAID BY YOU TO THE COMPANY IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) FIVE HUNDRED DOLLARS ($500). THIS CAP APPLIES IN THE AGGREGATE TO ALL CLAIMS, ACROSS ALL THEORIES OF LIABILITY, AND IS NOT MULTIPLIED BY THE NUMBER OF MAIL PIECES, API CALLS, AGENTS, KEYS, OR INCIDENTS INVOLVED.

14.2.1 No Per-Mail-Piece Liability

Without limiting Section 14.2, the Company's liability for any individual outbound mail piece — including any allegation of late dispatch, late delivery, non-delivery, mis-delivery, return-to-sender, damage in transit, lost tracking, missed deadline, or consequential harm to your business or recipient relationship — shall not exceed the actual fees you paid for that specific mail piece (i.e., printing plus postage, plus any color or service-class surcharge). The Company shall have no liability for any indirect, special, incidental, consequential, exemplary, or punitive damages arising from any mail piece, including without limitation lost profits, lost contracts, missed deadlines, default judgments, statutory penalties, late fees, foreclosed legal rights, missed elections, missed tax-filing deadlines, business interruption, or harm to reputation, regardless of the theory of liability.

14.3 Specific Exclusions

The Company is specifically not liable for: loss, damage, or destruction of Packages due to fire, flood, earthquake, theft, vandalism, or other events beyond the Company's reasonable control; carrier delays, losses, or damages during transit; contents of Packages received on behalf of Members; actions taken by Agents or third parties; government or regulatory actions affecting Members or their Agents; or actions taken in cooperation with law enforcement.

The Company is also specifically not liable for any loss, cost, inconvenience, or damage arising from the acts, omissions, negligence, or underperformance of any independent facility operator, including but not limited to: late or inaccurate package scanning; failure to fulfill action requests in a timely manner; poor communication or unresponsiveness; mishandling, misattribution, or loss of Packages while in the facility's custody; facility closure, withdrawal from the network, or removal by the Company; the cost or inconvenience of changing your shipping address due to any facility change; delayed, returned, or lost Packages during a facility transition; and any business interruption resulting from a change in your assigned facility. The Company provides software infrastructure connecting you with independently operated facilities and is not a guarantor of any facility's performance, continuity, or solvency.

14.4 Agentic Protocol and Security Liability Exclusion

The agentic AI ecosystem is an emerging and rapidly evolving space. New attack vectors, security vulnerabilities, and failure modes are regularly discovered across all agentic protocols and frameworks. By using the Platform, you accept that perfect security is not achievable and that the Company cannot anticipate or prevent all potential security incidents in this evolving landscape. You use the Platform's agentic capabilities at your own risk.

14.5 Third-Party Infrastructure Provider Liability Exclusion

The Company selects third-party providers based on commercially reasonable evaluation of their security practices, compliance certifications, and industry reputation. However, the Company does not and cannot guarantee the security or reliability of any third-party provider. The Company's diligence in selecting providers does not create any warranty, guarantee, or additional liability with respect to those providers' performance or security. You acknowledge that your use of the Platform necessarily involves the transmission of your data to and through third-party systems, and you accept the inherent risks of that architecture.

14.6 Bailee Liability (Private Beta Inbound Services Only)

For private-beta inbound services in which the Company or its facility operator takes physical custody of a Member's package or mail, the Company acts as bailee and owes a duty of reasonable care to client property. The Company does not warrant that it carries any particular form or amount of bailee's, warehouse-legal-liability, cargo, or other insurance coverage; any insurance the Company elects to carry is for the Company's own benefit and does not create third-party-beneficiary rights in any Member. The Company's liability for loss of or damage to a package while in the Company's bailee custody (where such loss is attributable to the Company's failure to exercise reasonable care) is limited to the lesser of: the actual value of the package contents or $500 per package. Members retain ownership of all packages and are responsible for maintaining their own insurance for high-value items.

14.7 Physical Operations, Mail, and Package Liability Exclusion (Private-Beta Inbound Services Only)

The Company's maximum liability for any Package or mail piece lost, stolen, damaged, or destroyed while in bailee custody — where such loss is attributable to the Company's failure to exercise reasonable care — is strictly limited to the amounts set forth in Section 14.6. The Company shall not be liable for consequential, incidental, special, or indirect damages arising from the loss, theft, damage, or delay of any Package or mail, including but not limited to: lost profits or revenue; cost of replacement goods; missed deadlines or contractual penalties; supply chain disruptions; business interruption; emotional distress; or the sentimental or subjective value of any item. Members who ship items of value exceeding $500 per Package through the Platform do so at their own risk and are responsible for maintaining their own insurance.

14.8 USPS Mail and CMRA-Specific Liability Exclusion (Private-Beta Inbound Services Only)

For Members enrolled in virtual mailbox service at CMRA-registered facilities, the following additional limitations apply:

• USPS Compliance — The CMRA facility operator is independently responsible for maintaining its USPS registration, complying with 39 CFR Part 111, and following all USPS regulations for mail receipt, storage, and forwarding. The Company provides software infrastructure and does not hold or operate the CMRA registration itself. The Company is not liable for any CMRA compliance failure, USPS regulatory action, or mail service interruption caused by the facility operator's failure to maintain its CMRA registration or comply with postal regulations.
• Mail Loss and Mishandling — USPS mail handling involves manual sorting by facility staff. First-class mail, certified mail, priority mail, and other USPS products are subject to the same physical operations risks described in Section 7.15. The Company is not liable for mail that is lost, delayed, opened in error, delivered to the wrong box, or misrouted during internal facility handling. The Company is not a postal carrier and does not guarantee mail delivery.
• Legal Documents and Time-Sensitive Mail — Members who receive legal notices, court documents, tax correspondence, government communications, regulatory filings, or other time-sensitive documents through their virtual mailbox do so at their own risk. The Company does not guarantee timely processing, scanning, or notification of any mail piece, regardless of its legal significance or time sensitivity. Failure to receive or timely process a legal document does not create any liability for the Company.
• Check and Financial Instrument Handling — Members who receive checks, money orders, financial instruments, negotiable documents, or other items of monetary value through their virtual mailbox do so at their own risk. The Company is not liable for theft, loss, alteration, or misdelivery of financial instruments. Members should arrange for secure delivery of high-value financial instruments through alternative means.
• Mail Forwarding by USPS — When mail is forwarded from a CMRA facility via USPS, the Company is not liable for loss, delay, damage, or misdelivery by USPS during transit. Members' sole remedy for USPS mail issues in transit is through USPS directly.
• Form 1583 and Authorization — The Member is solely responsible for maintaining a valid, current Form 1583 on file with the CMRA facility. If the Member's Form 1583 expires, is revoked, or becomes invalid for any reason, the CMRA facility may be required to stop receiving mail on the Member's behalf or return mail to sender. The Company is not liable for mail returned, held, or refused due to Form 1583 issues.

14.9 Virtual Mailbox Package Exclusion and Liability Waiver (Private-Beta Inbound Services Only)

Any packages shipped to a virtual mailbox address may be refused at intake, returned to sender, or left uncollected at the Member's sole risk and expense. The Company is not responsible for and expressly disclaims all liability for any packages shipped to a virtual mailbox address, including but not limited to:

• Loss, damage, theft, or destruction of packages shipped to a virtual mailbox address
• Packages refused at intake or returned to sender by the facility
• Packages left uncollected, abandoned, or disposed of by the carrier or facility
• Carrier fees, return shipping costs, or storage charges incurred as a result of packages shipped to a virtual mailbox address
• Business interruption, missed deliveries, or consequential damages arising from the Company's inability to receive packages on the virtual mailbox plan
• Any claim by third parties (including senders, carriers, or recipients) arising from packages shipped to a virtual mailbox address

Members who require package receiving services must enroll in a Business plan ($35/mo) or higher. The Company reserves the right to suspend or terminate the account of any Member who repeatedly ships packages to a virtual mailbox address in violation of this section.

15. Indemnification

You agree to defend, indemnify, and hold harmless the Company and its affiliates, parents, subsidiaries, members, managers, governors, owners, founders, shareholders, officers, directors, employees, independent contractors, agents, representatives, licensors, service providers, payment processors, identity-verification providers, facility operators, print and mail partners, postage vendors, carriers, cloud and storage providers, successors, and assigns (collectively, the "Indemnitees") from and against any and all claims, demands, actions, suits, proceedings, damages, losses, liabilities, judgments, settlements, fines, penalties, costs, and expenses of every kind (including without limitation reasonable attorneys' fees, expert fees, and investigative and audit costs) arising from or related to, or alleged to arise from or relate to:

• Your use of, or any access to, the Platform, including its REST API, MCP server, A2A endpoint, OpenClaw integration, webhook system, dashboard, and outbound mail service
• Any document, recipient, return address, instruction, metadata, or other content you (or any agent, framework, MCP client, A2A peer, third-party tool, or person using your credentials) submitted to the Platform
• Any mail piece printed, dispatched, or delivered (or not delivered, or delayed, or returned) through the outbound mail service on your behalf, including all consequential, business, financial, contractual, or personal effects of such mail piece on you or any third party
• Any business dealing, contract, transaction, dispute, demand, debt-collection effort, marketing campaign, fundraising solicitation, real-estate offer, legal notice, settlement communication, employment communication, or other private or commercial matter that you used the Platform to communicate, regardless of outcome and regardless of whether the recipient ultimately received the mail piece
• Any matter involving any government agency, regulatory body, court, taxing authority, election authority, immigration authority, healthcare regulator, or other governmental actor — including without limitation tax filings, tax payments, tax disputes, IRS or state-revenue communications, court filings, court-ordered service, regulatory submissions, license renewals, permit applications, government-benefits communications, immigration filings, voter communications, and any other government-facing matter — that you used or attempted to use the Platform to facilitate, regardless of whether the matter was timely, properly addressed, properly served, or successful
• Any service, transaction, or relationship between you and any third party (vendor, customer, recipient, partner, employer, employee, contractor, attorney, accountant, healthcare provider, financial institution, landlord, tenant, family member, or other) that you used the Platform to support
• Any deadline, due date, statute of limitations, contractual option, election deadline, election day, tax-filing deadline, court-filing deadline, regulatory deadline, opt-out deadline, or other time-sensitive obligation that you missed or failed to satisfy, regardless of whether the Platform was used in connection with that obligation
• Any consequence to you arising out of your use of the Platform for HIPAA-regulated, GLBA-regulated, PCI-DSS-regulated, FERPA-regulated, ITAR-regulated, GDPR-regulated, state-privacy-law-regulated, or otherwise specially-regulated content, where you elected to submit such content despite the Company's express disclaimers in Section 9B.2
• Your violation of these Terms or the Acceptable Use Policy
• Your violation of any applicable law, regulation, court order, contractual obligation, or third-party right
• The actions, omissions, decisions, errors, or misconduct of any Agent, agent framework, MCP client, A2A peer, OpenClaw integration, webhook receiver, or other tool or third-party software acting under your account or with your credentials, whether or not you intended such action
• Inaccurate, incomplete, expired, or fraudulent information you provided during registration, KYC, agent configuration, or at any other time
• Any claim that content you submitted infringed, misappropriated, or violated the intellectual-property, privacy, publicity, or other rights of any person or entity
• Any claim by any recipient, intended recipient, third-party sender, carrier, postal authority, or other party arising from a mail piece you sent or attempted to send
• Any compromise, leak, theft, phishing, prompt-injection, social-engineering, or other unauthorized use of any API key, MCP token, webhook signing key, session cookie, or other credential issued to you, regardless of how the credential came into the hands of the actor that used it
• Any security breach, data leak, unauthorized access, or data exposure arising from your Agent's use of MCP, A2A, OpenClaw, REST, or any other protocol, framework, third-party tool, or open-source dependency
• Any loss or damage caused by prompt injection, adversarial inputs, model hallucinations, or other AI-specific attack vectors affecting your Agent or its operations on the Platform
• Any claim arising from your Agent's autonomous transmission, exposure, or mishandling of personal data, business data, recipient data, or other sensitive information through agentic communication channels
• Any claim arising from the acts, omissions, errors, or misconduct of your employees, contractors, service providers, or personnel in connection with the Platform
• Any claim against the Company arising from a security breach, data leak, or service failure at a third-party infrastructure provider, where your data was affected as a result of being stored on or transmitted through the Platform in the ordinary course of service
• (Private-beta inbound services only) Any claim arising from the loss, theft, damage, delay, misdelivery, or misattribution of any Package or mail piece received, stored, or forwarded through the Platform, including claims by third-party senders, recipients, or carriers; the contents of any mail received at a CMRA facility on your behalf; your failure to maintain valid Form 1583 authorization, adequate insurance coverage, or timely retrieval of Packages and mail; and any claim by any third party arising from your use of inbound mail or package receiving, storage, or forwarding

The Company shall have the right, but not the obligation, to assume the exclusive defense and control of any matter subject to indemnification by you, in which case you shall fully cooperate with the Company in asserting any available defenses. You shall not settle any claim without the Company's prior written consent.

16. Data Security and Privacy

16.1 Data Collection — Privacy Snapshot

The Company collects and processes personal data as described in its Privacy Policy, available at mailbox.bot/privacy. By using the Platform, you consent to the collection and processing described therein. In summary: (a) the Company uses Google Analytics and PostHog as its only two analytics providers, both for its own first-party measurement; (b) the Company does not sell your personal information; (c) the Company does not share your personal information with any third party for that third party's own advertising, marketing, model-training, or data-brokerage purposes; (d) document content you submit through the outbound mail service is not used to train AI models, is not licensed to any third party, and is not commercially distributed; and (e) the Company will disclose your information only to its operational service providers (under contractual protections), to law enforcement under valid legal process, or as otherwise required by law.

16.2 Security Measures and Limitations

The Company implements commercially reasonable security measures to protect Member data, including: encryption of data at rest and in transit; access controls and authentication; security monitoring and logging; and regular security assessments.

The Company commits to: promptly investigating security incidents upon discovery; notifying affected Members as required by applicable law; cooperating with law enforcement in the event of a data breach; and taking commercially reasonable steps to remediate vulnerabilities within its own systems. However, the Company cannot remediate vulnerabilities in third-party provider systems and is dependent on those providers to secure their own infrastructure.

16.3 Verification Data

Verification data is processed by the Company's third-party providers (Stripe and Stripe Identity for payment-method authorization, Radar fraud screening, and document-based identity verification; Twilio for phone-carrier verification) and is subject to those providers' privacy policies and data-handling practices. The Company stores verification results, session identifiers, captured name, and masked card and phone identifiers, and (for the inbound tier) Stripe Identity verification results and Form 1583 records where applicable. The Company does not store copies of underlying government-issued identity documents after Stripe Identity has completed verification, except where required by law.

16.4 Package and Mail Content Data

Package photographs, Content Scan images, mail scan images, OCR-extracted text, outbound mail documents, recipient and return addresses, provenance chain data, and associated metadata are stored on the Platform and are accessible to you (the Member), your authorized Agents, and authorized Company personnel with a legitimate operational need.

Service-provider disclosure (necessary to operate the Service). You acknowledge that delivery of the Service necessarily requires sharing certain content and metadata with service providers and partners. The Company may disclose your documents, recipient and return addresses, instructions, metadata, and related information to its service providers, print and mail partners, facility operators, postage vendors, carriers (USPS, FedEx, UPS, and others), cloud and storage providers, identity-verification providers, payment processors, communications providers, support and customer-service vendors, security and fraud-prevention vendors, analytics providers (limited to Google Analytics and PostHog as described in Section 16.1), and other processors, in each case solely as necessary to provide, secure, support, bill, audit, troubleshoot, or improve the Service. Such disclosures are made under contractual confidentiality and use-restriction protections appropriate to the data involved.

What we will not do. The Company will not sell, rent, license, or commercially distribute the contents of your mail, packages, scanned documents, or outbound documents to any third party for that party's own marketing, advertising, profiling, data-brokerage, or AI-model-training purposes. Content data will not otherwise be disclosed to any third party except (a) to the service providers and partners described above, (b) as required by valid legal process or applicable law, (c) pursuant to the cooperation provisions in Section 9, (d) to protect the safety of personnel, Members, or the public, or (e) with your consent. See Section 7.5.1 for the additional data-protection commitments applicable to scanned content under the private-beta inbound services.

16.5 Data Retention

The Company retains Member data, Package records, and activity logs for the duration of the account plus five (5) years, or as required by law. KYC records are retained for a minimum of five (5) years after account closure.

17. Intellectual Property

17.1 Company Property

All content, features, functionality, trademarks, service marks, and trade dress of the Platform are the exclusive property of the Company and are protected by applicable intellectual property laws. "Mailbox.bot," the Mailbox.bot logo, and related marks are trademarks of Golden Ratio, LLC.

17.2 License to Use

The Company grants you a limited, non-exclusive, non-transferable, revocable license to access and use the Platform in accordance with these Terms. This license does not include the right to sublicense, resell, or distribute access to the Platform.

17.3 Aggregated Operational Telemetry

What we do not use to train AI. The Company does not use the contents of your documents, mail pieces, packages, scanned content, recipient names, recipient or return addresses, or other Customer Content to train, fine-tune, evaluate, or improve any artificial-intelligence or machine-learning model, whether operated by the Company or by any third party.

What we do use. You grant the Company a perpetual, royalty-free, worldwide license to use aggregated operational telemetry derived from your use of the Platform — for example, latency, error rates, queue depth, postage-class mix, conversion-tier outcomes, anonymized product analytics, and similar engineering and reliability metrics — for the purposes of operating, securing, and improving the Service and producing anonymized internal or industry reports that do not identify you or expose Customer Content. Aggregated telemetry will not include document contents, recipient PII, or other identifying details about specific mail pieces. You may opt out of inclusion of your account in non-essential aggregated reporting (security, billing, fraud-prevention, and reliability telemetry are essential to the Service and not subject to opt-out) by emailing with the subject "Opt-Out: Aggregated Telemetry."

18. Termination

18.1 Termination by Member

You may terminate your account at any time through the Operator Dashboard or by emailing . Upon termination, you must arrange for the retrieval or forwarding of all Packages within fourteen (14) days. Packages remaining after fourteen (14) days will be treated as abandoned per Section 7.7.

18.2 Termination by Company

Without limiting the foregoing, examples of conduct or circumstances that may, in the Company's good-faith judgment, lead to immediate suspension or termination include: (a) actual or attempted hacking, credential stuffing, brute-force, scraping, automation abuse, denial-of-service, prompt-injection attacks, or other unauthorized access to the Platform or to other Members' accounts, agents, mail, or data; (b) fraud, money laundering, terrorism financing, sanctions evasion, identity theft, payment-card abuse, or chargeback abuse; (c) use of the Platform to send threatening, harassing, defamatory, fraudulent, deceptive, extortionate, scam, phishing, or stalking mail, or mail intended to facilitate any unlawful act; (d) impersonation of a government agency, court, attorney, healthcare provider, financial institution, or other party in a manner reasonably likely to deceive recipients; (e) violation of these Terms or the AUP; (f) failed, expired, or fraudulent KYC verification; (g) sanctions or watchlist match; (h) lawful law-enforcement, regulatory, or court request; (i) repeated chargebacks or non-payment of fees; or (j) other risk, compliance, carrier, payment, security, or platform-integrity concerns identified by the Company.

The Company is not required to disclose the reason for any suspension or termination, except where disclosure is required by applicable law, and may decline to disclose where required by law or by an active investigation. Nothing in this Section limits any non-waivable right or remedy you may have under applicable law.

18.3 Effect of Termination — Outbound Mail (Generally Available)

Upon cancellation or termination of an outbound-mail account, the following operational rules apply:

• Credential revocation. All API keys, MCP tokens, agent credentials (including sk_agent_, sk_agent_test_, and webhook signing keys), and active sessions are revoked at the effective time of cancellation. Subsequent API calls using revoked credentials will be rejected.
• Pending mail pieces. Mail pieces that have not yet entered production at the effective time of cancellation will be cancelled. Mail pieces in production (printing, enveloping, or postage-applied) may, at the Company's option, be (a) completed and dispatched and charged in full, or (b) cancelled with a partial refund of any cost components not yet incurred. Mail pieces already tendered to a carrier are non-cancellable and non-refundable; carrier custody and Section 9A.2 risk allocation control.
• Non-refundability. Postage and printing costs already incurred are non-refundable. Subscription fees follow Section 10.5. Approved-and-charged outbound mail is non-refundable except as set forth above or as required by law.
• Pre-cancellation liability. You remain liable for all fees, charges, postage, printing, surcharges, and reasonable costs incurred prior to the effective time of cancellation, including any charges that settle after cancellation but relate to activity prior to cancellation.
• Data retention. Account, transaction, audit, and content data are retained per Section 16.5 (account duration plus five years, or as required by law). Webhook event records, audit logs, and KYC records are retained as described elsewhere in these Terms and the Privacy Policy.
• Account reactivation. Reactivation of a cancelled account, where permitted by the Company, may require re-verification of identity and acceptance of then-current Terms.

18.3.1 Effect of Termination — Private Beta Inbound Services

For Members enrolled in the private beta for inbound services (virtual mailbox, package receiving, content scanning, forwarding, or related features), the following additional rules apply on cancellation or termination:

• Endpoint deactivation. Agent profiles and Endpoints will be deactivated; the Reference Code will be released and may be reassigned.
• Mail and package retrieval window. All packages and mail in bailee custody (your property) must be forwarded to a destination address you specify, or retrieved in person, within fourteen (14) days after cancellation. The Company may charge applicable forwarding, postage, and handling fees against the payment method on file.
• Abandonment. Packages and mail that remain in custody after the fourteen (14)-day retrieval window will be treated as abandoned under Section 7.7 and may be disposed of without further notice or liability to you.
• USPS Form 1583 / CMRA mail (where applicable). For Members enrolled in CMRA-based virtual mailbox service, mail addressed to the Endpoint after cancellation may be returned to sender or otherwise handled in accordance with applicable USPS regulations.

18.4 Survival

The following provisions survive termination: KYC record retention (Section 5.5); Law Enforcement Cooperation (Section 9); Limitation of Liability (Section 14); Indemnification (Section 15); Data Retention (Section 16.5); Dispute Resolution (Section 20); and Governing Law (Section 21).

19. Force Majeure

The Company shall not be liable for any failure or delay in performance due to causes beyond its reasonable control, including but not limited to: acts of God, natural disasters, pandemics, epidemics; government actions or orders, war, terrorism, civil unrest; strikes, labor disputes; carrier service interruptions; power or internet outages; cyberattacks, ransomware, distributed denial-of-service attacks, data breaches, or other malicious cyber activity targeting the Company or any of its third-party infrastructure providers; security breaches, outages, data loss, or service failures at any third-party provider, cloud service, database provider, authentication service, payment processor, or other infrastructure component used by the Platform; zero-day exploits, novel AI-powered attack vectors, or advanced persistent threats that were not reasonably foreseeable or preventable at the time of occurrence; supply chain compromises, including malicious updates to open-source software dependencies or third-party libraries; regulatory actions, sanctions, or compliance requirements imposed by any government authority that affect the Company or its providers; or any other event beyond the Company's reasonable control.

20. Dispute Resolution and Arbitration

20.1 Mandatory Arbitration

Applicable AAA rules. If you are an individual using the Service for personal, family, or household purposes, the arbitration will be administered under the AAA Consumer Arbitration Rules. If you are using the Service in a business, commercial, or developer capacity (including any business-entity Member, any Member operating an AI agent for commercial purposes, and any Member using the outbound mail API or MCP server in production workflows), the arbitration will be administered under the AAA Commercial Arbitration Rules. The current rules are available at adr.org. The Federal Arbitration Act governs the interpretation and enforcement of this Section.

20.2 Class Action Waiver

20.3 Pre-Arbitration Resolution

Before initiating arbitration, the party with a dispute must give the other party written notice describing the dispute and the relief sought, sent to the address in Section 26 (for the Company) or your account contact information (for you). The parties shall attempt in good faith to resolve the dispute informally for sixty (60) days before either party may commence arbitration.

20.4 Arbitration Fees

Filing, administrative, and arbitrator fees will be allocated as set forth in the applicable AAA rules. For consumer arbitrations governed by the AAA Consumer Arbitration Rules, the Company will pay the portion of fees designated as the business's responsibility under those rules; you remain responsible only for the consumer filing fee (or such lesser amount as the AAA rules require). Each party otherwise bears its own attorneys' fees and costs unless a statute or court order allocates fees differently.

20.5 Carveouts — Court May Hear Certain Matters

Notwithstanding the arbitration agreement, either party may: (a) bring an individual action in small-claims court in the county of the responding party's residence (or, for a business, principal place of business), so long as the action remains in small-claims court and is not removed or appealed to a court of general jurisdiction; and (b) seek injunctive or other equitable relief in a court of competent jurisdiction to address actual or threatened infringement, misappropriation, or violation of intellectual-property rights, unauthorized access to or misuse of the Service, credential theft, or breaches of confidentiality, security, or data-protection obligations, pending the appointment of an arbitrator and selection of an arbitral seat. The filing of such an action does not waive the right to compel arbitration of all other claims.

20.6 Opt-Out

You may opt out of this Section 20 (other than the small-claims and injunctive-relief carveouts in Section 20.5, which remain available to both parties) by sending written notice to Golden Ratio, LLC, 3556 S 5600 W, Suite #1-1038, Salt Lake City, UT 84120, within thirty (30) days of first accepting these Terms. The notice must include your name, account email, and a clear statement that you opt out of arbitration.

20.7 Statute of Limitations

Any claim must be filed within one (1) year after the cause of action accrued, or it will be permanently barred, except where applicable law prohibits a contractual reduction of the statute of limitations.

20.8 Non-Waiver of Statutory Consumer Rights

Nothing in these Terms or in this Section 20 limits or waives any right or remedy that, under applicable law, may not be limited or waived by contract, including any non-waivable rights under state or federal consumer-protection law. To the extent any provision of Section 20 is held unenforceable as applied to a particular claim or party, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remainder of Section 20 shall continue in full force.

21. Governing Law

These Terms shall be governed by and construed in accordance with the laws of the State of Utah, without regard to conflict of law principles. For matters not subject to arbitration, you submit to the exclusive jurisdiction of the courts in Salt Lake County, Utah.

22. Special Provisions for California Residents

22.1 California Consumer Rights Notice

Pursuant to California Civil Code §1789.3, California residents may contact the Complaint Assistance Unit of the Division of Consumer Services at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.

22.2 CCPA Rights

If the California Consumer Privacy Act applies, additional terms may apply as set forth in the Company's Privacy Policy.

23. SMS Communications

By opting in to SMS communications during account registration, you consent to receive text messages from mailbox.bot (operated by Golden Ratio, LLC) at the phone number you provide. These messages may include:

• Alerts when new mail or packages arrive at your mailbox
• Account and service updates (e.g., mail forwarded, scanned, or dispatched)
• Replies from our support team when you text us with questions

Message frequency varies based on your mail volume and support interactions. Message and data rates may apply depending on your mobile carrier and plan. You can opt out at any time by replying STOP to any message. Reply HELP for assistance. Consent to receive SMS is not a condition of purchasing any service.

We will not sell, rent, or share your phone number with third parties for marketing purposes. SMS messages are sent via Twilio, our telecommunications provider, solely for the purposes described above.

24. Changes to Terms

The Company reserves the right to modify these Terms at any time. Material changes will be posted at least thirty (30) days before the effective date and communicated via email and/or webhook notification. Continued use of the Platform after the effective date of changes constitutes acceptance. If you do not accept material changes, you may terminate your account within thirty (30) days without penalty.

25. Miscellaneous Provisions

25.1 Entire Agreement

These Terms, together with the Privacy Policy and Acceptable Use Policy, constitute the entire agreement between you and the Company regarding the Platform.

25.2 Severability

If any provision of these Terms is held invalid, illegal, or unenforceable, the remaining provisions shall be enforced to the fullest extent permitted by law.

25.3 No Waiver

The Company's failure to enforce any provision of these Terms does not constitute a waiver of that provision or any other provision.

25.4 Assignment

You may not assign or transfer these Terms without the Company's prior written consent. The Company may freely assign these Terms.

25.5 Electronic Communications

You consent to receive communications from the Company electronically, including via email, webhook, API response, and the Operator Dashboard. You agree that all agreements, notices, disclosures, and other communications provided electronically satisfy any legal requirement that such communications be in writing.

25.6 Relationship of Parties

Nothing in these Terms creates a partnership, joint venture, employment, or agency relationship between you and the Company. The Company is an independent contractor providing platform services.

25.7 Third-Party Beneficiaries

These Terms do not create any third-party beneficiary rights in any individual or entity that is not a party to these Terms.

25.8 Headings

Section headings are for convenience only and do not affect the interpretation of these Terms.

26. Contact Information

If you have questions regarding these Terms, please contact us at:

Golden Ratio, LLC dba Mailbox.bot
3556 S 5600 W, Suite #1-1038
Salt Lake City, UT 84120
Email: