Terms of Service

Auri Auth (Mobile App and Chrome Extension)

Effective Date: March 20, 2026
Last Revised: May 3, 2026 (added Chrome Extension scope)

These Terms of Service ("Terms") govern your use of the Auri Auth product family — the Auri Auth & Tool mobile application for iOS and Android (the "Mobile App") and the Auri Auth Chrome browser extension (the "Extension"), collectively referred to as the "Service" — provided by ff Inc. (hereinafter "Company"). By downloading, installing, or using the Service, you agree to be bound by these Terms. If you do not agree to these Terms, do not use the Service.

1. Acceptance of Terms

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms. If you are using the Service on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms.

2. Definitions

• "Service" refers collectively to the Mobile App and the Extension.
• "Mobile App" refers to the Auri Auth & Tool mobile application for iOS and Android.
• "Extension" refers to the Auri Auth Chrome browser extension.
• "User" refers to any individual who downloads, installs, or uses the Service.
• "Paired Service" refers to a server or system that pairs with the Mobile App for push-based authentication.
• "Pairing" refers to the process of linking the Mobile App with a Paired Service via QR code scanning.
• "Push Authentication" refers to the mechanism by which the Mobile App receives authentication requests from a Paired Service and allows the User to approve or deny them.
• "TOTP" refers to the Time-based One-Time Password generation mechanism defined in RFC 6238.
• "Master Password" refers to the password the User configures in the Extension for the purpose of deriving the encryption key used to protect stored data.
• "Company" refers to ff Inc. (株式会社ff), the operator of the Service.

3. Use of the Service

3.1. The Service is provided free of charge. The Company reserves the right to modify or discontinue the Service at any time without prior notice.

3.2. The Mobile App provides the following features:

• Push-based authentication (approve or deny requests from Paired Services)
• End-to-end encrypted communication using X25519 key exchange, AES-256-GCM encryption, and Ed25519 digital signatures
• QR code pairing with Paired Service servers
• Network tools including LAN scanner and Bluetooth scanner
• Biometric authentication for local device security

3.3. The Extension provides the following features:

• TOTP code generation (RFC 6238)
• Local encrypted storage of TOTP secrets using AES-256-GCM with PBKDF2 key derivation from the Master Password
• Synchronization of encrypted account data across the User's Chrome instances via the standard chrome.storage.sync API

3.4. The User is responsible for maintaining the security of their device and credentials, including any biometric credentials, device passcodes, and the Extension's Master Password.

3.5. The User acknowledges that:

• Push authentication functionality depends on the availability of push notification services provided by third-party platform operators (such as Apple or Google) and network connectivity.
• The Extension's cross-device synchronization depends on the availability and correct operation of Chrome's sync feature, which is operated by Google. The Company has no control over Chrome's sync infrastructure.

3.6. The User is responsible for all actions taken through the Service, including the approval or denial of authentication requests and the management of TOTP secrets.

3.7. The Master Password is not transmitted to the Company or any third party, and the Company has no means of recovering it. If the User forgets the Master Password, the encrypted account data stored by the Extension cannot be decrypted, and the Company cannot restore it.

4. Prohibited Activities

Users shall not engage in any of the following activities:

• Reverse engineering, decompiling, disassembling, or otherwise attempting to derive the source code of the Service
• Modifying, adapting, or creating derivative works based on the Service
• Using the Service for any unlawful purpose or in violation of any applicable laws or regulations
• Attempting to gain unauthorized access to any systems or networks connected through the Service
• Interfering with or disrupting the integrity or performance of the Service or related systems
• Using the network tools provided by the Mobile App to scan, probe, or access networks or devices without proper authorization
• Impersonating another person or entity, or falsely representing your affiliation with any person or entity
• Distributing, selling, or sublicensing the Service or any part thereof

5. Disclaimer of Warranties

5.1. THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

5.2. The Company does not warrant that the Service will be uninterrupted, error-free, secure, or free of viruses or other harmful components.

5.3. The Company does not warrant the accuracy, reliability, or completeness of any authentication processes, network scan results, TOTP outputs, or other information provided through the Service.

5.4. While the Service employs end-to-end encryption and digital signatures, the Company does not guarantee absolute security of data transmitted through the Service.

6. Limitation of Liability

6.1. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR IN CONNECTION WITH THE USE OF OR INABILITY TO USE THE SERVICE.

6.2. The Company shall not be liable for any damages resulting from:

• Unauthorized access to or alteration of the User's data or transmissions
• The approval or denial of authentication requests by the User
• Loss of data, device malfunction, or network connectivity issues
• Loss of Extension account data caused by the User forgetting the Master Password
• Defects, outages, or specification changes of Chrome's sync feature, or any resulting data loss or inconsistency
• Actions of third-party platform operators or Paired Service providers
• The User's failure to maintain adequate device or credential security

6.3. In no event shall the Company's total liability exceed the amount paid by the User for the Service (which is zero, as the Service is provided free of charge).

7. Intellectual Property

7.1. All intellectual property rights in and to the Service, including but not limited to copyrights, trademarks, patents, and trade secrets, are owned by the Company or its licensors.

7.2. These Terms do not grant the User any rights to the Company's trademarks, logos, or other brand features.

7.3. The User is granted a limited, non-exclusive, non-transferable, revocable license to use the Service in accordance with these Terms.

8. Service Modifications

8.1. The Company reserves the right to modify, suspend, or discontinue the Service or any part thereof at any time, with or without notice.

8.2. The Company shall not be liable to the User or any third party for any modification, suspension, or discontinuation of the Service.

9. Changes to Terms

9.1. The Company may revise these Terms at any time by updating this document. Changes become effective upon posting.

9.2. Continued use of the Service after any changes to these Terms constitutes acceptance of the revised Terms.

9.3. The Company encourages Users to review these Terms periodically for any updates.

10. Governing Law and Jurisdiction

10.1. These Terms shall be governed by and construed in accordance with the laws of Japan.

10.2. Any disputes arising out of or in connection with these Terms shall be subject to the exclusive jurisdiction of the Tokyo District Court as the court of first instance.

11. Contact

If you have any questions or concerns regarding these Terms, please contact us at:

ff Inc.
https://auri.itsherpa.net/

---

Last updated: May 3, 2026