Acceptable Use Policy (AUP)

AI Form Copilot

Last Updated: 2025-11-12

Service Provider: Fundacja Rozwoju Przedsiębiorczości „Twój StartUp" (operating the organized business part: Artur Kuzmenka) ul. Żurawia 6/12, office 766 00-503 Warsaw, Poland VAT ID (EU): PL5213641211 Email: info@webappski.com

1. PURPOSE AND SCOPE

This Acceptable Use Policy ("AUP") defines prohibited uses of AI Form Copilot services ("Services"). By using Services, you agree to comply with this AUP, the Terms of Service, and the Data Processing Agreement.

Order of precedence: If this AUP conflicts with the DPA or ToS, the DPA/ToS prevail.

Monitoring and enforcement: We may monitor usage, collect security logs, and take protective measures (including throttling, blocking, or suspension) to enforce this AUP and protect our infrastructure and other clients.

Violation of this AUP may result in:

• Account suspension or termination
• Legal action
• Notification to law enforcement (for illegal activities)
• No refund of fees paid

2. PROHIBITED USES

2.1 Illegal Activities

You shall NOT use Services for:

• Fraud: Phishing, identity theft, financial fraud, credit card fraud
• Hacking: Unauthorized access to systems, networks, or data
• Malware: Distributing viruses, trojans, ransomware, or other malicious code
• Spam: Sending unsolicited bulk emails or messages
• Copyright infringement: Distributing pirated content, plagiarism
• Illegal surveillance: Recording conversations without consent (where required by law)
• Money laundering: Using Services to facilitate illegal financial transactions
• Terrorism: Promoting, planning, or facilitating terrorist activities
• Child exploitation: Any content involving minors in illegal or harmful situations
• Human trafficking: Facilitating illegal human trafficking or slavery
• Illegal drugs: Promoting or selling illegal drugs or controlled substances
• Weapons: Selling illegal weapons or explosives

2.2 Data Protection Violations

You shall NOT:

• Collect personal data without consent (GDPR Article 6 violation)
• Process Special Categories of Personal Data (Article 9) without lawful basis:
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data, biometric data
  • Health data
  • Data concerning sex life or sexual orientation
• Target children without compliance:
  • Under 13 (US): COPPA violations (no parental consent)
  • Under 16 (EU): GDPR Article 8 violations (no parental consent)
• Scrape or harvest data without authorization
• Share personal data with unauthorized third parties
• Sell personal data to data brokers or advertisers
• Use Services for profiling or automated decision-making without transparency and opt-out

2.3 Harmful Content

You shall NOT use Services on websites containing:

• Hate speech: Content promoting violence or discrimination based on race, ethnicity, religion, gender, sexual orientation, disability, or nationality
• Harassment or bullying: Intimidating, threatening, or stalking individuals
• Violence or gore: Graphic violent content or extreme gore (exceptions: news, educational contexts)
• Self-harm or suicide promotion: Encouraging self-injury or suicide
• Exploitation: Exploiting vulnerable individuals (elderly, disabled, minors)
• Deceptive practices:
  • Fake products or services
  • Pyramid schemes or multi-level marketing scams
  • False testimonials or reviews
  • Misleading health claims (fake cures, miracle drugs)
• Adult content (conditional):
  • Pornography: PROHIBITED unless you notify us and obtain written approval
  • Escort services: PROHIBITED
  • Sex trafficking: PROHIBITED (illegal activity)

2.4 Technical Abuse

You shall NOT:

• Reverse engineer, decompile, or disassemble the widget or APIs
• Bypass rate limits or technical protections:
  • Using multiple accounts to circumvent limits
  • IP rotation to avoid detection
  • API scraping or automated abuse
• Launch DDoS attacks or attempt to overload our infrastructure
• Attempt to gain unauthorized access to our systems, servers, or databases
• Interfere with other clients' use of Services
• Use Services to test security of third-party systems without authorization
• Extract or copy source code of the widget
• Create derivative works or competing products based on our Services
• Remove or obscure attribution (copyright notices, branding)

2.5 Resale and Unauthorized Distribution

You shall NOT:

• Resell Services without written authorization from us
• Offer Services as white-label or under different branding
• Sub-license Services to third parties
• Distribute widget source code to competitors
• Bundle Services with competing products without disclosure

2.6 Misrepresentation

You shall NOT:

• Impersonate others: False identity, fake company, spoofed emails
• Misrepresent relationship with us: Claiming partnership, endorsement, or affiliation without authorization
• False advertising: Misleading claims about Service capabilities
• Fake reviews or testimonials: Writing fake reviews for compensation

2.7 High-Risk Applications (Restrictions)

You shall NOT use Services for high-risk applications unless you provide clear disclaimers:

• Medical diagnosis or treatment (AI is not a doctor; seek professional medical advice)
• Financial advice (AI is not a financial advisor; consult licensed professionals)
• Legal advice (AI is not a lawyer; consult licensed attorney)
• Safety-critical systems (aviation, automotive, industrial control) - NOT RECOMMENDED

PROHIBITED (No Exceptions):

• Emergency services or life-or-death decisions (911 dispatch, emergency response, critical medical decisions)

If used for informational purposes (e.g., symptom checker), you MUST display prominent disclaimers:

• "This is not medical advice. Consult a healthcare professional."
• "This is for informational purposes only."

2.8 Privacy and Security Abuse

You shall NOT:

• Collect sensitive information via voice without explicit consent and warnings:
  • Passwords, PINs, security codes
  • Government IDs (SSN, passport numbers)
  • Credit card numbers, CVV codes
  • Health records, medical diagnoses
• Fail to educate users about risks of voice input for sensitive data
• Omit data-ai-private attribute on fields you know contain confidential company information
• Disable or obscure Privacy Policy from end users
• Fail to obtain consent for voice input processing
• Disable, hide, or bypass consent modals or warning UI elements
• Encourage or instruct users to speak sensitive information by voice despite our warnings

3. REPORTING VIOLATIONS

3.1 How to Report

If you suspect AUP violation by another client:

• Email: abuse@webappski.com (or info@webappski.com)
• Subject: "AUP Violation Report - [Client Domain]"
• Include: Evidence (screenshots, URLs, timestamps)

3.2 Our Investigation

We will:

• Investigate reported violations within 7 business days
• Notify you of outcome (if you are the reporter)
• Take action if violation confirmed (warning, suspension, or termination)

3.3 False Reports

Do NOT file false reports. If we determine a report is made in bad faith:

• Reporter's account may be suspended
• Legal action may be taken for defamation

4. CONSEQUENCES OF VIOLATION

4.1 Warning (First Offense)

For minor violations:

• Email warning sent
• 7 days to cure violation
• Account remains active

4.2 Suspension (Second Offense or Moderate Violation)

For repeat or moderate violations:

• Account suspended for 30 days
• No access to Services during suspension
• No refund of fees
• Must cure violation before reactivation

4.3 Permanent Termination (Third Offense or Severe Violation)

For severe violations or 3+ offenses:

• Permanent account termination
• Client Account Data (domain, API key, settings) deleted within 30 days
• Security logs (IP, timestamps, error codes) retained for 90 days, then auto-deleted
• Consent receipts (pseudonymous UUID, timestamps) retained for up to 24 months to satisfy GDPR Art. 7(1) proof-of-consent requirements, then permanently deleted
• End User Personal Data (if any was processed) follows Data Subject rights under GDPR - contact Website Owner (Data Controller) for erasure requests
• No refund of fees
• Blacklisted (cannot create new account)

Immediate Termination (No Warning) for:

• Illegal activities (fraud, hacking, child exploitation)
• GDPR breaches exposing us to liability
• Malware distribution
• DDoS attacks
• Reverse engineering or IP theft

4.4 Legal Action

We reserve the right to:

• Report illegal activities to law enforcement
• Cooperate with investigations (provide logs, data)
• Pursue civil damages for breach of contract
• Seek injunctive relief for IP violations

5. YOUR RESPONSIBILITIES

5.1 Monitor Your Use

You are responsible for:

• Ensuring your website complies with this AUP
• Monitoring content on your website
• Promptly addressing violations
• Training your staff on acceptable use

5.2 Educate End Users

You must educate end users (via Privacy Policy, disclaimers, or UI warnings):

• What NOT to speak (passwords, SSN, credit cards, medical data)
• Data retention (30-day log retention, OpenAI processing)
• Risks (Our PII detection uses pattern-based filtering and AI analysis. While effective for standard sensitive fields (passwords, SSN, credit cards), it cannot catch all variations of company-specific confidential data. Detection is not perfect - use data-ai-private attribute for critical fields.)
• Consent (obtain consent before enabling voice input)

5.3 Implement Safeguards

You should:

• Use data-ai-private attribute on sensitive fields
• Display disclaimers for high-risk applications
• Obtain parental consent for child-directed content (COPPA, GDPR Article 8)
• Comply with accessibility requirements (WCAG, ADA)

6. CHANGES TO THIS AUP

We may update this AUP with 30 days' notice via:

• Email to your registered address
• Dashboard notification
• Updated AUP posted at https://webappski.com/legal/aup

Exception: Changes required for urgent security, legal compliance, or to prevent active abuse may take effect immediately without prior notice.

Examples of immediate-effect changes:

• Emergency security patches for zero-day vulnerabilities
• Compliance with urgent law enforcement requests
• Blocking active DDoS attacks or malware distribution
• Adding fields to data-ai-private denylist in response to discovered leaks

Not immediate (30 days notice required):

• Expanding prohibited content categories
• Changing rate limits or pricing
• Modifying consent requirements
• Adding new monitoring capabilities

Continued use after effective date = acceptance.

7. CONTACT

For AUP Questions: Email: info@webappski.com Subject: "AUP Inquiry"

To Report Violations: Email: abuse@webappski.com Subject: "AUP Violation Report - [Domain]"

For Legal Matters: Fundacja Rozwoju Przedsiębiorczości „Twój StartUp" (Artur Kuzmenka) ul. Żurawia 6/12, office 766 00-503 Warsaw, Poland

APPENDIX: EXAMPLES OF VIOLATIONS

Example 1: GDPR Violation (Immediate Termination)

Scenario: Client collects voice input from users without consent. Violation: GDPR Article 6 (no lawful basis) Action: Immediate termination + report to UODO (Polish data protection authority)

Example 2: Illegal Content (Immediate Termination)

Scenario: Client uses widget on website promoting illegal drugs. Violation: Illegal activity (Section 2.1) Action: Immediate termination + report to law enforcement

Example 3: Reverse Engineering (Warning → Termination)

Scenario: Client decompiles widget JavaScript to extract source code. Violation: IP violation (Section 2.4) Action: Warning, then termination if continues

Example 4: Adult Content Without Approval (Suspension)

Scenario: Client uses widget on pornography website without notifying us. Violation: Content restriction (Section 2.3) Action: 30-day suspension, reactivation if client provides age verification + disclaimers

Example 5: Rate Limit Abuse (Warning → Suspension)

Scenario: Client creates 5 free accounts to bypass 100-request limit. Violation: Technical abuse (Section 2.4) Action: Warning, all accounts suspended if continues

Example 6: Medical App Without Disclaimers (Warning)

Scenario: Client uses widget for symptom checker without "not medical advice" disclaimer. Violation: High-risk application (Section 2.7) Action: Warning + 7 days to add disclaimers

Example 7: Collecting Children's Data (Immediate Termination + Report)

Scenario: Client's website targets children under 13 (US) without COPPA compliance. Violation: Data protection + illegal activity (Section 2.2) Action: Immediate termination + report to FTC (US) or UODO (Poland)

BY USING AI FORM COPILOT SERVICES, YOU AGREE TO COMPLY WITH THIS ACCEPTABLE USE POLICY.

Last Updated: 2025-11-12 Version: 1.0