Effective Date: {Effective Date}
Last Updated: {Last Updated Date}
This Acceptable Use Policy ("AUP" or "Policy") governs your use of {Service Name} and any related websites, applications, and services we provide (the "Service"), operated by {Company Name} ("we", "us", or "our"). This Policy is part of, and is incorporated by reference into, our Terms of Service. By accessing or using the Service, you agree to this Policy.
(Customize this policy to your service. Products with user-generated content, messaging, an API, hosting, a marketplace, AI features, regulated industries, or EU users may need additional terms; enable the relevant optional clauses or add your own.)
1. Overview
This Policy sets out the rules for acceptable use of the Service. It applies in addition to our Terms of Service: where the Terms of Service describe the overall agreement, this Policy defines the specific conduct that is and is not permitted. If there is a conflict between this Policy and the Terms of Service on a question of acceptable use, this Policy controls. A violation of this Policy is a violation of our Terms of Service. We may update this Policy as described below. The version posted at the time of your use applies to that use, and material changes apply prospectively after we post or otherwise provide notice as required by law or our Terms of Service.
About this section
What's in this section
States what the Policy covers and ties it to your Terms of Service: the Terms set the overall agreement, this Policy defines the specific conduct that is and is not allowed.
Why this section is here
An AUP is enforceable because it is part of the contract the user accepted. Saying it is incorporated into the Terms, and which document controls on use questions, keeps it binding rather than advisory.
Common mistake
Publishing the AUP as a standalone page that no agreement references. If nothing the user accepted points to it, you may not be able to enforce it.
2. Who This Policy Applies To
This Policy applies to everyone who accesses or uses the Service, including account holders, their authorized users, and anyone acting on their behalf. If you provide access to the Service to others (for example, your own employees, contractors, or end users), you are responsible for their compliance with this Policy and for any use of the Service through your account.
Use by minors. The Service is intended for users who meet the minimum age stated in our Terms of Service. You may not allow anyone below that age to use the Service through your account, and you are responsible for any such use.
About this section
What's in this section
Names everyone bound by the Policy: account holders, their authorized users, and anyone acting through their account.
Why this section is here
Most abuse arrives through a customer's own users or downstream access. Making the account holder responsible for everyone they let in gives you one party to hold accountable.
Common mistake
Limiting the Policy to the signed-up account holder. Without a pass-through obligation, you have no clear claim when the abuse comes from someone they invited.
3. Prohibited Activities
You may use the Service only for lawful purposes and in accordance with this Policy and our Terms of Service. You may not use the Service, and may not assist or permit any person to use the Service, to:
- violate any applicable law or regulation, or infringe or misappropriate any intellectual property, privacy, or other right;
- engage in fraud, deception, or misrepresentation, or impersonate any person or entity;
- gain or attempt to gain unauthorized access to any system, account, network, or data;
- introduce, transmit, or distribute malware, ransomware, or other harmful code;
- interfere with, disrupt, or place an unreasonable load on the Service or its infrastructure;
- circumvent or attempt to circumvent any security, authentication, rate-limiting, or access control;
- collect, scrape, or harvest data from the Service except as we expressly permit in writing;
- collect, process, disclose, or attempt to obtain personal data without a lawful basis, required consent, or other authorization, or use the Service to dox, track, profile, or surveil individuals unlawfully;
- use or export the Service in violation of any applicable export control, sanctions, anti-boycott, or trade compliance laws, or for the benefit of any person, entity, or jurisdiction subject to applicable sanctions or restrictions;
- circumvent billing, usage limits, metering, seat or feature restrictions, trial limits, or other plan limitations; or
- engage in any other conduct that is abusive, deceptive, harmful to the Service or other users, or otherwise objectionable as we reasonably determine.
This list is not exhaustive. We may treat any use that threatens the security, integrity, availability, or lawful operation of the Service as a violation of this Policy.
Messaging and anti-spam. If the Service lets you send email, SMS, or other messages, you may only message recipients who have consented to hear from you, must identify yourself accurately as the sender, must include a working opt-out in every commercial message and honor unsubscribe requests promptly, and must comply with applicable anti-spam and telemarketing laws (such as CAN-SPAM, CASL, and the TCPA), including any sender or number registration those laws or carriers require. You may not send unsolicited bulk or commercial messages or disguise the origin of any message.
Marketplace and commerce abuse. If the Service supports listings, transactions, or payments between users, you may not list or sell counterfeit, stolen, recalled, or otherwise prohibited or regulated goods, misrepresent items, prices, or availability, post fake or incentivized reviews, manipulate ratings or search ranking, or engage in payment fraud, money laundering, or transactions that evade sanctions or applicable law.
Sanctions and export representations. You represent that you are not located in, ordinarily resident in, or organized under the laws of any country or territory subject to comprehensive sanctions, and that you are not identified on any government list of restricted or prohibited parties. You will not use, export, or re-export the Service in violation of any applicable export control or sanctions laws, including those of the United States and the European Union.
High-risk and regulated use. Unless we expressly agree in writing, you may not use the Service for activities where failure could lead to death, personal injury, or severe environmental or property damage, or as the sole basis for decisions in regulated areas such as healthcare, financial or legal advice, employment, credit, housing, insurance, or emergency and safety-critical systems.
About this section
What's in this section
The core list of banned conduct: illegal use, fraud, IP infringement, unauthorized access, malware, interference, and circumventing security or limits.
Why this section is here
This is the list you point to when you suspend or terminate a bad actor. Enforcement is only as strong as the specific conduct you named here.
Common mistake
A single vague line like 'do not misuse the Service.' Name the conduct you actually want the right to act on, since that is the wording an enforcement decision relies on.
4. Content Standards
To the extent the Service allows you to submit, upload, post, or transmit content, you are responsible for that content and must ensure it does not:
- infringe any intellectual property or other right;
- contain or promote unlawful, fraudulent, or deceptive material;
- contain malware or links to malicious resources;
- depict, promote, or facilitate child sexual abuse material, which we act on immediately and report to the authorities;
- harass, threaten, defame, or incite violence against any person or group; or
- contain material that is obscene, exploitative, hateful, abusive, or otherwise objectionable as we reasonably determine.
We are not obligated to monitor content, but we may review, remove, or disable access to any content that violates this Policy or that we are required to act on by law.
User-generated content and moderation. If the Service hosts content that users can share publicly or with others, we may operate notice-and-action and moderation processes to review reported content, remove violating material, and, where required, notify affected users and the relevant authorities. Decisions to remove content or restrict accounts are made under this Policy and any applicable platform rules. Where required by law, we will give affected users a statement of reasons for a content or account decision and an opportunity to appeal it.
AI and automated content. If the Service includes AI or generative features, you may not use them to generate or distribute unlawful, deceptive, or infringing material, to create child sexual abuse material, non-consensual intimate imagery, or deepfakes intended to deceive, or to make automated decisions about individuals (such as eligibility for employment, credit, housing, or insurance) without the human review and disclosures the law requires. You may not use the Service or its outputs to train a competing model or to extract or reconstruct the underlying models, prompts, or data.
About this section
What's in this section
The rules for any content users can submit or share: no infringing, unlawful, malicious, abusive, or otherwise objectionable material.
Why this section is here
If your Service carries user content, you need a stated basis to remove it and act on the account behind it. This section gives you that basis without committing you to monitor everything.
Common mistake
Promising to review all content, or omitting the illegal-content categories you are legally required to act on. Reserve the right to remove without taking on a duty to police every post.
5. System and Network Security
You may not violate or attempt to violate the security of the Service. Prohibited activities include accessing data not intended for you, probing, scanning, or testing the vulnerability of any system or network without authorization, breaching authentication or security measures, and interfering with service to any user, host, or network.
API and automated access. If we provide an API or allow automated access, you must stay within published rate limits and documented use, must not share, resell, or sublicense credentials or access without authorization, and must not use bots, scripts, or other automated means to access the Service except through interfaces we provide for that purpose. You may not run benchmarking or load testing intended for public comparison without our written consent.
Network and hosting abuse. If your use involves compute, storage, hosting, or network resources, you may not use the Service to run open mail relays or open proxies, conduct denial-of-service attacks, mine cryptocurrency without our written permission, host malware, phishing pages, or botnet command-and-control infrastructure, harvest or traffic in stolen credentials, or operate anything that places an abusive or disproportionate load on shared infrastructure.
Fair use and resource limits. Even where your plan does not state a fixed limit, you must use the Service consistent with normal, good-faith use. We may set or enforce reasonable limits on requests, storage, bandwidth, or other resources, and may throttle or suspend usage that materially exceeds normal patterns or degrades the Service for others.
Security testing. Do not conduct penetration testing, vulnerability scanning, or other security research against the Service without our prior written consent. If you believe you have found a security vulnerability, report it to {Email Address} and give us a reasonable opportunity to respond before any disclosure. We will not pursue good-faith research conducted in line with this paragraph.
About this section
What's in this section
Security and infrastructure rules: no unauthorized access, scanning, or interference, plus optional limits for APIs, hosting, messaging, and resource use.
Why this section is here
Technical abuse threatens every other customer on shared infrastructure. Naming it here lets you cut off an attack or a runaway integration before it degrades the Service for everyone.
Common mistake
Covering only 'hacking' and ignoring automated abuse. Scraping, bot traffic, and integrations that exceed limits cause most real-world load problems.
6. Monitoring and Enforcement
We may, but are not obligated to, monitor use of the Service and investigate any suspected violation of this Policy. If we reasonably determine that you have violated this Policy, we may take any action we consider appropriate, including issuing a warning, removing or disabling content, throttling or suspending access, terminating accounts, and reporting conduct to law enforcement. We may act without prior notice where the violation is severe, involves illegal content, or poses a risk to the Service, other users, or third parties. We may also preserve and disclose information about your use where we believe in good faith that doing so is necessary to enforce this Policy, comply with applicable law or legal process, or protect the rights, safety, or property of any person. Our failure to enforce this Policy in any instance does not waive our right to enforce it later, and we are not liable for any action taken in good faith to enforce this Policy. Any action we take under this Policy is in addition to any remedy available under our Terms of Service or applicable law.
We moderate use of the Service at our discretion and are generally not liable for content provided by users under Section 230 of the US Communications Decency Act. We handle copyright complaints through the reporting process below.
For users in the United Kingdom, we operate reporting and complaints mechanisms and act on illegal content in line with the Online Safety Act 2023.
For users in the European Union, where we remove content or restrict an account we provide a clear statement of reasons and an internal complaint-handling and appeal process, and we operate notice-and-action mechanisms, applying and enforcing this Policy diligently, objectively, and proportionately, as the EU Digital Services Act requires.
About this section
What's in this section
What you can do about a violation: warn, remove content, throttle, suspend, terminate, or report to authorities, and that you may act without notice in severe cases.
Why this section is here
The right to act has to be reserved before you use it. Spelling out the range of responses, including immediate action for severe abuse, lets you respond proportionately and on record.
Common mistake
Promising notice or a cure period in every case. Keep the right to act immediately when the conduct is illegal or threatens the Service or other users.
7. Reporting Abuse
If you become aware of any use of the Service that violates this Policy, report it to us at {Email Address} with enough detail for us to identify the issue, such as the account, content, or activity involved and the nature of the violation. We review reports and take the action we consider appropriate.
Copyright and DMCA notices. If you believe content on the Service infringes your copyright, send a notice to {Email Address} that includes the information required by applicable law: identification of the work, the material you say infringes it, your contact details, and a good-faith statement. We respond to valid notices, may remove or disable the reported material, and may terminate the accounts of repeat infringers. (US providers seeking DMCA safe-harbor protection should set out the full notice process and designated-agent details in their Terms of Service and register the agent with the U.S. Copyright Office.)
About this section
What's in this section
How users and third parties report a violation, and where copyright or DMCA notices go. It routes problems to a monitored channel you control.
Why this section is here
Abuse you never hear about is abuse you cannot act on. A named reporting address, and a process for legal notices, turns outside reports into enforceable action.
Common mistake
Listing no abuse contact, or an unmonitored inbox. Reports that go nowhere become the incidents and takedown demands you find out about too late.
8. Changes to This Policy
We may update this Policy from time to time to reflect new features, new types of misuse, or changes in the law. The version posted at the time of your use applies to that use, and material changes apply prospectively after we post or otherwise provide notice as required by law or our Terms of Service. We will post changes on this page and update the "Last Updated" date above.
About this section
What's in this section
Reserves the right to update the Policy and fixes which version governs: the one in effect when the user accessed the Service.
Why this section is here
Abuse rules change faster than the main contract. Tying each use to the version then in effect lets you tighten the Policy without re-papering the entire Terms of Service.
Common mistake
Editing the live Policy with no notice and assuming it binds past conduct. Keep dated versions and give notice of material changes so each one is defensible.
9. Contact Us
If you have questions about this Policy or need to report a violation, contact us at:
{Company Name}
Email: {Email Address}
{Website URL}
About this section
What's in this section
Where users send questions about the Policy and where violation reports go: a named company and a monitored address.
Why this section is here
A policy with no working contact stalls every report and notice. A monitored abuse address keeps incidents from escalating into legal or platform complaints.
Common mistake
Using a generic inbox no one watches. Abuse and legal notices need a route that is actually read and acted on.
