Acceptable Use Policy
Updated May 11, 2026
This Acceptable Use Policy ("AUP") forms an integral part of the Terms of Service. Capitalised terms not defined here have the meanings given in the Terms. By using the Service, you agree to comply with this AUP.
1. Purpose
The Service exists to help individuals, freelancers, small and medium-sized businesses, associations and enterprises build, publish and operate digital applications and websites with AI assistance. This AUP defines uses we do not permit, in order to protect users, our infrastructure providers, third parties and the integrity of the Service.
2. General Prohibitions
You may not use, and you may not allow any third party to use, the Service to:
- violate any applicable law, regulation or third-party right, including intellectual-property, privacy, publicity, contractual or data-protection rights;
- infringe, misappropriate or dilute trademarks, copyrights, trade secrets or other IP;
- upload, host, generate or distribute content that is unlawful, defamatory, harassing, threatening, fraudulent, obscene, hateful, glorifies violence, sexualises minors, or constitutes incitement;
- engage in spam, phishing, smishing, pharming, scraping (without consent), credential stuffing, or large-scale unsolicited messaging;
- distribute malware, ransomware, spyware, viruses, worms, trojans, cryptominers or other harmful code;
- conduct vulnerability scans, penetration tests or load tests against the Service or against third parties without our prior written authorisation;
- circumvent or attempt to circumvent authentication, rate-limiting, billing, quota or security mechanisms of the Service;
- interfere with, disrupt or place an undue burden on the Service, our networks or our Sub-Processors' infrastructure;
- use the Service in life-critical environments (e.g. medical devices, nuclear control, aviation, life-support) without independent, certified safety systems and human oversight.
3. AI-Specific Restrictions
In addition to the general prohibitions, you may not use the Service to:
- Train competing models. Use the Service, AI Output, prompts or any data accessed via the Service to train, fine-tune, distill, evaluate, benchmark or otherwise develop any AI or machine-learning model that competes with the Service.
- Extract model internals. Attempt to discover, extract or reconstruct the weights, hyperparameters, system prompts, internal logic, training data, or proprietary algorithms of the Service or its underlying models.
- Misrepresent AI Output. Pass off AI Output as human-authored in contexts where this would mislead, defraud or harm — for example in academic submissions where disclosure is required, in journalistic content presented as original reporting, or in political campaigning that misleads voters.
- Generate harmful content. Produce or distribute content that promotes self-harm, terrorism, child sexual abuse material, non-consensual sexual content, biological, chemical, radiological, nuclear or cyber weapons of mass harm.
- Bias-amplifying high-risk decisions. Use AI Output as the sole basis for high-stakes decisions about individuals (e.g. medical diagnosis, hiring, credit, insurance, housing, criminal justice, social services) without qualified human review and conformity with applicable law, including the EU AI Act.
- Deceptive content at scale. Operate disinformation campaigns, generate deepfakes of real people without consent or clear labelling, or produce coordinated inauthentic behaviour.
4. Your Responsibility for Generated Code
AI Output is generated probabilistically and may contain bugs, security vulnerabilities, license-incompatible patterns, similarities to existing works, or content that is not suitable for your context. Before deploying AI Output to production or to third parties, you are responsible for:
- Review. Reading and understanding the generated code, configuration, prompts and documentation.
- Testing. Running unit, integration, end-to-end and, where appropriate, load tests in environments comparable to production.
- Security. Performing dependency, secrets, SAST and DAST checks; rotating any credentials accidentally generated or committed; reviewing access policies and CORS, CSP, authentication and authorisation rules.
- Licence compliance. Ensuring compatibility with open-source licences of any third-party dependencies suggested or installed by the Service and complying with attribution and copyleft requirements.
- Data protection. Conducting a data-protection impact assessment where Article 35 GDPR applies, documenting lawful bases, and configuring retention, deletion and data-subject-rights workflows.
- Accessibility. Meeting accessibility requirements applicable to your jurisdiction and audience (e.g. WCAG 2.2, EAA from 2025).
- Regulated industries. Obtaining required certifications and approvals before use in regulated sectors.
5. Prompt and Content Hygiene
You shall not submit to the Service personal data of special categories under Article 9 GDPR (e.g. health, biometric, political opinion, sexual orientation) or data of children under 16 except where you have a clear lawful basis. Avoid submitting credentials, API keys or production secrets in prompts; use the Service's secrets-management features.
6. Subdomain and Custom-Domain Conduct
Names of *.xaio.app subdomains and any custom domains connected to the Service must not infringe trademarks, impersonate persons or organisations, host illegal content, distribute malware, conduct phishing, or expose unprotected critical infrastructure. We may reclaim or disable subdomains as described in Section 15 of the Terms.
7. Reporting Violations
To report abuse, security issues or copyright complaints, contact abuse@xaio.dev (general abuse / illegal content), security@xaio.dev (responsible-disclosure vulnerabilities) or legal@xaio.dev (copyright / trademark / data-protection complaints). Include URLs, timestamps and a description of the violation.
8. Enforcement
We may investigate suspected violations, request additional information from you, remove or disable access to offending content, throttle or suspend Accounts, terminate Accounts, or report illegal activity to law-enforcement authorities. Where reasonable, we will give you an opportunity to cure before taking irreversible action; in cases of imminent harm, security incidents, or legal compulsion we may act immediately.
9. Changes
We may update this AUP from time to time. Material changes will be communicated as provided in Section 27 of the Terms. The version effective at the time of your use applies.