Acceptable Use Policy
Effective date: [date] · Last updated: [date]
Moonlight Array B.V.
This Acceptable Use Policy is incorporated into and forms part of the Terms of Service.
Draft pending legal review
This document is a starting point for legal review, not legal advice. It should be reviewed by a qualified Dutch/EU technology lawyer before publication. Bracketed items [like this] must be completed before use.
Introduction
This Acceptable Use Policy ("AUP") applies to your use of AIDO, including accounts, Hosted Instances, Agents, integrations, APIs, workflows, outputs, and any related services provided by Moonlight Array B.V. This AUP is incorporated into the Terms of Service by reference. You are responsible for ensuring that your Agents, users, employees, contractors, clients, and end users comply with this AUP. Capitalised terms not defined here have the meanings given in the Terms of Service. We may update this AUP from time to time. Where changes are material, we will provide reasonable notice. Continued use of the Service after the effective date of changes constitutes acceptance.
1. General Rule
You must not use the Service, or allow any Agent, Hosted Instance, credential, integration, workflow, output, or connected account to be used, for unlawful, harmful, deceptive, abusive, privacy-invasive, infringing, unsafe, or unauthorised purposes. We may suspend, restrict, block, or terminate access for suspected or actual violations, in accordance with the Terms of Service.
2. Illegal Activity and Harm
You must not use the Service to violate any applicable law, regulation, sanctions rule, court order, contractual obligation, platform rule, or third-party right. This includes, without limitation, EU and Dutch law, the laws of any jurisdiction in which your Agent operates or produces effects, and any foreign sanctions or export-control regimes. You must not use the Service to plan, facilitate, encourage, conceal, automate, or commit illegal activity, fraud, scams, tax evasion, money laundering, terrorist financing, harassment, threats, abuse, exploitation, or harm to any person, entity, or system.
3. Unauthorised Access, Cyber Abuse, and Infrastructure Misuse
You must not use the Service to:
- access, probe, scan, test, attack, disrupt, overload, scrape, bypass, or compromise any system, account, API, network, website, application, or service without authorisation from the system owner;
- exploit vulnerabilities or assist others in exploiting vulnerabilities in any system, whether or not that system is connected to the Service;
- create, deploy, distribute, host, or assist malware, ransomware, spyware, keyloggers, credential stealers, phishing kits, botnets, rootkits, exploit kits, or persistence mechanisms;
- conduct denial-of-service activity, traffic amplification, spam relays, proxy abuse, credential stuffing, password spraying, token theft, account takeover, session hijacking, or similar attacks;
- bypass CAPTCHAs, paywalls, access controls, anti-bot systems, account limits, rate limits, IP restrictions, geoblocking, platform safeguards, or security controls of any third-party service;
- use Hosted Instances as public proxies, VPNs, traffic relays, spam infrastructure, cryptocurrency mining infrastructure, unrelated bot hosting, open mail relays, or unrelated compute services;
- conceal or misrepresent the origin, source, or nature of traffic, communications, or automated actions.
Authorised security research requires our prior written approval and the prior written consent of the affected third party. We may offer a responsible-disclosure programme — contact [[email protected]] for details.
4. Spam, Deceptive Communications, and Platform Manipulation
You must not use the Service to:
- send spam, unsolicited bulk messages, phishing messages, scam messages, deceptive messages, or social-engineering content, whether by email, messaging platforms, social media, or any other channel;
- operate fake accounts, synthetic identities, sockpuppets, or coordinated inauthentic behaviour across any platform;
- generate fake engagement, fake reviews, fake likes, fake followers, fake clicks, fake traffic, poll manipulation, ranking manipulation, algorithmic manipulation, or platform manipulation;
- impersonate another person, company, government body, platform, service, employee, agent, or representative without authorisation;
- mislead recipients about whether they are interacting with an AI system or automated process, where disclosure is required by law (including the EU AI Act's transparency obligations), platform rules, or the context of the interaction;
- automate outreach, messaging, posting, commenting, liking, sharing, following, connection requests, or friend requests in violation of the applicable platform's terms of service or applicable law.
5. Privacy, Personal Data, and Surveillance
You must not use the Service to:
- collect, scrape, monitor, enrich, profile, infer, aggregate, sell, disclose, or use Personal Data without a lawful basis under the GDPR and any other applicable data protection law, and without providing the required notices to data subjects;
- conduct unauthorised surveillance, tracking, stalking, doxxing, harassment, intimidation, or monitoring of individuals;
- process special-category Personal Data (Article 9 GDPR), data concerning criminal convictions (Article 10 GDPR), children's data, biometric data, precise location data, health data, financial account data, government-issued identifiers, or similar sensitive data unless you have a valid lawful basis and appropriate safeguards in place;
- create or maintain databases of Personal Data in violation of data protection law, platform terms, or third-party rights;
- deanonymise, re-identify, or attempt to infer sensitive traits about identified or identifiable individuals without lawful authority;
- use data obtained from one context for another incompatible purpose without a valid lawful basis.
6. Scraping and Data Collection
You must not use the Service for unlawful, unauthorised, excessive, deceptive, or harmful scraping, crawling, monitoring, extraction, copying, or dataset creation. You are responsible for complying with applicable law (including copyright law, the EU Database Directive 96/9/EC, and the GDPR), intellectual-property rights, database rights, robots.txt instructions where applicable, platform terms, rate limits, contractual restrictions, and privacy obligations when using any data-collection or scraping features. Mass scraping of Personal Data, credentialed scraping of platforms without authorisation, systematic evasion of technical access controls, and resale of unlawfully scraped data are prohibited.
7. Regulated, High-Impact, and Professional Uses
You must not use the Service as the sole basis for decisions or actions that materially affect a person's legal rights, health, safety, finances, employment, education, housing, insurance, credit, immigration status, public benefits, access to essential services, or similar high-impact interests. You must not use the Service to provide or automate legal, medical, financial, tax, insurance, employment, housing, credit, immigration, or other regulated professional advice or services unless you have all required licences, lawful bases, disclosures, human review, supervision, and compliance controls. You must not automate legally significant communications (including contract formation, termination notices, formal complaints, regulatory filings, court submissions), financial transactions, purchases, cancellations, claims, or similar actions without appropriate authorisation and human review. If your Agent performs functions classified as high-risk under the EU AI Act (Regulation (EU) 2024/1689), you are responsible for meeting all applicable deployer obligations, including human oversight, logging retention, fundamental rights impact assessments, and transparency obligations.
8. Payments, Purchases, and Financial Activity
You must not use the Service to conduct unauthorised financial transactions or to manipulate markets, pricing, auctions, ticketing, purchasing systems, bookings, refunds, chargebacks, claims, or financial platforms. Agents that can initiate payments, purchases, orders, bookings, transfers, trades, refunds, cancellations, claims, subscriptions, or other financial or legally significant actions must have appropriate user authorisation, spending limits, comprehensive logging, and human confirmation unless we have expressly approved otherwise in writing.
9. Intellectual Property and Content Rights
You must not use the Service to infringe, misappropriate, or violate copyrights, database rights (including sui generis database rights under the EU Database Directive), trademarks, trade secrets, privacy rights, publicity rights, contractual rights, or other intellectual property or proprietary rights. You must not use the Service to remove rights-management information, bypass technical protection measures (including circumvention prohibited under the EU Copyright Directive 2001/29/EC and its Dutch implementation), generate counterfeit goods, impersonate brands, or distribute infringing materials.
10. Harmful, Exploitative, or Abusive Content
You must not use the Service to generate, store, publish, distribute, or facilitate content that is unlawful, hateful, harassing, threatening, sexually exploitative, child-safety-related (including child sexual abuse material), extremist, terrorist, self-harm-promoting, or graphically violent. You must not use the Service to exploit, sexualise, groom, endanger, or identify minors. You must not use the Service to generate deepfake content (non-consensual synthetic media depicting real individuals) for harassment, fraud, defamation, or sexual exploitation.
11. Weapons, Dangerous Goods, and Physical Harm
You must not use the Service to design, develop, produce, obtain, deploy, or optimise weapons, explosives, chemical, biological, radiological, or nuclear (CBRN) materials, dangerous devices, precursor chemicals, illegal drugs, or other systems or substances intended to cause physical harm. You must not use the Service to facilitate human trafficking, trade in illegal goods or services, unlicensed real-money gambling, or other activities that are illegal in the Netherlands or the EU.
12. Evasion and Abuse of the Service
You must not:
- create multiple accounts to evade enforcement actions, usage limits, suspension, payment obligations, or these Terms;
- hide the true operator or beneficiary of an Agent;
- resell, sublicence, rent, share, or provide access to the Service in violation of the Terms;
- remove, disable, or circumvent safety, logging, permission, rate-limit, or abuse-detection controls in the Service;
- interfere with our ability to monitor, secure, or enforce the Service;
- submit false, vexatious, or bad-faith abuse reports or misuse notice-and-action mechanisms;
- use the Service in a manner designed to test the boundaries of these Terms rather than for legitimate productive purposes.
13. Enforcement
We may investigate suspected violations using technical monitoring, log analysis, abuse reports, third-party notifications, and other reasonable means. Where an investigation involves Personal Data, we will process it in accordance with our Privacy Policy and applicable law. We may suspend, restrict, throttle, disable, quarantine, terminate, or block accounts, Agents, Hosted Instances, integrations, workflows, API access, traffic, or data access. Where we restrict or remove content or suspend access based on a notice, we will provide a statement of reasons to the affected user in accordance with Article 17 of the DSA where applicable. We may preserve relevant logs or records for a reasonable period; notify affected third-party providers, platforms, or services; notify law enforcement, regulatory authorities, or national competent authorities where required or appropriate; and refuse future service to the individual or entity involved. For serious, repeated, intentional, illegal, security-sensitive, or harmful violations, termination may be immediate and permanent, without refund to the maximum extent permitted by applicable law.
14. Reporting Abuse
Report abuse to [[email protected]] or via the reporting form at [abuse reporting URL]. A valid report should include: (a) a sufficiently substantiated explanation of why the content or activity is allegedly illegal or in violation of this AUP; (b) the exact electronic location of the content or activity (URL, instance identifier, or similar reference); (c) your name and email address (except for reports of child sexual abuse material, in accordance with DSA Article 16(2)(c)); and (d) a statement confirming your good-faith belief that the information in the report is accurate and complete. We will acknowledge receipt of reports without undue delay and will process them in a timely, diligent, non-arbitrary, and objective manner, in accordance with Article 16 of the DSA.
15. Questions
If you have questions about whether a specific use case complies with this AUP, contact us at [[email protected]] before deploying your Agent. We will use reasonable efforts to provide guidance, but pre-clearance does not constitute a waiver of our enforcement rights.