1. Purpose & Relationship to Other Documents
This Acceptable Use Policy (the “AUP”) sets the minimum rules of conduct for everyone who uses the Teamly platform (the “Service”). It is incorporated by reference into the Terms of Service and a breach of the AUP is a breach of the Terms. In the event of conflict, the AUP controls in respect of conduct on or through the Service; the Terms otherwise prevail.
The AUP applies to your direct use of the Service and equally to any action taken by any AI agent you instruct, configure, or authorise — including standing authorisations through skills, presets, or policy configurations. You are responsible for ensuring that every action that occurs under your account complies with this AUP, even if an Agent executed it on your behalf.
2. Prohibited Content
You must not use the Service to create, store, process, transmit, or solicit:
- content that is unlawful in the jurisdiction where it is hosted or where it is received, including content that infringes intellectual property, privacy, publicity, defamation, consumer-protection, anti-discrimination, or trade-secret law;
- child sexual abuse material (“CSAM”) or any content that sexualises minors, in any form;
- non-consensual intimate imagery or any content that depicts sexual acts with a real, identifiable person without that person's freely-given, specific consent;
- content that promotes, incites, or instructs the commission of terrorism, mass violence, genocide, torture, or self-harm;
- content designed to facilitate fraud, identity theft, money laundering, sanctions evasion, or other financial crime;
- content designed to facilitate human trafficking, forced labour, or the sale of restricted goods (firearms, drugs, regulated chemicals) where such sale would be illegal at origin or destination;
- malware, exploit code, ransomware, command-and-control servers, phishing pages, credential-harvesting kits, or any other tool whose primary use is to compromise the security of another system;
- content that misrepresents authorship in a way intended to deceive (impersonation, sock-puppetry, manufactured grassroots/“astroturfing” campaigns), or that interferes with elections, referendums, or other democratic processes;
- personal data of a third party in violation of data-protection law (e.g. without a lawful basis under GDPR Art. 6, or special-category data without an Art. 9 basis).
3. Prohibited Uses of Agents
You must not configure, instruct, or otherwise cause an Agent to:
- send unsolicited bulk communications (spam) over any channel, including email, messaging platforms, SMS, or social media;
- engage in coordinated harassment, mass-reporting, brigading, stalking, or targeting of any individual or group;
- scrape, crawl, or extract data from a third-party service in violation of that service's terms of service, robots.txt directives, or technical access controls;
- attempt to bypass a CAPTCHA, rate limit, paywall, geo-block, or other access control imposed by us or by a third party;
- create, fork, or coordinate multiple accounts to evade limits or enforcement;
- attempt to obtain another user's data, secrets, prompts, or Cell contents, or to compromise the isolation between Cells;
- reverse-engineer, decompile, or attempt to extract weights, training data, or prompts from any third-party model invoked through the Service, beyond what is permitted by the provider's terms;
- make automated decisions in employment, credit, insurance, housing, education admissions, or other areas where applicable law (such as the EU AI Act's high-risk-system rules) imposes mandatory human oversight, unless you have implemented such oversight;
- generate or amplify content that targets individuals on the basis of a protected characteristic (race, religion, sexual orientation, disability, etc.) with hostility or intimidation;
- generate misleading deepfakes of real persons that could reasonably be mistaken for genuine content of that person, without their explicit consent and a clear disclosure that the content is synthetic;
- perform pen-testing, security research, or other adversarial probing against any system you do not own or are not expressly authorised in writing to test;
- engage in any practice prohibited under Article 5 of the EU AI Act, including: social scoring of natural persons; subliminal or manipulative techniques that materially distort behaviour or cause significant harm; exploitation of vulnerabilities based on age, disability or socio-economic situation; predictive policing based solely on profiling or personality traits; untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases; inference of emotions in workplace or educational settings; biometric categorisation to infer race, political opinions, trade-union membership, religious beliefs, sex life or sexual orientation; or real-time remote biometric identification in publicly accessible spaces;
- where you direct an Agent to communicate with a natural person via any messaging channel, fail to ensure the recipient is informed that they are interacting with AI as required by California Senate Bill 1001 (Cal. Bus. & Prof. Code § 17940 et seq.), the EU AI Act Art. 50, and any equivalent chatbot-disclosure law — you are the “operator” or “deployer” under those statutes, and you are responsible for the disclosure.
4. Integration-Specific Obligations
When you connect a third-party service as an Integration (Slack, Gmail, Google Sheets, Stripe, Notion, GitHub, Salesforce, HubSpot, and others — see our Subprocessors page), you remain solely responsible for ensuring that:
- you have the authority to connect that account (your own, or with the express authorisation of the account holder);
- you are deemed to have read, accepted, and to be solely bound by the third party's terms of service, acceptable use policy, and developer policy as those terms apply to the Agent's actions, whether or not you have actually reviewed them — including obligations specific to bot accounts, API consumers, or messaging applications;
- you keep the access scope tightly bounded — grant the Agent only the minimum scope required for the work you want done (e.g. read-only where write is not needed; specific channels rather than full workspace);
- you have a lawful basis under GDPR or equivalent law for any personal data the Agent will access, process, or transmit through the Integration, including data belonging to third parties (customers, leads, employees, subscribers);
- you do not use the Integration to circumvent a third party's usage limits, rate limits, pricing tier, or feature restrictions;
- you promptly revoke the Integration if a third-party account holder withdraws their authorisation, if the third-party service issues a warning or suspension, or if you become aware that the Agent is acting outside its intended scope.
Teamly is not a party to any breach of the third-party service's terms. If a third-party service suspends your account, files a billing claim, removes content, or pursues legal action against you because of how you or your Agents used the Integration, that is between you and the third party. The indemnification in Terms of Service § 14 applies in full.
Data Protection Impact Assessment (DPIA). Where your use of the Service or its Integrations involves systematic monitoring of data subjects, large-scale processing of special-category data, or other processing likely to result in a high risk to the rights and freedoms of natural persons, you may be required to perform a DPIA under GDPR Art. 35 (or an equivalent assessment under your local law). We will provide reasonable assistance where you have an executed Data Processing Addendum with us.
5. Rate Limits & Fair Use
You must use the Service within the rate limits, concurrency limits, and storage limits published on your pricing tier. You may not employ techniques designed to evade these limits, including parallel accounts, distributed clients, or token-rotation schemes. Where soft limits exist (Cell sizing, agent concurrency), you must not impose load that materially degrades the experience of other users.
We may, at our discretion, throttle, rate-limit, queue, or temporarily refuse requests from accounts that exhibit abusive patterns. We may also charge for usage that exceeds your plan's included allowance, at the rates published in the in-product checkout flow.
6. Your Security Obligations
You must:
- keep your authentication credentials confidential and never share them;
- enable multi-factor authentication on your Teamly account and on any Integration that supports it;
- store your “Bring Your Own Key” (BYOK) API keys securely (the Service encrypts them at rest, but you are responsible for the keys themselves);
- promptly revoke an Integration token at the third party if you suspect the token has been exposed;
- notify us at security@teamly.to within 72 hours of discovering a suspected security incident affecting your account or the Service;
- cooperate with us in investigating suspected security incidents and abuse;
- comply with applicable data-breach notification obligations where you are the controller of personal data processed through the Service.
Good-faith security research conducted in accordance with a coordinated-disclosure programme is welcome; please contact us at the address above before testing the production Service so that we can authorise the scope.
7. Reporting Abuse
If you become aware of any conduct that breaches this AUP — by you, by an Agent acting under your account, or by another user — please report it to abuse@teamly.to. Reports of suspected CSAM should additionally be made to the National Center for Missing & Exploited Children (NCMEC) CyberTipline or your local equivalent.
Notices under the EU Digital Services Act (DSA). EU-resident users and persons affected by content stored or processed through the Service may submit a notice under Art. 16 of Regulation (EU) 2022/2065 by emailing abuse@teamly.to with the subject line “DSA Notice”. We will acknowledge receipt, decide on the notice without undue delay, provide a statement of reasons under Art. 17, and submit relevant statements of reasons to the EU Transparency Database where required.
We acknowledge abuse reports within five (5) business days and act on the most serious categories (CSAM, imminent threat of harm, critical security incidents) without delay.
8. Enforcement
We may, in our sole discretion and without prior notice, take any of the following actions in response to an actual or suspected breach of this AUP:
- remove or restrict access to the offending Content;
- disable a specific Agent, skill, or Integration;
- throttle or rate-limit your account;
- suspend or terminate your account in line with Terms of Service § 15;
- preserve and disclose data to law-enforcement or other authorities where we are legally required to do so or where, in our good-faith judgement, disclosure is necessary to prevent imminent harm.
Our enforcement options are cumulative and not exclusive. Choice of one remedy does not waive another. We typically follow a graded response (warning → restriction → suspension → termination) for less serious matters, but for serious abuses we may move directly to suspension or termination without notice.
Processor-relationship carve-out. Where you are an organisational customer under an executed Data Processing Addendum and the offending Content is personal data for which we act as your processor, our enforcement actions are subject to the Art. 28(3) obligations in that DPA, including the duty to follow your documented instructions on deletion or retention before unilaterally modifying that data.
9. Indemnification
A breach of this AUP — by you or by any Agent acting under your account, with or without your express direction for each individual action — is a breach of the Terms of Service and triggers your indemnification obligations under Terms of Service § 14, including with respect to any third-party claims, regulatory investigations, fines, and reasonable legal fees incurred by us or by the other Indemnified Parties named in that Section.
