Draft — not yet counsel-reviewed. Some values below are bracketed placeholders that resolve through environment variables. Set them in your production env and have an attorney review this Acceptable Use Policy before any paid customer is onboarded.
Acceptable Use Policy

Acceptable Use Policy

Last updated: 2026-07-10. This policy is incorporated by reference into the Terms of Service. It applies to the public v1 application, the public v1 API, the QuickBooks Online integration, the extraction and OCR pipelines, and to every person and automated system acting on your behalf.

1. Prohibited uses

You may not use the Service to:

  • Break any law, regulation, or third-party right.
  • Infringe intellectual property, privacy, or publicity rights.
  • Harass, threaten, defame, or discriminate against any person.
  • Upload, distribute, or facilitate malware, ransomware, phishing, or unsolicited bulk communication.
  • Resell the Service, run a competing product on top of it, or build a database of ProofRows data for any external use.
  • Reverse engineer, decompile, benchmark against, or attempt to extract the source code or model weights of the Service.
  • Probe, scan, or test the vulnerability of the Service, or bypass any rate limit, authentication, or access control, except as part of a coordinated vulnerability disclosure.
  • Use the Service to launder money, evade sanctions, or finance terrorism.

2. Prohibited content

You may not upload, and the Service is not designed or licensed to process:

  • Payment cardholder data — primary account numbers (PAN), cardholder names, expiration dates, CVV / CVC, magnetic stripe data, PINs, or EMV chip data. The Service is not PCI-DSS certified. Exception: the last four digits of a card number that appear on a bank statement are processed as part of the statement text.
  • Protected Health Information (PHI) subject to HIPAA, the UK clinical-confidentiality duty, Quebec Law 25 health provisions, or any analogous law. ProofRows is not a HIPAA Business Associate and does not execute Business Associate Agreements.
  • Government-issued identifiers — Social Security numbers, Individual Taxpayer Identification Numbers, driver’s-licence numbers, state identification numbers, passport numbers, military ID numbers — except to the extent they appear incidentally on a legitimate bank statement.
  • Data of anyone under 18. The Service is a B2B workspace for working bookkeepers, accountants, and tax preparers.
  • Data of sanctioned parties under the laws of the United States (OFAC), the European Union, the United Kingdom, Canada (SEMA / JVCIT), the United Nations, or any other applicable sanctions regime. You represent and warrant that the data you upload is not subject to a sanctions prohibition.
  • Data you do not have the lawful right to process. You must have obtained every authorisation required from the data subject, your client, or your principal to upload the data to the Service.

3. API and developer use

The public v1 API at /api/v1 is for use by you and the personnel you authorise. To use it, create at least one API key from Settings → API keys. API key secrets are hashed-at-rest and shown to you exactly once at creation.

You agree to:

  • Keep your API keys confidential and secret.
  • Rotate any key you suspect has been compromised, immediately, by revoking the old key and creating a new one.
  • Revoke keys that are no longer in use, including on personnel departures.
  • Honor the rate limits described in our API documentation.
  • Not share keys across organizations, customers, or unaffiliated parties.
  • Not attempt to discover undocumented endpoints or bypass rate limits.
  • Not use the API to scrape, mine, or build a database of ProofRows data for use outside your organization.

We may revoke any API key at any time, for any reason, on 30 days’ notice (or immediately for cause, including violation of this policy).

4. Automated access

You may not use any bot, scraper, crawler, or other automated means to access the Service except as documented at /api/v1. General search engines may index the public marketing pages; they must not index the authenticated app, the API, or the demo tour. The marketing-site robots.txt is the canonical list of indexable surfaces.

5. Compliance with laws

You are responsible for compliance with all laws applicable to your use of the Service, in every jurisdiction where you operate or where the data you upload originates. This includes the GDPR, the UK GDPR, the Swiss FADP, the CCPA / CPRA and other US state privacy laws, PIPEDA, Quebec Law 25, the GLBA Safeguards Rule, anti-money-laundering laws, and sanctions regimes.

6. Enforcement

We may investigate any suspected violation of this policy, and we may take any of the following actions with or without prior notice:

  • Suspend or terminate the affected account.
  • Remove or quarantine uploaded content.
  • Revoke API keys, OAuth tokens, and session cookies.
  • Report the violation to law enforcement, regulatory bodies, or affected third parties (where we are legally required or where it is reasonable to do so).

We do not refund fees for accounts terminated under this section, except where a refund is required by mandatory consumer-protection law in your jurisdiction.

7. Reporting violations

To report a violation of this policy, illegal content on the Service, or a security vulnerability, email [ABUSE_EMAIL] (AUP / illegal content) or [SECURITY_EMAIL] (vulnerabilities and key compromise). We acknowledge within 3 business days and aim to resolve within 14 days. Reporters in good faith are protected by our anti-retaliation commitment; we do not pursue legal action against good-faith research that stays within our coordinated-disclosure policy.

Please include:

  • The URL or workspace identifier, if any.
  • A clear description of the violation or vulnerability.
  • Evidence sufficient for us to reproduce (steps, screenshots, request/response). Do not include full statement PDFs in your report.
  • Your contact details so we can follow up.

8. No monitoring obligation

We may, but are not obligated to, monitor activity on the Service for violations of this policy. We are not liable for false positives. The absence of action does not constitute endorsement of any behaviour.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified to active subscribers at least 30 days in advance by email and an in-app banner. Continued use after the effective date constitutes acceptance. If you do not agree to a material change, you may close your account before it takes effect (see Terms).

10. Relation to other policies

This policy is incorporated by reference into the Terms of Service. In any conflict between this policy and the Terms on a matter of acceptable use, this policy prevails. How we handle personal data is described in the Privacy Policy and the Data Processing Addendum; those documents control on data protection matters.

Questions? legal@proofrows.com