Acceptable Use Policy (AUP)

Provider: Valiquest AB · Org.nr 559577-0347 · Stockholm, Sweden Service: Virtual Customer Version: v1 — 2026-04-22 (DRAFT — pre-counsel review) Public URL (after publication): https://app.virtualcustomer.io/legal/aup.html

This Acceptable Use Policy ("AUP") forms part of the Terms of Service. By using Virtual Customer, you and every authorised user in your organisation agree to follow these rules. Violations may result in suspension or termination, on the timelines described in §6.

1. Who this applies to

This AUP applies to:

• Customers — the legal entity that signed up for the Service.
• Authorised users — employees, contractors, and partners of the Customer who hold an active seat.
• Respondents — end users invited by the Customer to participate in a study (only sections marked "(R)").
• Visitors — anyone using public surfaces (e.g. /legal/*, /billing/plans.html).

If you administer an account, you are responsible for ensuring everyone in your organisation follows this AUP.

2. Things you must NOT do (general prohibitions)

You may not, and may not allow anyone to:

1. Break the law. Use the Service in violation of any applicable law, including export-control law, sanctions, intellectual-property law, data-protection law (including GDPR), or consumer-protection law.
2. Harm Valiquest infrastructure. Probe, scan, penetration-test, or attack our systems without prior written permission from info@valiquest.com. Coordinated, good-faith vulnerability research is welcome via responsible disclosure (see §8).
3. Circumvent technical limits. Bypass authentication, rate limits, billing meters, entitlement gates, IP filters, or any other security or commercial control. (Includes using stolen credentials, sharing seats outside your organisation, or running the Service through proxies to evade geographic restrictions.)
4. Misuse identifiers. Forge headers, spoof IP addresses, impersonate Valiquest, or impersonate another customer or user.
5. Distribute malware or harmful code. Upload, store, or transmit viruses, worms, ransomware, cryptominers, browser exploits, or any other malicious code.
6. Send spam or unauthorised commercial messages. Use Virtual Customer email surfaces (e.g. study invitations) to send messages to recipients who have not given an appropriate basis under applicable e-marketing law (e.g. ePrivacy + GDPR Art. 6 in the EU/UK; CAN-SPAM in the US).
7. Interfere with other customers. Take any action that degrades the experience of other customers (excessive load, denial-of-service, repeated abuse reports against unrelated customers, etc.).
8. Reverse-engineer the Service. Decompile, reverse-engineer, or attempt to derive source code, model weights, or proprietary logic, except to the extent permitted by mandatory law (e.g. interoperability under EU Software Directive 2009/24/EC).
9. Train competing models on Service outputs. You may not use AI-generated outputs from Virtual Customer to train, fine-tune, or evaluate a model that competes with Virtual Customer. (Internal benchmarking of your own work product is fine.)
10. Resell or sublicense without permission. You may not resell, white-label, or sublicense the Service unless you have a separate written agreement with Valiquest permitting it.

3. Things you must NOT do with AI features (specific prohibitions)

In addition to the general rules in §2, you may not use Virtual Customer to engage in any practice prohibited by Article 5 of the EU AI Act (Regulation (EU) 2024/1689), including:

1. Subliminal or manipulative techniques that distort behaviour in a way likely to cause significant harm.
2. Exploitation of vulnerabilities of specific groups (age, disability, social/economic situation).
3. Social scoring by public authorities or on their behalf.
4. Real-time remote biometric identification in publicly accessible spaces.
5. Untargeted scraping of facial images from the internet or CCTV to build face recognition databases.
6. Emotion-recognition in workplaces or educational institutions (except for safety/medical reasons).
7. Predictive policing based solely on profiling.
8. Biometric categorisation to deduce sensitive personal data (race, political opinions, sexual orientation, etc.).

You also may not use the Service for any of the following high-risk deployments under Annex III of the EU AI Act without first telling Valiquest in writing and entering a separate written agreement:

• Employment, worker management, or access to self-employment (recruiting, screening, performance evaluation).
• Education or vocational training (admissions, evaluation, fraud detection).
• Access to essential public or private services (credit scoring, insurance pricing, public benefits).
• Law enforcement, migration / asylum / border control, or administration of justice.
• Critical infrastructure (water, gas, electricity, traffic) safety functions.

4. Things you must NOT do with content (Customer Content rules)

You may not upload, generate, store, or transmit content that:

1. Infringes intellectual-property rights — including copyrighted text, code, audio, or images that you do not have permission to use.
2. Discloses personal data without a legal basis — particularly special-category data under GDPR Art. 9 (race, ethnicity, religion, political views, union membership, genetic / biometric data, health, sex life or sexual orientation), unless you have a valid Art. 9(2) basis and have configured your study accordingly.
3. Discloses information about children under 16 without verifiable parental consent.
4. Is sexually explicit, violent-graphic, or hateful when used in interactions with respondents. (Researching such content as a study topic is permitted; using the Service to deliver such content to a respondent is not.)
5. Is harassing, defamatory, or threatening towards an identifiable person.
6. Is regulated content (medical advice, legal advice, financial advice, securities offers, prescription pharmaceuticals, gambling, firearms, controlled substances) where your use lacks the necessary licences.
7. Is misleading. Do not present AI-generated content to respondents as if it came from a human, except in clearly disclosed simulation contexts (and never in a way that misleads the respondent's free and informed participation).

5. Things respondents (R) must NOT do

If you are participating in a Virtual Customer study (a "respondent"):

1. Do not provide false personal information about another person.
2. Do not upload content that you do not have the right to share.
3. Do not attempt to attack or probe the Service.
4. Do not share invitation links publicly. Invitation links are personal to you.

If you do not agree to participate, simply close the session — your data will not be retained beyond the technical minimum needed to record that the session was abandoned.

6. Enforcement

We aim to apply this AUP proportionately. Generally:

We may, without notice, take immediate action (suspension, removal of content, or termination) where:

• continued operation poses an immediate security risk,
• the law requires us to act,
• a Subprocessor (see Subprocessor List) requires us to act under their AUP cascade, or
• continued operation harms a third party (e.g. respondent safety).

After enforcement, we will tell you what we did and why, unless doing so would itself be unlawful (e.g. tipping off in a money-laundering investigation) or would itself create a security risk.

7. Reporting abuse

To report someone else's abuse of the Service:

• General abuse: info@valiquest.com
• Intellectual-property complaints: info@valiquest.com (we follow a notice-and-takedown procedure modelled on the EU Digital Services Act and the US DMCA where applicable; EU customers can use the Article 16 DSA procedure described at the report email address).
• AI-safety concerns: info@valiquest.com
• Data-protection complaints: info@valiquest.com

We aim to acknowledge abuse reports within 5 business days.

8. Responsible vulnerability disclosure

If you believe you have found a security vulnerability:

• Email info@valiquest.com with reproducible steps.
• Do not publish details until we confirm a fix has shipped.
• Do not access, modify, or download data that does not belong to you. Stop at the minimum proof-of-concept.
• We will acknowledge within 3 business days and publish a fix and acknowledgement (with your consent) when ready.

We do not currently operate a paid bug bounty programme. We will, in good faith, mention reporters in release notes (with consent) and provide a Valiquest swag pack for material findings.

9. Changes to this AUP

We may update this AUP from time to time. Material changes will be:

• announced at least 30 days in advance via the in-product changelog and via the email address on file for the billing contact, except where the change is required by law or by a Subprocessor's downstream AUP, in which case the change becomes effective when we are required to apply it.

Reviewer flags

For the external Swedish data protection / IT lawyer (G4.6.13):

• [REVIEW] §2(7) Confirm that "interfere with other customers" is broad enough to capture e.g. wage-and-hour scraping experiments without being so broad that it covers legitimate stress-testing of one's own org.
• [REVIEW] §3 Cross-check Article 5 EU AI Act enumeration against the final published text and any AI Office guidance available at publication date.
• [REVIEW] §4(2) Confirm Art. 9 GDPR cross-reference and whether to explicitly call out children's data and biometric data inline.
• [REVIEW] §6 Confirm the "tipping-off" carve-out in line with Swedish AML / FIU obligations.
• [REVIEW] §7 Confirm DSA Art. 16 reference is in line with Valiquest's DSA classification (we are not a "very large online platform"; we are most likely a "hosting service provider").
• [REVIEW] §9 Confirm whether 30-day notice for AUP changes is acceptable as the default in B2B in Sweden (some sources suggest 60 days for material changes that introduce new restrictions).

End of draft v1 — 2026-04-22