Acceptable Use Policy

• Send only to people who have asked to hear from you.
• Don't impersonate someone or pretend an email is something it isn't.
• Don't use Mailapp to distribute malware, run phishing campaigns, or harass people.
• Don't scrape, jailbreak, or DDoS the platform.
• If you're in a regulated industry, follow your industry rules (HIPAA, GLBA, FERPA, etc.) — and turn on the relevant Mailapp protections.

This Acceptable Use Policy ("AUP") applies to all use of the Mailapp Services, including by Customer's employees, contractors, agents, and any User invited to a workspace. The AUP is incorporated by reference into the Terms of Service and the DPA.

You will not use Mailapp to host, send, store, or process content that:

• is illegal where you, the recipient, or Mailapp operate;
• infringes intellectual-property or privacy rights;
• promotes or facilitates terrorism, violent extremism, or violence against any group;
• depicts or facilitates the sexual exploitation of minors (CSAM) — reported immediately and unconditionally to NCMEC and equivalent authorities;
• contains or distributes malware, ransomware, spyware, or scareware;
• is intended to defraud, including phishing, smishing, business-email-compromise, or fake-invoice schemes;
• promotes unlawful gambling, unregistered securities, pyramid schemes, or get-rich-quick scams;
• promotes the sale of prescription drugs without a valid prescription, controlled substances, or counterfeit goods;
• incites hatred or harassment on the basis of race, ethnicity, national origin, religion, sexual orientation, gender identity, disability, or similar protected characteristic;
• doxes or threatens a person with the disclosure of their personal information.

• Send commercial email to anyone who has not given permission or who you cannot demonstrate a clear pre-existing business relationship with.
• Buy, rent, or scrape email lists. We block uploads from known list-broker patterns and may demand list provenance.
• Conceal or falsify the sender identity, header fields, originating system, or routing information.
• Use deceptive subject lines or pre-headers (CAN-SPAM, ePrivacy).
• Misuse a Mailapp domain or IP to send through your own infrastructure as a relay.
• Use Mailapp to harvest, scrape, or otherwise collect personal information.
• Use Mailapp to send to an end-recipient who has unsubscribed or whose address is on a suppression list.

• Permission. Send only to people who opted in or who have a clear, demonstrable business relationship with you.
• Identification. Every marketing email must identify the sender, including a physical postal address.
• Unsubscribe. Every marketing email must contain a clear, working unsubscribe link that takes effect within ten business days (Mailapp processes most within seconds).
• One-click unsubscribe header. Mailapp adds List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058) automatically.
• Honest subject lines. Subject lines and pre-headers must accurately reflect the email content.
• Authentication. Mailapp requires SPF, DKIM (RSA 2048-bit), and DMARC alignment on every sending domain.
• Bounce hygiene. Hard bounces are auto-suppressed; you must not re-add them.
• Complaint thresholds. Spam-complaint rates above 0.3% trigger automatic review; 0.5% triggers automatic suspension.

• Healthcare (HIPAA, HITECH). Don't send protected health information (PHI) through Mailapp.
• Financial services (GLBA, NYDFS Part 500). Use signed sending domains and require MFA on all admin accounts.
• Education (FERPA). Limit student personally identifiable information; use educational-records workspaces where available.
• Cannabis, alcohol, firearms, tobacco. Comply with all jurisdictional restrictions and age-gating. You may not target jurisdictions where your product is illegal.
• Charities and political. Comply with local registration, transparency, and opt-out laws (e.g., FEC rules in the US, PECR in the UK).
• Crypto and securities. No unregistered offers or solicitations. No promotion of yield-farm Ponzis or rug-pulls. Disclose risks where required.

• Do not attempt to gain unauthorised access to any account, system, or data.
• Do not probe, scan, or test the vulnerability of any Mailapp system except through our public bug bounty.
• Do not interfere with or disrupt the integrity or performance of the Services, including via denial-of-service, slowloris, or volumetric attacks.
• Do not circumvent any rate limit, sending limit, or use-metering control.
• Do not use Mailapp to mine cryptocurrency or otherwise consume disproportionate compute.

• Do not use Mailapp as command-and-control infrastructure, data-exfiltration pipeline, or callback URL for malware.
• Do not use Mailapp to host or link to credential-harvesting pages.
• Do not use Mailapp to send unsolicited password-reset emails or to test the existence of an email address (account enumeration).
• Do not reuse Mailapp-issued credentials, API keys, or webhooks outside the intended scope.

• Don't use the AI assistant to draft prohibited content (phishing copy, malware, CSAM, etc.).
• Don't prompt the AI assistant to reveal model weights, system prompts, or internal Mailapp configuration.
• Don't use the AI assistant to make automated decisions about individuals that have legal or similarly significant effect without a human-in-the-loop.
• Don't feed copyrighted full-text bodies into the assistant for republication; quote-and-link is fine.

You may not direct marketing communications to children under 13 (or the equivalent age of digital consent in the recipient's jurisdiction, which may be up to 16) without verifiable parental consent and full COPPA / GDPR-K compliance. Mailapp's Children's Content workspace mode disables behavioural analytics, requires parental-consent verification artefacts, and prohibits third-party tag insertion.

If we believe you've violated the AUP, we may take one or more of the following actions:

• Send a warning and require remediation;
• Disable the offending content, list, automation, or feature;
• Suspend sending capacity until remediation is complete;
• Suspend the workspace;
• Terminate the account with no refund of unused Fees in the case of repeated or severe violations;
• Refer the matter to law enforcement or regulators where required by law (CSAM, terrorism, large-scale fraud).

Egregious violations (CSAM, active phishing, ongoing fraud) result in immediate termination with no warning and full cooperation with authorities. The factors we consider include severity, intent, recidivism, the scale of the affected audience, and whether you self-reported and mitigated.

• Forward suspicious emails to hello@mailapp.app.
• Include full headers when possible.
• Children's safety reports: hello@mailapp.app — these are triaged 24/7 within one hour.
• Security vulnerabilities: hello@mailapp.app or our bug bounty.
• You can also report unsubscribe failures or sender-impersonation directly from any Mailapp-sent email via the "Report" link in the footer.

If your account is suspended or terminated and you believe the action was incorrect, you may appeal by emailing hello@mailapp.app with your workspace ID, the relevant context, and any evidence you have. A senior member of Trust and Safety (not the original reviewer) will review the appeal within five business days. Appeals are tracked in our transparency report.

We may update this AUP to reflect new regulations, new abuse patterns, or new product capabilities. Material additions (new prohibitions) will be announced at least 30 days before they take effect. Updates that simply clarify existing prohibitions are effective on posting.