Acceptable use

1. Purpose of this policy

The purpose of this Acceptable Use Policy is to ensure that Flowpath's Services are used in a manner that is safe, lawful, ethical and respectful of the rights of others. Our Services are designed to help teams automate workflows and improve productivity — we want every user to benefit from a reliable, secure and trustworthy platform.

This policy applies to all users of the Services, including individuals on free plans, paid subscribers, API users, enterprise customers and any third parties who access the Services through integrations or embedded features.

2. Lawful use

2.1 General compliance

You must use the Services in compliance with all applicable local, national and international laws and regulations, including but not limited to laws governing data protection and privacy, electronic communications, intellectual property, anti-spam, consumer protection, financial services regulation, and export controls.

If you are unsure whether a particular use of the Services is lawful in your jurisdiction, you are responsible for seeking appropriate legal advice before proceeding.

2.2 Export controls

The Services may be subject to export control laws and regulations of the United States and other jurisdictions. You agree not to export, re-export, or transfer the Services or any data processed through the Services to any country, individual or entity in violation of applicable export control laws, including those administered by the US Department of Commerce Bureau of Industry and Security and the US Department of the Treasury Office of Foreign Assets Control (OFAC).

You represent and warrant that you are not located in, under the control of, or a national or resident of any country subject to US embargo, and that you are not on any US government list of prohibited or restricted parties.

2.3 Sanctions compliance

You agree not to use the Services in connection with any transaction or activity involving a person or entity subject to economic sanctions administered by the United States, European Union, United Kingdom, or United Nations.

3. Prohibited content

You may not use the Services to create, transmit, store, process or distribute any content that:

3.1 Is illegal or harmful

— Violates any applicable law or regulation — Facilitates, promotes or encourages illegal activity of any kind — Constitutes, facilitates or promotes child sexual abuse material (CSAM) or any content that sexually exploits or endangers minors — Promotes, glorifies or incites violence, terrorism, or acts of mass harm — Facilitates human trafficking, forced labour or modern slavery — Promotes or facilitates the manufacture, sale or distribution of illegal weapons, controlled substances or other regulated goods without appropriate authorisation

3.2 Violates third-party rights

— Infringes the intellectual property rights of any third party, including copyrights, trademarks, patents or trade secrets — Violates the privacy rights of any individual, including through unauthorised collection, processing or sharing of personal data — Constitutes defamation, libel, slander or malicious falsehood — Breaches any contractual obligation owed to a third party, including non-disclosure agreements or non-compete clauses

3.3 Is deceptive or fraudulent

— Is false, misleading or deceptive in any material respect — Impersonates any person or entity, or falsely represents an affiliation with any person or entity — Constitutes phishing, pretexting or any other form of social engineering intended to deceive individuals into disclosing sensitive information — Facilitates financial fraud, identity theft or any other form of fraudulent scheme

3.4 Is abusive or harassing

— Constitutes harassment, stalking, bullying or intimidation of any individual — Contains hate speech targeting individuals or groups on the basis of race, ethnicity, national origin, religion, gender, gender identity, sexual orientation, disability, or any other protected characteristic — Is designed to threaten, coerce or intimidate any individual or organisation

4. Prohibited technical conduct

4.1 Security violations

You must not use the Services to:

— Attempt to gain unauthorised access to any system, network, account or data, whether belonging to Flowpath or any third party — Probe, scan or test the vulnerability of any system or network without express written authorisation from the system owner — Exploit, circumvent or disable any security controls, authentication systems or access restrictions implemented by Flowpath or any third party — Intercept, monitor or capture network traffic without authorisation — Introduce, transmit or distribute malware, ransomware, spyware, adware, viruses, trojan horses, worms, logic bombs or any other malicious code or software

4.2 Infrastructure abuse

You must not use the Services to:

— Engage in any activity that places a disproportionate or unreasonable load on Flowpath's infrastructure, including denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, or any activity designed to overwhelm, degrade or disrupt the Services — Use automated tools, scripts or bots to access the Services in a manner that exceeds normal usage patterns or circumvents rate limits, unless expressly permitted by our API terms — Mine or extract data from the Services through scraping, crawling or any other automated means, except through our published API and in accordance with our API usage terms — Attempt to reverse engineer, decompile, disassemble or otherwise derive the source code of any software component of the Services — Modify, adapt, translate or create derivative works of the Services without our express written consent — Use the Services to benchmark or performance-test our platform for the purpose of publishing results without our prior written consent

4.3 API and integration misuse

If you access the Services through our API or through third-party integrations, you must comply with our API Terms of Service in addition to this policy. Specific prohibited conduct includes:

— Using the API to access data or functionality beyond what is authorised by your subscription plan — Sharing API keys, access tokens or authentication credentials with unauthorised parties — Using the API in a manner that degrades the experience of other users of the platform — Circumventing API rate limits or usage quotas through multiple accounts or other technical means

5. Data and privacy requirements

5.1 Personal data handling

If you use the Services to collect, process or store personal data of individuals located in the European Economic Area, United Kingdom, United States, or any other jurisdiction with applicable data protection laws, you are responsible for ensuring that your use of the Services complies with those laws.

This includes, but is not limited to, ensuring you have a lawful basis for processing, providing appropriate notice to data subjects, honouring data subject rights requests, and entering into a Data Processing Agreement with Flowpath where required.

5.2 Sensitive data categories

You must not use the Services to process special categories of sensitive personal data — including health data, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, or data concerning criminal convictions — unless you have entered into a specific Data Processing Agreement with Flowpath that covers such processing and have implemented appropriate safeguards.

5.3 HIPAA compliance

The Services are not configured for HIPAA compliance by default. If you intend to use the Services to process Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), you must first enter into a Business Associate Agreement (BAA) with Flowpath and operate solely on our HIPAA-compliant Enterprise infrastructure tier. Processing PHI without a signed BAA is a material violation of this policy.

5.4 Children's data

You must not use the Services to knowingly collect, process or store personal data of children under the age of 13, or under the applicable age of digital consent in your jurisdiction, without verifiable parental consent. If you operate a service directed at children, you must contact us before using Flowpath to process any data related to that service.

5.5 Spam and unsolicited communications

You must not use the Services to send, facilitate or enable unsolicited bulk commercial communications, including email spam, SMS spam, or any other form of unsolicited mass messaging. All outbound communications facilitated through Flowpath workflows must comply with applicable anti-spam legislation, including the US CAN-SPAM Act, the Canadian CASL, and the EU ePrivacy Directive.

6. Competitive and reputational restrictions

6.1 Competitive intelligence

You may not use the Services to systematically collect information about Flowpath's features, pricing, performance, or business operations for the purpose of developing a competing product or service, or for providing such information to a third party developing a competing product or service.

6.2 Benchmarking

You may not publish performance benchmarks, comparative analyses, or security assessments of the Services without our prior written consent. This restriction does not prevent you from evaluating the Services for your own internal purposes.

6.3 Reputational harm

You may not use the Flowpath name, logo, or brand assets in any way that could reasonably be construed as disparaging, defamatory or damaging to Flowpath's reputation, without our prior written consent. Permitted uses of our brand assets are governed by our Brand Guidelines, available on request.

7. Agent and workflow requirements

7.1 Responsible automation

When building and deploying automated Agents through the Services, you are responsible for ensuring that those Agents operate in a lawful, ethical and responsible manner. Specifically, you must ensure that:

— Agents do not automate actions that would violate any applicable law or regulation — Agents do not interact with third-party services in a manner that violates the terms of service of those services — Agents that send communications to individuals comply with applicable consent and opt-out requirements — Agents that make consequential decisions affecting individuals — such as credit decisions, hiring decisions, or medical recommendations — comply with applicable laws governing automated decision-making, including Article 22 of the GDPR

7.2 AI step usage

When using AI steps powered by large language models within your Agents, you must ensure that the outputs of those AI steps are not used to:

— Generate or distribute misinformation, disinformation or deliberately misleading content at scale — Produce content that violates any provision of Section 3 of this policy — Circumvent or manipulate AI safety measures implemented by Flowpath or its AI providers — Impersonate individuals or organisations without their consent — Generate content that is defamatory, harassing or harmful to identifiable individuals

7.3 Third-party service compliance

When connecting third-party services to your Agents through Flowpath's integration library, you are responsible for ensuring that your use of those integrations complies with the terms of service and acceptable use policies of the relevant third-party providers. Flowpath is not liable for any breach of third-party terms caused by your use of the Services.

8. Reporting violations

8.1 How to report

If you become aware of any use of the Services that violates this Acceptable Use Policy, we encourage you to report it to us promptly. Reports can be submitted by email to abuse@flowpath.ai or through the in-app reporting mechanism available in your account settings.

Please include as much detail as possible, including the nature of the violation, the account or content involved, and any supporting evidence.

8.2 Good faith reporting

We take all reports seriously and will investigate promptly. We will not take any retaliatory action against individuals who report violations in good faith. However, submitting false or malicious reports is itself a violation of this policy.

9. Consequences of violations

9.1 Enforcement actions

We reserve the right to take any of the following actions in response to a violation of this policy, at our sole discretion and without prior notice where circumstances require it:

— Issue a formal warning — Temporarily suspend access to some or all features of the Services — Terminate the offending account and all associated accounts — Remove or disable access to content that violates this policy — Report the violation to relevant law enforcement authorities or regulatory bodies — Pursue civil or criminal legal action where appropriate

9.2 No obligation to monitor

We are not obligated to actively monitor the Services for violations of this policy. However, we may do so and may use automated systems, third-party tools and human review to identify potential violations.

9.3 Appeals

If you believe your account has been suspended or terminated in error, you may appeal by contacting support@flowpath.ai within 14 days of the enforcement action. We will review your appeal and respond within 10 business days. Our decision on appeal is final.

10. Changes to this policy

We reserve the right to update this Acceptable Use Policy at any time to reflect changes in our Services, applicable law, or industry standards. We will provide at least 30 days' written notice of material changes by email or by displaying a prominent notice within the Services.

Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised policy. If you do not agree to the updated policy, you must stop using the Services before the effective date of the change.

11. Contact us

If you have questions about this Acceptable Use Policy or wish to report a violation, please contact us at:

Flowpath, Inc. Email: abuse@flowpath.ai Legal inquiries: legal@flowpath.ai Address: 548 Market Street, Suite 100, San Francisco, CA 94104, United States

For data protection enquiries from users in the European Union or United Kingdom, please contact our data protection representative at: dpo@flowpath.ai