Note: This Acceptable Use Policy is incorporated by reference into the Commercial License Agreement and applies to all Validibot Cloud and Validibot Pro self-hosted customers. It defines prohibited data categories (including PHI, PCI, GDPR special category data, and controlled technical data) and prohibited activities. Breach of this AUP is a material breach of the Agreement.

Acceptable Use Policy

Version 1.0 โ€” Effective 16 April 2026

Copyright (c) 2025-2026 McQuillen Interactive Pty. Ltd. (ABN 49 600 623 069)

This Acceptable Use Policy ("AUP") governs your use of Validibot Cloud and any Validibot software licensed under the Commercial License Agreement (the "Agreement"). Capitalised terms not defined here have the meanings given in the Agreement.

The AUP is incorporated into the Agreement by reference. A breach of the AUP is a material breach of the Agreement and entitles McQuillen Interactive Pty. Ltd. ("Licensor", "we", "us") to suspend or terminate your access under Section 5.3 of the Agreement.

1. PURPOSE AND SCOPE

Validibot is a data validation platform operated by a small Australian team. The Service is designed for basic data validations workflows. It is not designed, certified, or suitable for processing regulated, classified, or highly sensitive data.

This AUP exists to:

(a) keep the Service safe, lawful, and useful for every Licensee;

(b) set out categories of data that you must not upload or transmit through the Service; and

(c) give Licensor a clear basis to suspend or terminate access where the AUP is breached.

2. PROHIBITED DATA

You warrant that you will not upload, transmit, store, process, or cause to be processed through the Service any of the following categories of data:

2.1 Protected Health Information (PHI) as defined by the US Health Insurance Portability and Accountability Act (HIPAA, 42 USC ยง1320d et seq.) and implementing regulations, including individually identifiable health information in any form. Validibot is not a HIPAA Business Associate and does not offer a Business Associate Agreement at any tier.

2.2 Payment card data (full primary account numbers, card verification values, magnetic stripe or chip data, PIN data, or any other "cardholder data" or "sensitive authentication data" as defined by the PCI Data Security Standard), except to the extent such data is entered directly into the Stripe-hosted checkout flow integrated into the Service. Licensor's systems are out of scope for PCI-DSS and must remain so.

2.3 GDPR special category data as defined by Article 9 of the EU General Data Protection Regulation 2016/679 and the equivalent provisions of the UK GDPR, including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

2.4 Personal information of children under the age of 16 (or under the applicable age of digital consent in your jurisdiction, whichever is higher), including data subject to the US Children's Online Privacy Protection Act (COPPA), the Australian privacy rules applicable to minors, or equivalent provisions elsewhere.

2.5 Controlled technical data subject to the US International Traffic in Arms Regulations (ITAR, 22 CFR Parts 120โ€“130), the US Export Administration Regulations (EAR, 15 CFR Parts 730โ€“774) above Commerce Control List classification EAR99, the Australian Defence Trade Controls Act 2012, or any equivalent export-control or dual-use regime.

2.6 Classified or government-restricted information of any jurisdiction, including material marked "Confidential", "Secret", "Top Secret", "Protected", "Restricted", or any equivalent classification under Australian, US, UK, EU, or other government information-handling frameworks.

2.7 Critical infrastructure data regulated under the Australian Security of Critical Infrastructure Act 2018 (SOCI Act) or the equivalent critical-infrastructure regimes of other jurisdictions, where upload to a non-accredited service would breach those obligations.

2.8 Financial account credentials (online banking passwords, brokerage login credentials, wallet seed phrases, private keys, full account numbers where disclosure would enable fraud).

2.9 Government-issued identification numbers where disclosure would materially enable identity theft, including full Social Security Numbers, Tax File Numbers, Medicare numbers, passport numbers, driver licence numbers, or equivalent national identifiers, except to the extent incidentally required to complete Licensor's own billing or compliance obligations.

2.10 Any data whose unauthorised access, disclosure, loss, or alteration would trigger a mandatory breach-notification obligation on Licensor under Applicable Data Protection Law, other than in respect of the routine categories of personal data described in the DPA (e.g. names, email addresses, IP addresses, and validation workflow metadata).

2.11 Unlawful content or content that infringes the intellectual property, privacy, publicity, or other rights of any third party.

2.12 Malware or any code, file, or content designed to disrupt, damage, or gain unauthorised access to any system, network, or data.

If you are uncertain whether data falls within a Prohibited Data category, you must contact Licensor at licensing@mcquilleninteractive.com before uploading it. Silence from Licensor does not constitute approval.

3. PROHIBITED ACTIVITIES

You must not, and must not permit any Authorised User or third party to:

(a) access or attempt to access any account, data, or system belonging to another Licensee;

(b) probe, scan, or test the vulnerability of the Service or any system or network connected to the Service, except under a written responsible-disclosure agreement with Licensor;

(c) circumvent, disable, or interfere with any authentication, rate-limiting, billing, usage-tracking, or security feature of the Service;

(d) use the Service to send unsolicited commercial messages, to conduct bulk marketing, or to send messages that violate the Australian Spam Act 2003, the US CAN-SPAM Act, or equivalent laws;

(e) use the Service to develop, train, or improve a product or service that directly competes with Validibot's core functionality as a building-simulation validation platform (this does not prevent you from using the Service for your own internal benchmarking);

(f) use automated means to access the Service beyond rates reasonably expected of an interactive user or documented API client, or to scrape, harvest, or extract data from other Licensees;

(g) use the Service to host, distribute, or deliver content or services to unaffiliated third parties where the primary value delivered is access to the Service itself (this does not restrict legitimate consultancy use; contact Licensor for an OEM/Embedded Licence if in doubt);

(h) use the Service to engage in activity that is unlawful in Australia, in Licensee's jurisdiction, or in the jurisdiction of the end user; or

(i) misrepresent your identity, your affiliation, or the origin of any data submitted to the Service.

4. YOUR RESPONSIBILITIES

4.1 Account security. You are responsible for the confidentiality of your credentials and for all activity under your account. Notify Licensor promptly at security@validibot.com of any suspected unauthorised access.

4.2 Your users. You are responsible for ensuring that your Authorised Users comply with this AUP. Your acts and omissions include those of your Authorised Users.

4.3 Your data. You represent and warrant that you have all rights, licences, consents, and authorisations necessary to upload, process, and store each item of Customer Data through the Service, and that doing so does not and will not infringe any third-party right or violate any applicable law.

4.4 Your backups. While Licensor takes reasonable steps to protect Customer Data against loss, you remain responsible for maintaining independent backups of any Customer Data the loss of which would cause you material harm. The availability and integrity commitments in Schedule B of the Agreement are not a substitute for your own backup regime, particularly during any period in which the Service is labelled as Early Access, Beta, Preview, or Experimental.

4.5 Compliance in your jurisdiction. You are responsible for ensuring that your use of the Service complies with all laws, regulations, industry standards, and contractual obligations applicable to you, including data-protection, export-control, sanctions, tax, and sector-specific requirements.

5. ENFORCEMENT

5.1 Investigation. Licensor may investigate suspected breaches of this AUP. In doing so, Licensor will access Customer Data only to the minimum extent reasonably necessary.

5.2 Suspension. Licensor may immediately suspend your access to the Service, without prior notice, where Licensor reasonably believes that:

(a) Prohibited Data has been uploaded to the Service;

(b) a Prohibited Activity is occurring or imminent;

(c) continued access would expose Licensor, other Licensees, or third parties to material legal, regulatory, reputational, or security risk; or

(d) suspension is required by law or by a binding order of a regulator or court.

Licensor will notify you of the suspension and, where practicable, give you an opportunity to cure before termination.

5.3 Termination. A material or repeated breach of this AUP entitles Licensor to terminate the Agreement under Section 5.3 of the Agreement, without refund of any pre-paid fees for the period from the date of breach.

5.4 Deletion of Prohibited Data. If Licensor identifies Prohibited Data within the Service, Licensor may quarantine, redact, or delete that data with notice to you, and may retain a forensic record of the incident for legal and regulatory purposes.

5.5 Reporting to authorities. Where required by law, or where Licensor reasonably believes a breach of this AUP involves the commission of a serious criminal offence or a serious threat to life or safety, Licensor may report the breach to the relevant authorities.

5.6 Indemnity. Without limiting Section 8.1 of the Agreement, you indemnify Licensor for any loss, damage, cost, or expense (including reasonable legal fees and the costs of any regulatory notification, investigation, or remediation) arising out of or in connection with any breach of this AUP.

6. REPORTING ABUSE

If you become aware of a breach of this AUP by another Licensee, a security vulnerability in the Service, or any use of the Service that you reasonably believe to be unlawful, please report it to abuse@validibot.com.

7. CHANGES TO THIS AUP

Licensor may update this AUP from time to time. Where a change is material and adverse to Licensees, Licensor will provide at least thirty (30) days' notice by email to the address on Licensee's Account and by posting the revised AUP at https://validibot.com/legal/aup. Continued use of the Service after the effective date of a revised AUP constitutes acceptance.

8. CONTACT

McQuillen Interactive Pty. Ltd. ABN 49 600 623 069 Bentleigh, Victoria 3204, Australia Email: licensing@mcquilleninteractive.com Abuse reports: abuse@validibot.com Security: security@validibot.com

This AUP forms part of the Commercial License Agreement and the Data Processing Addendum. Governing law: Victoria, Australia.