Acceptable Use Policy

Last Updated: May 2026 | Version 1.0

This Acceptable Use Policy (the "AUP") sets out the practices you must follow when using the GatiFlow Service. It is incorporated by reference into the Terms of Service and forms an integral part of the contract between GatiFlow and each Customer. Defined terms in this AUP have the meanings given in the Terms of Service.

1. Purpose and scope

The AUP exists for three reasons:

1. To protect the natural persons whose public signals are aggregated into the Service. Although the signals are public, their combination and analysis create heightened risks of harm to the data subjects, and certain uses are prohibited by data-protection and anti-discrimination law.

2. To protect the public data sources from which GatiFlow draws signals (open-source repositories, package registries, public job boards, public technical communities). Misuse of the Service that violates the source terms exposes the entire ecosystem and may force GatiFlow to terminate the collector for that source.

3. To protect the Service itself from abuse that would degrade availability or accuracy for other Customers.

2. Permitted uses

Subject to your Subscription plan and the restrictions in this AUP, you may use the Service to:

• Inform market intelligence and competitive-research workstreams within your organization

• Identify trends in technology adoption, open-source ecosystems, and developer hiring relevant to your business

• Generate internal reports, dashboards, and briefings supporting investment, product, or talent-strategy decisions

• Feed signals (via the API or webhooks) into your internal systems for human-reviewed analysis

• Share Output excerpts internally and, with attribution to GatiFlow and within the limits of the Terms of Service, externally

All permitted uses presume that any Output concerning natural persons is subject to meaningful human review before any decision affecting that person is taken (see §5).

3. Prohibited uses — general

You must not, and must not permit any user, contractor, or other party acting on your behalf, to use the Service:

(a) In violation of any applicable law, regulation, court order, or third-party right (including intellectual-property, privacy, publicity, anti-discrimination, employment, and consumer-protection law)

(b) To deceive, defraud, or mislead any person, including by passing off Outputs as originating from a source other than GatiFlow, or by altering Outputs in a manner that materially changes their meaning

(c) To engage in or facilitate any unlawful, fraudulent, or deceptive activity, or any activity that would expose GatiFlow to legal liability or reputational harm

(d) In any manner that violates the terms of service or acceptable-use policy of any third-party source from which GatiFlow derives signals

(e) To transmit or store any malicious code, ransomware, worm, virus, or similar software

(f) To scan, probe, test, attack, or attempt to gain unauthorized access to the Service, its infrastructure, other Customers' accounts, or any system that the Service connects to

(g) In a manner that imposes a load on the Service materially in excess of what is reasonable for your Subscription plan, including by circumventing rate limits or quotas

(h) To disclose to a third party (other than your professional advisers under confidentiality) any credentials, API keys, webhook secrets, or other authentication artifact

4. Prohibited uses — talent intelligence and individual signals

The Service produces signals concerning natural persons (developers, maintainers, candidates, employees, applicants). Although these signals are derived from public sources, their aggregation creates a profile that the data subject has not necessarily anticipated. You must not:

(a) Use any Output to harass, stalk, intimidate, dox, defame, or otherwise target a natural person

(b) Use any Output to discriminate against a natural person on any ground prohibited by applicable law, including race, ethnicity, national origin, religion, age, sex, sexual orientation, gender identity, disability, pregnancy, marital or family status, veteran status, or political opinion

(c) Use any Output to monitor a current employee or contractor of yours in a manner that violates applicable employment, privacy, or labor law

(d) Re-identify a natural person whose data has been anonymized or pseudonymized in any source, including by combining Outputs with private data sources to reverse pseudonymization

(e) Use signals about an individual's employment status, location, or activity to publicly speculate about that individual's circumstances or plans (e.g. publishing that a developer is about to be laid off based on signal patterns)

(f) Use the Service for unsolicited mass outreach to natural persons identified in Outputs, including unsolicited recruiting campaigns, except where you have a lawful basis for outreach under applicable law (e.g. legitimate interest under GDPR Art. 6(1)(f), or applicable consent rules under ePrivacy or CAN-SPAM equivalents) and the outreach complies with that law's transparency, opt-out, and frequency rules

(g) Submit Outputs (or any data derived from Outputs) as evidence in any legal, regulatory, or administrative proceeding involving a natural person without first independently verifying the underlying facts

5. Automated decision-making and AI Act compliance

This Section reflects, among other instruments, Article 22 of the EU General Data Protection Regulation (GDPR), the EU Artificial Intelligence Act, the EU's prohibition of certain AI practices in the employment context, and analogous provisions in other jurisdictions (e.g. the New York City Local Law 144 on automated employment decision tools, the Illinois Artificial Intelligence Video Interview Act, and the Colorado AI Act). You remain responsible for compliance with all such laws applicable to you.

5.1 Decisions concerning natural persons

You must not use any Output as the sole or primary basis for any decision producing legal effects concerning, or similarly significantly affecting, a natural person, without meaningful human review. "Meaningful human review" requires (i) a qualified human reviewer with the authority and competence to override the Output, (ii) consideration of additional information beyond the Output, and (iii) a documented basis for the resulting decision. A perfunctory click-through, sign-off, or rubber-stamp does not constitute meaningful human review.

The following uses are absolutely prohibited regardless of any human-review process:

(a) Using the Service to score, rank, screen, shortlist, reject, hire, promote, terminate, set the compensation of, or otherwise make a final personnel decision about a natural person, where the Output is the determining factor

(b) Using the Service to evaluate the creditworthiness, insurance risk, housing eligibility, or law-enforcement risk of a natural person

(c) Using the Service for any practice listed as a "prohibited AI practice" under Article 5 of the EU Artificial Intelligence Act, including social scoring, real-time biometric identification, predictive policing, emotion recognition in workplace or education, and exploitation of vulnerabilities

(d) Using the Service to assess the eligibility of a natural person to access an essential private or public service

5.2 High-risk uses under the EU AI Act

The Service is not provided for use as a high-risk AI system within the meaning of Annex III of the EU AI Act (employment, education, access to essential services, law enforcement, migration, and similar contexts) without an explicit written supplemental agreement with GatiFlow. Where you intend such a use, you must contact compliance@gatiflow.io before use, complete a Data Protection Impact Assessment (DPIA), and execute a supplemental agreement that allocates obligations under Articles 16–27 of the AI Act and Article 35 GDPR.

5.3 Mandatory disclosure to data subjects

Where you use Outputs to assist any decision that may significantly affect a natural person, you must (i) inform the data subject of the use of automated processing in accordance with GDPR Articles 13–15 and analogous provisions of applicable law, (ii) provide meaningful information about the logic involved, and (iii) explain the significance and envisaged consequences of the processing for the data subject. You must enable the data subject to exercise the rights of access, rectification, erasure, objection, and human review.

5.4 Transparency of AI-generated content

Outputs that include AI-generated narratives are flagged in the Service interface and in the API response (via a metadata field). You must not remove, alter, or obscure these flags when republishing or sharing Outputs.

5.5 Training prohibition

You must not use Outputs, raw signals, or any data extracted from the Service to train machine-learning models, foundation models, or other AI systems, whether for your own use or for distribution to third parties, except with the prior written consent of GatiFlow.

6. Data-source compliance

The Service derives signals from public third-party sources. You must not use the Service in a manner that would cause GatiFlow or any other Customer to breach the terms of service of any source. In particular, you must not:

(a) Attempt to use the Service to circumvent any access restriction, rate limit, or authentication requirement of a third-party source

(b) Use Outputs to build a product that competes with the third-party source in a manner that the source's own terms prohibit

(c) Attempt to extract the raw underlying data from a source by interrogating the Service in patterns designed to reconstruct that source's database

GatiFlow makes commercially reasonable efforts to comply with source terms in its collectors. Where a source updates its terms in a manner that renders continued collection non-compliant, GatiFlow may suspend or remove the affected signals from the Service without notice and without liability to you.

7. Technical abuse and Service integrity

You must not:

(a) Exceed the rate limits or quotas applicable to your Subscription plan, or attempt to do so by rotating credentials, sharing accounts across persons, or distributing requests across multiple accounts owned or controlled by the same legal person

(b) Submit malformed, recursive, or adversarial requests intended to exhaust Service resources

(c) Probe for vulnerabilities in the Service except under an explicit written authorization from GatiFlow (see §11 for responsible-disclosure rules)

(d) Interfere with another Customer's use of the Service

(e) Embed the Service in any product or interface that obscures from end users that the Service is the source of Outputs

(f) Share an account, credentials, or API keys across multiple legal entities except where expressly authorized by your order form

You are responsible for all activity occurring under your account.

8. Reselling and redistribution

Except as expressly permitted in the Terms of Service or in a written order form executed by GatiFlow, you must not resell, sublicense, redistribute, syndicate, or otherwise make available the Service, Service Data, or Outputs (in whole or in substantial part) to any third party. This restriction includes:

(a) Including Outputs as a chargeable component of your own product or service

(b) Reposting daily reports or weekly digests, in whole or in substantial part, to a public website or newsletter

You may share individual Output excerpts internally without restriction and externally with attribution as set out in the Terms of Service.

9. Content that is prohibited regardless of context

You must not use the Service to ingest, store, transmit, or generate any content that:

(a) Is unlawful, defamatory, threatening, abusive, or invasive of another's privacy

(b) Contains sexually explicit material involving any minor, or any other content prohibited by child-protection law

(d) Infringes a third party's intellectual-property rights

(e) Contains personal data of children below the age of digital consent under applicable law, processed in violation of that law

(f) Constitutes regulated health, financial, or biometric data subject to legal regimes (e.g. HIPAA, PCI DSS) that you are not contractually entitled to share with GatiFlow

10. Reporting and enforcement

10.1 Reporting misuse

Any person who believes that a Customer is using the Service in violation of this AUP may report the matter to abuse@gatiflow.io. GatiFlow investigates reports of material misuse and may take action up to and including immediate suspension or termination of the offending account.

10.2 Right to act

GatiFlow reserves the right, but not the obligation, to investigate any suspected violation of this AUP. GatiFlow may (a) suspend your access to the Service pending investigation, (b) require you to remediate within a defined period, (c) terminate your Subscription for material breach in accordance with the Terms of Service, (d) report the violation to law-enforcement or regulatory authorities where required by law or where the violation creates a credible risk of harm to a third party, and (e) take any other action available to GatiFlow at law or in equity.

10.3 No waiver

GatiFlow's failure to enforce any provision of this AUP in any given instance is not a waiver of GatiFlow's right to enforce that or any other provision in any future instance.

10.4 Cooperation with investigations

You must cooperate in good faith with any reasonable GatiFlow investigation of suspected AUP violations, including by providing requested logs, access records, and documentation of your compliance controls.

11. Responsible disclosure (security research)

GatiFlow welcomes good-faith security research. Researchers who identify a security vulnerability are encouraged to report it to security@gatiflow.io with sufficient detail to reproduce. GatiFlow commits to:

(a) Acknowledging the report within five (5) business days

(b) Not pursuing legal action against researchers who act in good faith, do not access, modify, or delete Customer Data beyond what is strictly necessary to demonstrate the vulnerability, do not publicly disclose before a coordinated disclosure window has elapsed (default ninety (90) days from the acknowledgment), and otherwise comply with this Section

Researchers must not violate any other provision of this AUP in the course of their research. Authorized security research is the only context in which technical probing of the Service is permitted.

12. Changes to this AUP

GatiFlow may update this AUP from time to time. Material changes are notified to active Customers in accordance with the Terms of Service. Non-material changes (clarifications, formatting) may take effect immediately upon posting. Continued use after the effective date of a material change constitutes acceptance.

13. Contact

AUP violations and abuse reports: abuse@gatiflow.io

Security vulnerabilities: security@gatiflow.io

Compliance / AI Act / high-risk uses: compliance@gatiflow.io

General legal inquiries: legal@gatiflow.io