All legal documents
Legal & Compliance
Acceptable Use Policy
Version1.0UpdatedJul 4, 2026Reading time12 min read
1. Introduction
This Acceptable Use Policy ("AUP") sets forth the rules and guidelines for using FlowFn ("Service"), operated by FLOW FN PTE. LTD. (UEN 202617303Z), a company incorporated in Singapore ("we", "us", or "our"). This AUP is incorporated into and forms part of our Terms of Service. Violations of this AUP may result in suspension or termination of your account. By using the Service, you agree to comply with this AUP.
2. Prohibited Uses - Illegal Activities
You may not use the Service for any illegal purpose or in violation of any applicable laws, regulations, or rules. Prohibited activities include but are not limited to: (a) fraud, theft, or financial crimes; (b) harassment, stalking, or threats; (c) distribution of illegal content; (d) violation of intellectual property rights; (e) unauthorized access to computer systems; (f) money laundering or terrorist financing; (g) violation of export control laws; or (h) any activity that could subject us to legal liability.
3. Prohibited Uses - Spam and Unsolicited Communications
You may not use the Service to send spam, unsolicited bulk messages, or unsolicited commercial communications. Prohibited activities include: (a) sending emails to recipients who have not opted in; (b) using harvested or purchased email lists; (c) sending messages that violate CAN-SPAM Act, GDPR, PDPA, or similar laws; (d) failing to include unsubscribe mechanisms; (e) using misleading subject lines or sender information; (f) sending messages that could be classified as spam by recipients or filters; or (g) using the Service to facilitate spam operations. Sender liability for user-configured outbound communications: when you configure a workflow or integration to send emails, SMS, push notifications, or other messages to third parties (whether through FlowFn-provided email, your bring-your-own-key SMTP / messaging providers, Slack, Twilio-style integrations, or any other channel), you are the sender of those messages for purposes of CAN-SPAM, GDPR, PDPA marketing consent rules, TCPA, and any other applicable anti-spam, telemarketing, or messaging laws. FlowFn acts as a technical conduit, does not pre-review or approve message content, and is not liable for your violations of these laws. You agree to maintain valid consent and unsubscribe mechanisms, identify yourself accurately as the sender, honour opt-outs, and indemnify FlowFn for any claims arising from messages you send through the Service.
4. Prohibited Uses - Abuse and Harmful Content
You may not use the Service to create, transmit, or store content that: (a) is defamatory, libelous, or slanderous; (b) promotes violence, hate speech, or discrimination; (c) contains malware, viruses, or harmful code; (d) infringes intellectual property rights; (e) violates privacy rights or contains personal information without consent; (f) is pornographic, obscene, or sexually explicit (unless legally permitted and properly labeled); (g) promotes illegal activities; (h) could cause harm to individuals, systems, or organizations; (i) authors or hosts in a Playground any malicious code, drive-by exploits, browser-fingerprinting beyond what is required for the Playground's stated purpose, cryptocurrency miners, or code designed to attack, phish, deceive, or compromise users of any third-party site on which the Playground is embedded; or (j) uses Playgrounds to facilitate unauthorized access to or data exfiltration from embedding third-party domains. Where we have a reasonable basis to believe a Playground breaches this Section, we may disable or restrict access to it. Wherever practicable, we will (1) restrict access only to the extent reasonably necessary to address the suspected violation; (2) notify the Playground owner of the action and the reasons for it; and (3) provide the Playground owner with a meaningful opportunity to respond, in line with our Content Moderation Policy. Where the suspected violation poses an imminent risk of serious harm to users, third parties, or our infrastructure, we may act without prior notice and notify the Playground owner promptly thereafter.
4A. Public Hosting and Subdomain Use
FlowFn assigns each app a subdomain of the form <name>.flowfn.com and lets eligible plans attach a custom domain — and, on a custom domain, lets each non-root Playground in the app take its own subdomain of that domain (<label>.your-domain.com) — which host your public Forms, Visualizers, and Playgrounds. You may not claim, use, or attempt to claim a subdomain, a per-Playground subdomain label, or a custom domain (or configure any of them) that: (a) impersonates, or is confusingly similar to, a real company, product, service, public figure, or government body in a way likely to deceive visitors (for example, a name resembling a bank, payment provider, or well-known brand used to phish or defraud) — this applies equally to a label you carve under your own verified custom domain (such as a 'pay' or 'login' subdomain used to deceive); (b) infringes a third party's trademark or other rights; or (c) is intended to shadow, intercept, or misdirect traffic meant for another site. We maintain a list of reserved names (operational, security-sensitive, and platform terms) that cannot be claimed, and we may refuse, reclaim, rename, or release any subdomain, per-Playground subdomain label, or custom domain that we reasonably believe violates this Policy or is used for abuse, with notice where practicable. Subdomains are provided for use, not ownership: they remain part of the Service, are unique across FlowFn (or, for a per-Playground label, within the app) on a first-come basis, and a subdomain is released for re-use when the app holding it is deleted; a per-Playground subdomain is released when its Playground is deleted or its label is changed or cleared, or when the app's custom domain is removed.
5. Automation Restrictions
While FlowFn is an automation platform, you must use automation responsibly: (a) Do not create workflows that violate rate limits of third-party services; (b) Do not use automation to circumvent security measures or access controls; (c) Do not create workflows that could overload or disrupt third-party services; (d) Respect robots.txt and terms of service of websites you interact with; (e) Implement appropriate delays and error handling in workflows; (f) Do not use automation to scrape websites without permission; and (g) Ensure your automation complies with applicable laws and third-party terms.
6. Third-Party Service Usage Rules
When using third-party integrations, you must: (a) comply with the terms of service of each third-party service; (b) obtain necessary permissions and authorizations; (c) respect rate limits and usage restrictions; (d) not use integrations to violate third-party policies; (e) not share OAuth tokens or credentials with unauthorized parties; (f) promptly disconnect integrations if requested by third parties; and (g) ensure your use of third-party services is lawful and ethical. We are not responsible for your violations of third-party terms.
7. AI Model Usage Restrictions
When using AI models through the Service, you must: (a) comply with AI provider terms of service and usage policies; (b) not use AI to generate illegal, harmful, or infringing content; (c) not use AI to impersonate others or create deepfakes without disclosure; (d) not use AI to generate spam or misleading content; (e) respect content policies of AI providers; (f) not attempt to reverse engineer or extract training data from AI models; (g) ensure AI-generated content is properly reviewed and validated before use; and (h) not include Singapore NRIC, FIN, work-permit, or birth-certificate numbers, or other special-category personal data, in prompts, file attachments, or workflow AI inputs except where Section 11 of this AUP permits.
8. Rate Limiting and Abuse Prevention
We implement rate limits and usage restrictions to ensure fair use and prevent abuse. You must not: (a) attempt to circumvent rate limits or usage restrictions; (b) create multiple accounts to exceed limits; (c) use automated tools to bypass restrictions; (d) share accounts to circumvent individual limits; (e) engage in activities that could degrade Service performance; or (f) use the Service in a manner that could harm other users or the Service infrastructure.
8A. Public Usage Limits and Cost Controls
Your public, third-party-facing surfaces — published Playgrounds, Forms, Visualizers, Agents (embed chat widget and webhook), Streams, MCP server endpoints (the external MCP host you expose to third-party AI clients), and webhook-triggered Workflows — are subject to per-plan daily usage limits on traffic driven by visitors and other third parties, so that anonymous or automated traffic cannot run up costs beyond what your plan covers. When a public resource reaches its daily limit, we may temporarily pause new public requests to that resource for the remainder of the day; access resumes automatically at the daily reset. Your own authenticated use from the dashboard is not affected by these public limits. You may not attempt to circumvent these limits, for example by sharding traffic across multiple resources, Sheets, or accounts. On free and other no-cost plans, AI features exposed on public surfaces (such as a public Agent's chat widget or webhook) must run on your own AI provider API key (bring-your-own-key); FlowFn does not fund AI inference driven by anonymous third parties on no-cost plans. You can review your public usage, your limits, and any currently paused resources under Billing, and you can raise your limits by upgrading your plan. We may adjust these limits and add new metered surfaces from time to time, with notice where practicable.
9. Security and Access Restrictions
You may not: (a) attempt to gain unauthorized access to the Service or other users' accounts; (b) probe, scan, or test vulnerabilities of the Service; (c) interfere with or disrupt the Service or servers; (d) use the Service to launch attacks against other systems; (e) attempt to reverse engineer, decompile, or disassemble the Service; (f) bypass security measures or authentication systems; (g) share your account credentials with others; or (h) use the Service to facilitate security breaches.
10. Intellectual Property and Content Restrictions
You may not: (a) use the Service to infringe copyrights, trademarks, or other intellectual property rights; (b) upload or process content you do not have rights to; (c) use the Service to create derivative works without authorization; (d) remove or alter copyright notices or proprietary markings; (e) use the Service to distribute pirated content; or (f) violate any intellectual property rights of third parties.
11. Data Protection and Privacy
You must: (a) comply with applicable data protection laws (GDPR, CCPA, PDPA, etc.); (b) obtain necessary consents before collecting or processing personal data; (c) implement appropriate security measures for data you process; (d) not process sensitive personal data without proper safeguards; (e) respect privacy rights of individuals; (f) not use the Service to collect data without consent; and (g) handle data subject requests appropriately. You are responsible for ensuring your use of the Service complies with data protection laws. Singapore-specific guidance: in line with the Personal Data Protection Commission's Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identification Numbers, you must not collect, use, disclose, or otherwise process Singapore NRIC numbers, FIN numbers, work-permit numbers, or birth-certificate numbers through the Service (including in workflow inputs, form responses, AI prompts, or file attachments) unless: (i) you are required to do so by law or pursuant to an exception listed in the Guidelines; (ii) collection is necessary to accurately establish or verify the identity of the individual to a high degree of fidelity; or (iii) you have obtained the individual's express consent for a specifically notified purpose. The same restriction applies to other special-category data (health data, financial account numbers, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, sex life or sexual orientation) unless you have an appropriate lawful basis and have notified the affected individuals.
12. Form and Data Collection Restrictions
When creating forms or collecting data through the Service, you must: (a) obtain proper consent from form respondents; (b) provide clear privacy notices; (c) comply with applicable laws regarding data collection; (d) not collect sensitive information without proper safeguards; (e) not use forms to collect data for illegal purposes; (f) respect opt-out requests; and (g) securely handle collected data. You are responsible for the data you collect through forms.
12A. Playground Visitor Uploads and Public Sheet Writes
Playgrounds offer two opt-in primitives that let anonymous visitors send data into your workspace: (i) visitor file uploads via the in-Playground flowfn.upload primitive, gated by the per-Playground "Allow visitor uploads" toggle; and (ii) public writes to a Data Sheet, served through a Playground you have published that links the Database, via flowfn.data.insert / update / delete and gated by per-sheet "Allow public insert / update / delete" toggles. Each toggle defaults to off. When you turn one on, you become responsible for everything visitors submit through it, on the same footing as the Form and Data Collection Restrictions above. Specifically, you must: (a) display a visible privacy notice in the Playground UI describing what you collect and how you will use it; (b) obtain consent where required by the visitor's jurisdiction (GDPR, CCPA, PDPA, etc.); (c) not solicit Singapore NRIC, FIN, work-permit, or birth-certificate numbers, or other special-category personal data, from visitors except where Section 11 of this AUP permits; (d) not solicit material that would breach Section 4 (Abuse and Harmful Content) of this AUP or Section 2 of the Trust & Safety / Content Moderation Policy; (e) take reasonable steps to monitor what visitors submit and to delete unlawful, infringing, or out-of-policy submissions through the dashboard's Uploads pane and Sheet Manager; (f) honour data-subject deletion requests from visitors who can prove their submission; and (g) understand that the public update and delete sheet toggles allow ANY visitor to mutate ANY row in that sheet — there is no per-visitor authorship enforcement, so only enable those toggles where any-visitor-can-edit-any-row is acceptable for your use case. We apply per-Playground rate limits and per-team daily / per-plan caps to visitor uploads and public sheet writes to limit accidental and intentional abuse; you may not attempt to circumvent these limits (for example, by sharding writes across multiple Playgrounds or Sheets). Allowed visitor upload file types are restricted by MIME prefix (images, audio, video, plain text, common document and archive formats) and by a per-team / per-plan maximum file size. We may, without prior notice, disable the visitor-upload toggle, public sheet write toggles, or the entire Playground where we reasonably believe these primitives are being used to host or collect unlawful, harmful, or out-of-policy content, in line with our Content Moderation Policy.
13. Team Collaboration Restrictions
When using team features, you must: (a) only invite authorized team members; (b) respect team member privacy and data; (c) not share team access with unauthorized parties; (d) comply with your organization's policies; (e) not use team features to circumvent individual account restrictions; and (f) ensure team members comply with this AUP.
14. Monitoring and Enforcement
We reserve the right to: (a) monitor Service usage to detect violations; (b) investigate suspected violations; (c) suspend or terminate accounts that violate this AUP; (d) remove or disable content that violates this AUP; (e) report violations to law enforcement; (f) cooperate with legal investigations; and (g) take any other action we deem necessary to protect the Service and users. We are not obligated to monitor but may do so at our discretion.
15. Consequences of Violation
Violations of this AUP may result in: (a) warnings and requests to correct violations; (b) temporary suspension of account or features; (c) permanent termination of account; (d) deletion of content or data; (e) legal action if violations are illegal; (f) reporting to law enforcement; or (g) any combination of the above. We determine violations and consequences at our sole discretion. We are not required to provide warnings before taking action.
16. Reporting Violations
If you become aware of violations of this AUP, please report them to support@flowfn.com. Include as much detail as possible, including: (a) description of the violation; (b) account or content involved; (c) evidence of the violation; and (d) your contact information. We will investigate reports promptly and take appropriate action.
17. Changes to This Policy
We may update this AUP from time to time. Material changes will be notified via email or through the Service. Your continued use of the Service after changes become effective constitutes acceptance of the updated AUP. If you do not agree to changes, you must stop using the Service.
18. Contact Information
Questions about this AUP should be directed to support@flowfn.com. Reports of violations should be sent to support@flowfn.com. For general support, visit https://www.flowfn.com/dashboard/support.