
Counsel-ready draft

Acceptable Use Policy draft

Draft acceptable use policy for prohibited content submission, unlawful monitoring, integration misuse, security abuse, high-risk uses, and enforcement.

Draft version: 0.1
Effective date: Pending counsel review
Last updated: May 2, 2026

Draft publication status

This page is counsel-ready draft content, not final legal advice and not a final published policy. It must stay draft-labeled until legal, security, product, subprocessor, and cookie/analytics reviews are complete.

1. Purpose

This Acceptable Use Policy protects HeadsDown users, integrations, customers, infrastructure, and the public. It applies to use of HeadsDown websites, apps, APIs, SDKs, command-line tools, agent integrations, public pages, and related services.

HeadsDown is designed to call the play for agent runs and routing decisions using privacy-safe metadata. Do not use HeadsDown to collect sensitive work content, monitor people unlawfully, or bypass consent.

2. Prohibited content submission

You must not submit or attempt to submit the following to metadata-only agent-run, outcome-reporting, or routing-decision surfaces:

  • Prompts, model responses, transcripts, or message bodies.
  • Source code, diffs, patches, file contents, snippets, stack traces, or tracebacks.
  • File paths, directory paths, repository names, remote URLs, branch names, commit messages, PR bodies, issue bodies, ticket bodies, or ticket descriptions.
  • Terminal output, stdout, stderr, test logs, build logs, compiler logs, screenshots, or screen recordings.
  • Calendar event titles, descriptions, attendees, locations, or conferencing links.
  • Slack messages, email bodies, chat messages, notification bodies, direct-message content, or other human message contents.
  • Secrets, API keys, access tokens, passwords, cookies, environment variables, or credential values.

Use categories, counts, buckets, booleans, call/action keys, reason codes, validation states, outcomes, and opaque identifiers instead.

3. No unlawful monitoring or surveillance

You must not use HeadsDown to unlawfully monitor employees, contractors, customers, candidates, users, or other people.

You must not use HeadsDown to infer protected characteristics, evaluate employee productivity, rank employees, make employment decisions, or conduct hidden surveillance unless a separate legal basis, notice, and product agreement expressly permit the use. The product framing is agent-run governance and routing decisions, not employee monitoring.

TODO: Counsel to confirm employment, biometric, workplace monitoring, and jurisdiction-specific language.

4. No sensitive-data extraction or privacy-boundary bypass

You must not use HeadsDown to bypass privacy controls, smuggle content into metadata fields, reverse-engineer workspace identifiers, derive identifiers from paths or repository names, evade safe-token validation, or force integrations to send data HeadsDown does not need.

You must not hash prompts, code, file paths, repository names, branch names, URLs, messages, or logs and send those hashes to HeadsDown unless a separate written contract and implemented product surface explicitly allow it.

5. Integration misuse

You must not connect integrations you are not authorized to use, impersonate another integration, misrepresent client identity, misuse API keys or tokens, ignore revocation, exceed rate limits, or use overrides as a routine way to bypass user rules.

You must not build an integration that depends on HeadsDown receiving prohibited content, unsupported fields, or final API behavior that has not shipped.

6. Security abuse

You must not:

  • Probe, scan, attack, disrupt, overload, or degrade HeadsDown systems.
  • Attempt unauthorized access to accounts, data, tokens, API keys, admin tools, logs, or infrastructure.
  • Circumvent authentication, authorization, rate limits, privacy validation, security controls, or feature flags.
  • Introduce malware, credential-stealing code, exfiltration tools, spam, phishing, or harmful automation.
  • Use HeadsDown to coordinate abuse of third-party systems.
  • Publicly disclose vulnerabilities without following responsible disclosure practices.

TODO: Counsel/security to confirm vulnerability disclosure process and contact path.

7. Legal and regulated-use restrictions

You must not use HeadsDown for illegal activity or to violate third-party rights.

You must not use HeadsDown as the sole control for emergency response, medical decisions, legal decisions, financial trading, safety-critical systems, weapons, law enforcement surveillance, or other high-risk use cases unless a separate written agreement expressly permits the use and required safeguards are implemented.

8. Prohibited automation and scraping

You must not scrape, crawl, bulk harvest, enumerate, or copy HeadsDown accounts, public handles, public pages, APIs, or data except as allowed by documented APIs, robots rules, or a written agreement.

You must not use automation to create fake accounts, evade bans, generate spam, simulate fake usage, manufacture value evidence, or manipulate outcome learning.

9. Harassment and harmful conduct

You must not use HeadsDown to harass, threaten, abuse, stalk, dox, intimidate, or harm others. You must not use HeadsDown to route, suppress, or automate communications in a way that violates law, consent, or safety expectations.

TODO: Counsel to confirm content moderation, public-handle abuse, and takedown process.

10. Enforcement

HeadsDown may investigate suspected violations and may suspend accounts, revoke API keys, disable integrations, reject events, remove access, limit traffic, preserve evidence, notify affected users or customers, or report activity to authorities where appropriate.

HeadsDown may also require remediation, such as changing integration behavior, removing prohibited fields, rotating credentials, or disabling unsafe automation.

TODO: Counsel to confirm notice, appeal, data preservation, and enterprise contract interaction.

11. Reporting abuse

Report abuse, security concerns, or privacy-boundary issues to TODO. Current product contact is [email protected].

Publication workflow and prior versions

Before any draft label is removed, the page needs legal review, security review of technical claims, product review for shipped-versus-planned behavior, subprocessor verification, and analytics/cookie audit where applicable.

Prior versions are archived manually in source control before publication changes: create a dated copy under `docs/legal/archive/`, record the version, effective date, last updated date, reviewer approvals, and the public route changed, then update this page in the same pull request.

© 2019-2026 Overstuffed Gorilla, LLC.
