Acceptable Use Policy
Last Updated: February 24, 2026
Effective Date: February 24, 2026
Company Information
Legal Entity: CMG FRAMEWORKS SRL
Registered Address: Drumul NISIPOASA, Nr. 46-52, Lot 1/2, Bl. C, Scara C7, Etaj P, Ap. 3, București, Romania
Contact Phone: +40 772 125 155
Email: support@cmgworkflow.com
Abuse Reports: abuse@cmgworkflow.com
1. Scope and Applicability
This Acceptable Use Policy ("AUP") governs your use of the CRM SaaS platform ("Service") provided by CMG FRAMEWORKS SRL ("Company," "we," "us," or "our"). This AUP is incorporated by reference into our Terms of Service and applies to all users, including organization owners, administrators, team members, agents, and any person or system accessing the Service on your behalf.
By using the Service, you agree to comply with this AUP. If you do not agree, you must discontinue use of the Service immediately.
This AUP applies to all activities conducted through the Service, including but not limited to:
- Content you upload, store, or transmit
- Messages you send via WhatsApp Business API or email integrations
- Data you import, process, or export
- AI features you invoke or configure
- API calls and integrations you establish
2. Prohibited Content
You may NOT use the Service to create, store, transmit, distribute, or make available any content that:
2.1 Illegal Content
- Violates any applicable local, national, or international law or regulation
- Facilitates, promotes, or instructs criminal activity
- Constitutes or facilitates fraud, identity theft, or financial crimes
- Involves child sexual abuse material (CSAM) or exploitation of minors
- Relates to terrorism, terrorist financing, or violent extremism
2.2 Harmful Content
- Contains malware, viruses, trojans, ransomware, spyware, or other malicious code
- Includes phishing pages, credential harvesting forms, or social engineering material
- Promotes self-harm, suicide, eating disorders, or dangerous activities
- Contains threats of violence, intimidation, or harassment against any individual or group
2.3 Discriminatory Content
- Promotes discrimination based on race, ethnicity, national origin, religion, gender, sexual orientation, disability, or age
- Contains hate speech or incites hatred against protected groups
- Violates anti-discrimination laws of the European Union or Romania
2.4 Intellectual Property Violations
- Infringes copyrights, trademarks, patents, or trade secrets of third parties
- Contains pirated software, media, or other copyrighted material without authorization
- Misuses third-party brands, logos, or proprietary information
2.5 Deceptive Content
- Contains false, misleading, or deceptive information intended to defraud
- Impersonates any person, business, or entity
- Creates fake reviews, testimonials, or endorsements
3. Prohibited Conduct
You may NOT engage in any of the following activities:
3.1 Unauthorized Access
- Attempting to gain unauthorized access to the Service, other user accounts, or connected systems
- Probing, scanning, or testing the vulnerability of the Service or its infrastructure without prior written authorization
- Circumventing, disabling, or interfering with security features, authentication mechanisms, or access controls
- Accessing data belonging to other organizations or tenants within the multi-tenant platform
3.2 Reverse Engineering and Exploitation
- Decompiling, disassembling, reverse engineering, or attempting to derive the source code of the Service
- Modifying, adapting, translating, or creating derivative works based on the Service
- Removing, altering, or obscuring proprietary notices, labels, or marks on the Service
3.3 Scraping and Data Extraction
- Using automated tools, bots, crawlers, or scrapers to extract data from the Service
- Systematically downloading, copying, or harvesting user data, content, or metadata
- Building or populating databases using data obtained from the Service without authorization
3.4 Competitive and Commercial Misuse
- Using the Service to develop, train, or improve a competing product or service
- Benchmarking the Service for competitive purposes without prior written consent
- Reselling, sublicensing, or redistributing access to the Service without authorization
- Using the Service on behalf of a third party without a valid subscription
3.5 Service Disruption
- Overloading, flooding, or deliberately degrading the performance of the Service
- Launching or facilitating denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Interfering with other users' ability to access or use the Service
- Introducing code, scripts, or agents designed to disrupt the Service's operation
4. WhatsApp Business API Rules
Use of WhatsApp messaging features through the Service is subject to additional requirements. You must comply with Meta's Business Messaging Policy and WhatsApp Business Policy at all times.
4.1 Meta Business Messaging Policy Compliance
- You must maintain an active, verified Meta Business Manager account
- All WhatsApp messaging must comply with Meta's Commerce Policy and Business Messaging Policy
- You must not use WhatsApp features for purposes prohibited by Meta
- Quality rating must be maintained at acceptable levels; repeated violations may result in messaging restrictions
4.2 No Spam or Unsolicited Messaging
- You must NOT send unsolicited bulk messages, spam, or promotional content to recipients who have not opted in
- All marketing and promotional messages require prior explicit opt-in consent from the recipient
- You must provide clear and functional opt-out mechanisms in every marketing message
- You must honor opt-out requests within 24 hours
4.3 Message Template Approval
- All outbound message templates must be submitted to and approved by Meta before use
- You must NOT circumvent the template approval process by sending templated content as free-form messages
- Rejected templates must be revised and resubmitted; do not attempt to bypass rejection reasons
4.4 24-Hour Messaging Window
- Free-form (session) messages may only be sent within the 24-hour customer service window following the last user-initiated message
- Outside the 24-hour window, only pre-approved message templates may be sent
- You must NOT use artificial techniques to reopen or extend the messaging window
4.5 Opt-In Requirements
- You must obtain verifiable opt-in consent before initiating WhatsApp conversations
- Opt-in must clearly identify your business name and the purpose of messaging
- Records of consent must be maintained and available for audit
- You must comply with GDPR consent requirements (freely given, specific, informed, unambiguous)
Disclaimer: CMG FRAMEWORKS SRL is not responsible for any restrictions, suspensions, quality rating downgrades, or bans imposed on your WhatsApp Business Account by Meta Platforms. You are solely responsible for maintaining compliance with Meta's policies, and any loss of revenue, leads, or business opportunities resulting from Meta's enforcement actions is not compensable by the Company.
5. AI and Gemini Usage Restrictions
The Service provides AI-powered features using the Google Gemini Enterprise API. The following restrictions apply:
5.1 Prohibited AI Usage
- No prompt injection attempts - You must NOT attempt to manipulate, override, or circumvent AI system instructions, safety filters, or operational boundaries through crafted inputs
- No illegal content generation - You must NOT use AI features to generate content that is illegal, harmful, discriminatory, or otherwise prohibited under this AUP
- No safety filter bypassing - You must NOT attempt to bypass, disable, or circumvent AI safety mechanisms, content filters, or moderation systems
- No automated decision-making without oversight - AI outputs must be reviewed by a human before being used for decisions that significantly affect individuals (as required by GDPR Article 22)
5.2 AI Content Responsibility
- You are solely responsible for reviewing, approving, and sending all AI-generated content
- AI-generated responses are suggestions only and may contain errors, biases, or inaccuracies
- You must verify the accuracy of AI-extracted data (names, emails, phone numbers) before acting on it
- You must NOT represent AI-generated content as human-authored when legally required to disclose AI involvement
5.3 AI Data Handling
- You must NOT input sensitive personal data categories (Article 9 GDPR) into AI features unless you have a valid legal basis
- You must NOT use AI features to process health, biometric, genetic, or criminal conviction data without appropriate safeguards
- AI processing of personal data is subject to the Data Processing Agreement between you and CMG FRAMEWORKS SRL
Your Responsibility for AI Outputs: You are solely liable for any damages, penalties, fines, or claims resulting from acting on AI-generated suggestions, recommendations, or data extractions without independent human review. This includes, without limitation, GDPR fines for non-compliant messaging, claims arising from inaccurate contact information extracted by AI, and any discrimination or bias claims arising from AI-generated lead scoring or qualification. AI features are assistive tools — not replacements for professional judgment.
6. Email and Communication Rules
6.1 CAN-SPAM Compliance
If you use the Service to send commercial emails to recipients in the United States, you must comply with the CAN-SPAM Act:
- Include a valid physical postal address in every commercial email
- Provide a clear and conspicuous opt-out mechanism
- Honor opt-out requests within 10 business days
- Do not use deceptive subject lines or misleading header information
- Clearly identify the message as an advertisement where required
6.2 GDPR Consent for Marketing
For recipients in the European Economic Area (EEA), you must:
- Obtain prior explicit consent before sending marketing communications (GDPR Article 6(1)(a))
- Maintain records of consent (who, when, how, what was consented to)
- Provide a simple mechanism to withdraw consent at any time
- Cease processing for marketing purposes immediately upon withdrawal of consent
- Not use pre-ticked boxes, silence, or inactivity as consent
6.3 General Communication Standards
- All communications sent through the Service must accurately identify the sender
- You must NOT spoof, forge, or manipulate sender information or message headers
- You must NOT send communications that violate applicable telecommunications laws
- Transactional messages must not be disguised as marketing communications
7. Spam and Bulk Messaging Limits
To protect the integrity of the Service and its shared infrastructure, the following limits apply:
7.1 WhatsApp Messaging Limits
- Business-initiated conversations are subject to Meta's messaging tier limits (1K, 10K, 100K, unlimited per 24 hours based on quality rating)
- Template messages must maintain a quality rating of "Medium" or above; consistently "Low" ratings may result in feature suspension
- Broadcast lists must not exceed 1,000 recipients per batch without prior arrangement
- Message frequency must not exceed reasonable limits; excessive messaging to the same recipient may be flagged
7.2 Email Messaging Limits
- Daily sending limits are determined by your subscription plan
- Bounce rate must remain below 5%; accounts exceeding this threshold may have email features suspended
- Spam complaint rate must remain below 0.1% of sent messages
- List hygiene - You must regularly clean contact lists to remove invalid addresses and unsubscribed contacts
7.3 API Rate Limits
- API calls are subject to rate limits as documented in the Service's technical documentation
- Exceeding rate limits will result in temporary throttling (HTTP 429 responses)
- Persistent rate limit violations may result in API access suspension
8. Data Handling Obligations
8.1 Personal Data Responsibility
As a user of the Service, you act as the Data Controller for personal data you import, create, or process through the platform. You must:
- Have a valid legal basis (GDPR Article 6) for processing each category of personal data
- Provide appropriate privacy notices to your leads, clients, and contacts
- Respond to data subject access requests (DSARs) within the statutory timeframe
- Implement appropriate data minimization practices
8.2 Consent Collection
- You must collect and document consent where required before importing contact data
- Consent records must be accessible within your organization for audit purposes
- You must NOT upload purchased, scraped, or otherwise illicitly obtained contact lists
- Imported data must be lawfully collected and you must have the right to process it
8.3 No PII Misuse
- Personal data must be used only for the purposes for which it was collected
- You must NOT share, sell, or transfer personal data to unauthorized third parties through the Service
- You must NOT use the Service to build profiles for purposes incompatible with the original collection purpose
- Sensitive personal data (Article 9 GDPR) requires explicit consent or another valid legal basis under Article 9(2)
9. Multi-Tenant Resource Fair Use
The Service operates as a shared, multi-tenant platform. To ensure fair resource allocation for all tenants, the following fair use guidelines apply:
9.1 Storage Limits
- File uploads and attachments are subject to storage limits defined by your subscription plan
- Exceeding storage limits may result in the inability to upload new files until usage is reduced
- Excessively large individual files (over 25 MB) may be rejected
9.2 API and Request Limits
- Each organization is allocated API request quotas based on its subscription plan
- Background processing jobs (imports, exports, bulk operations) are subject to concurrency limits
- Organizations that consistently exceed fair use thresholds will be contacted before enforcement action
9.3 Concurrent Connections
- The number of concurrent active sessions per organization is subject to reasonable limits
- Automated or scripted sessions that remain idle consume shared resources and may be terminated
- WebSocket connections for real-time features are limited per organization
9.4 Database and Query Limits
- Complex or long-running queries that degrade performance for other tenants may be terminated
- Bulk data operations should be scheduled during off-peak hours when possible
- Data export requests are subject to size and frequency limits
10. Account Security Obligations
10.1 Password and Credential Security
- Use strong, unique passwords for your Service account (minimum 8 characters, mix of uppercase, lowercase, numbers, and symbols recommended)
- Do NOT reuse passwords from other services
- Do NOT share account credentials with unauthorized individuals
- Change passwords immediately if you suspect a compromise
10.2 Two-Factor Authentication (2FA)
- We strongly recommend enabling two-factor authentication on all accounts
- Organization owners and administrators should enforce 2FA for all team members when available
- You are responsible for maintaining the security of your 2FA device or recovery codes
10.3 Session and Access Management
- Log out of the Service when using shared or public devices
- Review and revoke access for former team members promptly
- Monitor account activity for unauthorized access
- Report suspected unauthorized access to support@cmgworkflow.com immediately
10.4 API Keys and Tokens
- API keys, tokens, and webhook secrets must be stored securely and NOT hardcoded in public repositories
- Rotate API keys periodically and immediately if compromised
- Assign minimum necessary permissions to API keys and integrations
11. Compliance with Applicable Laws
11.1 General Legal Compliance
You must comply with all applicable laws, regulations, and industry standards when using the Service, including but not limited to:
- EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- Romanian Data Protection Law 190/2018
- Romanian E-Commerce Law 365/2002
- ePrivacy Directive (Directive 2002/58/EC as amended)
- CAN-SPAM Act (for US-directed communications)
- Consumer protection laws applicable in your jurisdiction
11.2 Industry-Specific Regulations
If you operate in a regulated industry, you are responsible for ensuring your use of the Service complies with applicable industry regulations, including but not limited to:
- Financial services regulations (PSD2, anti-money laundering directives)
- Healthcare data regulations (where applicable)
- Telecommunications regulations
11.3 Export Controls
You must NOT use the Service in violation of applicable export control laws, sanctions, or embargoes, including those imposed by the European Union, Romania, or the United Nations.
12. Monitoring and Enforcement
12.1 Right to Monitor
We reserve the right, but are not obligated, to monitor use of the Service for compliance with this AUP. Monitoring may include:
- Automated detection systems for spam, abuse, and policy violations
- Review of messaging patterns and volume anomalies
- Analysis of reported violations and abuse complaints
- Security scanning and threat detection
12.2 Automated Detection
We employ automated systems to detect and prevent:
- Spam and bulk unsolicited messaging
- Malware distribution and phishing attempts
- Abnormal usage patterns that may indicate abuse
- Potential security threats to the platform or its users
12.3 Investigation Rights
We may investigate suspected violations of this AUP. During an investigation, we may:
- Temporarily restrict access to specific features
- Request additional information or documentation from the account holder
- Preserve data relevant to the investigation as required by law
13. Enforcement Actions
Violations of this AUP may result in enforcement actions at our sole discretion, following a graduated approach where appropriate.
13.1 Enforcement Ladder
Level 1: Warning
- Trigger: First-time or minor violations
- Action: Written notice via email identifying the violation and required corrective action
- Timeline: You must remedy the violation within 7 calendar days of receiving the warning
- Record: Warning is documented on your account
Level 2: Temporary Suspension
- Trigger: Repeated violations, failure to remedy after warning, or moderate severity violations
- Action: Temporary suspension of the affected features or entire account
- Duration: Typically 7 to 30 days, depending on severity
- Restoration: Access restored upon confirmation that the violation has been remedied and preventive measures implemented
Level 3: Permanent Termination
- Trigger: Severe violations, continued violations after suspension, or violations that pose a risk to other users or the platform
- Action: Permanent termination of your account and all associated services
- Data: You will have 30 days to export your data before permanent deletion, unless prohibited by law
- Effect: Termination under this section does not entitle you to a refund
Data Protection During Enforcement: During account suspension (Level 2), your data remains stored and accessible for export upon request. However, the Company shall not be liable for any data loss, corruption, or inaccessibility that occurs incidentally during the enforcement process, provided the Company exercised reasonable care. During permanent termination (Level 3), the 30-day data export window begins on the date of the termination notice. It is your sole responsibility to maintain independent backups of your critical business data at all times.
13.2 Immediate Action
We reserve the right to bypass the enforcement ladder and take immediate action (including suspension or termination without prior notice) in cases involving:
- Illegal activity or content
- Imminent threat to the Service, its users, or third parties
- Court order or legal requirement
- Severe security incidents or data breaches caused by user conduct
14. Appeal Process
14.1 Right to Appeal
If you believe an enforcement action was taken in error, you may submit an appeal.
14.2 How to Appeal
- Send a written appeal to abuse@cmgworkflow.com within 14 calendar days of the enforcement action
- Include your account information, the enforcement action reference, and a detailed explanation of why you believe the action was unjustified
- Provide any supporting evidence or documentation
14.3 Appeal Review
- Appeals will be reviewed by a member of our compliance team who was not involved in the original enforcement decision
- We will acknowledge receipt of your appeal within 3 business days
- A final decision will be communicated within 7 business days of receiving the appeal
- The appeal decision is final and binding
14.4 Effect During Appeal
Unless the violation involves illegal content or an immediate security threat, we will make reasonable efforts to maintain limited access to data export functionality during the appeal period.
Disclaimer: The Company shall not be liable for any damages, losses, or expenses incurred during the period between enforcement action and appeal resolution. Account suspension remains in effect during the appeal process. The Company will use commercially reasonable efforts to resolve appeals within the stated timeline but does not guarantee a specific resolution date.
15. Reporting Violations
15.1 How to Report
If you become aware of a violation of this AUP, please report it to:
- Email: abuse@cmgworkflow.com
- Subject line: "AUP Violation Report - [Brief Description]"
15.2 What to Include
- Description of the violation
- Relevant account information (if known)
- Evidence or documentation supporting the report
- Your contact information (optional but recommended for follow-up)
15.3 Reporter Protection
- We will treat reports confidentially to the extent permitted by law
- We will not retaliate against good-faith reporters
- Anonymous reports are accepted but may limit our ability to investigate or follow up
16. Changes to This Policy
16.1 Modification Rights
We may update this AUP from time to time to address new threats, legal requirements, or changes in the Service.
16.2 Notification of Changes
- Material changes will be communicated via email at least 30 days before the effective date
- Non-material changes (clarifications, formatting) will be reflected in the "Last Updated" date
- We may provide additional notice through in-app notifications for significant changes
16.3 Continued Use
Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated AUP. If you do not agree with the changes, you must stop using the Service before the effective date.
17. Contact Information
For questions about this Acceptable Use Policy, contact us at:
CMG FRAMEWORKS SRL
Drumul NISIPOASA, Nr. 46-52, Lot 1/2, Bl. C, Scara C7, Etaj P, Ap. 3
București, Romania
- General inquiries: support@cmgworkflow.com
- Abuse reports: abuse@cmgworkflow.com
- Data protection: dpo@cmgworkflow.com
- Phone: +40 772 125 155
18. Governing Law
This Acceptable Use Policy is governed by and construed in accordance with the laws of Romania and applicable European Union regulations, including the General Data Protection Regulation (GDPR). Any disputes arising from or in connection with this AUP shall be subject to the exclusive jurisdiction of the courts of București, Romania.
This Acceptable Use Policy is effective as of February 24, 2026.