Acceptable Use Policy

Effective date: February 10, 2026

This is a sample acceptable use policy for product development and review — not legal advice. Have counsel review it before launch.

Overview

This Acceptable Use Policy (AUP) governs access to and use of Matte's websites, hosted application, APIs, workspaces, custom domains, email workflows, imports, exports, and related services.

This AUP forms part of the agreement, order form, terms of service, or other written agreement governing use of the Services. By using the Services, Customer and each Authorized User agree to comply with this AUP.

Customer is responsible for its Authorized Users, workspace members, API users, contractors, agents, integrations, and any other person or system that accesses the Services through Customer's account, workspace, custom domain, credentials, or API keys.

General Rule

The Services are designed for lawful business inventory tracking, workspace data management, team administration, imports, exports, API access, and related operational workflows.

Customer may not use the Services in a way that is unlawful, unsafe, abusive, deceptive, harmful, or disruptive, or in a way that interferes with Matte, other customers, third-party services, or the security and integrity of the Services.

Illegal or Harmful Content and Conduct

Customer may not use the Services to create, upload, store, import, transmit, display, facilitate, support, or promote prohibited content, activity, or transactions.

Matte may remove or restrict access to content, preserve information, notify Customer, notify law enforcement, or report to appropriate authorities when Matte becomes aware of activity involving child exploitation, imminent harm, illegal conduct, or threats to the Services.

  • Content, activity, or transactions that violate applicable law or regulation.
  • Child sexual abuse material, sexual exploitation of minors, grooming, online enticement, child trafficking, or any attempt to solicit, obtain, create, distribute, or preserve such material or activity.
  • Non-consensual intimate imagery, sexual exploitation, human trafficking, harassment, stalking, threats, intimidation, or abuse.
  • Credible threats of violence, incitement to violence, terrorist activity, violent extremist activity, or instructions for evading law enforcement in connection with violent or unlawful conduct.
  • Fraud, scams, phishing, impersonation, forged identity, deceptive business practices, or misrepresentation of source, affiliation, endorsement, or authority.
  • Unlawful discrimination, harassment, or exclusion in employment, housing, credit, education, public accommodation, or similarly regulated contexts.
  • Content or activity that infringes, misappropriates, or violates intellectual property, publicity, privacy, confidentiality, contractual, or proprietary rights.
  • Unlawful gambling, regulated financial activity, controlled substances, weapons, counterfeit goods, stolen goods, or other regulated goods or services unless expressly permitted in writing by Matte and lawful in all applicable jurisdictions.
  • Content designed to exploit, shame, extort, dox, expose, or endanger a person or organization.

Regulated and Sensitive Data

Customer may not submit, store, import, process, or transmit certain regulated or sensitive data through the Services unless the agreement expressly permits it and the parties have signed any required additional terms.

Customer is responsible for configuring fields, imports, notes, JSON values, rich text, attachments, exports, and API payloads so they do not contain prohibited data. Matte may require Customer to delete, export and remove, or migrate data that violates this section.

  • Protected health information subject to HIPAA.
  • Payment card data subject to PCI DSS.
  • Bank account credentials, private keys, seed phrases, or authentication secrets not intended to be managed in the Services.
  • Government identification numbers, tax identifiers, background-check data, biometric identifiers, or precise geolocation data used for tracking individuals.
  • Children's data or student education records subject to child privacy or education privacy laws.
  • Criminal offense data or special categories of personal data under GDPR.
  • Export-controlled technical data, classified information, or data subject to government security restrictions.

Security Abuse

Customer may not use the Services to compromise security controls, access unauthorized systems or data, disrupt other users, or conceal abusive behavior.

  • Access or attempt to access accounts, workspaces, systems, networks, data, APIs, custom domains, sessions, cookies, tokens, credentials, or object storage that Customer is not authorized to access.
  • Bypass, disable, degrade, or interfere with authentication, authorization, MFA, CSRF protection, rate limits, permission checks, workspace isolation, logging, monitoring, security headers, or other security controls.
  • Probe, scan, penetration test, load test, stress test, or vulnerability test the Services except as allowed in the vulnerability research section.
  • Introduce malware, ransomware, spyware, backdoors, botnets, worms, credential harvesters, malicious scripts, or destructive code.
  • Use the Services to attack, scan, spam, overload, scrape, disrupt, or compromise any third party.
  • Attempt to extract source code, underlying models, system architecture, non-public APIs, credentials, secrets, or information about other customers except as permitted by law and the agreement.
  • Share accounts, API keys, passwords, session tokens, recovery codes, passkeys, or credentials except through authorized administrative workflows.
  • Use automated systems to create accounts, bypass signup controls, evade rate limits, or generate abusive traffic.
  • Hide or misrepresent origin through proxying, spoofing, forged headers, misleading domains, or other deceptive routing.

Platform Integrity and Service Limits

Customer may not use the Services in a way that threatens service reliability, security, availability, capacity, or fair use by other customers.

Matte may throttle, rate-limit, queue, disable, or suspend activity that threatens service reliability, security, or availability.

  • Degrade, disable, or interfere with the Services or infrastructure used by Matte or other customers.
  • Consume excessive bandwidth, storage, compute, API capacity, email capacity, or database resources disproportionate to Customer's plan or normal business use.
  • Circumvent quotas, billing limits, workspace limits, feature limits, retention limits, storage limits, API rate limits, or technical restrictions.
  • Run crypto mining, bulk scraping, bot operations, open proxies, relay services, traffic resale, benchmark farms, or unrelated high-volume computation.
  • Use the Services as a general-purpose file host, malware repository, backup dump, content distribution network, or anonymous data drop unless expressly permitted by Matte.
  • Repeatedly create and abandon workspaces, custom domains, API keys, imports, or accounts to evade enforcement, limits, payment, or abuse review.

Email, Invitations, and Messaging

Customer may not use the Services, email verification flows, workspace invitations, notification settings, support channels, custom domains, or integrations to send or facilitate abusive or unlawful communications.

Customer is responsible for ensuring that emails, invitations, and notifications sent through Customer's workspace comply with applicable law and accurately identify the sender and purpose of the message.

  • Spam, unsolicited bulk email, or messages that violate anti-spam, telemarketing, or electronic communications laws.
  • Phishing, credential harvesting, malware delivery, deceptive attachments, malicious links, or social engineering.
  • Messages with false or misleading sender information, headers, subject lines, domain names, or affiliation claims.
  • Messages to recipients who have not consented where consent is required or who have opted out.
  • Harassment, threats, extortion, or other abusive communications.

Custom Domains and Workspace Identity

Customer may use custom domains and workspace subdomains only for workspaces Customer owns or is authorized to operate.

Matte may reject, remove, or disable any workspace slug, domain, logo, or identifier that violates this AUP or creates legal, security, operational, or reputational risk.

  • Connect, claim, verify, or use a domain without authorization from the domain owner.
  • Impersonate another person, company, product, government agency, or brand.
  • Use confusingly similar workspace names, slugs, logos, avatars, custom emoji, domains, or sender identities to mislead others.
  • Host or route deceptive, malicious, infringing, or unlawful content through a custom domain.
  • Interfere with certificate issuance, DNS validation, or domain verification processes.

Privacy and Data Rights

Customer may not use the Services to collect, import, process, export, disclose, or enrich personal data unless Customer has all required rights, notices, consents, legal bases, and authorizations.

Customer may not use the Services for unlawful surveillance, tracking, profiling, data brokerage, scraping, re-identification, or combining datasets in a way that violates privacy laws or individual rights.

Customer is responsible for honoring applicable privacy requests, retention obligations, deletion obligations, confidentiality obligations, and restrictions on use of Customer Data.

APIs, Imports, Exports, and Integrations

Customer may use Matte APIs, CSV imports, exports, and integrations only for lawful internal business purposes and in accordance with the agreement and documentation.

Customer must promptly revoke compromised API keys and notify Matte of suspected unauthorized access that may affect the Services.

  • Use APIs or automation to evade UI controls, permissions, auditability, workspace isolation, billing, or usage limits.
  • Import or export data in violation of law, contract, confidentiality obligations, privacy rights, intellectual property rights, or this AUP.
  • Use API keys or exports to build an unauthorized competing service, replicate the Services, or provide service bureau access without Matte's written approval.
  • Submit malformed, oversized, recursive, malicious, or intentionally disruptive payloads.
  • Continue using revoked, leaked, expired, unauthorized, or compromised API keys.

Sanctions, Export Controls, and Restricted Parties

Customer may not use the Services if Customer or any Authorized User is barred from receiving the Services under applicable sanctions, export control, or trade restriction laws.

Customer may not use the Services for the benefit of a sanctioned person, embargoed region, prohibited end use, or prohibited end user.

Customer is responsible for ensuring that Customer Data, exports, custom fields, files, technical information, and API activity do not violate export control, sanctions, anti-boycott, or trade compliance laws.

AI and Automated Decisioning

If Matte offers AI, automation, assistant, data enrichment, or recommendation features, Customer may not use those features for unlawful, harmful, deceptive, or restricted purposes.

Matte may require additional terms, restrictions, or customer configuration before enabling AI or external integration features for Customer workspace data.

  • Make decisions that are unlawful, discriminatory, deceptive, or materially harmful.
  • Generate malware, phishing, credential theft, evasion techniques, or instructions for wrongdoing.
  • Create or facilitate child sexual abuse material, sexual exploitation, non-consensual intimate imagery, or abusive content.
  • Infer sensitive attributes, re-identify individuals, or conduct unlawful surveillance.
  • Process regulated data in violation of the agreement, DPA, BAA, or applicable law.

Vulnerability Research

Matte welcomes good-faith vulnerability reports sent to security@trymatte.com. Customer and researchers may test only accounts, workspaces, custom domains, data, API keys, and systems they own or are explicitly authorized to test.

This section does not authorize testing of third-party systems, infrastructure providers, customer workspaces without consent, denial-of-service testing, or activity that violates law.

  • Avoid accessing, modifying, deleting, exfiltrating, or disclosing data that does not belong to the researcher.
  • Avoid privacy violations, service disruption, degradation, social engineering, phishing, physical attacks, spam, malware, persistence, or destructive activity.
  • Stop testing and report promptly if the researcher encounters non-public data, credentials, or a vulnerability that could affect other customers.
  • Give Matte a reasonable opportunity to investigate and remediate before public disclosure.
  • Comply with applicable law.

Enforcement

Matte may investigate suspected violations of this AUP and may take action it reasonably believes is necessary to protect the Services, Customer, other customers, third parties, or the public.

Matte is not required to monitor Customer Data or activity, but may do so to operate, secure, support, and enforce the Services and the agreement.

  • Warning Customer or workspace administrators.
  • Requiring Customer to remove content, revoke API keys, change configuration, disable integrations, or remediate misuse.
  • Limiting, throttling, disabling, or suspending features, accounts, workspaces, domains, imports, exports, API keys, email workflows, or access.
  • Removing or disabling access to content.
  • Preserving information as required or permitted by law.
  • Reporting illegal or harmful activity to law enforcement, regulators, NCMEC, or other appropriate authorities.
  • Terminating the agreement for material or repeated violations.

Remediation and Appeals

Unless urgent action is required, Matte will generally try to notify Customer and provide an opportunity to remediate a violation.

Immediate action may be taken without notice where Matte reasonably believes there is a legal risk, security risk, service availability risk, risk of harm, risk to another customer, risk involving child exploitation, or risk that notice would undermine investigation or enforcement.

Customer may appeal an enforcement action by contacting abuse@trymatte.com with the workspace name, affected account or domain, description of the issue, remediation steps taken, and any supporting context. Matte will review appeals in good faith but may maintain restrictions where necessary to protect the Services or comply with law.

Reporting Abuse

To report abuse, unlawful content, phishing, impersonation, spam, domain misuse, or other AUP violations, contact abuse@trymatte.com.

To report security vulnerabilities, contact security@trymatte.com.

For privacy requests, contact privacy@trymatte.com.

Changes

Matte may update this AUP from time to time. Material changes will be communicated through reasonable notice channels, such as posting an updated version, notifying workspace administrators, or other notice permitted by the agreement.

Continued use of the Services after the effective date of an updated AUP constitutes acceptance of the updated AUP.