Acceptable Use Policy

1. Introduction and Scope

This Acceptable Use Policy (the "AUP") governs your use of the NorthStar AI platform and services (the "Platform") provided by NorthStar AI S.R.L. ("NorthStar," "we," "us," or "our").

NorthStar provides artificial intelligence tools designed to augment business decision-making and automate workflows for small and medium enterprises. The Platform is powered by third-party AI providers (Anthropic, OpenAI) operating under their respective terms of service.

This AUP applies to all customers, account holders, end-users, and any other persons accessing or using the Platform ("you," "your," or "Customer"). By using the Platform, you agree to comply with this AUP.

This AUP is incorporated by reference into our Terms of Service and the Master Services Agreement (where applicable). In case of conflict between this AUP and the Terms of Service, this AUP prevails for AI-specific use restrictions in Section 4.

2. Definitions

• AI Output: any content, analysis, recommendation, score, ranking, or other material generated by the Platform's AI systems
• Customer Data: data submitted to or processed through the Platform by you
• Digital Employee: an AI-powered tool provided through the Platform with a defined role, capabilities, and personality (e.g., the Recruitment Assistant, Company DNA strategic consultant)
• High-Risk AI System: an AI system classified as high-risk under Annex III of EU Regulation 2024/1689 (EU AI Act)
• Special Category Data: personal data as defined in Article 9 of the General Data Protection Regulation (GDPR)

3. General Use Restrictions

When using the Platform, you shall not:

3.1 Illegal or Harmful Activity

• Violate any applicable law, regulation, or third-party rights
• Engage in fraud, money laundering, sanctions evasion, or any criminal activity
• Use the Platform to plan, facilitate, or promote violence, terrorism, or harm to others
• Generate, store, transmit, or distribute child sexual abuse material (CSAM) or other illegal content

3.2 Security and System Integrity

• Attempt to gain unauthorized access to the Platform, other accounts, or any systems or networks connected to the Platform
• Probe, scan, or test the vulnerability of the Platform without prior written authorization
• Interfere with or disrupt the Platform's services, servers, or networks
• Use bots, crawlers, scrapers, or other automated means to access the Platform except as expressly permitted (e.g., via documented APIs with valid credentials)
• Circumvent any access controls, rate limits, usage limits, or other technical restrictions

3.3 AI Safety and Integrity

You shall not attempt to:

• Bypass safety controls or content filters of the underlying AI models
• Extract training data, system prompts, or instructions from Digital Employees through prompt injection or other techniques
• Use jailbreak techniques or adversarial inputs to circumvent AI safety measures
• Generate content that violates the underlying AI providers' usage policies (Anthropic, OpenAI — see Section 3.6)

3.4 Misuse of AI Outputs

• Present AI-generated outputs as human-created work in contexts where the human origin of work is required by law or professional standards
• Use AI Outputs to generate spam, mass unsolicited communications, or fraudulent content
• Use AI Outputs to impersonate real persons or organizations
• Use AI Outputs to generate disinformation, defamatory content, or content designed to mislead

3.5 Service Abuse

• Resell, sublicense, lease, or redistribute the Platform or AI Outputs to third parties without written authorization
• Use the Platform to develop or train competing AI products or services
• Use the Platform to extract or accumulate AI capabilities for benchmarking or competitive analysis without authorization

3.6 Third-Party AI Provider Compliance

By using the Platform, you acknowledge that AI processing is performed via third-party providers (Anthropic, OpenAI). Your use must comply with the providers' usage policies:

• Anthropic Acceptable Use Policy: https://www.anthropic.com/legal/aup
• OpenAI Usage Policies: https://openai.com/policies/usage-policies

Violations of these third-party policies may result in immediate suspension of your access to the Platform, as we have obligations to the underlying AI providers.

4. AI-Specific Use Restrictions

This Section 4 sets additional restrictions specific to AI features. These restrictions reflect our obligations and yours under EU Regulation 2024/1689 (the "EU AI Act"), GDPR, and other applicable laws.

4.1 Prohibited AI Practices (EU AI Act Article 5)

You shall never use the Platform for any practice prohibited under Article 5 of the EU AI Act, including:

• Social scoring of natural persons by public or private actors leading to discriminatory outcomes
• Exploitation of vulnerabilities of specific groups of persons due to age, disability, or social/economic situation
• Subliminal manipulation beyond a person's consciousness to materially distort behavior causing harm
• Real-time remote biometric identification in publicly accessible spaces for law enforcement (with limited legal exceptions)
• Emotion recognition in workplace and educational institutions
• Predictive policing based solely on profiling or assessment of personality traits
• Untargeted scraping of facial images from the internet or CCTV footage to create or expand facial recognition databases
• Biometric categorisation systems that infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation
• Risk assessment of natural persons for predicting criminal offences based solely on profiling

We reserve the right to terminate accounts engaged in any prohibited practice without prior notice, in accordance with our termination rights in Section 7.

4.2 High-Risk AI Restrictions — Recruitment Assistant

The Recruitment Assistant is a high-risk AI system under Annex III point 4(a) of the EU AI Act. If you use the Recruitment Assistant, you assume Deployer obligations under Article 26 of the EU AI Act, including:

(a) Human Oversight (Art. 14 EU AI Act): All CV screening results, candidate scoring, and ranking outputs generated by the Recruitment Assistant are RECOMMENDATIONS ONLY. A qualified human decision-maker at your organization must review and approve all hiring, rejection, or shortlisting decisions. No candidate may be automatically rejected based solely on AI output. This complies with the GDPR Article 22 prohibition on solely automated decisions producing legal or similarly significant effects.

(b) Transparency to Candidates (Art. 13 GDPR + Art. 50 EU AI Act): You must inform candidates that their CVs will be processed by an AI system. This disclosure should be made before or at the time of CV submission.

(c) Non-Discrimination: The Recruitment Assistant must not be used to discriminate against candidates based on protected characteristics, including race, ethnicity, gender, age, disability, religion, sexual orientation, political opinion, marital status, or any other characteristic protected by applicable law (EU Charter of Fundamental Rights Art. 21, Romanian Anti-Discrimination Law).

(d) Right to Contest: Candidates must have the right to contest AI-assisted decisions and to request human review. You must provide candidates with a clear mechanism to exercise this right.

(e) Record-Keeping (Art. 26(6) EU AI Act): You must maintain records of how AI outputs were used in hiring decisions, for a minimum period aligned with applicable labor law requirements.

(f) Age Restriction: You must not submit CVs of candidates under the age of 18 to the Recruitment Assistant. Submissions in violation of this requirement constitute a material breach of this AUP.

(g) Data Protection Impact Assessment: Where required by Article 35 GDPR, you must conduct a DPIA before deploying the Recruitment Assistant. We provide assistance and relevant technical information upon request.

NorthStar acts as Provider under Article 16 of the EU AI Act and maintains technical documentation, post-market monitoring, conformity assessment, and other Provider obligations.

For AI systems that interact with natural persons (Digital Employees more broadly), NorthStar implements transparency disclosures per EU AI Act Article 50, including AI identification at first interaction. You are responsible for any additional Article 50 transparency requirements specific to your use case.

4.3 AI Output Disclaimers and Responsible Use

The Platform's Digital Employees produce outputs that are advisory in nature. To use AI Outputs responsibly:

• Strategic analyses (Company DNA, PESTEL, SWOT, financial analyses, etc.): NorthStar recommends that AI-generated strategic analyses be reviewed by qualified personnel before being used as the basis for material business decisions (e.g., mergers and acquisitions, major investments, workforce reductions). You remain solely responsible for the appropriateness and consequences of any decision made based on AI Outputs and acknowledge that AI-generated analyses are advisory in nature.
• Legal, medical, financial, or other regulated advice: AI Outputs do not constitute professional advice. Where regulated advice is required, consult a qualified professional.
• AI hallucinations: AI systems may generate inaccurate, incomplete, or fabricated information ("hallucinations"). You must verify AI Outputs before relying on them in any context where accuracy is critical.
• Output attribution: when sharing or publishing AI Outputs externally, comply with any transparency obligations under applicable law (e.g., Article 50 EU AI Act for AI-generated text on matters of public interest).

The disclaimers in this Section 4.3 are recommendations to promote responsible use. The remaining points (a)-(g) of Section 4.2 are binding restrictions.

5. Data Submission Rules

5.1 Special Category Data (Article 9 GDPR)

If you submit data that may contain special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, sexual orientation, biometric or genetic data), you must:

• Have a valid legal basis under Art. 9(2) GDPR (typically Art. 9(2)(b) employment law obligations or Art. 9(2)(a) explicit candidate consent)
• Acknowledge in your account settings that you may submit special category data through Digital Employees designed for such purpose (e.g., the Recruitment Assistant)
• Activate the appropriate data handling settings in the Platform
• Ensure that data subjects have been properly informed by you (as Controller) in accordance with Articles 13 and 14 GDPR

Customers and end-users acknowledge that feedback submissions to the Platform may be retained in anonymized form after personal data erasure, under legitimate interest of the organization for operational record-keeping (Article 17(3)(b) GDPR).

5.2 Consent for Personal Data

You represent and warrant that you have obtained all necessary consents, authorizations, and legal bases from the individuals whose personal data you submit to the Platform, including candidates, employees, customers, and any other data subjects.

5.3 Third-Party Data

When you submit data about third parties (e.g., candidate CVs, customer records, employee information), you must:

• Have the legal right to do so under applicable law
• Have informed those third parties as required by applicable data protection law (Art. 13/14 GDPR)
• Not submit data obtained through unauthorized access, scraping, or other illegal means

5.4 Data Minimization

Submit only the data necessary for the intended Digital Employee function. Do not upload entire databases or data sets when only a subset is required.

5.5 Sensitive Content

Do not submit:

• Classified information (governmental classification)
• Trade secrets or confidential information of third parties without authorization
• Materials subject to legal privilege (attorney-client) where AI processing would breach privilege
• Materials subject to NDAs that prohibit AI processing
• Content that is illegal to possess or distribute in your jurisdiction

6. Monitoring and Enforcement

6.1 NorthStar's Right to Monitor

NorthStar reserves the right to:

• Monitor compliance with this AUP through automated systems and human review where appropriate
• Review usage patterns for anomalies that may indicate abuse, unauthorized access, or policy violations
• Investigate suspected violations
• Take action to enforce this AUP as detailed in Section 7

6.2 Automated Monitoring

Routine monitoring is performed by automated systems that analyze usage patterns and trigger alerts on anomalies. Such monitoring does not involve human review of conversation content unless a violation is detected or required by law (e.g., responding to a court order or regulatory inquiry).

6.3 Customer Cooperation

You agree to cooperate with NorthStar's reasonable investigations into suspected violations of this AUP and to provide information requested by NorthStar to verify compliance.

6.4 Reporting Violations

If you believe another user is violating this AUP, please report to abuse@ns-ai.io. Include relevant details (account, behavior observed, evidence if available). We will investigate and take appropriate action.

7. Consequences of Violation

7.1 Graduated Response

Violations of this AUP are handled through a graduated response based on severity:

• Minor Violation: written notice describing the violation and requesting corrective action within 30 days, consistent with the cure period under the Master Services Agreement
• Moderate Violation: temporary suspension of specific features or capabilities for up to 30 days, pending corrective action
• Severe Violation: temporary suspension of full Platform access for up to 90 days
• Critical Violation: immediate suspension of full Platform access, with termination of the Agreement following 24-48 hours' notice and an opportunity to respond, except in cases involving verifiably illegal activity (e.g., CSAM, deliberate hacking attempts, criminal activity), where immediate termination without notice may apply to the extent permitted by Romanian law

Critical Violations include but are not limited to: illegal activity, deliberate data breach attempts, actions causing material harm to other customers, EU AI Act prohibited practices (Article 5), and material breaches of the third-party AI provider policies referenced in Section 3.6.

7.2 Investigation Process

Before taking action under Section 7.1, NorthStar will, where reasonably practicable:

• Notify you of the suspected violation
• Provide you with an opportunity to respond
• Allow corrective action where appropriate

We may proceed without prior notification if notification would compromise the investigation, is prohibited by law, or where immediate action is required to prevent imminent harm.

7.3 Appeals

If you disagree with a violation determination or enforcement action, you may submit an appeal to legal@ns-ai.io within 15 business days of the action. We will review the appeal within 10 business days of receipt and provide a written response.

7.4 Effect of Termination

Termination for AUP violation does not entitle you to a refund of pre-paid fees. NorthStar reserves all rights to pursue legal claims for damages caused by AUP violations, including violations of EU AI Act prohibited practices.

8. Contact for AUP Matters

• Report violations: abuse@ns-ai.io
• Security concerns: security@ns-ai.io
• General legal inquiries: legal@ns-ai.io
• Appeals: legal@ns-ai.io

9. Modifications to This AUP

NorthStar may update this AUP from time to time. For Customers under our standard Terms of Service:

• Minor updates (clarifications, typo fixes, regulatory alignment without substantive change): effective immediately upon publication at ns-ai.io/aup with notification provided through in-application notice
• Material updates (changes that materially restrict the Customer's use of the Platform): we will provide 30 days' prior notice before the updated AUP becomes effective. If you do not agree to material changes, you may terminate your subscription in accordance with the Terms of Service.

For Enterprise Customers under a Master Services Agreement (MSA), material changes to the AUP that materially restrict the Customer's use of the Platform shall require the Customer's prior written consent. Non-material updates may be made with 30 days' notice.

10. Relationship to Other Documents

This AUP is part of the legal agreement between you and NorthStar. The order of precedence in case of conflict is:

1. Master Services Agreement (where applicable) — for Enterprise Customers
2. Terms of Service
3. AI-specific restrictions in Section 4 of this AUP, which shall take precedence over conflicting provisions in the Terms of Service
4. Privacy Policy (for data protection matters)
5. Cookie Policy (for cookie-specific matters)