Acceptable Use Policy
Effective date: June 21, 2026
Last updated: June 21, 2026
This Acceptable Use Policy ("AUP") governs everyone who uses Droply ("Droply", "we", "us") to publish, host, deploy, or distribute any content, file, or site, and everyone who accesses our services through any account, API token, OAuth integration, browser extension, or other tool. It applies whether you publish through the dashboard, the public API, a third-party integration (such as ChatGPT, Zapier, the Chrome extension, or the VS Code extension), or any other means.
This AUP is part of, and incorporated into, our Terms of Service. Capitalized terms not defined here have the meaning given in the Terms. Copyright-specific procedures are governed by our DMCA & Copyright Policy, and our handling of personal data is described in our Privacy Policy. The current version of this AUP is also published in-app at droply.host/legal/acceptable-use. If there is a conflict between this AUP and the Terms on a use-of-service question, this AUP controls.
If you are not sure whether a use is permitted, do not proceed — contact us first at [email protected].
1. Why this policy is strict
Droply is a multi-tenant platform. Every customer site is served from shared edge infrastructure, and many sites share a single customer sites domain (droply.id), under which each site is published as <subdomain>.droply.id. Our dashboard, marketing, billing, and other brand functions live on a deliberately separate platform domain (droply.host). That shared model on the sites domain means abuse by one publisher can harm everyone else who publishes there:
- Phishing, malware, or spam hosted under the shared customer sites domain can cause that domain (or large ranges of it) to be flagged, blocklisted, or filtered by browsers, email providers, security vendors, and search engines. That damages the reputation and deliverability of every other customer's site on the sites domain, not just the abuser's.
- Resource abuse (oversized uploads, deploy floods, traffic floods) degrades performance and availability for other tenants who share the same edge and processing capacity.
- Illegal or harmful content exposes Droply and our other customers to legal, regulatory, and reputational risk.
To protect the platform, its users, and visitors to hosted sites, we enforce this policy firmly and, where necessary, immediately and without prior notice. We deliberately keep the platform/brand domain (droply.host) separate from the customer sites domain (droply.id) precisely so that a reputation hit on hosted content does not contaminate our brand domain — but that separation is not a license to abuse the shared sites domain, and it does not protect you from the consequences of abuse landing on the sites domain you share with other customers.
Because every published site is tied to an identified, signed-in account, and we do not allow anonymous publishing, you are accountable for everything published under your account, including by your team members and by any integration or token you authorize.
[ASSUMPTION: this AUP intentionally supersedes contradictory published wording. The currently published AUP (resources/views/legal/aup.blade.php) states it applies "including anonymous publishers," and the current Terms (terms.blade.php) reference "Free and anonymous sites." Those statements conflict with our no-anonymous-deploy policy (routes/web.php: publishing is behind auth). The published AUP, Terms, and this document MUST be reconciled to the no-anonymous-publishing stance before launch; this AUP states the controlling, corrected position.]
2. Who this applies to
This AUP applies to:
- the registered account owner;
- every team member, collaborator, or admin you invite, and anyone acting under your account;
- anyone using an API token, OAuth grant (e.g. ChatGPT), browser extension, or other credential issued to or authorized by your account; and
- the content, files, sites, deployments, forms, and custom domains published or operated through your account.
You are responsible for ensuring that everyone and everything operating under your account complies with this AUP. Sharing your account or credentials in violation of your plan, or to evade limits or enforcement, is itself a violation (see Section 5).
3. Prohibited content
You may not upload, host, deploy, link to, distribute, or otherwise make available through Droply any content that falls into the categories below. This list is illustrative, not exhaustive — we may treat other harmful or unlawful content the same way.
3.1 Phishing and credential harvesting
- Pages designed to impersonate any brand, login page, payment page, government service, or person in order to deceive visitors.
- Forms, scripts, or pages that capture passwords, payment details, one-time codes, or other credentials under false pretenses.
- Fake sign-in flows, spoofed checkout pages, or "verify your account" deception of any kind.
3.2 Malware and malicious code
- Viruses, worms, trojans, ransomware, spyware, keyloggers, rootkits, cryptominers, exploit kits, or any other malicious or unwanted software.
- Files or pages that drop, install, download, or stage such software, or that link or redirect to it.
- Code intended to attack, compromise, or take control of a visitor's device, browser, or accounts.
We may scan uploads for malware (for example, using an antivirus engine) and may reject, suspend, or take down deployments that we detect as malicious. Scanning is not guaranteed: it may be disabled, it may not detect every threat, and some files (for example, very large files) may be served without a full scan. The absence of a scan, or a clean scan result, is not a representation that content is safe, and it does not relieve you of responsibility for what you publish. Attempting to evade or defeat scanning, or uploading content engineered to slip past it, is a violation in itself (see Section 5).
3.3 Child sexual abuse material (CSAM) and content sexualizing minors
- Any child sexual abuse material, or any sexual or sexually suggestive content involving, depicting, or appearing to depict a minor, is absolutely prohibited.
- This is a zero-tolerance category. We act immediately, we will preserve relevant data, and we will report to the National Center for Missing & Exploited Children (NCMEC) and/or other competent authorities and cooperate with law enforcement as required by law. [ASSUMPTION: reporting to NCMEC as a U.S.-based provider; confirm the reporting body for the chosen hosting/operating jurisdiction.]
3.4 Illegal content, incitement, and violent extremism
- Content that is illegal under applicable law.
- Content that incites, promotes, facilitates, or provides instructions for violence, terrorism, or serious physical harm.
- Content that promotes or supports terrorist or violent extremist organizations or activities.
3.5 Intellectual-property infringement
- Content that infringes the copyright, trademark, patent, trade-secret, publicity, or other intellectual-property or proprietary rights of any third party.
- Copyright complaints are handled under our DMCA & Copyright Policy. Our designated agent for copyright notices is reachable at [email protected]. Repeat infringers will have their accounts terminated.
3.6 Spam, deceptive redirects, and search/link manipulation
- Unsolicited bulk messaging, or pages built to support spam campaigns.
- Cloaking, deceptive redirects, doorway/gateway pages, or content that shows one thing to visitors and another to crawlers.
- Link schemes, private blog networks, or other manipulation of search-engine rankings or referral systems hosted on or routed through Droply.
3.7 Fraud, scams, and crypto abuse
- Cryptocurrency "drainers," wallet-draining scripts, fake airdrops, fake token sales, and similar schemes.
- Investment scams, advance-fee fraud, pyramid or Ponzi schemes, fake giveaways, and "get rich quick" deception.
- Fake or fraudulent storefronts, counterfeit-goods sales, and pages designed to take money or data without delivering what is promised.
3.8 Non-consensual, harassing, threatening, or doxxing content
- Non-consensual intimate imagery, or any sexual content involving a non-consenting person.
- Content that harasses, bullies, threatens, or intimidates any person.
- Doxxing — publishing another person's private or identifying information (home address, government IDs, financial details, etc.) without authorization.
3.9 Regulated-goods fraud and unlawful sales
- Fraudulent or unlawful sale or promotion of regulated goods or services, including controlled substances, prescription drugs, weapons, or other items whose sale is restricted under applicable law.
3.10 Sexual content generally
We do not host a general adult-content service. [TO CONFIRM: whether lawful adult content (clearly age-restricted, fully consensual, no minors) is permitted, restricted, or prohibited platform-wide. Industry default for a shared-domain static host is to prohibit pornographic content to protect domain reputation.] Sexual content involving minors and non-consensual content are prohibited without exception under Sections 3.3 and 3.8.
4. You are responsible for your visitors' data
If you enable email/lead capture forms on your site, you are responsible for collecting any required consent from your visitors, for posting your own privacy notice, and for handling the data you collect lawfully (including under the GDPR/UK GDPR and CCPA/CPRA where applicable). Droply stores those submissions on your behalf so you can view and export them; you must not use Droply forms to collect data deceptively, to harvest credentials, or in violation of any law or this AUP. See our Privacy Policy for the respective roles of Droply and the site owner, and for where data is processed (see Section 11).
No private hosting / content is public at the edge. Hosted content is served directly from our edge to anyone with the URL. Droply does not currently provide a security or privacy boundary on hosted content — password protection and similar gating are not active on production-served sites. Do not publish anything to Droply that you need to keep confidential or restrict to specific viewers, and do not rely on obscurity of a URL to protect sensitive data.
5. Prohibited conduct and technical abuse
Regardless of the content involved, you may not:
5.1 Bypass limits, gates, or security controls
- Circumvent or attempt to circumvent plan limits, feature gates, entitlement checks, quotas, or the custom-domain TLS authorization ("ask") gate.
- Probe, scan, or test the vulnerability of the platform or its infrastructure, or breach or attempt to breach any security or authentication measure, without our prior written authorization.
- Interfere with, disable, or attempt to defeat malware scanning, upload validation, or extraction guards.
5.2 Abuse uploads and extraction
- Upload "zip bombs," decompression bombs, or archives crafted to exhaust extraction or storage limits (e.g. excessive file counts, oversized members, or abusive compression ratios).
- Attempt path traversal, symlink tricks, or other manipulation of the extraction or storage pipeline.
- Upload files in a format or manner designed to defeat our scanning or size/format controls.
5.3 Misuse Droply as infrastructure for abuse
- Operate Droply as an open proxy, an open relay, an anonymizer, or a content-delivery network for content hosted elsewhere for the purpose of abuse.
- Use Droply primarily as an unrelated file-drop, bulk file locker, or backup/distribution service that is not a hosted static site or file as intended by the service.
- Hotlink or route abusive traffic through Droply to launder its origin.
5.4 Attack third parties
- Use Droply to launch, facilitate, or participate in denial-of-service attacks, intrusion attempts, scraping at abusive scale, or any other attack on, or unauthorized access to, any third party or their systems, networks, or data.
5.5 Abuse email and harm deliverability
- Use hosted pages, forms, or scripts to send, relay, or trigger unsolicited bulk or commercial email, or to support any email spam campaign.
- Host content (such as spam landing pages, phishing pages, or scam targets) that is likely to get the shared customer sites domain reported, blocklisted, or filtered by mailbox providers or anti-spam services, thereby harming the email deliverability of that domain for other customers.
- Configure or use forms in a way designed to harvest email addresses for unsolicited messaging.
5.6 Evade limits or takedowns through mass or automated creation
- Create accounts, sites, or deployments en masse (manually or via automation) to evade plan limits, usage caps, suspensions, bans, or takedowns.
- Re-publish or re-create content that we have removed or suspended, or register new accounts to bypass enforcement against a prior account.
5.7 Violate plan terms
- Resell, sublicense, time-share, or share access to the service in violation of your plan or the Terms.
- Use a single account or plan to provide service to multiple unrelated end customers in a way your plan does not permit.
5.8 Respect API and rate limits
- Exceed, evade, or attempt to defeat API rate limits or any other rate limit or throttle we apply.
- Keep your API tokens and OAuth grants confidential; you are responsible for all activity under them. Treat tokens as full account credentials and revoke any that are compromised.
6. Resource and fair use
Droply enforces metered, plan-based usage limits to keep the platform fair and available for all tenants. These limits are defined by your plan (see the Terms and the pricing page); they include, at minimum:
- Monthly visit caps and bandwidth caps, measured account-wide across all of your sites against your billing cycle. If your account exceeds either the visit cap or the bandwidth cap, your sites are flipped to an "over-limit" placeholder page and your live content is temporarily unavailable until usage falls back under the cap (e.g. at the next billing cycle) or you upgrade to a higher plan. Over-limit is a service-availability state, not a punitive suspension, and your content is not deleted.
- Per-deployment upload size limits, supported file formats, and ZIP extraction limits (maximum file count, total extracted size, per-file size, and compression ratio).
- Concurrent in-flight deployment caps per account, to prevent any one account from starving shared processing capacity.
- Anti-abuse traffic counting. To prevent a malicious actor from flooding a victim's site to drive it over its quota, we may cap how many visits a single source IP contributes to a given site's count per day; beyond that cap an IP's page views still serve but stop counting toward the visit cap. This control is operator-configurable and may be adjusted or disabled. Bandwidth is always counted as real bytes served.
You must not artificially inflate, deflate, or manipulate usage metering, and you must not deliberately consume resources to harm other tenants or the platform.
7. Enforcement
7.1 How we detect violations
We enforce this AUP through a combination of: malware scanning of uploads (where enabled); upload-format and extraction guards; rate limiting and quota enforcement; reserved-name and anti-abuse controls; and review of abuse reports submitted by the public, by other users, by rights holders, and by authorities.
7.2 What we may do
When we determine, in our reasonable judgment, that this AUP (or the Terms or DMCA Policy) has been or is likely to be violated, we may take any one or more of the following actions, with or without prior notice, and in any order:
- Reject a deployment at scan or validation time, so the content never goes live.
- Suspend a site, which redirects it to a suspension notice page and disables its custom domains and their TLS authorization. Suspension stops the content from being served without deleting the underlying files.
- Apply over-limit serving where usage caps are exceeded (Section 6).
- Remove, disable, or restrict access to specific content or features.
- Suspend or disable an account, immediately revoking access to the dashboard and the API across all sessions, devices, and tokens.
- Permanently ban an account.
- Refuse, reclaim, or block subdomains, custom domains, or other identifiers.
7.3 Enforcement ladder
Our typical response scales with the severity and recurrence of the violation:
- Notice and/or content/site suspension for first or lower-severity issues, where appropriate.
- Account suspension for serious, repeated, or unresolved issues.
- Permanent ban and termination for repeat violations or for severe violations.
For the most serious categories — including phishing, malware, CSAM, content sexualizing minors, violent-extremist/terrorist content, and other content posing imminent harm — we will skip the ladder and act immediately, typically by suspending the site and/or account without prior notice. CSAM and content sexualizing minors result in immediate removal and account termination with no warning.
We may act on the entire site or account even where only part of the content violates this policy, and we may keep enforcement in place until we are satisfied the violation is resolved.
7.4 Repeat violations
Accounts that repeatedly violate this AUP, or that are used to evade prior enforcement, will be permanently terminated. Copyright repeat-infringer termination is handled under the DMCA & Copyright Policy. [TO CONFIRM: the specific repeat-infringer threshold/ladder (e.g. number and timeframe of substantiated complaints before permanent termination); current enforcement is exercised case-by-case at our discretion.]
7.5 No obligation to monitor; right to act
We are not obligated to pre-screen or monitor content, and we do not do so as a matter of course. We do, however, reserve the right to investigate and act on any content or conduct that may violate this AUP. The absence of action on a particular item is not a waiver of our right to act later.
7.6 Preservation, law enforcement, and legal process
Because every site has an identified owner, we can attribute hosted content to an account. We may preserve data, disclose information, and cooperate with law enforcement, regulators, and other authorities, and respond to valid legal process, as permitted or required by applicable law. For severe abuse (especially CSAM) we will proactively report and preserve relevant records. How we handle personal data, including retention and where it is processed, is described in our Privacy Policy.
7.7 Effect of suspension or termination
Suspension makes your content unavailable; termination may result in deletion of your sites, deployments, and associated data, subject to the retention practices in our Privacy Policy and any records we must keep for legal, security, or compliance reasons. [ASSUMPTION: fees paid are non-refundable on enforcement-related termination. NOTE: this is a prerequisite, not merely a value to confirm — the current Terms (terms.blade.php) contain NO refund policy at all, so the prior cross-reference to "the refund terms in the Terms of Service" points at nothing. A refund policy (including the treatment of fees on AUP-related termination) MUST be added to the Terms, and this clause reconciled to it, before launch.]
7.8 Appeals
If you believe enforcement was a mistake (for example, a false-positive takedown), you may contact us at [email protected] to request review. [TO CONFIRM: formal appeals workflow and target response time; currently restoration is handled by staff on a case-by-case basis.]
8. How to report abuse
To report content or conduct that you believe violates this AUP:
- Use our public abuse report form at droply.host/abuse; or
- Email us at [email protected].
Please include the full URL of the offending site or page, the type of abuse (e.g. phishing, malware, copyright, illegal, other), and any details that help us investigate. You may report without an account, but providing your own contact details helps us follow up if we need more information. Abuse reports may be rate-limited to prevent misuse of the reporting channel.
- Copyright/DMCA complaints should be submitted under our DMCA & Copyright Policy. Our designated agent for copyright notices is reachable at [email protected].
- Privacy and data-protection requests should be directed to [email protected] (see our Privacy Policy).
- Security vulnerabilities in the Droply platform. [ASSUMPTION: NEW address to be created — no security-reporting channel currently exists. Before this clause is published, establish a real channel (e.g. [email protected] plus a coordinated-disclosure policy, and optionally a /.well-known/security.txt) and reference that exact address here. Do not publish this clause asserting a reporting path until the address exists.] When a channel exists: do not test against live customer sites or attempt to access data that is not yours.
We review reports and act at our discretion. We may not provide individualized updates on the outcome of every report.
All of the contact points above currently route to a single mailbox, [email protected], on our platform domain. We may introduce dedicated per-function addresses (for example, a separate copyright or security address) in the future; if we do, we will update this policy.
9. Sanctions, export control, and geographic eligibility
You may not use Droply, and may not publish, host, or distribute content through Droply, in violation of applicable sanctions, export-control, or trade laws. In particular, you represent and warrant that:
- you are not located in, ordinarily resident in, or organized under the laws of any country or territory subject to comprehensive sanctions or embargo;
- you are not identified on any applicable government list of prohibited or restricted parties (including, without limitation, U.S. OFAC sanctions lists), and are not owned or controlled by, or acting on behalf of, any such party; and
- you will not use the service for any purpose prohibited by applicable export-control or sanctions laws, including providing the service or hosted content to a prohibited party or embargoed destination.
We may block, suspend, or terminate access where we reasonably believe use would violate these laws. [ASSUMPTION: U.S./OFAC sanctions framework applies based on a U.S. operating posture; confirm the controlling sanctions/export regime once the operating entity and hosting jurisdiction are fixed. This clause is currently absent from all live legal docs and must be reconciled across the AUP and Terms.]
10. Relationship to other policies
This AUP supplements and is incorporated into the Terms of Service. It works together with the DMCA & Copyright Policy (which governs copyright notices and counter-notices) and the Privacy Policy (which governs personal data, retention, and your data-protection rights). In the event of a conflict regarding acceptable use of the service, this AUP controls; on all other matters, the Terms control.
11. Where your data is processed
Hosted content, uploads, account data, and visitor/form submissions are processed using third-party infrastructure and service providers (for example, cloud hosting/object storage, payment processing, and AI/automation providers), which may store or process data in jurisdictions different from yours. The specific processing locations, subprocessors, and your data-protection rights are described in our Privacy Policy. [TO CONFIRM: the Privacy Policy must include (a) the hosting/data region(s) for the control plane, edge, and object storage once chosen, and (b) a subprocessor list covering payment and AI providers; this AUP defers to that section, which must actually exist before publication.]
12. Changes to this policy
We may update this AUP from time to time to reflect changes in our service, the law, or the threat landscape. Material changes will be reflected in the "Last updated" date above and, where required, communicated as set out in the Terms. Continued use of the service after an update constitutes acceptance of the revised AUP. [TO CONFIRM: notice period and method for material AUP changes — industry default 30 days for material changes.]
Assumptions & items to confirm
- Legal entity, governing law, and venue (HARD PREREQUISITE): the operating entity's legal name, registered address, governing law, and dispute venue must be named in the Terms of Service — and, where relevant, referenced here. NOTE: the current Terms (terms.blade.php) omit all of this; it is missing platform-wide and must be added before launch, not merely "confirmed." [ASSUMPTION/PREREQUISITE]
- Refund policy (HARD PREREQUISITE): the Terms currently contain no refund policy at all, so this AUP's treatment of fees on enforcement termination (Section 7.7) cross-references nothing. A refund policy must be added to the Terms and reconciled with Section 7.7. [ASSUMPTION: non-refundable on AUP-related termination]
- Sanctions/export-control regime (Section 9): absent from all live docs; assumed U.S./OFAC pending the operating entity and hosting jurisdiction. [ASSUMPTION/PREREQUISITE]
- Security-reporting channel (Section 8): no dedicated security-reporting address or coordinated-disclosure policy exists yet; until one is established, security reports route to [email protected]. Standing up a formal channel (and optionally a /.well-known/security.txt) is a launch prerequisite. [ASSUMPTION/PREREQUISITE]
- Anonymous-publishing reconciliation (Section 1): the published AUP ("anonymous publishers") and Terms ("anonymous sites") contradict the no-anonymous-deploy policy and must be corrected to match this document. [ASSUMPTION/PREREQUISITE]
- Password protection is NOT a security boundary (Section 4): hosted content is public at the edge; password protection is off in production until the edge gate ships. No private-hosting capability may be implied until then.
- Data-residency / subprocessors (Section 11): the Privacy Policy must state hosting region(s) and a subprocessor list (payment, AI); this AUP defers to that section, which must exist. [TO CONFIRM]
- Hosting/data region: the jurisdiction(s) where data is stored (control plane, edge, object storage) affects which authorities we report to and cooperate with. [TO CONFIRM]
- CSAM reporting body: assumed NCMEC (U.S.); confirm based on operating/hosting jurisdiction. [ASSUMPTION]
- Lawful adult content: whether permitted, restricted, or prohibited platform-wide (Section 3.10). [TO CONFIRM]
- Repeat-infringer / repeat-violation threshold: the specific number/timeframe that triggers each enforcement step (Section 7.4). [TO CONFIRM]
- Appeals workflow and response times (Section 7.8). [TO CONFIRM]
- AUP change-notice period (Section 12). [TO CONFIRM: default 30 days]
- Contact addresses: all functions — general, abuse (form: droply.host/abuse), copyright/DMCA agent, privacy, and security — currently route to the single address [email protected]. [TO CONFIRM: whether to provision dedicated per-function mailboxes before launch.]
Note: This document is a draft prepared for internal use and is not legal advice. Have a qualified attorney review and adapt it for your jurisdiction, business, and risk profile before publishing or relying on it.