Acceptable Use Policy

Status: Version 1.1 effective 2026-05-14. These revisions are an internal editorial pass intended to make the document complete and accurate. The text remains under outside-counsel review. Material legal positions (entity definition, liability cap carve-outs, AI Article 22 disclosures, Transfer Impact Assessment) are flagged for counsel and may change before final publication.

You may not use the Service to distribute malware or any malicious code; attack, probe, or scan any network, system, or service; commit fraud or facilitate any illegal activity; host or transmit child sexual abuse material; host or transmit content that violates applicable law; or engage in any activity that materially degrades the Service for other users.

You may not use the Service to send high-volume unsolicited email, mass-scrape third-party sites, or circumvent rate limits, abuse controls, or security mechanisms.

You may not use the Service to circumvent trade sanctions, export controls, or any applicable legal restriction on access to technology.

You may not impersonate another person or entity, or misrepresent your affiliation with a person or entity.

You may not reverse engineer, decompile, disassemble, or attempt to derive the source code of the Service or any component, except to the extent that this restriction is expressly prohibited by applicable law (for example, certain interoperability rights under EU Directive 2009/24/EC).

You may not scrape, crawl, or harvest data from the QEHS marketing site, product application, or APIs by automated means except through the documented public APIs in accordance with their published rate limits.

You may not use the Service to train or fine-tune any machine-learning model that is not part of your own use of the Service, including without limitation any third-party large language model, except with QEHS's prior written consent.

Good-faith security research conducted under a published responsible-disclosure policy is permitted and is not a violation of this AUP. Researchers must: avoid accessing, modifying, or destroying any data other than test data they own; not exfiltrate or disclose any data they incidentally access; report findings privately to security@qehsethos.com; and give QEHS reasonable time to remediate before public disclosure.

QEHS commits to not pursuing legal action against researchers acting in good faith under this carve-out. Our published responsible-disclosure policy (forthcoming at qehsethos.com/security) governs scope and rewards.

Each user account is for one named individual. You may not share login credentials. If multiple individuals need access, create separate accounts within your tenant.

Customer is responsible for promptly disabling accounts of users who leave the organisation or who no longer require access.

Public APIs are subject to the rate limits documented in the developer portal. Automated account creation is prohibited. Bot traffic that does not comply with robots.txt or the developer-portal terms is prohibited.

For emergencies — active attack, ongoing harm, child sexual abuse material, or a violation creating immediate risk to QEHS or other customers — QEHS may throttle, suspend, or terminate access without prior notice.

For non-emergency violations, QEHS will give written notice describing the violation and a 15-day period to cure. If the violation is not cured within 15 days, QEHS may throttle, suspend, or terminate access. Where the violation has been cured, QEHS will restore access without delay.

Customer may appeal a suspension or termination by writing to legal@qehsethos.com. QEHS will respond within 10 business days.

To report abuse of the Service by another user or tenant, email abuse@qehsethos.com with evidence. We acknowledge within 2 business days and investigate.

To report a security vulnerability, email security@qehsethos.com (responsible-disclosure scope applies — see the security research carve-out).