This Acceptable Use Policy sets out what you may and may not do when you use any service provided by Oleksandr Koniev Strataforge (Jednoosobowa działalność gospodarcza), a sole proprietorship registered in CEIDG in Poland with its place of business in Warsaw (referred to here as "Strataforge", "we", or "us"). It covers our marketing site, the Strataforge Academy courses, the client platform, our APIs, and any AI features we make available, whether free or paid (together, the "Services").

This policy works alongside our Terms of Service and Disclaimer. Where this policy is more specific about prohibited conduct, it governs. Using the Services means you agree to follow these rules.

1. Who and what this covers

This policy applies to everyone who uses the Services: registered account holders, visitors using public features without an account, and anyone integrating with us through an API or automated client. It applies to all content, data, messages, and activity you create, upload, transmit, or generate through the Services, from any country you access us from.

Automated access (bots, crawlers) is permitted only where it follows our published rules, including any robots.txt file and the applicable API terms.

2. The core rule

You may use the Services only for lawful purposes and in line with this policy and our Terms of Service. You may not use the Services to provide unlawful content. This reflects a mandatory requirement of Polish law for online services under art. 8 of the Act on the Provision of Electronic Services (UŚUDE).

If a public authority or a credible report tells us your content breaks the law, we will disable access to it without delay. Polish and EU law require this.

We act on an official notice from a competent authority, or on a sufficiently substantiated report, under art. 14 UŚUDE and art. 16 of the Digital Services Act (Regulation (EU) 2022/2065).

3. Illegal and harmful content

You may not use the Services for anything prohibited by Polish law, EU law, or the law that applies to you. The list below is not exhaustive. Anything that breaks the law or the core rule in section 2 is prohibited even if it is not named here.

• Content involving the sexual exploitation of minors. We operate a zero-tolerance rule on content covered by art. 202 of the Penal Code. Any detected violation results in immediate account blocking, preservation of evidence, and notification of law enforcement and the relevant Polish authorities.
• Terrorist content, including incitement to or facilitation or financing of terrorist offences.
• Offering, selling, advertising, or facilitating access to narcotic drugs, psychotropic substances, or new psychoactive substances.
• Fraud, including phishing, account-takeover scams, business email compromise, investment scams, and pyramid or Ponzi schemes (art. 286 and art. 287 of the Penal Code).
• Defamation, insult, criminal threats, persistent harassment or stalking, and incitement to hatred on national, ethnic, racial, religious, or similar grounds.
• Content that infringes the personal rights of others under art. 23-24 of the Civil Code (such as honour, image, privacy of correspondence, or reputation).

4. Intellectual property

You may not use the Services to infringe anyone's intellectual property rights. Do not upload, store, share, or make available works you do not have the right to use.

• Copyright-protected works (video, music, code, articles, images, designs) without the rightsholder's permission.
• Trademarks, service marks, geographical indications, or trade names used in a way likely to mislead about the origin of goods or services.
• Third-party trade secrets and confidential business information.
• Performances, recordings, and other related rights used without authorisation.

You also may not reverse engineer, decompile, or extract protected components of the Services beyond what the law expressly permits, attempt to recover AI model parameters or API keys, or remove watermarks, authorship metadata, or origin markers from content the Services generate. The narrow decompilation that copyright law expressly allows for interoperability remains permitted within its statutory limits.

5. Privacy and security abuse

You may not use the Services to harm the privacy of others or the security of the platform. Probing, attacking, or abusing our systems or other users is prohibited.

• Doxxing: publishing someone's personal data to harm, intimidate, or expose them.
• Unauthorised scraping or mass collection of users' personal data without a lawful basis.
• Trying to access another user's account (credential stuffing, brute force, social engineering) or intercepting others' communications (art. 267 of the Penal Code).
• Creating or distributing non-consensual deepfakes of real people.
• DDoS or DoS attacks, distributing malware, or exploiting vulnerabilities for unauthorised access, privilege escalation, or data exfiltration.
• Producing or supplying tools, passwords, or access codes designed to commit computer offences (art. 269b of the Penal Code). Good-faith security research aimed at securing a system is treated separately, in line with the security-research carve-out in that provision.
• Port scanning, fingerprinting, network mapping, or similar reconnaissance against our infrastructure without our written consent.

We support coordinated, good-faith security research. If you contact us in advance in writing at alex@strataforge.co, stay within the scope you describe, do not access, modify, exfiltrate, or destroy data that is not your own, do not degrade the Services or other users, and give us a reasonable time to remediate before any disclosure, we will treat that research as authorised testing and will not pursue action against it. This route reflects the security-research carve-out under art. 269b of the Penal Code.

6. Service abuse and unauthorised resale

You may not abuse the Services or resell them outside the terms you agreed to.

• Circumventing rate limits or quotas by manipulating headers, rotating IP addresses, or using multiple accounts.
• Creating fake, fictitious, or automatically generated accounts to manipulate metrics or evade limits.
• Mass extraction of content (scraping) in a way that ignores our robots.txt, the API terms, or these rules.
• Reselling Services to third parties outside your plan, including pass-through resale of API access without a partner agreement with us.
• Using the Services for workloads far beyond their intended purpose, such as cryptocurrency mining on SaaS resources or training AI models on an API not designed for it.

7. Spam and unsolicited messaging

You may not use the Services to send, organise, or facilitate unsolicited messages. Outbound messaging must comply with the law that applies to your recipients.

• Poland and the EU: you may not use automatic calling systems or electronic communications terminal equipment, including email and other interpersonal communications services, to send commercial information, including direct marketing, without the recipient's prior consent (art. 398 of the Electronic Communications Law (PKE)). This applies whether the recipient is a private individual or a business. That consent must meet the data-protection standard applied through art. 400 PKE and art. 4(11) and art. 7 GDPR: freely given, specific, informed, unambiguous, and obtained before you send. Any commercial information you do send must be clearly identifiable as such and identify the sender on whose behalf it goes out (art. 9 UŚUDE).
• United States: commercial email to US recipients must not use false or misleading headers or deceptive subject lines, must offer a working opt-out honoured within 10 business days, and must identify itself as an advertisement with a valid postal address (15 U.S.C. 7704(a)).
• Canada: a commercial electronic message to a Canadian recipient requires consent and clear sender identification (CASL, sec. 6), and a clearly set-out, easily used unsubscribe mechanism with contact information valid for at least 60 days, with unsubscribe requests honoured without delay and no later than 10 business days (CASL, sec. 11(1)-(3)).

8. Misuse of AI features

Our AI features are for creating lawful content. The following are prohibited:

• Prompt injection or jailbreaking aimed at bypassing the model's system instructions, safety, or legal safeguards.
• Generating content that would be prohibited elsewhere in this policy, including child sexual abuse material, instructions for weapons of mass destruction, narcotics synthesis or malware, non-consensual deepfakes, or impersonation.
• Using outputs from our models to train a competing model in breach of the API terms.
• Using our AI outputs to make decisions about a person that produce legal or similarly significant effects, where that would breach art. 22 GDPR on automated decision-making.
• Removing, altering, or otherwise defeating any machine-readable marking that identifies content as artificially generated or manipulated, or presenting AI-generated output as human-made or as a genuine recording of real persons or events where you are required to disclose its artificial origin. These transparency and marking duties follow art. 50 of the EU AI Act (Regulation (EU) 2024/1689), whose obligations apply from 2 August 2026.

9. Enforcement, suspension, and termination

We apply proportionality and, for low or medium severity issues, give notice and a chance to fix the problem before acting. When we investigate a suspected violation, we register the report, review it, collect the technical evidence we need, and document the process.

For lower-severity issues we will normally tell you which rule was broken and give you at least 7 days to respond or cure it before applying a sanction. Depending on severity and whether it recurs, we may issue a warning, restrict specific features, suspend the account for a fixed period (up to 30 days), or permanently terminate the agreement and block the account. Where we find conduct that may be a criminal offence, we may refer the matter to the competent authorities and, where a personal-data breach is involved, notify the supervisory authority under art. 33-34 GDPR.

Where we become aware of information that gives rise to a suspicion that a criminal offence involving a threat to the life or safety of one or more people has taken place, is taking place, or is likely to take place, we will promptly inform the competent law enforcement or judicial authorities and provide the relevant information available, as required by art. 18 of the DSA.

When we restrict you because of content you provided, we give you a clear statement of reasons, in line with art. 17 of the DSA where it applies to us. This statement covers the restriction imposed and its scope, including any duration and territorial reach, the facts and circumstances we relied on, whether a notice under art. 16 or our own-initiative review triggered the action, whether automated means were used in detection or decision-making, the legal ground or the contractual ground (the specific rule of this policy) we relied on, and the redress available to you, including the appeal below and any out-of-court dispute settlement.

We may act immediately, without prior notice, where the violation involves content covered by section 3 (child sexual exploitation), poses a critical security threat, is the subject of an urgent official notice, requires immediate blocking to keep us within the safe harbour of art. 14 UŚUDE, or is so serious that even brief continuation could cause disproportionate harm.

If we apply a sanction and you believe it was wrong, you may appeal in writing within 14 days of being notified. We will review your appeal and respond, with reasons, within 30 days. Where these rights apply to us as an online platform, you may also use our internal complaint-handling system under art. 20 of the DSA and refer the dispute to a certified out-of-court dispute settlement body under art. 21 of the DSA. You keep any right to out-of-court dispute resolution and to pursue claims in court.

10. Reporting abuse

If you see content or activity on the Services that breaks this policy or the law, report it to us at alex@strataforge.co or through any structured electronic reporting form we make available. A report is most useful, and qualifies as a notice under art. 16 of the DSA, when it contains the elements below. These elements help us assess the report; only the explanation and the location are essential.

• A clear, substantiated explanation of why you believe the content or activity is unlawful or breaches this policy.
• The exact location of the content (a URL, resource identifier, message ID, or timestamp).
• The specific law or section of this policy you believe was broken, if known.
• Your name and email address, so we can acknowledge and follow up. This is optional, and reports concerning the sexual exploitation of minors may be made anonymously.
• A statement that, in good faith, you believe the information in your report is accurate and complete.

Where your report includes contact details, we will acknowledge it, handle it in a timely, diligent, non-arbitrary and objective way, and tell you the outcome with reasons and the available means of redress. Where these obligations apply to us as an online platform, we give priority to reports from trusted flaggers under art. 22 of the DSA and may suspend handling reports from anyone who repeatedly submits manifestly unfounded ones under art. 23 of the DSA.

11. Cooperation with authorities

We cooperate with competent law enforcement, supervisory bodies, and courts to the extent the law requires. Where we disclose personal data in response to a lawful request, we rely on art. 6(1)(c) GDPR (processing necessary to comply with a legal obligation), verify the requesting authority and the legal basis, and disclose only what the request covers.

When we receive an order to act against illegal content or an order to provide information from a competent national authority, we handle it under art. 9 and art. 10 of the DSA where they apply to us. We check that the order contains the required elements (including a statement of reasons and the legal basis), acknowledge receipt and give it effect without undue delay, inform the issuing authority of the effect given and when, and inform the affected user of the order and the redress available, unless the order or the law requires us to delay or withhold that information. We log how we responded.

We do not treat a court judgment or authority decision from a country outside the EU as, by itself, a basis to transfer data; such requests are handled through proper legal-assistance channels and the safeguards of EU data-protection law. Where the law allows, we inform a user whose data we have disclosed.

12. Changes and related documents

We may update this policy. We will notify you of changes through your account, by email, or on this page, with at least 14 days' notice before they take effect. If you are a consumer or a one-person business and you do not accept a change, you may reject it and terminate the agreement before the change takes effect, at no cost; rights and obligations that arose before the change took effect are not affected. If you keep using the Services after the change takes effect, that means you accept the updated policy.

This policy should be read together with our Terms of Service, Privacy Policy, and Disclaimer. It is governed by Polish law, without prejudice to the mandatory consumer protections that apply where you live.