Acceptable Use Policy

Effective April 27, 2026 Last updated May 16, 2026 Version 1.0

This Acceptable Use Policy (“AUP”) describes the things you may not do on or with Nova8. It is part of our Terms of Service; if you violate it, we may suspend or terminate your account, remove offending content, refund nothing, and report unlawful behaviour to the appropriate authorities.

1. Don’t use Nova8 to break the law

Don’t use the Services to do anything that violates an applicable law. Examples include — but are not limited to — fraud, identity theft, money laundering, sanctions-evasion, the unauthorised practice of a regulated profession, the sale of controlled substances, the sale of firearms or ammunition where prohibited, the sale of counterfeit goods, gambling without the required licence, securities fraud, and any conduct that would expose us to criminal or civil liability for hosting it.

1.1 Sanctions and embargoed regions

You may not access or use the Services from, or on behalf of any person ordinarily resident in, a country or region subject to comprehensive US sanctions (currently Cuba, Iran, North Korea, Syria, and the Crimea, so-called Donetsk People’s Republic, and so-called Luhansk People’s Republic regions of Ukraine). You may not use the Services if you are listed on the US Treasury OFAC Specially Designated Nationals List, the Commerce Department’s Denied Persons List, or any equivalent UN, EU, or UK restricted-party list. You may not use the Services to design, develop, produce, or proliferate weapons of mass destruction (nuclear, chemical, biological) or their delivery systems, or to support any sanctioned end-use.

2. Don’t hurt other people

Don’t use Nova8 to:

• Build apps or generate content that sexually exploits, abuses, or endangers a child — including any content that depicts a minor in a sexualised context, even if AI-generated. We have zero tolerance for this category; reports to the National Center for Missing & Exploited Children (NCMEC) and law-enforcement are mandatory.
• Harass, threaten, dox, or stalk any person.
• Promote violence against, or incite hatred toward, any group based on race, ethnicity, national origin, religion, disability, gender, sexual orientation, gender identity, age, or veteran status.
• Generate non-consensual intimate imagery, including AI-generated nude or sexual depictions of identifiable real people.
• Build apps that engage in deceptive impersonation of real people, brands, or government officials.
• Deceive users into sharing credentials, payments, or sensitive data through phishing, spoofing, or pretexting.

3. Don’t attack the platform

Don’t do anything that interferes with the integrity, availability, or security of Nova8 or any other user. Specifically, you may not:

• Probe, scan, or test the vulnerability of any system or network without our prior written authorisation. We welcome responsible security research at [email protected] — see our security-research safe harbor in Section 3.1.
• Bypass, disable, or interfere with rate limits, authentication, billing, sandbox isolation, or any other technical control.
• Attempt to extract, reverse-engineer, or replicate the platform’s proprietary prompts, model selection, or pipeline configuration via prompt injection, output exfiltration, or any other means.
• Use automated tools, scripts, or agents to send traffic to the Services in a way that exceeds reasonable individual use, except via documented APIs and within their published limits.
• Run distributed-denial-of-service attacks, send spam, or abuse our build sandboxes for cryptocurrency mining, password cracking, link-shortening for phishing, or any unrelated workload.

3.1 Security-research safe harbor

Nova8 considers good-faith security research to be authorised conduct. If you find a vulnerability and follow the rules below, we will not pursue claims against you under the US Computer Fraud and Abuse Act (CFAA), the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA § 1201), the equivalent provisions of any other jurisdiction, our Terms of Service, or this AUP, and we will treat your access as authorised for the purposes of those laws.

To qualify for the safe harbor, your research must:

• be conducted only against accounts you own or have explicit written permission to test — never against another customer’s data, projects, or end users;
• avoid disrupting or degrading the Services for other users (no DDoS, no brute force, no destructive payloads, no unnecessary load);
• access only the minimum data needed to demonstrate the issue, never exfiltrate, retain, or share third-party personal data, and delete any such data you may have incidentally accessed as soon as the issue is reported;
• not publicly disclose the vulnerability before we have had a reasonable time to remediate it (we aim for an initial response within 5 business days and to fix critical issues within 30 days, but we will agree a coordinated-disclosure timeline with you in writing); and
• be reported to [email protected] with the subject line Security Report and a clear, reproducible description.

If, in our reasonable judgement, your activity stops being good-faith research and becomes an attack — for example, you keep accessing the system after we’ve asked you to stop, or you go after another customer’s data — this safe harbor no longer applies to that activity. We do not currently operate a paid bug-bounty programme, but we will publicly credit researchers who ask for it.

4. Don’t infringe other people’s rights

Don’t upload, generate, or distribute content that infringes anyone’s intellectual-property rights, privacy rights, or rights of publicity. If you are not sure you have the rights to a piece of content, do not put it through the Services. We respond to valid DMCA takedown notices — see Section 8 below.

5. Don’t mishandle other people’s data

If your generated app collects personal information from end users, you are the data controller for that information. You must publish an accurate privacy policy (we generate a baseline one for you at /privacy/<projectId>; you remain responsible for keeping it accurate as you change the app), obtain any consents required in your users’ jurisdictions, and handle deletion and access requests in accordance with applicable law. Do not collect more personal data than your app actually needs.

6. Don’t use the AI in prohibited ways

The Services include AI code generation. You may not use it to:

• Generate malware, ransomware, spyware, key-loggers, credential-stealers, botnet command-and-control, or any other code intended to compromise systems or data without authorisation.
• Generate content that violates Section 2 above, regardless of whether you intend to publish it.
• Make consequential decisions about credit, employment, housing, education, insurance, healthcare, criminal justice, immigration, or essential public services without meaningful human review and any disclosures, audits, or impact assessments your jurisdiction requires.
• Misrepresent AI-generated output as the output of a real human in a context where the difference matters (for example, a regulated medical, legal, or financial consultation).

6.1 High-risk and life-safety applications

Nova8 is a general-purpose mobile-app development platform. It is not designed, validated, or certified for use as a component of a system on which human life or physical safety depends. You may not use the Services, and you may not ship apps built with the Services, into the following high-risk categories:

• Medical diagnosis, medical treatment recommendation, or any function regulated as a medical device by the FDA, EMA, MHRA, or comparable authority (Software-as-a-Medical-Device, SaMD).
• Operation of autonomous vehicles, drones, aircraft, watercraft, industrial machinery, or any other system whose failure could result in death or serious injury.
• Critical-infrastructure control or monitoring (electricity, water, gas, nuclear, telecommunications, financial-market clearing).
• Life-safety alerting (emergency dispatch, fall detection for medical response, suicide-prevention triage where the only response is automated, etc.).
• Real-time biometric identification in publicly accessible spaces, social-scoring systems, predictive-policing systems, or any other use that the EU AI Act classifies as “prohibited” under Article 5.

If you have a research or experimental use case in one of these areas, contact us at [email protected] first; we may be able to discuss limited, non-production access on appropriate terms.

6.2 No training competitor models

You may not use the Services, the output of the Services, or any data extracted from the Services to:

• train, fine-tune, distil, or evaluate any AI code-generation product (whether or not it is “competing” with Nova8 in the commercial sense);
• build a dataset of prompts and responses for the purpose of teaching another model to behave like the Nova8 build agent or to reproduce its proprietary prompts, model selection, or pipeline configuration;
• scrape, mass-export, or systematically harvest the output of the Services beyond what an individual user would generate in normal product use; or
• circumvent any technical measure that Nova8 uses to detect, rate-limit, or prevent the foregoing.

This restriction applies in addition to anything in our Terms of Service and survives termination of your account.

7. Apps you ship to end users

If you publish an app you built with Nova8 to the App Store, the Google Play Store, TestFlight, or any other channel:

• You are solely responsible for the app’s compliance with that channel’s own rules (Apple App Store Review Guidelines, Google Play Developer Policy, etc.).
• You must keep the per-project privacy policy and support pages we generate accurate. Do not link them and then ship behaviour that contradicts them.
• You must not impersonate Nova8 or imply that Nova8 endorses your app.

7.1 AI-output disclosure (EU AI Act and comparable rules)

If your shipped app uses Nova8 (or any third-party AI provider) at runtime to generate text, images, audio, video, or chat replies for your end users, you are responsible for complying with the transparency obligations of the jurisdictions where your app is offered. In particular:

• EU AI Act, Article 50. If your app generates synthetic audio, image, video, or text content, that output must be marked in a machine-readable format as artificially generated or manipulated, and an end user interacting with an AI system must be informed that they are interacting with an AI unless that is obvious from the context. If your app uses an “emotion-recognition” or “biometric-categorisation” component, you must inform the natural persons exposed to it.
• US state “chatbot” laws (e.g. California SB 1001, Utah AI Policy Act). If your app uses AI to interact with consumers in a way that could mislead them about whether they are talking to a human, you must disclose the AI nature of the interaction.
• Deepfake / synthetic-media rules. Where your jurisdiction (or the App Store / Google Play guidelines) requires labelling of AI-generated likenesses or voices, you must implement that labelling in the app.

Nova8 does not perform these disclosures on your behalf at the end-user layer; the per-project privacy and support pages we generate cover the data-processing side, but in-app AI-output labels are your responsibility as developer of record.

8. DMCA / copyright complaints

If you believe content hosted on Nova8 infringes your copyright, please send a notice that complies with 17 U.S.C. § 512(c) to [email protected] with the subject line DMCA Notice. Your notice must include:

1. Your physical or electronic signature.
2. Identification of the copyrighted work you claim has been infringed.
3. Identification of the material that is claimed to be infringing, with enough detail (URL is best) for us to find it.
4. Your contact information (address, phone, email).
5. A statement that you have a good-faith belief that the use is not authorised by the copyright owner, its agent, or the law.
6. A statement, under penalty of perjury, that the information in your notice is accurate and that you are the owner or authorised to act on the owner’s behalf.

We will remove or disable access to the material we judge to be infringing, notify the user who posted it, and forward your notice to that user. The user may submit a counter-notice. Repeat infringers will have their accounts terminated.

9. Reporting abuse

If you see content or behaviour on Nova8 that violates this AUP, please report it to [email protected]. Include the URL, a short description of the issue, and screenshots if you have them. We review reports within 1 business day for content that may endanger a person, and within 7 business days for everything else.

10. Enforcement

Violations of this AUP can result in any combination of: a warning, content takedown, account suspension, account termination, refund denial, and referral to law-enforcement. We try to be proportionate — first-time, low-severity violations usually get a warning — but we reserve the right to act immediately and without notice for serious or repeat violations, or where required by law.

11. Changes to this policy

We may update this AUP from time to time. The “Last updated” date at the top of this page reflects the current version. Continuing to use the Services after a change takes effect means you accept the updated policy.

12. Contact

Questions about this Acceptable Use Policy? Email [email protected].