Legal

Acceptable Use Policy

Last updated: May 2, 2026

This Acceptable Use Policy ("AUP") describes what you may and may not do with the Serge platform. By using the Service you agree to this AUP. This AUP is incorporated into the Serge Terms of Service by reference; if you have not read those, please do so first. Where this AUP and the Terms of Service overlap, the more restrictive provision applies. To report abuse of the Service, contact abuse@serge.ai.

01

1. What Serge is for

  • Serge is a measurement tool for e-commerce site owners. It helps you understand whether AI agents (ChatGPT, Claude, Operator, Perplexity, and similar) can find your products, navigate your site, and complete normal shopping tasks (adding to cart, checking out, selecting variants).
  • Serge is not a security testing tool, a vulnerability scanner, a scraper, an attack platform, or a load-testing service. Sections 3 and 4 below describe uses that fall outside what Serge is for and that are prohibited.
02

2. Permitted use

  • You may use Serge to run scans against domains you own or operate.
  • You may use Serge to run scans against domains for which you have written permission from the operator.
  • You may use Serge to run scans against publicly-accessible storefronts of competitor e-commerce sites for the purpose of comparing how AI agents experience your site versus theirs, subject to Section 4 (limits) and Section 3 (prohibited use).
  • You may submit task descriptions that describe a normal shopping workflow: finding a product, viewing variants, adding to cart, proceeding to checkout, completing a purchase, looking up shipping or return information.
  • You represent that you have legal authority to use Serge against any target you submit. We do not pre-clear targets. Any obligations the target site imposes on you (its terms of service, robots.txt, or otherwise) are between you and that site.
03

3. Prohibited use

  • 3.1 Security testing, vulnerability scanning, exploit development. You must not use Serge to probe for SQL injection, XSS, CSRF, SSRF, RCE, IDOR, path traversal, open redirect, or any other application vulnerability; to run penetration tests, security audits, or red-team exercises; or to discover, develop, weaponise, or sell exploits. If you need to security-test your own site, use a dedicated tool (Burp, OWASP ZAP, Nuclei) and a qualified provider.
  • 3.2 Authentication, authorisation, and protection bypass. You must not use Serge to bypass authentication, authorisation, captchas, paywalls, geo-blocks, rate limits, or bot protection; brute-force, guess, or enumerate credentials; or test, attempt, or perform account takeover, session hijacking, or cookie/session-token theft.
  • 3.3 Data extraction at scale. You must not use Serge to extract, scrape, harvest, or exfiltrate customer emails, phone numbers, postal addresses, payment information, government identifiers, login credentials, API keys, JWTs, or any other personal or authentication data; to dump database contents through any input field; or to aggregate publicly-displayed but non-public-by-design data (for example, copying every product page to rebuild a competitor's full catalogue without permission).
  • 3.4 Volumetric, availability, and resource attacks. You must not use Serge to perform denial-of-service or distributed-denial-of-service attacks; flood forms, APIs, contact endpoints, or order pipelines; or exhaust inventory, deplete coupon stocks, or otherwise consume a target's commercial resources to deny them to legitimate customers.
  • 3.5 Misrepresentation, impersonation, deception. You must not use Serge to misrepresent yourself, your organisation, or the agent's intent in task descriptions; impersonate Serge employees, the agent's user, or the target site's customers; or generate fraudulent reviews, fake order histories, or other deceptive content.
  • 3.6 Illegal activity. You must not use Serge for any purpose that violates applicable law in the jurisdiction of the target site, the target site's operator, you, or Superstellar LLC; or whose primary purpose is to harm the target site's operator, customers, or commercial interests beyond ordinary competitive comparison.
  • 3.7 Re-export of agent capability. You must not provide third parties with the ability to dispatch arbitrary agent tasks against arbitrary URLs through your Serge account, unless those third parties have separately accepted this AUP. Legitimate B2B integrations and resellers must flow this AUP through to their own end users.
  • 3.8 Anti-circumvention. You must not create multiple accounts, use disposable email addresses, or otherwise attempt to evade limits, suspensions, or termination imposed under this AUP.
04

4. Limits and identity

  • We operate technical safeguards including rate limits and content filters that may refuse a dispatch we believe falls outside permitted use. Persistent attempts to exceed these limits or evade these filters are an AUP violation regardless of whether any single attempt would otherwise be permitted.
  • Cross-domain replays (testing a domain other than the one on which you have installed the Serge tracking snippet) are restricted to active paid subscriptions.
  • You must use a real, working email address. Throwaway-email signups are not authorised.
  • Where Serge identifies the agent in a User-Agent header or via signed-agent infrastructure, you must not mask, spoof, or alter that identity.
05

5. Audit, retention, and cooperation

  • We retain dispatch metadata (task description, target URL, workspace, timestamps, replay outcome, content-scan flags) for as long as necessary to operate the Service, investigate abuse, and comply with our legal obligations — typically up to 12 months.
  • We retain platform logs of replay safety events for the same period.
  • We may share the relevant audit metadata in response to lawful requests, court orders, or where we have a good-faith belief that disclosure is necessary to prevent imminent harm. Privacy-related processing is described in our Privacy Policy.
06

6. Enforcement

  • We may, in our reasonable discretion and proportionate to the violation: refuse a dispatch, throttle or rate-limit a workspace, suspend access, or terminate the subscription. We will normally warn before suspending and suspend before terminating, except where the violation is severe or where prior notice would defeat the purpose of enforcement (for example, ongoing exfiltration).
  • Termination for AUP violation is without refund for the current billing period, except where applicable mandatory consumer-protection law requires otherwise.
  • We may report conduct to the relevant payment processor, the target site's operator, and law enforcement where the conduct appears unlawful.
  • We may publish anonymised aggregate statistics about AUP enforcement (for example, "this quarter we refused N dispatches matching pattern X") without identifying the workspace involved.
07

7. Reporting abuse

  • If you believe Serge is being used to attack your site, contact us at abuse@serge.ai with: the target hostname, the approximate time-window, and any evidence you have (User-Agent strings, log lines, IP-range observations).
  • We will acknowledge receipt of credible abuse reports within a reasonable time and investigate in good faith. We are a small team; please be patient with response timing on complex investigations.
08

8. Updates

  • We may update this AUP at any time to reflect new abuse vectors, regulatory changes, or product changes. The version published at https://www.serge.ai/aup is the current and binding version.
  • We will notify active customers by email of material changes at least 14 days before they take effect, except where a shorter notice period is required to address an active abuse vector or to comply with legal obligations.
09

9. Governing law and disputes

  • This AUP is governed by the substantive laws of Switzerland, excluding its conflict-of-laws principles and the United Nations Convention on Contracts for the International Sale of Goods (CISG). The exclusive place of jurisdiction is Zug, Switzerland.
  • If you are a consumer within the meaning of applicable EU, UK, or Swiss consumer protection law, nothing in this AUP deprives you of any mandatory consumer protections under the laws of your country of habitual residence, including any non-derogable right to bring proceedings in the courts of that country.
  • The dispute-resolution mechanism described in the Serge Terms of Service (good-faith negotiation before formal proceedings) applies to AUP disputes.
  • Where this AUP and the Terms of Service conflict on a specific point, the more restrictive provision applies.
10

10. Severability and waiver

  • If any provision of this AUP is held unenforceable, the remaining provisions stay in effect.
  • Our failure to enforce any provision is not a waiver of our right to enforce it later.
11

11. Contact

  • Abuse reports — abuse@serge.ai
  • Questions about this AUP — legal@serge.ai
  • Serge is operated by Superstellar LLC.