Skip to main content

Acceptable Use Policy

Last Updated – 15 July 2026

1. Purpose & scope

1.1 This Service Acceptable Use Policy (the "Policy") sets out what is, and is not, an acceptable use of the Bilt platform and website at https://bilt.me (the "Site") and of the services BuildingPP OÜ (operating as "Bilt") makes available through it — the AI application-generation pipeline, the hosting of generated applications, and application publishing (the "Services"). References in this Policy to use of the Services include use of the Site, unless the context requires otherwise.

1.2 Who it binds. This Policy applies to every Customer and, through the Customer, to the Customer's End-users and anyone the Customer permits to use the Services. The Customer is responsible for the acts and omissions of its End-users as if they were the Customer's own.

1.3 Incorporation & acceptance. This Policy is part of the Bilt Terms of Service (bilt.me/terms) and applies to all access to and use of the Services. By accepting the Terms of Service, or by accessing or using the Services, the Customer agrees to this Policy. Bilt may update this Policy from time to time (§11); the current version governs each use of the Services.

2. Definitions

Terms not defined here have the meaning given in the Bilt Terms of Service or, where used, in applicable data-protection law.

  • "Customer" — the person or entity that has entered into the Bilt Terms of Service and uses the Services (in the Bilt Data Processing Agreement, the Controller).
  • "End-user" — an individual who uses an application the Customer builds, hosts, or publishes through the Services.
  • "Services" — as defined in §1.
  • "Customer Content" — the data, code, prompts, inputs, schema, and other material the Customer or its End-users submit to, generate with, or store in the Services.
  • "Account" — the Customer's Bilt account and any associated workspaces, projects, or applications.

3. The acceptable-use principle

3.1 Lawful, authorised use. The Customer must use the Services only for lawful purposes and in accordance with the Bilt Terms of Service, this Policy, and all applicable laws.

3.2 Customer ownership of content and configuration. The Customer alone determines the content, schema, structure, and configuration of what it builds and stores through the Services, and is responsible for ensuring that its content and its End-users' use comply with this Policy (consistent with the Bilt Data Processing Agreement). Bilt does not pre-screen Customer Content.

3.3 Responsibility for End-users. The Customer is responsible for making its End-users aware of, and for enforcing against them, the restrictions in this Policy that are relevant to the application the Customer operates.

4. Prohibited activities

The Customer must not use, and must not permit any End-user to use, the Services to do any of the following. This list is illustrative, not exhaustive.

4.1 General

  • Engage in or facilitate any illegal activity, or violate the rights of others.
  • Infringe intellectual-property rights, publicity, or privacy rights, or misappropriate trade secrets.
  • Distribute malware, ransomware, or other harmful code, or host content that does so.
  • Degrade, overload, or interfere with the Services or the infrastructure of Bilt or its providers (e.g. excessive load beyond plan limits, resource-exhaustion patterns).
  • Circumvent or attempt to circumvent usage limits, quotas, access controls, billing, referral, affiliate, or other promotional or credit-program rules, or other technical or contractual restrictions.
  • Harass, threaten, defame, or facilitate harm to any person, or process personal data to those ends.

4.2 AI & content manipulation

  • Generate or distribute non-consensual, deceptive, or abusive synthetic media (e.g. deepfakes intended to deceive, non-consensual intimate imagery).
  • Attempt to jailbreak, prompt-inject, or otherwise subvert the safety controls of the Services or their underlying AI providers, or to extract another party's data or prompts.
  • Conduct unlawful or unauthorised scraping, harvesting, or automated extraction of data or content.
  • Generate content for deceptive SEO, spam, or coordinated inauthentic behaviour.
  • Use the Services for fully automated decisions with legal or similarly significant effects on individuals without the safeguards the law requires (the Customer is responsible for compliance with GDPR Art. 22 or its local equivalent).

4.3 Security & network integrity

  • Gain or attempt to gain unauthorised access to any system, account, data, or network.
  • Conduct denial-of-service or other availability attacks.
  • Perform security testing or penetration testing of the Services without Bilt's prior written authorisation, which may be requested at [email protected].
  • Operate open proxies, open mail relays, anonymising relays, or crypto-mining on the Services.
  • Probe, scan, or test the vulnerability of any system, or breach security/authentication measures.

4.4 Account & messaging abuse

  • Send spam, phishing, or unsolicited bulk messaging, or content that violates anti-spam laws.
  • Perform automated or bulk account creation, or use throwaway/temporary identifiers to evade limits or enforcement.
  • Impersonate any person or entity, or misrepresent affiliation with Bilt or any third party.

4.5 Financial crime & regulated/high-risk uses

  • Engage in fraud, money laundering, payment-card fraud, or other financial crime.
  • Traffic in illegal or restricted goods or services.
  • Deploy the Services in uses where failure could lead to death, serious injury, or severe environmental harm, except under terms expressly agreed with Bilt in writing.
  • Where using Bilt's in-app purchase feature, circumvent or misuse the applicable app-store billing rules and program policies (for example, Apple's), or use the feature to sell goods or services the store prohibits.

5. Prohibited & restricted data categories

5.1 No special-category or criminal-offence data by default. The Customer must not submit, and must not permit its End-users to submit, special-category personal data (GDPR Art. 9) or criminal-offence data (Art. 10) — and their equivalents under the UK GDPR and the Swiss nFADP (sensitive personal data) — to the Services, unless the parties have agreed otherwise in writing in advance and a valid Art. 9 condition / Art. 10 basis (or equivalent) applies. Bilt does not process such data by design, and the technical and organisational measures described in the Bilt Data Processing Agreement are not designed for it.

5.2 No cardholder data in the Services. The Customer must not submit payment-card / cardholder data (PAN, track data, CVV, etc.) into the Services, and must not build its application to collect cardholder data into the Services. Bilt operates no cardholder-data environment. Bilt's own subscription billing is handled by Stripe (Bilt is a PCI DSS v4.0.1 SAQ A merchant). Where the Customer enables Bilt's in-app purchase feature, End-user payments are taken by the app store (Apple), which processes the card — neither the Customer's application nor Bilt receives cardholder data, and the store is an independent controller of the purchase. A Customer that instead wishes to take card payments directly must integrate a compliant payment processor of its own, and must not route cardholder data through the Services to do so.

5.3 No unlawful content. The Customer must not submit or generate content that is unlawful for the Customer to hold or that Bilt is prohibited from processing.

5.4 Customer responsibility for sensitivity. Because Bilt does not define the Customer's schema or content, and does not review it or assess its sensitivity, the Customer is responsible for assessing the sensitivity of the data it submits and for applying any field-level protection (e.g. encryption, tokenisation, pseudonymisation, masking) its own risk assessment requires, as further described in the Bilt Data Processing Agreement. The automated technical processing described in §8.1(b) is not a review of Customer Content, and does not identify or classify the sensitivity of the Customer's data.

6. AI / model-generation acceptable use

6.1 Data sent to the generation pipeline. When the Customer uses the AI generation features, its prompts and inputs — and any personal data within them — are processed by Bilt's third-party AI/model sub-processors. The current list of sub-processors, and the safeguards applied to any international transfers, are made available with the Bilt Data Processing Agreement.

6.2 Minimise before you prompt. The Customer should not submit secrets, credentials, or unnecessary personal or special-category data into prompts or inputs, and should minimise inputs to what is necessary for the task. This is guidance to reduce risk; it does not, by itself, discharge the Customer's or Bilt's data-protection obligations for data actually submitted.

6.3 Lawful basis for AI processing. The Customer is responsible for having a valid legal basis and any required notices/consents for any personal data it submits to the AI features, and for the lawfulness of its use of the generated output.

6.4 AI transparency when the Customer publishes generated content. Output produced through the Services is generated by AI. Where the Customer publishes, distributes, or deploys that output — including in an application made available to End-users — the Customer is responsible for any disclosure that applicable law requires of it, for example telling people that content is artificially generated where the content could otherwise appear authentic. This complements the Customer's obligation under the Terms of Service not to misrepresent output as human-created where disclosure is legally required. Bilt applies the transparency and marking measures that fall on it as the provider of the AI system; it is the Customer, as the party deploying the output, who determines how and to whom the output is presented, and Bilt cannot make that disclosure on the Customer's behalf.

The Customer must not remove, obscure, or defeat any provenance or "artificially generated" marking that Bilt or its AI providers apply to generated output.

7. Customer responsibilities & security

7.1 Lawful basis & notices. The Customer is responsible for the lawfulness of the Customer Content and of its collection, and warrants that it has a valid legal basis and all necessary notices and consents for the processing it carries out through the Services (consistent with the Bilt Data Processing Agreement).

7.2 End-user authentication. The Customer determines and configures the authentication posture of its application's End-users (e.g. whether to require MFA, password policy, breach/leaked-password screening), using the capabilities Bilt makes available. Bilt secures the authentication capability it operates; the Customer decides and is responsible for its End-users' credentials, as described in the Bilt Data Processing Agreement.

7.3 Account security. The Customer is responsible for safeguarding its own Account credentials and for all activity under its Account, and must notify Bilt promptly of any suspected unauthorised use at [email protected].

8. Monitoring, investigation & enforcement

8.1 Monitoring.

(a) No pre-screening. Bilt does not review or moderate Customer Content for compliance with this Policy before it is submitted, generated, stored, or published, and is under no obligation to do so.

(b) Automated technical processing. Bilt applies automated technical processing to Customer Content and to use of the Services — for security, abuse and fraud prevention, service operation and reliability, and the removal of personal data before it is used to train Bilt's machine-learning systems. Such processing is not a review, approval, or endorsement of Customer Content, and does not constitute pre-screening.

(c) Investigation. Bilt may monitor use of the Services and investigate suspected violations of this Policy. Investigations are triggered by a report, an automated signal, or a reasonable suspicion. Anyone may notify Bilt of content they consider illegal or in breach of this Policy through the channels in §9, and Bilt reviews and acts on such notices under §8.2. Bilt does not carry out general monitoring of Customer Content.

(d) Roles. Monitoring that Bilt carries out for its own purposes — protecting the security, integrity and availability of the Services, preventing abuse, and complying with law — is carried out by Bilt as an independent controller, as described in the Bilt Privacy Policy, and falls outside the Bilt Data Processing Agreement. Where Bilt monitors Customer Personal Data at the Customer's request, it does so as a processor on the Customer's documented instructions under that agreement.

(e) Human review. A decision to suspend or terminate an Account, or to remove or disable access to Customer Content, is taken by a person, informed by automated signals. Bilt does not take such decisions by solely automated means.

(f) Monitoring is carried out only to the extent permitted by applicable law, including the confidentiality of communications.

8.2 Enforcement. Where Bilt reasonably determines that a Customer or End-user has violated this Policy, Bilt may, proportionately and as permitted by the Terms of Service: request remediation; remove or disable access to offending content; suspend or terminate the Account or Services; and, where required, report the matter to the authorities. Bilt will give notice where practicable and lawful; where a violation poses an imminent risk of harm, legal liability, or service degradation, Bilt may act first and notify after. Where Bilt restricts the Services under this section — removing or disabling content, or suspending or terminating an Account — it gives the affected Customer a statement of reasons: what was restricted, the facts or circumstances relied on, whether automated means were used in reaching the decision, the ground in this Policy or the Terms of Service, and how to contest the decision. Bilt need not do so where the law prohibits it, or where the restriction concerns manifestly illegal content or deceptive high-volume commercial content.

8.3 Reservation of rights. Bilt's failure to enforce any provision is not a waiver of its right to do so.

9. Reporting abuse

Suspected violations of this Policy, and content you consider illegal, may be reported to [email protected]. Security vulnerabilities should be reported to [email protected] and not exploited (§4.3). Bilt reviews the reports it receives and acts on them under §8; where a report includes contact details, Bilt confirms receipt and tells the reporter the outcome.

10. Relationship to other documents & precedence

10.1 This Policy forms part of the Bilt Terms of Service (bilt.me/terms). Where a Bilt Data Processing Agreement has been concluded (Bilt does not process personal data on the Customer's behalf by default — see the Terms of Service §5.3), it governs Bilt's processing of Customer Personal Data as a processor; the Bilt Privacy Policy (bilt.me/privacy) describes Bilt's own processing as a controller.

10.2 Precedence. On any conflict or inconsistency between this Policy and the Terms of Service, the Terms of Service prevail, except that this Policy prevails to the extent it expressly imposes stricter or more specific restrictions on the Customer's use of the Site or the Services. On any conflict concerning the processing of Customer Personal Data, the Bilt Data Processing Agreement prevails where one has been concluded.

10.3 Governing law. This Policy is governed by the law, and subject to the jurisdiction, stated in the Bilt Terms of Service, into which it is incorporated.

11. Changes to this Policy

Bilt may update this Policy where required for legal compliance, security, or service changes. Material changes will be notified through the Customer's registered contact or the Services, with reasonable prior notice where practicable; continued use of the Services after a change takes effect constitutes acceptance.

12. Review

This Policy is reviewed at least annually, or sooner upon significant legal, regulatory, product, or risk change. It is kept consistent with the Terms of Service, the Bilt Data Processing Agreement, and the Privacy Policy.