Acceptable Use Policy

Version 1.0 · Last updated: May 12, 2026 · Effective: May 12, 2026

This Acceptable Use Policy (the "AUP") describes the conduct and content that Choclement LLC, doing business as BHmetrics("BHmetrics", "we", "us", "our"), prohibits in connection with the BHmetrics web application, APIs, workers, dashboards, Copilot, pixel, documentation, and any related services or content (collectively, the "Service"). The AUP is part of, and is incorporated by reference into, our Terms of Service (the "Agreement") and applies to you and to every individual or entity you authorize to access the Service on your behalf (each, an "Authorized User"). Capitalized terms not defined here have the meanings given in the Agreement.

Compliance with this AUP is a continuing obligation. Violations may result in suspension, termination, loss of fees, reporting to the affected Connected Platform or to law enforcement, and any other remedy available under the Agreement or applicable law.

1. Lawful, accurate, and authorized use

You will:

Use the Service only for your own brands or for brands that have given you written authority to act on their behalf;
Comply with all applicable laws (including data-protection, consumer-protection, telemarketing, anti-spam, advertising-disclosure, sanctions, export-control, anti-corruption, and tax laws);
Comply at all times with each Connected Platform's terms of service, advertising policies, developer guidelines, and Conversions API terms (including Meta's Platform Terms, Business Tools Terms, and Conversions API Terms; Google Ads API Terms, Required Minimum Functionality, and User Data Policy; TikTok Marketing API Terms; Pinterest Business Terms and Developer Guidelines; Snap Marketing API Terms; and Shopify Partner Program and API terms);
Obtain and maintain all consents, notices, and lawful bases required to upload, transmit, and process the data you submit through the Service (including under GDPR Articles 6 and 9, the CCPA/CPRA, ePrivacy / cookie consent laws, the Telephone Consumer Protection Act, CAN-SPAM, and any equivalent under applicable law);
Honor opt-outs, do-not-sell, do-not-share, do-not-call, do-not-email, and similar consumer preferences applicable to data you upload or have us transmit.

2. Prohibited conduct — event quality and platform integrity

You will not, and will not allow any Authorized User or third party to:

Fabricate or spoof events. Send, submit, generate, automate, inject, or otherwise transmit conversion events, click identifiers, audience signals, identifiers, hashed values, attribution events, or any other data that does not accurately represent a real consumer action that actually occurred and that you are lawfully entitled to report.
Use click farms, bots, or activity simulators. Use, procure, or facilitate the use of bots, click-farms, automated user-action simulators, browser-automation frameworks, residential or datacenter proxy networks, mechanical-turk operations, or any other technique designed to fake, simulate, or generate user activity with the intent of creating exaggerated, misleading, or otherwise non-genuine activity, conversions, attribution, or audiences.
Duplicate or inflate. Re-send the same conversion event multiple times to inflate counts, defeat deduplication, or manipulate platform attribution; tamper with deduplication keys, event IDs, or timestamps; or otherwise interfere with the integrity of event matching.
Misattribute. Falsely attach click identifiers, customer identifiers, or audience-membership signals to events to which they do not lawfully belong.
Bypass platform policies. Use the Service in any manner intended to circumvent, defeat, or work around any policy, rate limit, quota, content moderation, attribution model, audience-eligibility check, or other restriction imposed by a Connected Platform.
Process unauthorized data. Send Personal Data, audiences, or events on behalf of any brand or entity that has not authorized you to do so, or in violation of any consent, notice, contract, or law applicable to that data.

3. Prohibited conduct — sensitive and unlawful data

You will not upload, submit, transmit, store, or cause the Service to Process:

Sensitive Data, including: (a) protected health information subject to HIPAA; (b) cardholder data subject to PCI DSS; (c) Social Security numbers, driver's-license numbers, passport numbers, financial-account numbers, or other government-issued identifiers; (d) precise (GPS-level) geolocation; (e) data of a known child under age sixteen (16), or under thirteen (13) in the United States; (f) biometric identifiers or templates; (g) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, sexual orientation, or sex life; (h) data subject to the GLBA, FERPA, or similar sectoral regulations; or (i) any other "special category" data under GDPR Article 9, "sensitive personal information" under CPRA, or analogous categories under applicable law.
Content or data that is unlawful, infringing, defamatory, threatening, harassing, obscene, hateful, discriminatory, or otherwise objectionable.
Content or data that infringes or misappropriates a third party's intellectual-property right, privacy right, right of publicity, or contractual right.
Content or data obtained through hacking, unauthorized access, social engineering, phishing, or other unlawful means.

We expressly disclaim liability for any Sensitive Data or other prohibited content you upload through the Service, and you indemnify us for any claim arising from such uploads, in addition to your obligations under the Agreement.

4. Prohibited conduct — Service abuse

You will not, and will not allow any Authorized User or third party to:

Interfere with the Service. Probe, scan, or test the vulnerability of any system or network; circumvent any authentication, rate limit, quota, security, or access control; introduce malware, viruses, worms, trojan horses, time bombs, or harmful code or agents; overload, flood, spam, denial-of-service, or otherwise disrupt the Service or its infrastructure; or do anything that imposes an unreasonable load on our systems.
Reverse-engineer. Reverse-engineer, decompile, disassemble, decode, translate, or otherwise attempt to derive the source code, model weights, prompts, embeddings, algorithms, or architecture of the Service, except to the limited extent applicable law overrides this restriction notwithstanding contractual waiver.
Compete. Use the Service, its data, its outputs (including AI outputs), Aggregated Data, or any benchmark to build, train, benchmark, evaluate, or improve a product or service that competes with BHmetrics; use any portion of the Service as training data; or attempt to derive our underlying models or training datasets.
Scrape. Use any robot, spider, scraper, crawler, deep-link, framing, mirroring, or other automated means to access, monitor, or copy any part of the Service or its content, except via documented APIs and within published rate limits and scopes appropriate to your subscription tier; or take any action that imposes a load on our infrastructure exceeding the load a reasonable human user or properly-configured integration would impose.
Harvest data. Collect, store, scrape, or extract data about other users, customers, or third parties through the Service, including profile information, account names, identifiers, or analytics, except as expressly permitted.
Impersonate. Impersonate any person or entity, falsely state or misrepresent your affiliation, or forge any header or identifier; use another person's account or credentials; or hold yourself out as a representative of BHmetrics or Choclement without our written consent.
Send unsolicited communications. Use the Service to send chain letters, spam, unsolicited commercial communications, junk mail, or any form of mass solicitation in violation of applicable law (including CAN-SPAM, CASL, GDPR, ePrivacy, and TCPA).
Resell or sublicense. Rent, lease, sell, sublicense, time-share, distribute, white-label, host as a service for third parties, or otherwise commercialize the Service or any portion of it without our prior written agreement.
Remove notices. Remove, alter, conceal, or obscure any copyright, trademark, proprietary, or other notice on the Service or its outputs.

5. Prohibited conduct — APIs, pixel, webhooks, and integrations

Where you use the BHmetrics public API, embeddable pixel, outbound webhooks, or platform integrations, you will additionally not:

Exceed documented rate limits, including the 100 requests-per-second public-API ceiling per token, or use multiple tokens, IP rotation, or other techniques to circumvent rate limits;
Use API credentials issued for one workspace or brand to access another, or share API credentials with unaffiliated parties;
Hard-code API credentials into client-side or distributable software; you will store credentials in a server-side secret store and rotate them on suspected compromise;
Use the Service's outbound webhook feature to deliver payloads to recipients you do not control or that have not consented; target internal-network, loopback, link-local, or metadata-service IP addresses (e.g., 127.0.0.1, ::1, 169.254.x.x, 10.x.x.x, 172.16/12, 192.168.x.x); or otherwise use webhooks for server-side request forgery, port-scanning, or any unlawful purpose;
Tamper with HMAC signatures, dedup keys, or other integrity controls on inbound webhooks or pixel events;
Use the BHmetrics pixel on storefronts you do not operate or do not have written authorization to operate;
Misuse competitor-creative or advertising-library endpoints to harvest third-party advertisers' creative or audience data outside the scope, frequency, and use-case permitted by the relevant Connected Platform's terms.

6. Prohibited conduct — AI Copilot and AI Features

You will not, and will not allow any Authorized User or third party to:

Use the AI Features to generate content that violates law, infringes a third-party right, or violates this AUP;
Use the AI Features for fully automated decision-making about an identified individual that produces legal or similarly significant effects on that individual without appropriate human review;
Use the AI Features to extract personal data about identified individuals or to circumvent platform privacy controls;
Attempt prompt injection, jailbreaking, or any technique designed to (a) cause the AI Features to behave outside their intended scope, (b) derive system prompts, model weights, or training data, (c) bypass safety or content filters, or (d) cause the model to reveal another customer's data;
Use the AI Features to build, train, benchmark, or improve a competing AI product or service, or to scrape model outputs at industrial scale;
Submit content to the AI Features that is unlawful, infringing, harassing, sexually explicit material involving real or imagined minors, or that incites violence;
Pass through to the AI Features any Sensitive Data, in violation of Section 3.

You acknowledge that AI Output is probabilistic and may be inaccurate or fabricated, and that you are solely responsible for evaluating Output and any action taken on it. AI Output is not professional, legal, financial, tax, medical, investment, or fiduciary advice.

7. Prohibited conduct — security and confidentiality

Do not attempt to access any account, workspace, brand, data, or system you are not authorized to access.
Do not disclose API credentials, OAuth tokens, webhook secrets, or HMAC keys to any unauthorized party. Report any suspected credential compromise to [email protected] without delay.
Do not disclose Confidential Information of BHmetrics or of any third party, except as permitted under the Agreement.
Do not perform security testing, vulnerability research, or penetration testing on the Service without our prior written authorization. Authorized researchers should report findings under our responsible-disclosure process at [email protected].

8. Cooperative benchmarking (opt-in)

If you opt your brand into cooperative benchmarking, we contribute anonymized, aggregated metrics (e.g., industry-tier ROAS, CPM, CTR, CPA) to a shared benchmark pool that all participating brands can compare against. Cooperative benchmarking is voluntary and may be toggled at any time from Settings → Brand. You may not use the cooperative benchmarking feature to attempt to deanonymize another brand, to extract another brand's identity, or to reconstruct another brand's underlying data.

9. Reporting violations

Report suspected violations of this AUP, security incidents, or abuse to [email protected]. Provide as much detail as reasonable (URL, screenshots, timestamps in UTC, account or brand ID). We will respond and, where appropriate, investigate. We are not obligated to monitor for violations; failure to detect a violation is not a waiver of our rights.

10. Enforcement

We may, in our sole discretion and with or without notice: (a) investigate suspected violations; (b) request that you remove offending content or cease offending behavior; (c) suspend or restrict your access to all or any portion of the Service; (d) terminate your account; (e) refer the matter to the affected Connected Platform, the affected third party, a Supervisory Authority, or law enforcement; and (f) cooperate with lawful investigations. Suspension or termination for violation of this AUP does not entitle you to a refund and does not limit our right to recover Losses under the Agreement, including under the indemnification provisions.

11. Changes to this AUP

We may update this AUP from time to time to reflect new conduct we determine to be prohibited, changes in law, or changes in the Service. Updates will be posted with a new "Last updated" date and, for material changes, communicated by email or in-product notice at least thirty (30) days in advance. Continued use after the effective date constitutes acceptance.

12. Contact

Choclement LLC, doing business as BHmetrics
c/o registered agent on file with the Delaware Secretary of State
Abuse and AUP inquiries: [email protected]
Service URL: bhmetrics.com

Acceptable Use Policy

Version 1.0 · Last updated: May 12, 2026 · Effective: May 12, 2026

1. Lawful, accurate, and authorized use

You will:

Use the Service only for your own brands or for brands that have given you written authority to act on their behalf;
Comply with all applicable laws (including data-protection, consumer-protection, telemarketing, anti-spam, advertising-disclosure, sanctions, export-control, anti-corruption, and tax laws);
Comply at all times with each Connected Platform's terms of service, advertising policies, developer guidelines, and Conversions API terms (including Meta's Platform Terms, Business Tools Terms, and Conversions API Terms; Google Ads API Terms, Required Minimum Functionality, and User Data Policy; TikTok Marketing API Terms; Pinterest Business Terms and Developer Guidelines; Snap Marketing API Terms; and Shopify Partner Program and API terms);
Obtain and maintain all consents, notices, and lawful bases required to upload, transmit, and process the data you submit through the Service (including under GDPR Articles 6 and 9, the CCPA/CPRA, ePrivacy / cookie consent laws, the Telephone Consumer Protection Act, CAN-SPAM, and any equivalent under applicable law);
Honor opt-outs, do-not-sell, do-not-share, do-not-call, do-not-email, and similar consumer preferences applicable to data you upload or have us transmit.

2. Prohibited conduct — event quality and platform integrity

You will not, and will not allow any Authorized User or third party to:

Fabricate or spoof events. Send, submit, generate, automate, inject, or otherwise transmit conversion events, click identifiers, audience signals, identifiers, hashed values, attribution events, or any other data that does not accurately represent a real consumer action that actually occurred and that you are lawfully entitled to report.
Use click farms, bots, or activity simulators. Use, procure, or facilitate the use of bots, click-farms, automated user-action simulators, browser-automation frameworks, residential or datacenter proxy networks, mechanical-turk operations, or any other technique designed to fake, simulate, or generate user activity with the intent of creating exaggerated, misleading, or otherwise non-genuine activity, conversions, attribution, or audiences.
Duplicate or inflate. Re-send the same conversion event multiple times to inflate counts, defeat deduplication, or manipulate platform attribution; tamper with deduplication keys, event IDs, or timestamps; or otherwise interfere with the integrity of event matching.
Misattribute. Falsely attach click identifiers, customer identifiers, or audience-membership signals to events to which they do not lawfully belong.
Bypass platform policies. Use the Service in any manner intended to circumvent, defeat, or work around any policy, rate limit, quota, content moderation, attribution model, audience-eligibility check, or other restriction imposed by a Connected Platform.
Process unauthorized data. Send Personal Data, audiences, or events on behalf of any brand or entity that has not authorized you to do so, or in violation of any consent, notice, contract, or law applicable to that data.

3. Prohibited conduct — sensitive and unlawful data

You will not upload, submit, transmit, store, or cause the Service to Process:

Sensitive Data, including: (a) protected health information subject to HIPAA; (b) cardholder data subject to PCI DSS; (c) Social Security numbers, driver's-license numbers, passport numbers, financial-account numbers, or other government-issued identifiers; (d) precise (GPS-level) geolocation; (e) data of a known child under age sixteen (16), or under thirteen (13) in the United States; (f) biometric identifiers or templates; (g) data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, sexual orientation, or sex life; (h) data subject to the GLBA, FERPA, or similar sectoral regulations; or (i) any other "special category" data under GDPR Article 9, "sensitive personal information" under CPRA, or analogous categories under applicable law.
Content or data that is unlawful, infringing, defamatory, threatening, harassing, obscene, hateful, discriminatory, or otherwise objectionable.
Content or data that infringes or misappropriates a third party's intellectual-property right, privacy right, right of publicity, or contractual right.
Content or data obtained through hacking, unauthorized access, social engineering, phishing, or other unlawful means.

4. Prohibited conduct — Service abuse

You will not, and will not allow any Authorized User or third party to:

Interfere with the Service. Probe, scan, or test the vulnerability of any system or network; circumvent any authentication, rate limit, quota, security, or access control; introduce malware, viruses, worms, trojan horses, time bombs, or harmful code or agents; overload, flood, spam, denial-of-service, or otherwise disrupt the Service or its infrastructure; or do anything that imposes an unreasonable load on our systems.
Reverse-engineer. Reverse-engineer, decompile, disassemble, decode, translate, or otherwise attempt to derive the source code, model weights, prompts, embeddings, algorithms, or architecture of the Service, except to the limited extent applicable law overrides this restriction notwithstanding contractual waiver.
Compete. Use the Service, its data, its outputs (including AI outputs), Aggregated Data, or any benchmark to build, train, benchmark, evaluate, or improve a product or service that competes with BHmetrics; use any portion of the Service as training data; or attempt to derive our underlying models or training datasets.
Scrape. Use any robot, spider, scraper, crawler, deep-link, framing, mirroring, or other automated means to access, monitor, or copy any part of the Service or its content, except via documented APIs and within published rate limits and scopes appropriate to your subscription tier; or take any action that imposes a load on our infrastructure exceeding the load a reasonable human user or properly-configured integration would impose.
Harvest data. Collect, store, scrape, or extract data about other users, customers, or third parties through the Service, including profile information, account names, identifiers, or analytics, except as expressly permitted.
Impersonate. Impersonate any person or entity, falsely state or misrepresent your affiliation, or forge any header or identifier; use another person's account or credentials; or hold yourself out as a representative of BHmetrics or Choclement without our written consent.
Send unsolicited communications. Use the Service to send chain letters, spam, unsolicited commercial communications, junk mail, or any form of mass solicitation in violation of applicable law (including CAN-SPAM, CASL, GDPR, ePrivacy, and TCPA).
Resell or sublicense. Rent, lease, sell, sublicense, time-share, distribute, white-label, host as a service for third parties, or otherwise commercialize the Service or any portion of it without our prior written agreement.
Remove notices. Remove, alter, conceal, or obscure any copyright, trademark, proprietary, or other notice on the Service or its outputs.

5. Prohibited conduct — APIs, pixel, webhooks, and integrations

Where you use the BHmetrics public API, embeddable pixel, outbound webhooks, or platform integrations, you will additionally not:

Exceed documented rate limits, including the 100 requests-per-second public-API ceiling per token, or use multiple tokens, IP rotation, or other techniques to circumvent rate limits;
Use API credentials issued for one workspace or brand to access another, or share API credentials with unaffiliated parties;
Hard-code API credentials into client-side or distributable software; you will store credentials in a server-side secret store and rotate them on suspected compromise;
Use the Service's outbound webhook feature to deliver payloads to recipients you do not control or that have not consented; target internal-network, loopback, link-local, or metadata-service IP addresses (e.g., 127.0.0.1, ::1, 169.254.x.x, 10.x.x.x, 172.16/12, 192.168.x.x); or otherwise use webhooks for server-side request forgery, port-scanning, or any unlawful purpose;
Tamper with HMAC signatures, dedup keys, or other integrity controls on inbound webhooks or pixel events;
Use the BHmetrics pixel on storefronts you do not operate or do not have written authorization to operate;
Misuse competitor-creative or advertising-library endpoints to harvest third-party advertisers' creative or audience data outside the scope, frequency, and use-case permitted by the relevant Connected Platform's terms.

6. Prohibited conduct — AI Copilot and AI Features

You will not, and will not allow any Authorized User or third party to:

Use the AI Features to generate content that violates law, infringes a third-party right, or violates this AUP;
Use the AI Features for fully automated decision-making about an identified individual that produces legal or similarly significant effects on that individual without appropriate human review;
Use the AI Features to extract personal data about identified individuals or to circumvent platform privacy controls;
Attempt prompt injection, jailbreaking, or any technique designed to (a) cause the AI Features to behave outside their intended scope, (b) derive system prompts, model weights, or training data, (c) bypass safety or content filters, or (d) cause the model to reveal another customer's data;
Use the AI Features to build, train, benchmark, or improve a competing AI product or service, or to scrape model outputs at industrial scale;
Submit content to the AI Features that is unlawful, infringing, harassing, sexually explicit material involving real or imagined minors, or that incites violence;
Pass through to the AI Features any Sensitive Data, in violation of Section 3.

7. Prohibited conduct — security and confidentiality

Do not attempt to access any account, workspace, brand, data, or system you are not authorized to access.
Do not disclose API credentials, OAuth tokens, webhook secrets, or HMAC keys to any unauthorized party. Report any suspected credential compromise to [email protected] without delay.
Do not disclose Confidential Information of BHmetrics or of any third party, except as permitted under the Agreement.
Do not perform security testing, vulnerability research, or penetration testing on the Service without our prior written authorization. Authorized researchers should report findings under our responsible-disclosure process at [email protected].

8. Cooperative benchmarking (opt-in)

9. Reporting violations

10. Enforcement

11. Changes to this AUP

12. Contact

Choclement LLC, doing business as BHmetrics
c/o registered agent on file with the Delaware Secretary of State
Abuse and AUP inquiries: [email protected]
Service URL: bhmetrics.com