Legal

Acceptable Use Policy

Last updated: May 1, 2026. This Acceptable Use Policy (the "AUP") is part of and incorporated into the Terms of Service. It lists prohibited uses of Helodata services. Violators are suspended immediately and without refund; serious cases are reported to the appropriate authorities. This policy binds direct customers, their employees, their authorized users, and their resellers equally.

Our reasoning

Helodata is infrastructure. Like electric grids, internet backbones, and CDNs, the overwhelming majority of usage is lawful and well-intentioned; a small fraction of abuse poisons the entire network reputation, harms other customers, harms peer nodes, and invites regulatory crackdowns on the whole industry.

So we draw the line — not for moral posture, but to protect compliant customers' availability and the cleanliness of our IP ranges. Every clause below corresponds to a real abuse pattern we have handled over six years.

Compliance is two-layer: (a) is your behavior itself lawful? (b) Even if lawful, will it cause Helodata's network to be identified as a 'malicious traffic source'? Use is acceptable only if it passes both checks.

1. Illegal activity (zero tolerance)

  • Breaking the law — Anything illegal in your home jurisdiction, your operating jurisdiction, or the target site's jurisdiction. When the legal interpretation is ambiguous, we lean strict.
  • Sanctions evasion — Helping persons or entities sanctioned by US OFAC, EU, or UN evade sanctions; serving customers in comprehensively sanctioned regions (Cuba, Iran, North Korea, Syria, Crimea / Donetsk / Luhansk / Zaporizhzhia / Kherson).
  • Export control violation — Use that violates US EAR, ITAR, or similar regimes (especially for cryptographic software, dual-use tech, certain SaaS services).
  • Drugs & weapons — Procurement, sale, or promotion of illegal drugs, controlled substances, weapons, ammunition, explosives.
  • Human trafficking — Anything related to human trafficking, forced labor, or sexual exploitation.

2. Network & system attacks (zero tolerance)

  • DDoS / denial of service — Using our proxies to launch DDoS, amplification attacks, SYN floods, etc. against third-party systems. Detection terminates the account immediately.
  • Unauthorized access — Penetration, port scanning, exploitation, credential stuffing, brute force, cookie injection, post-WAF-bypass intrusion.
  • Injection & exploitation — SQL injection, XSS, SSRF, command injection, deserialization vulnerabilities — even against your 'own' systems, this must happen outside Helodata.
  • Botnets — Including our proxies in any botnet, C&C communication, or remote command relay.
  • Identity-cloaking attacks — Using proxies to hide identity while perpetrating fraud, extortion, or harassment.
  • Security research boundary — Good-faith security research is welcome, but you must obtain written authorization for the target system and stay within the authorized scope; do not use our proxies to probe unauthorized targets.

3. Communications spam (zero tolerance)

  • Email / SMS bulk — Mass sending in violation of CAN-SPAM, GDPR, PIPL, etc.; non-cold marketing email without recipient opt-in.
  • Social platform / forum flooding — Mass auto-posting, like-spamming, or repost-spamming on Reddit, Discord, Twitter/X, Zhihu, Douyin, etc.
  • Review manipulation — Posting fake positive or negative reviews of products, services, companies, or politicians (Amazon, TripAdvisor, Glassdoor, Dianping, etc.).
  • Fake traffic & click fraud — Manufacturing site visits, ad clicks, AdSense fraud, affiliate self-loops.
  • Account farming — Mass-creating, hoarding, and reselling third-party platform accounts.

4. Harm to minors (zero tolerance / immediate report)

  • CSAM — Collecting, hosting, or distributing any Child Sexual Abuse Material. Immediate suspension, full data preservation, and proactive reporting to NCMEC, Europol, and local authorities.
  • Targeted harassment of minors — Targeting minors using location, school, or identity attributes for data collection.
  • Mass scraping of minors' content — Systematic scraping of minor profiles from TikTok, Instagram, etc.

5. Sensitive personal information

  • Health records — Health records, prescriptions, or insurance accounts without explicit data-subject consent.
  • Financial accounts — Bank account numbers, credit card numbers, crypto wallet private keys, login credentials.
  • Biometrics — Fingerprints, iris scans, face-recognition vectors, voice prints — unauthorized collection.
  • Unauthorized facial imagery — Systematic collection of face images for face-recognition training; bulk profile-photo scraping from public social platforms to build datasets.
  • Health-app data — Sensitive behavioral data like fitness tracking, menstrual cycles, heart rate, sleep patterns.
  • Location tracking — IP-based location-trail collection without subject knowledge.
  • Education records — Student records protected by FERPA or similar laws.

6. Intellectual property

  • Copyright infringement — Systematic downloading of copyrighted films, music, e-books, or news articles beyond fair use.
  • Trademark / counterfeiting — Registering or operating phishing sites or counterfeit brand domains; cybersquatting.
  • Patent infringement assistance — Helping third parties practice known patent infringement.
  • DRM circumvention — Systematically circumventing streaming DRM to download protected content.
  • Crawling & terms — Respect robots.txt and the target site's terms; large-scale collection that obviously violates a site's stated prohibitions (even when technically possible) is a violation.

7. Market & financial abuse

  • Insider trading — Trading on 'material non-public information' obtained via proxies.
  • Market manipulation — Spoofing, layering, wash trading, pump-and-dump — including in crypto markets.
  • Scalping & ticket spam — Using automation and multiple proxy identities to mass-buy hot products, concert tickets, or limited editions for resale (unless the platform explicitly allows it).
  • Rating fraud — Manipulating inputs to credit-rating, insurance pricing, or loan-scoring platforms.

8. Identity & impersonation

  • Identity theft — Opening accounts using someone else's name, ID number, SSN, or passport number.
  • Impersonation of minors — Approaching others while pretending to be a minor; impersonating a parent or guardian to provide consent.
  • Identity reselling — Selling or lending KYC-verified Helodata accounts to others.
  • Compliance forgery — Forging compliance materials (KYC documents, business registrations, signatures).

9. Surveillance & privacy invasion

  • Human-rights abuse — Helping surveil, track, or persecute journalists, human-rights workers, protesters, or activist lawyers.
  • Stalkerware — Integrating with stalkerware to monitor a spouse, partner, or child without their consent.
  • Workplace monitoring abuse — Monitoring employees beyond what local law allows or without informing them.
  • Public-data aggregation misuse — Aggregating public information for discriminatory decisions in hiring, lending, or insurance.

10. Resale & ToS evasion

  • Unauthorized resale — Reselling, redistributing, leasing, or embedding Helodata into a third-party-charging product without a signed Reseller Agreement.
  • Account sharing — Sharing accounts with non-KYC third parties.
  • Multi-account quota abuse — Registering multiple accounts to evade free-tier, trial quotas, or rate limits.
  • Bypassing abuse detection — Trying to evade or deceive our abuse-detection system (traffic shaping, manual distribution, KYC identity rotation).

Industry-specific guidance

E-commerce competitor monitoring: lawful. Throttle frequency (don't hammer one target, follow robots.txt + sensible delays); avoid pulling logged-in content.

Ad verification: lawful. Pull only from positions already publicly rendered by the ad network; don't access advertiser back-end data.

Price scraping & travel aggregation: lawful, but identify your proxy in the user-agent (with contact info); respect cache-control / rate-limit; some OTAs explicitly prohibit scraping and require separate authorization.

AI training data collection: lawful but sensitive. We strongly recommend respecting robots.txt, avoiding PII, not bypassing paywalls, and establishing licensing arrangements with rights holders.

SEO rank tracking: lawful. Low-frequency requests that mimic real users — no need to hammer search engines concurrently.

Social-media account warming and public data collection: lawful for public data, not logged-in content. We firmly refuse stalkerware-style use cases.

Detection & enforcement

Layer 1 (real-time): all egress traffic passes a dual signature-match + anomaly-score engine. P1 patterns (CSAM hashes, known DDoS signatures, credential-stuffing fingerprints) are blocked instantly and the account is frozen.

Layer 2 (24h human triage): high-score accounts enter a rolling 24-hour queue, reviewed jointly by a security engineer and a compliance analyst.

Layer 3 (decision): confirmed violation → immediate termination, no refund, law-enforcement reporting where required; false positive → unfreeze, compensation, and process improvement.

P0 emergencies (CSAM, etc.): the on-call security engineer terminates immediately, preserves evidence, and proactively reports to NCMEC and applicable authorities within 72 hours.

Penalty ladder

Tier 1 warning: first minor violation → warning + education + 24-hour temporary throttle.

Tier 2 restriction: repeat or moderate violation → 50% quota cut + 7-day observation.

Tier 3 suspension: serious violation → immediate account termination, no refund, KYC entered into the violations archive.

Tier 4 legal action: criminal involvement or material harm to customers or third parties → above + civil pursuit + law-enforcement reporting.

Violations archive: entities sanctioned at Tier 3 or above have their KYC information added to an internal blacklist for 5 years; they may not re-onboard via new companies, emails, or payment methods within that period.

Appeal mechanism

Believe you were misjudged? Email abuse@helodata.com with your account email and your factual statement. We commit to independent review by a different security engineer within 5 business days.

If the review upholds the original decision, you may escalate to compliance@helodata.com within 14 days for direct review by the Head of Compliance.

All appeals are archived. An independent security advisor reviews 10% of denied appeals quarterly for compliance.

Reporting abuse

If a Helodata IP is being used against you or a third party, email abuse@helodata.com with: (a) sample requests including full HTTP headers; (b) UTC timestamps; (c) target URL; (d) impact description; (e) your contact details.

We commit to a 24-hour first response and 72-hour resolution (confirm the violation and provide outcome, or provide reasonable evidence the traffic is not abusive).

Law-enforcement requests go through a separate channel: le-requests@helodata.com, with jurisdictional documentation.

Cooperation with law enforcement

We respect and respond to lawful court orders, subpoenas, and regulatory requests within proper jurisdiction.

We disclose only the minimum necessary information; we notify customers in advance where legally permitted.

We publicly commit to challenging requests that are obviously overbroad or jurisdictionally unfounded, retaining independent legal counsel where necessary.

Transparency report: annual statistics on law-enforcement requests (count, compliance rate, challenge rate) at /transparency.
