Trust Center · 07

← Back to Trust Center

Acceptable use policy

EFFECTIVE: MAY 1, 2026 · LAST UPDATED: MAY 1, 2026

This Acceptable Use Policy (the "AUP") sets out what you may and may not do with Arx — including our web application, public APIs, MCP server, email features, and AI assistant. The AUP is incorporated by reference into the Terms of Service. We enforce it consistently and impartially against every customer.

The short version: use Arx for legitimate fundraising and company operations, treat the people on the other end of your communications with respect, do not try to access data that isn't yours, and do not abuse our integrations with third parties.

Contents
  1. Prohibited content
  2. Prohibited activity
  3. Email & investor updates
  4. Public sharing surfaces
  5. AI assistant & MCP
  6. APIs & automation
  7. Third-party services
  8. Reporting violations
  9. Enforcement
  10. Contact

1. Prohibited content

You may not upload to Arx, store in Arx, or transmit through Arx any content that:

  • is illegal under the laws of Canada, the United States, or any jurisdiction where you operate or where the recipient is located;
  • infringes someone else's intellectual property, trademark, or other proprietary rights;
  • contains malware, viruses, worms, ransomware, or other harmful code;
  • is defamatory, harassing, threatening, or hateful;
  • depicts or facilitates the sexual exploitation of minors;
  • impersonates another person or company without authorisation;
  • contains payment-card numbers, government identification numbers, health records, or other categories of sensitive personal information that we have not designed Arx to handle. Arx is built for fundraising operations, not regulated data — please keep such data out of the product.

2. Prohibited activity

You may not use Arx to:

  • send spam, phishing messages, or fraudulent communications;
  • misrepresent your business, financials, fundraising status, or affiliation to investors or other recipients;
  • circumvent any access control, authentication, or audit-logging mechanism;
  • access, probe, scan, or test any part of the Service except as expressly permitted by our responsible-disclosure policy;
  • attempt to access another workspace's data, or to identify other customers from public-link analytics;
  • interfere with, disrupt, or overload the Service or the infrastructure of any subprocessor;
  • reverse-engineer, decompile, or extract the underlying source code or model weights of the Service;
  • use the Service to build, train, or evaluate a competing product;
  • resell, sublicense, or commercially redistribute the Service or substantial portions of it without our written permission.

3. Email & investor updates

Arx integrates with Gmail (and falls back to a Resend sender) so you can send investor updates from your own address. When using these features:

  • Only contact people who have a legitimate connection to your fundraising — investors, prospective investors who opted in, your own portfolio CRM. Bulk-emailing scraped or purchased lists is prohibited.
  • Honour unsubscribe requests promptly. Each Arx-sent update includes an unsubscribe link; do not strip or disable it.
  • Do not impersonate another sender, spoof headers, or otherwise disguise the origin of a message sent through Arx.
  • Comply with applicable anti-spam law, including CAN-SPAM (US), CASL (Canada), and the ePrivacy Directive (EU/UK).
  • Repeated complaints or high bounce rates against your sender domain may result in your update-send feature being suspended pending review.

4. Public sharing surfaces

Data rooms, decks, and public booking pages are designed to be shared with specific recipients. When you use them:

  • Only share content you have the right to share.
  • Do not use Arx to host or distribute content that is unrelated to your fundraising or company operations.
  • Do not attempt to track or de-anonymise public-link viewers beyond the analytics Arx provides.
  • Watermarks on view-only PDFs must not be tampered with.

5. AI assistant & MCP

Arx's AI assistant ("Ask Arx") and our MCP server give you and any external client you authorise (e.g., Claude Desktop) tool-based access to your workspace. When using these features:

  • Do not attempt to use the AI assistant or MCP to access data from another workspace, or to enumerate other customers.
  • Do not paste third-party personal data into the assistant that you do not have a lawful basis to process. Use the Settings → Account → AI access toggles to limit what the assistant can read.
  • Do not use the assistant to generate content that is unlawful, harassing, infringing, or otherwise prohibited by §1.
  • Do not use prompts or tool calls to attempt to extract our model providers' system prompts, internal instructions, or other tenants' content.
  • MCP tokens are bound to your workspace and may only be used by clients you control. If a token is lost or compromised, revoke it immediately in Settings → Integrations and notify security@foundersarx.com.
  • Mutating MCP tools require explicit confirmation in the Arx app. Do not attempt to bypass these confirmations.

6. APIs & automation

  • API tokens are tied to your workspace and authenticate as you. Treat them like passwords. Rotate them if compromised.
  • Automation must respect published rate limits. Do not attempt to disguise an automated client as a browser.
  • Do not scrape or mirror the application or its public surfaces beyond what the API offers.
  • If you need higher limits for a legitimate use case, contact hi@foundersarx.com.

7. Third-party services

When you connect a third-party service (Google, Stripe, Slack, Zoom, Claude, etc.) Arx interacts with that service on your behalf using the OAuth scopes you grant. You must:

  • only grant scopes you are entitled to share with Arx;
  • comply with that third party's own terms of service when interacting through Arx;
  • revoke the integration if your authority to grant it ends (for example, you leave the company that owns the third-party account).

8. Reporting violations

If you believe a customer or other user is violating this AUP — for example, you received an unsolicited investor update sent through Arx, you discovered a public link being abused, or you suspect impersonation — please email security@foundersarx.com with as much detail as you can share. We will investigate.

9. Enforcement

We take a graduated approach to enforcement. Depending on severity and pattern of behaviour we may:

  • contact the workspace owner for clarification;
  • require remediation (e.g., remove an offending file, stop a bulk-send) within a stated window;
  • temporarily disable a specific feature (such as Gmail send, MCP, or public sharing) for that workspace;
  • suspend the workspace pending investigation;
  • terminate the account in line with the Terms of Service; and
  • where required by law, report to the relevant authorities or affected third parties.

We reserve the right to take immediate action without notice when the violation poses an active risk to other customers, third parties, or the integrity of the Service.

10. Contact

This document is provided for transparency. It is not legal advice and is incorporated by reference into the Terms of Service; in the event of any conflict between the AUP and the Terms, the Terms control.