nomoslynomosly
Legal

Acceptable Use Policy

What is and is not allowed when using nomosly. Violation may result in immediate suspension or termination.

Effective: May 6, 2026Last updated: May 6, 2026

Purpose

This Acceptable Use Policy ("AUP") defines uses of the nomosly service that are not allowed. It applies to everyone who uses the Service: account holders, end users of products built on top of nomosly, and anyone acting on their behalf. The AUP is incorporated into our Terms of Service.

Prohibited uses

You may not use the Service to:

  • Conduct surveillance or monitoring of individuals without their informed consent or another lawful basis
  • Build or operate a system for mass biometric identification in public or semi-public spaces without explicit legal authority
  • Process images of minors for commercial profiling, behavioral targeting, or generating content of any kind
  • Make consequential decisions about individuals (employment, housing, credit, insurance, immigration, law enforcement) based solely on Vision API output without human review
  • Facilitate discrimination on the basis of race, gender, religion, national origin, disability, sexual orientation, or any other protected characteristic
  • Generate, distribute, or facilitate the creation of non-consensual intimate imagery, deepfakes targeting individuals, or content that sexualizes minors
  • Process medical imagery for diagnostic decisions without appropriate regulatory clearance (the API is not certified for medical use)
  • Circumvent access controls, scrape data from the Service, or abuse the API beyond documented rate limits
  • Reverse-engineer, decompile, or attempt to extract the underlying models or infrastructure
  • Resell or redistribute API access without a separate written agreement
  • Violate any applicable local, national, or international law or regulation

Biometric data & consent

Face comparison and face detection process biometric identifiers. You (not nomosly) are the controller or business with respect to those identifiers under applicable privacy law. You are responsible for:

  • Collecting informed, written consent from individuals whose face images you submit, where required by law (BIPA in Illinois, GDPR Article 9 in the EU, CCPA in California, and similar regimes elsewhere)
  • Disclosing in your product's privacy notice that biometric processing occurs, what is processed, who processes it, and how long results are retained
  • Implementing retention and deletion policies for any results you store on your side (nomosly does not retain image bytes)
  • Honoring access, deletion, and portability requests from data subjects
  • Not using the Service for one-to-many identification against a database of individuals scraped from the public internet
Note: nomosly does not retain image bytes after processing and cannot recover or identify past requests. Compliance obligations on your side persist regardless.

Regulatory compliance

You are responsible for determining whether your specific use case is permitted in the jurisdictions where you operate. Notable regimes that may apply:

  • BIPA (Illinois): requires written consent before collecting biometric identifiers and a published retention/destruction policy
  • GDPR (EU/UK): biometrics are special-category data under Article 9, requiring explicit consent or another Article 9 lawful basis
  • CCPA / CPRA (California): includes biometrics in "sensitive personal information" with disclosure and opt-out requirements
  • EU AI Act: certain real-time remote biometric identification uses may be prohibited or high-risk
  • Sectoral laws: child-protection laws, employment screening laws, fair housing laws, and others may further restrict use

nomosly provides the technology; you are responsible for using it lawfully.

API key security

API keys are credentials. You must not embed them in client-side code (web frontend, mobile app), commit them to public repositories, paste them into chat tools, or share them outside the team that needs them. Use environment variables or a secrets manager. Use one key per environment so a leaked staging key does not affect production. Revoke keys immediately if you suspect a compromise.

Rate limits & abuse

The API is subject to a per-key daily quota (default 100,000 requests per UTC day) and a service-wide rate limit. Sustained abuse (repeated 4xx responses indicating malformed requests, attempts to bypass authentication, or scraping behavior) may result in suspension. Email support@nomosly.com if you legitimately need a higher quota.

Enforcement

nomosly reserves the right to investigate suspected violations and to suspend or terminate accounts without prior notice if we determine in good faith that a violation has occurred or is imminent. We may report unlawful activity to appropriate authorities. We may revoke individual API keys without suspending the full account where the violation is contained.

Reporting violations

To report abuse or suspected violations of this policy, email support@nomosly.com with as much detail as you can share (account, time window, evidence). We do not publicly disclose reporters.

Acceptable Use Policy · nomosly