This Acceptable Use Policy ("AUP") governs the use of all proxy infrastructure services provided by the Operator. This policy applies to all customers, end users, and any party accessing the Service, regardless of plan type or subscription tier.

All customers must comply with this AUP at all times. The Operator reserves the right to suspend or terminate access to the Service for any customer found to be in violation of this policy. By using the Service, you acknowledge that you have read, understood, and agree to abide by the terms outlined herein.

This AUP supplements the Terms of Service and should be read in conjunction with the Privacy Policy and all other applicable policies published by the Operator.

The Service is intended for lawful business and research activities. The following are examples of permitted uses:

• Lawful web scraping and data collection — Automated gathering of publicly available data in compliance with applicable laws and website terms of service • Market research and competitive analysis — Monitoring pricing, product availability, and market trends across public websites • Ad verification — Verifying the placement, content, and targeting of digital advertisements across regions and platforms • SEO monitoring — Tracking search engine rankings, keyword positions, and SERP features across geographies • Brand protection — Detecting counterfeit products, unauthorized use of trademarks, and brand impersonation • Academic research — Collecting data for scholarly research, provided such activity complies with institutional review board requirements and applicable laws • Quality assurance testing and automation — Testing web applications, APIs, and services across multiple IP addresses and geographic locations • Legitimate business operations — Any other lawful commercial activity that does not violate this AUP, applicable law, or the rights of third parties

This list is illustrative, not exhaustive. If you are unsure whether your intended use is permitted, contact the Operator before proceeding.

The following activities are strictly prohibited when using the Service. This list is non-exhaustive, and the Operator reserves the right to determine, at its sole discretion, whether any activity constitutes a violation.

• DDoS attacks or traffic flooding — Using the Service to launch denial-of-service attacks, volumetric floods, or any form of attack designed to disrupt the availability of third-party systems • Credential stuffing or brute force attacks — Automated attempts to gain unauthorized access to accounts using stolen, leaked, or guessed credentials • Account takeover or unauthorized access — Accessing third-party systems, accounts, or data without proper authorization • Credit card testing or carding — Using the Service to validate stolen or fraudulently obtained payment card information • Distribution of malware, ransomware, or viruses — Transmitting, hosting, or distributing malicious software of any kind through the Service • Child sexual abuse material (CSAM) — Any activity involving the creation, distribution, or possession of CSAM. The Operator maintains a zero-tolerance policy. See Section 4 (Enforcement Tiers, Tier 4) for details. • Spam or unsolicited bulk messaging — Sending unsolicited commercial email, messages, or communications in bulk through the Service • Harassment, stalking, or threatening behavior — Using the Service to harass, stalk, intimidate, or threaten any individual or organization • Scraping in violation of CFAA or applicable law — Collecting data in a manner that violates the Computer Fraud and Abuse Act (CFAA) or equivalent legislation in the applicable jurisdiction • Violations of intellectual property rights — Using the Service to infringe upon copyrights, trademarks, patents, trade secrets, or other proprietary rights of third parties • Cryptocurrency mining on proxy infrastructure — Using the proxy network or associated infrastructure for cryptocurrency mining operations • Reselling or sublicensing proxy access without authorization — Redistributing, reselling, or sublicensing access to the Service or any portion thereof without prior written consent from the Operator • Circumventing access controls on government or military systems — Attempting to bypass security measures on government, military, or critical infrastructure systems • Any activity violating applicable law — Engaging in any activity that violates applicable local, state, national, or international law in the jurisdiction of the customer or the target of the activity

Violations of this AUP are addressed through a tiered enforcement system. The Operator reserves the right to escalate directly to a higher tier based on the severity of the violation.

Tier 1 — Minor / First Offense Written warning delivered via email to the account holder. The customer is given 7 calendar days to remediate the violation and confirm compliance. Failure to remediate within the specified period may result in escalation to Tier 2.

Tier 2 — Moderate / Second Offense Temporary suspension of services associated with the account (typically up to 24 hours). The customer must acknowledge this AUP in writing and confirm that the violating activity has ceased before service is reinstated. Repeated Tier 2 violations may result in escalation to Tier 3.

Tier 3 — Severe / Third Offense Immediate and permanent termination of the account. No refund will be issued for the current billing period or any unused service credits. The customer is prohibited from creating new accounts.

Tier 4 — Critical (CSAM, Active DDoS, Terrorism) Immediate termination of the account without prior notice. Relevant account data and traffic metadata may be preserved for investigation as required by law or policy. The Operator may refer the matter to appropriate law enforcement authorities. No refund will be issued. Decisions regarding Tier 4 violations are final and not subject to appeal.

The Customer is solely responsible for all activity conducted through their assigned proxies, API keys, and account credentials, regardless of whether the activity was performed by the Customer directly or by any authorized or unauthorized third party.

The Customer must:

• Maintain secure credentials — Use strong, unique passwords for account access. Enable multi-factor authentication (MFA) where available. Do not reuse passwords from other services. • Restrict proxy access — Do not share proxy credentials, API keys, or account access with unauthorized third parties. Access should be limited to individuals within the Customer's organization who have a legitimate need. • Monitor usage — Regularly review proxy usage, bandwidth consumption, and activity logs available in the dashboard to detect any anomalous or unauthorized activity. • Report security incidents promptly — Notify the Operator immediately at abuse@hex.gg if the Customer becomes aware of any unauthorized use of their account, credentials compromise, or suspected security incident. • Comply with applicable laws — Ensure that all activity conducted through the Service complies with all applicable local, state, national, and international laws and regulations in the Customer's jurisdiction and the jurisdiction of the target.

The Operator reserves the right to monitor traffic metadata for the purposes of abuse detection, network security, and compliance enforcement. Monitoring is limited to metadata and connection-level data; the Operator does not inspect, log, or store the content of customer traffic.

What we monitor: • Connection metadata (timestamps, source IPs, destination IPs, ports, protocol types) • Bandwidth usage and request volume per account • Anomalous traffic patterns that may indicate abuse or compromise

What we do not monitor: • HTTP request or response bodies • Payload content, form data, or uploaded files • Authentication credentials transmitted through the proxy

The Operator operates as a mere conduit and does not inspect or modify the substance of customer communications passing through its infrastructure.

Data retention: Traffic metadata is retained for a limited period (typically up to 90 days) for abuse investigation purposes. After this period, metadata is deleted unless a specific investigation or legal hold requires extended retention. See the Data Retention Policy for details.

Automated detection: The Operator employs automated systems to flag anomalous patterns, including sudden spikes in request volume, connections to known malicious endpoints, and traffic patterns consistent with credential stuffing or DDoS activity. Flagged accounts may be subject to manual review before enforcement action is taken, depending on severity and risk.

If you believe that the Service is being used in violation of this AUP, we encourage you to report the abuse promptly.

How to report: Send a detailed report to abuse@hex.gg

Include the following in your report: • IP address(es) involved in the abusive activity • Timestamp(s) of the incident, including timezone (UTC preferred) • A clear description of the abusive behavior observed • Supporting evidence (logs, screenshots, packet captures, or other documentation) • Your contact information for follow-up correspondence

Response time: The Operator aims to acknowledge receipt of abuse reports within 1 business day. Reports are investigated in accordance with the Abuse Handling Policy. Reporters will receive a status update or resolution within a reasonable timeframe based on severity and complexity.

Reports may also be submitted via the abuse contact listed in the WHOIS records for the relevant IP range.

The Operator may update, revise, or modify this AUP at any time to reflect changes in our services, legal requirements, industry best practices, or enforcement experience.

Notification of changes: Material changes to this AUP will be communicated to all active customers via: • Email notification to the primary account email address • Dashboard notification within the Service

Effective date: Changes take effect immediately upon publication unless otherwise specified. Customers are encouraged to review this AUP periodically.

Continued use: Continued use of the Service after changes have been published constitutes acceptance of the updated AUP. If you do not agree with any changes, you must discontinue use of the Service and contact the Operator to close your account.