Acceptable Use Policy

Last updated: 7 May 2026

7 May 2026 — Special-category restriction tightened (aggregated/de-identified diversity metrics by default; Article 9 + DPA 2018 Schedule 1 lawful-basis carve-out). Article 10 criminal-offence regime split out separately.

This policy sets out what is and is not permitted when using AnswerVault. It forms part of our Terms of Service.

General principles

AnswerVault is designed for business use — specifically, managing ESG questionnaire responses, storing sustainability-related facts and evidence, and generating compliant reports. Use the Service for its intended purpose and in compliance with applicable laws.

Restricted data — special-category personal data (Article 9 UK GDPR)

You may not upload identifiable special-category personal data as defined by Article 9 UK GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation) without first documenting your Article 9 lawful basis AND, where the data concerns employees of a UK organisation, an applicable basis under DPA 2018 Schedule 1.

Diversity metrics intended for ESG questionnaire reporting must be aggregated or de-identified at source (e.g. percentage workforce by category, not individual employee records) unless the documented lawful basis above applies and the use is strictly necessary as compliance evidence.

Where special-category data appears incidentally in uploaded correspondence (for example, a sentence in a contract referring to an employee's health), you must identify its lawful basis under Article 9.

Restricted data — criminal-offence data (Article 10 UK GDPR)

Criminal-offence data is governed by a separate regime from Article 9. Criminal-conviction data, allegations of criminal conduct, and related security-measure data are governed by Article 10 UK GDPR and the conditions in DPA 2018 Schedule 1 Part 1 + Part 2 (which differ from Article 9 conditions). You may not upload such data without documenting both an Article 10 lawful authority basis (e.g. official authority, employment screening with statutory basis, legal claims) AND, where applicable, the relevant DPA 2018 Schedule 1 condition. AnswerVault does not process criminal-offence data on behalf of customers under any documented standing instruction.

Both restrictions above are mirrored in Schedule 1 of the Data Processing Agreement and exist because AnswerVault's row-level security, sub-processor stack, and audit-log handling are designed for ordinary business contact data and ESG metrics — not for material that requires the heightened technical and organisational measures expected of a system specifically designed for Article 9 / Article 10 processing.

Prohibited activities

You must not:

Misuse of the platform

  • Use the Service for any unlawful purpose or to promote illegal activity.
  • Upload or store content that infringes third-party intellectual property rights.
  • Store content unrelated to the Service's intended ESG and business compliance purpose, including but not limited to personal files, media libraries, or bulk data dumps.
  • Use the Service to store, process, or transmit content that is defamatory, obscene, threatening, or discriminatory.

Security and technical abuse

  • Attempt to gain unauthorised access to other users' accounts, data, or any part of our infrastructure.
  • Probe, scan, or test the vulnerability of our systems except through our responsible disclosure programme.
  • Interfere with or disrupt the Service, including denial-of-service attacks or resource exhaustion.
  • Reverse engineer, decompile, or disassemble any part of the Service.
  • Use automated tools (bots, scrapers, crawlers) to access the Service without our written permission.
  • Circumvent rate limits, authentication controls, or access restrictions.

Account misuse

  • Share account credentials outside your organisation.
  • Create multiple free-trial accounts to avoid paying for the Service.
  • Resell, sublicense, or redistribute access to the Service without our written permission.
  • Impersonate another person or organisation.

Your responsibilities

  • You are responsible for all content stored in your account and for ensuring it complies with applicable laws.
  • You are responsible for maintaining the security of your account credentials.
  • If you become aware of any misuse or security concern, notify us at support@answervault.co.uk.

Enforcement

If we determine that you have breached this policy, we may:

  1. Issue a warning and request that you stop the activity.
  2. Temporarily suspend your account while we investigate.
  3. Permanently terminate your account and delete your data (after providing reasonable notice where possible).

We will always aim to be proportionate and fair. Where possible, we will contact you before taking action and give you an opportunity to resolve the issue.

For serious breaches (e.g. illegal activity, security attacks), we may act immediately without prior notice.

Reporting abuse

If you believe another user is misusing the Service, please report it to support@answervault.co.uk.

Contact

Questions about this policy? Contact us at support@answervault.co.uk.