Tap Links — Acceptable Use Policy

Operator: Mace Design LLC (a New York limited liability company) d/b/a “Tap Links”
Effective date: 2026-05-13 · Version: 1.0

This Acceptable Use Policy (“AUP”) applies to all use of the Tap Links Service (defined in our Terms of Service) and is incorporated into those Terms by reference. If you have a signed Master Services Agreement with Tap Links, this AUP is also incorporated into that agreement.

Capitalized terms used but not defined here have the meanings given in the Terms of Service or MSA.

Summary

• Use the Service for lawful purposes; do not use it to host or redirect to malware, fraud, infringing material, or other prohibited content.
• Do not attempt to bypass authentication, rate limits, or the cryptographic protections on our hardware.
• We may suspend or terminate access for material violations, with notice and cure rights where required by the applicable contract.

This summary is informational and subject to change. In a conflict between this summary and the formal text below, the formal text controls.

1. The short version

Do not use the Service to do anything illegal, harmful, deceptive, abusive, infringing, or that interferes with the operation of the Service or the experience of other users. Do not point Tap Links devices at malware, phishing pages, fraud sites, or material that violates third-party rights. Do not try to break the cryptographic protections on our hardware. If you see a violation, tell us at hello@taplinks.com.

2. Prohibited content

You may not configure a Tap Links device to redirect to, or use the Service to host, link to, or distribute, any of the following (“Prohibited Content”):

• Illegal content. Content that violates applicable law in the jurisdiction where it is made available or where the customer operates.
• Child sexual abuse material (CSAM). Zero tolerance. We will preserve evidence and report violations to the National Center for Missing & Exploited Children (NCMEC) and to law enforcement as required by 18 U.S.C. § 2258A.
• Non-consensual intimate imagery.
• Content that incites or threatens violence, terrorism, genocide, or other serious harm against any person or group.
• Doxing or harassment: content that targets an individual with personal information for the purpose of intimidation, harassment, or violence.
• Malware, ransomware, spyware, viruses, worms, Trojan horses, or other malicious code.
• Phishing pages or other content designed to deceive a viewer into surrendering credentials, payment information, or other sensitive information.
• Fraudulent schemes, including pyramid schemes, advance-fee fraud, and false-promise investment offers.
• Counterfeit goods or services, including the sale of fake brand merchandise.
• Material that infringes another party’s copyright, trademark, patent, trade secret, publicity rights, or other intellectual property rights. See our DMCA Policy for the procedure to report copyright infringement.
• Content that violates a third party’s privacy rights, including unauthorized disclosure of personal information.
• Content that defames any identifiable person or entity.
• Spam, deceptive marketing, or unsolicited bulk messaging (including configuring a device to launch an SMS to a phone number that did not consent to be contacted).
• Content that exploits minors in any way, or that targets minors with content that is inappropriate for their age.

We may add to this list in our reasonable discretion as new categories of abuse emerge. We will give reasonable notice to current customers when we do.

3. Prohibited activities

You also may not, and may not permit any user under your account to:

• Reverse-engineer, decompile, disassemble, or attempt to derive source code from any part of the Service, except where applicable law expressly permits it notwithstanding this restriction.
• Bypass or attempt to bypass any authentication mechanism, rate limit, technical protection measure, or access control. This includes the AES-128 lock on our NFC devices and the cloud infrastructure that powers the redirect path.
• Use the Service to probe, scan, or test the vulnerability of any system that you do not own or are not authorized to test, or to breach any security or authentication measure.
• Send malicious traffic to the Service, including SQL-injection payloads, XSS payloads, malformed protocol messages, or other content designed to exploit a vulnerability.
• Interfere with or disrupt the integrity or performance of the Service, including by deploying excessive automated requests, denial-of-service attacks, or amplification attacks.
• Impersonate any person or entity, or misrepresent your affiliation with any person or entity.
• Use the Service to facilitate anything prohibited above by another party.
• Scrape or harvest data from the Service without our prior written consent. Use the documented API only.
• Resell access to the Service without our prior written consent. This restriction does not prohibit selling devices you have lawfully purchased from us to your own customers.
• Forge, alter, or remove any Tap Links branding, attribution, or copyright notice.
• Use the Service to compete with Tap Links by building a substantially similar competing service.

4. Hardware

Our hardware is built and sold for the configured purpose. You may not:

• Modify the cryptographic state of a Tap Links device (e.g., attempting to overwrite the AES-128 key, reading out the key, replaying tap signatures).
• Counterfeit or clone a Tap Links device in a way that misrepresents it as a genuine Tap Links product or as a device manufactured for a different customer.
• Remove or alter Tap Links branding on the physical product or on the cloud-rendered interstitial pages, except as expressly authorized in writing by us (e.g., through a customer-branded interstitial agreed in your MSA).

You may, of course, paint, sticker, or otherwise visually customize devices you have purchased; the restriction is on cryptographic and brand-attribution modification.

5. Service capacity

The Service is built for the workloads of a single client at typical retail-tap volumes. If you anticipate volumes substantially higher than typical (e.g., a single-day campaign expected to drive more than 100,000 taps in 24 hours), contact us at hello@taplinks.com in advance so we can coordinate capacity.

We may apply rate limits per IP, per device, per account, or per endpoint at our discretion to protect the Service. Persistent rate-limit violations may result in temporary or permanent suspension.

6. Privacy and end users

If you configure a device to collect personal information from end users (for example, by redirecting to a sign-up form, a survey, or a phone number that captures caller ID), you are responsible for:

• Providing accurate notice to those end users about what you collect and what you do with it, consistent with applicable privacy law.
• Obtaining any required consent.
• Honoring the rights those end users may have under applicable privacy law.

Tap Links does not control destination URLs and is not the privacy controller for whatever happens after the redirect. The Tap Privacy Notice we publish covers only the tap event itself (the data we log when a device is tapped).

7. Reporting violations

If you see a Tap Links device, dashboard account, or any other part of the Service being used in violation of this AUP, please report it to:

• General abuse: hello@taplinks.com
• Security vulnerabilities: hello@taplinks.com
• Copyright infringement: see DMCA Policy
• Privacy issues: hello@taplinks.com

Include:

• The URL or device UID involved.
• A description of what you observed.
• Any supporting evidence (screenshots, hash of suspected malware, links to original works for copyright complaints).
• Your contact information so we can follow up.

We investigate every credible report and take action where appropriate. We will not disclose the identity of a reporter to a customer who is the subject of a complaint without the reporter’s consent, except as required by law or by the DMCA Policy (which requires us to forward complete DMCA notices to the alleged infringer).

8. Consequences of violation

If we reasonably determine that you (or a user under your account) have violated this AUP, we may, in our discretion and based on the severity of the violation:

1. Notify you and ask you to cease the conduct or remove the offending content.
2. Temporarily suspend specific devices, specific features, or your entire account.
3. Terminate your access to the Service, with notice consistent with the Terms of Service or your MSA.
4. Preserve evidence and disclose it to law enforcement as required by applicable law or in our good-faith judgment that doing so is necessary to prevent imminent harm.
5. Pursue civil remedies for damages caused to Tap Links, including breach of contract, indemnification under the Terms of Service, and recovery of attorneys’ fees where legally available.

For violations that pose an immediate and serious risk to the Service, to other users, or to the public (for example, malware distribution or CSAM), we may suspend or remove content without prior notice and pursue further action thereafter.

9. Cooperation with law enforcement

We will cooperate with law enforcement when we receive a properly served subpoena, court order, or other valid legal process. We will not voluntarily disclose customer information to law enforcement except in response to valid process, in an emergency where we have a good-faith belief that disclosure is needed to prevent imminent physical harm, or as otherwise required by law.

Where lawful and practical, we attempt to provide notice to the affected customer before responding to a legal request so that the customer has an opportunity to object.

10. Changes

We may update this AUP from time to time. Material changes will be announced at least 14 days before they take effect by email, dashboard banner, or notice on the marketing site. Continued use of the Service after a change indicates acceptance.