Acceptable Use Policy

Last updated: February 2026

This Acceptable Use Policy ("AUP") governs your use of the Helium Systems platform ("the Service") provided by Helium Systems Ltd ("Helium", "we", "us"). This AUP forms part of our Terms of Service and applies to all users of the Service, including organisation administrators, team members, B2B portal buyers, and API consumers.

By using the Service, you agree to comply with this AUP. Violation may result in suspension or termination of your account as described in Section 8.

1. Permitted Use

1.1 Intended Purpose

The Service is designed for legitimate business operations, including but not limited to:

  • Managing your product catalogue, inventory, and warehouse operations
  • Processing and fulfilling customer orders
  • Managing purchasing, supplier relationships, and procurement
  • Operating e-commerce channels and marketplace integrations
  • Managing customer relationships, communications, and support
  • Accounting, invoicing, and financial record-keeping
  • Manufacturing planning and production management
  • Analytics, reporting, and business intelligence
  • Team management, workforce planning, and payroll
  • B2B wholesale portal operations

1.2 Your Products and Data

You may only use the Service to manage products, inventory, and data that you own or are legally authorised to manage. You are responsible for ensuring that all data you enter into the Service is accurate and that you have the necessary rights and permissions to process it.

2. Prohibited Content

You must not use the Service to store, process, distribute, or facilitate the sale of:

  • Illegal goods — Any products or materials that are illegal to manufacture, possess, sell, or distribute under the laws of England and Wales, the laws of your jurisdiction, or the laws of any jurisdiction in which you operate.
  • Counterfeit goods — Products that infringe the intellectual property rights of third parties, including counterfeit, pirated, or unlicensed goods.
  • Restricted items — Products subject to export controls, sanctions, or trade restrictions without the required licences and authorisations.
  • Dangerous goods (without compliance) — Hazardous materials, controlled substances, or dangerous goods unless you hold all required licences and have completed the appropriate compliance documentation within the Service.
  • Offensive or harmful content — Content that is defamatory, obscene, threatening, discriminatory, or that promotes violence or hatred.
  • Stolen property — Goods known or suspected to be stolen, misappropriated, or obtained through fraud.

3. Prohibited Behaviour

You must not:

3.1 System Abuse

  • Attempt to gain unauthorised access to any part of the Service, other users' accounts, our infrastructure, or third-party systems connected via the Service.
  • Probe, scan, or test the vulnerability of the Service or any connected system without prior written authorisation from Helium.
  • Introduce viruses, trojan horses, worms, logic bombs, ransomware, or any other malicious or technologically harmful material.
  • Use the Service to conduct denial-of-service attacks or any action intended to disrupt or degrade the performance of the Service for other users.

3.2 Data Scraping and Automated Access

  • Scrape, spider, crawl, or use any automated means to access the Service or extract data, except through our published APIs in accordance with the API usage terms (Section 6).
  • Use bots, automated scripts, or mechanical devices to interact with the Service interface, unless specifically authorised by Helium.
  • Systematically download or cache content from the Service for purposes other than your normal business use.

3.3 Overloading and Resource Abuse

  • Intentionally or negligently overload the Service's infrastructure, including excessive API calls, bulk imports without appropriate throttling, or creation of unnecessary data to inflate storage usage.
  • Use the Service in a manner that disproportionately consumes shared resources, negatively impacting other customers.
  • Circumvent or attempt to circumvent rate limits, usage quotas, storage limits, or any other resource restrictions.

3.4 Circumventing Controls

  • Bypass, disable, or interfere with any security, authentication, or access control features of the Service.
  • Share or transfer account credentials, API keys, or session tokens to unauthorised individuals.
  • Create multiple accounts to circumvent subscription limits, usage restrictions, or enforcement actions.

3.5 Misuse of AI Features

  • Use AI-powered features (Nucleus AI, content generation, compliance tools) to generate content that is deliberately misleading, fraudulent, or harmful.
  • Attempt to extract or reverse-engineer the prompts, training data, or model weights underlying AI features.
  • Use AI outputs without appropriate human review where the outputs relate to legal compliance, health and safety, or financial reporting.

4. Security Responsibilities

4.1 Password and Credential Management

  • Choose strong, unique passwords for your account and do not reuse passwords from other services.
  • Enable multi-factor authentication (MFA) where available, particularly for administrator accounts.
  • Never share your login credentials with others. Use the team management features to grant appropriate access to colleagues.
  • Report any suspected unauthorised access to your account immediately to security@heliumsystems.app.

4.2 Access Control

  • Organisation administrators must configure appropriate permission levels for each team member, following the principle of least privilege.
  • Promptly revoke access for team members who leave the organisation or no longer require access.
  • Regularly review and audit user permissions, API keys, and webhook configurations.
  • Client users must only be granted access to data and features relevant to their client account.

4.3 API Key Security

  • Store API keys securely and never embed them in client-side code, public repositories, or unprotected configuration files.
  • Use IP allowlisting to restrict API key usage to known IP addresses where possible.
  • Rotate API keys regularly and immediately if a compromise is suspected.

5. Data Restrictions

5.1 Personal Data

You must comply with all applicable data protection laws (including the UK GDPR and EU GDPR) when processing personal data through the Service. You are the data controller for the personal data you enter into the Service, and you must ensure you have a lawful basis for processing it.

5.2 Special Category Data

The Service is not designed to process special category data (as defined in Article 9 of the UK GDPR), including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation, except:

  • Health and safety data required for workforce management (e.g. absence reasons categorised as "medical"), where you have obtained appropriate consent or have another lawful basis.
  • Allergen and dietary information where required for food product compliance documentation.

If you need to process special category data beyond these limited exceptions, you must contact us in advance to discuss appropriate safeguards.

5.3 Payment Card Data

You must not enter full payment card numbers (PANs), CVV/CVC codes, or PINs into any free-text field in the Service. Payment processing is handled exclusively through our integrated payment provider (Stripe) in a PCI-DSS compliant manner.

6. API Usage

6.1 Rate Limits

API access is subject to rate limits as published in our API documentation. Current default limits apply per API key per time window. You must design your integrations to handle rate limit responses (HTTP 429) gracefully, implementing exponential backoff.

6.2 Prohibited API Use

  • Do not use the API to mirror, replicate, or create a competing service.
  • Do not use the API to systematically extract data for purposes unrelated to your business operations.
  • Do not share API access with third parties without our prior written consent.
  • Do not use the API to bypass features or restrictions of the user interface.

6.3 Webhooks

Webhook endpoints you configure must be secured with HTTPS and should validate the HMAC signature on incoming payloads. You are responsible for the availability and security of your webhook endpoints.

7. Monitoring

We monitor the use of the Service to ensure compliance with this AUP, detect security incidents, maintain system performance, and fulfil our legal obligations. Monitoring includes automated analysis of usage patterns, API call volumes, error rates, and audit log review. We do not routinely review the content of your data except as necessary to investigate a suspected violation of this AUP or in response to a legal requirement.

8. Enforcement

If we determine that you have violated this AUP, we may take one or more of the following actions, depending on the severity and nature of the violation:

8.1 Warning

For minor or first-time violations, we will issue a written warning describing the violation and requesting that you take corrective action within a specified timeframe.

8.2 Suspension

For serious or repeated violations, we may temporarily suspend your access to all or part of the Service. We will notify you of the suspension, the reason, and what steps you must take to have access restored. During suspension, your data remains intact and accessible for export upon request.

8.3 Termination

For severe violations (including illegal activity, deliberate security breaches, or persistent non-compliance after warnings), we may terminate your account. Termination will follow the process described in our Terms of Service, including the data retention and deletion provisions.

8.4 Immediate Action

We reserve the right to take immediate action (including suspension without prior warning) where we reasonably believe that a violation poses an imminent risk to the security, integrity, or availability of the Service, or to other customers' data.

9. Reporting Violations

If you become aware of any violation of this AUP, whether by users within your organisation or by third parties, please report it promptly to:

  • Security incidents: security@heliumsystems.app
  • General AUP violations: abuse@heliumsystems.app
  • Intellectual property concerns: legal@heliumsystems.app

We will investigate all reports and take appropriate action. Reports may be made anonymously, though providing contact details may help us investigate more effectively.

10. Changes to This Policy

We may update this AUP from time to time to reflect changes in our services, legal requirements, or industry best practices. Material changes will be communicated via email or a prominent notice within the platform at least 30 days before they take effect.

11. Governing Law

This AUP is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from or in connection with this AUP shall be subject to the exclusive jurisdiction of the courts of England and Wales.

12. Contact

Helium Systems Ltd
Email: legal@heliumsystems.app