This policy applies to every use of the KINDI service, including the API, the dashboard, the playground, the administrative console, and any reference implementation distributed by KINDI. It is incorporated into the Terms of Service by reference; a breach of this policy is a breach of the Terms.

You may not submit, process, store, or generate content through the service that is, or that is intended to enable:

• unlawful under the law of the Kingdom of Saudi Arabia, including any conduct prohibited by the Anti-Cyber Crime Law (Royal Decree M/17, 2007);
• child sexual abuse material, in any form, regardless of jurisdiction;
• the targeting of individuals with harassment, threats, or defamation;
• the planning, facilitation, or instruction of violence, terrorism, or attacks on critical infrastructure;
• the production of weapons of mass destruction, biological agents, chemical agents, or material that lowers the barrier to such production;
• the unauthorised disclosure of classified state secrets or military information;
• the impersonation of a real person, organisation, or public authority in a manner that would mislead a reasonable recipient.

Regardless of content, you may not:

• circumvent or attempt to circumvent any rate limit, billing control, authentication mechanism, or access control;
• extract, reverse-engineer, or attempt to extract the detection models, parameters, or training data behind the service;
• scrape, crawl, or otherwise mass-download KINDI properties outside the documented public API;
• interfere with the service's availability for any other customer, including by submitting deliberately malformed requests at volume;
• use the service to test or develop a competing product while accepting these Terms;
• share an API key with a party that has not accepted these Terms, or sub-license access without written permission from KINDI.

The service operates under per-account rate limits and a published free daily quota. KINDI may reduce a rate limit, shorten a quota, or block a request pattern at any time if we determine, on reasonable grounds, that the pattern threatens the service's stability or another customer's availability. We will inform the affected account at the earliest practicable moment.

KINDI is designed to process text from regulated industries, including healthcare, financial services, and legal services. If you submit text that contains sensitive personal data as defined by the PDPL, including health data, you represent that:

1. you are the Controller of that data, or have a written processing agreement with the Controller that permits the submission;
2. you have a lawful basis under the PDPL for the processing you are asking KINDI to perform;
3. the data subject has been informed of your use of an automated masking service to the extent required by your own privacy notice; and
4. you have applied any additional safeguards required for sensitive personal data, including the access-control minimisation expected of health data under the PDPL Implementing Regulations.

KINDI's Data Processing Addendum states our matching Processor obligations.

Concerns about the use of the KINDI service by another party, including suspected breach of this policy, should be sent to abuse@kindi.me. Security vulnerabilities should be sent to security@kindi.me instead; KINDI acknowledges those within one business day.

On a confirmed breach of this policy, KINDI may, at its sole discretion and proportionate to the breach: warn the account holder, throttle or block the offending request pattern, suspend the account, terminate the account, retain relevant records as required by law, and report the conduct to the appropriate authority. KINDI will not refund unused balance on an account terminated for a breach of this policy.