Acceptable Use Policy

This Acceptable Use Policy (the "AUP") forms part of the Drupd Terms of Service and applies to everyone who accesses or uses Drupd, including free, trial, and paid users, as well as anyone they invite or share content with. It explains the kinds of activity we don't allow on the service.

We keep this policy short and concrete. If you're unsure whether something is allowed, ask first: abuse@drupd.com.

Drupd is a tool for legitimate freelancers and businesses to bill real clients for real work. Anything that runs counter to that purpose — fake invoices, fraud, harassment, abuse of clients or recipients, or attempts to harm the service or other users — is not permitted, regardless of whether it's specifically listed below.

You must not, and must not allow any third party to, use Drupd to:

Send spam, unsolicited bulk email, mass marketing campaigns, phishing emails, or any communication where you do not have a clear and lawful basis to email the recipient. Drupd's email sending is for invoices and directly related billing communications only — it is not a marketing tool.

Issue invoices that are fraudulent, fake, inflated, duplicated, or otherwise misleading; bill for goods or services not provided; bill a person or entity you do not have a contractual or legal right to bill; or use the service to launder funds, evade tax, sanctions, or other legal obligations.

Engage in any form of fraud, money laundering, tax evasion, sanctions evasion, identity theft, impersonation, or other financial crime; or assist any other person to do so.

Process invoices on behalf of a third party as an undisclosed service, white-label the product, or resell access to Drupd to others without our prior written agreement.

Harass, threaten, defame, intimidate, stalk, dox, or otherwise abuse any client, recipient, Drupd user, or member of the Drupd team. Use of Drupd to send threats, harassment, hate speech, sexually explicit material, or material that promotes violence is prohibited.

Upload, send, store, or transmit content that infringes any intellectual property, trade secret, privacy, publicity, or contractual right of any person; or content that is unlawful, obscene, or otherwise prohibited by applicable law.

Reverse engineer, decompile, disassemble, scrape, crawl, mirror, train a model on, or attempt to derive the source code, models, prompts, embeddings, weights, or underlying structure of Drupd, except to the limited extent applicable law expressly permits despite this restriction.

Probe, scan, attack, stress-test, denial-of-service, brute-force, fuzz, or otherwise interfere with the service, our infrastructure, or any other user, without our prior written authorization. Security researchers acting in good faith should contact security@drupd.com before testing.

Circumvent, attempt to circumvent, or disable any rate limit, plan limit, billing control, anti-abuse mechanism, authentication mechanism, or security control.

Introduce or transmit any malware, ransomware, virus, worm, time bomb, logic bomb, backdoor, trojan, or any other code, file, or program designed to interrupt, destroy, or limit the functionality of any computer software, hardware, or service.

Use the service in any way that violates export-control or sanctions laws of the United States, the United Kingdom, the European Union, the United Nations, or any other applicable jurisdiction, including by providing access to the service to a person or entity on any sanctions or denied-party list, or by using the service from a comprehensively sanctioned jurisdiction.

Misrepresent your identity, your business, your right to bill a recipient, or your relationship with Drupd; or create accounts using false information.

Because Drupd's emails are delivered through shared infrastructure, even isolated abuse can damage deliverability for every user. We hold email use to a strict standard.

You may only send invoices and directly related billing communications (reminders, receipts, signed copies, follow-ups) to recipients with whom you have an existing business relationship and a legitimate billing purpose.

You must use accurate sender information, including a real "from" name and a reply-to address you actively monitor. You must not spoof, falsify, or obscure routing information; falsify headers; or send through anonymized re-mailers.

You must promptly honor opt-out requests, bounce reports, and complaints. Repeated bounces, spam complaints, or unsubscribes are a strong signal of misuse and may result in suspension.

You must not use Drupd to send newsletters, marketing campaigns, promotional offers, surveys, transactional emails for unrelated products, or any communication outside the scope of invoicing.

Anyone whose data you upload to Drupd — clients, contacts, recipients — is your responsibility. You are the controller of that personal data; we are the processor acting on your instructions (see /dpa).

You must have a valid lawful basis under applicable data protection law to enter a person's personal data into Drupd, including their name, contact details, billing information, and the contents of invoices you send them.

You must not enter special-category personal data (health, biometric, political opinions, religious beliefs, sexual orientation, etc.) or other sensitive categories (e.g., financial account credentials, government-issued ID numbers beyond what is needed for invoicing) into Drupd unless you have first agreed additional safeguards in writing with Drupd.

You must not upload personal data of children under the age applicable in their jurisdiction (typically under 13 or 16) unless you have all necessary parental consents and a lawful basis to process that data.

We may, but are not obligated to, monitor, inspect, scan, or filter content sent through the service for compliance, abuse, fraud, security, or legal reasons. We will use reasonable judgment and act proportionately.

Where we identify a likely violation, our response may include any combination of: warning the user; quarantining or removing specific content; throttling, restricting, or disabling specific features; suspending the account temporarily; terminating the account permanently; preserving evidence for legal or regulatory processes; and reporting the activity to law enforcement, regulators, or affected third parties as required or permitted by law.

We will generally try to provide notice before taking action and an opportunity to remedy where appropriate. We will not provide notice where doing so would be unsafe, unlawful, harmful to other users, or where the violation is severe (e.g., fraud, abuse, criminal activity, imminent security threat).

Suspension or termination for AUP violations is not refundable. We may also pursue civil or criminal remedies and recover our costs of investigation and enforcement to the extent permitted by law.

If you received an invoice through Drupd that you believe is fraudulent, abusive, harassing, or otherwise violates this policy, or if you've observed any other abuse of the service, please report it to abuse@drupd.com with as much detail as possible (the email you received, headers, sender, time, and any relevant context). Reports are reviewed promptly and treated confidentially to the extent reasonably possible.

Security vulnerabilities should be reported to security@drupd.com. Please test only against test accounts, do not exfiltrate user data, and give us a reasonable window to respond before public disclosure.

We may update this AUP from time to time. Material updates will be communicated by email to registered users or by a notice on the marketing site. Continued use of the service after the effective date of any update constitutes acceptance of the updated policy.

This policy was last updated on May 16, 2026.