Acceptable Use Policy (AUP)
Version: 2026-05-14
Provider: Oleksandr Chornous, Drewerstraße 5, 59602 Rüthen, Germany. Scope: boncard.app SaaS platform (beta).
This AUP applies to all users (account owners/tenants). Violations may lead to account suspension (SUSPENDED) or deletion (SCHEDULED_FOR_DELETION → EXECUTED).
1. Permitted use
- Managing your own loyalty program (cards, points, rewards)
- Collecting customer data with their explicit consent (GDPR Art. 6(1)(a))
- Sending marketing email only to customers with confirmed double opt-in
- Exporting your own business data (GDPR Art. 20)
2. Prohibited content and actions
2.1 Data protection
- Collecting customer data without consent
- Sharing customer data with third parties without legal basis (AVV violation)
- Refusing GDPR data-subject rights (access, deletion, portability)
- Faking consent / forging consent logs
- Using the platform for profiling that violates GDPR Art. 22
2.2 Marketing abuse
- Sending marketing email to recipients without double opt-in confirmation
- Spam, misleading subject lines, phishing content
- Bypassing the email_suppression list
- Bulk-mailing imported lists without single-opt-in evidence
- Sending without complete sender details (UWG §7, DDG §5)
2.3 Platform abuse
- Circumventing rate limits or plan limits via sock-puppet accounts
- Creating fake customers to skew statistics
- Automated bulk access to API endpoints (DDoS-like behavior)
- Reverse-engineering, crawling, scraping the platform UI
- Uploading malware in photo uploads
- SSRF / XSS / SQL-injection attempts
2.4 Content restrictions
- Uploading illegal content (copyright violations, NS content, depictions of violence)
- Using the platform for gambling, adult content, weapons, drugs
- Marketing products that are illegal or require a license in Germany
2.5 Identity fraud
- Registering with false business information (name, address, phone)
- Claiming to operate a non-existent business
- Using stolen payment methods (post-Gewerbe)
3. Sanctions
| Violation | Action |
|---|---|
| 1st violation (minor) | Written warning by email, 14-day cure period |
| 2nd violation / severe first violation | Suspension (SUSPENDED) — no data loss, features restricted |
| Repeat despite suspension | Deletion (SCHEDULED_FOR_DELETION) with 30-day grace |
| Order from supervisory authority | Immediate deletion, no grace |
| Criminal (fraud, identity theft) | Immediate deletion + report to police |
4. Documentation
All sanction steps are logged in the audit log and deletion protocol.
5. Complaints
- Email: sahajaret@gmail.com
- Reply within 14 days
- Escalation to supervisory authority: LDI NRW (ldi.nrw.de)
6. Changes
This AUP may be updated. Existing tenants are notified by email of material changes with a 30-day objection period.
7. Change history
- 2026-05-14: Initial version (beta, before Gewerbeanmeldung)