Acceptable Use Policy

This Acceptable Use Policy (the "AUP" or "Policy") governs how you may use KLNR's products and services, including Search, Lexor, FRRE.ai, Sign, Comms, CoLab, AgentOS, Bill, and the klnr.ai platform (collectively, the "Services"). It is a single, shared policy incorporated by reference into each of our product Terms of Service. By accessing or using the Services, you agree to this Policy. Because KLNR builds AI tools for the legal profession, this Policy places particular emphasis on responsible use in legal and other high-risk contexts, on human authorship and accountability, and on our evidence-first principle: AI assists, but a qualified human authors and decides. — DRAFT, pending legal review.

WORKING DRAFT — modeled on industry best practice and adapted for KLNR; pending legal review before publication as binding. Fields [...] are completed by KLNR. English is the authoritative language of these documents.

1. Scope, Purpose and Who We Are

KLNR is operated by KLNR Labs P.S.A. (a Polish prosta spółka akcyjna), with its registered seat in Gdańsk, Poland, registered in the National Court Register under KRS [KRS], NIP [NIP], REGON [REGON], registered address [address], share capital [share capital] ("KLNR", "we", "us", "our"). KLNR Labs P.S.A. is the single data controller for the KLNR group of products.

This Policy applies to every user, customer, account holder, end user, and any person who submits inputs to, or receives outputs from, the Services, whether you access them directly, through a single sign-on ("klnr-gate") account, through an integration or connector, or through an organization that provides you access ("you").

The purpose of this Policy is to set out the uses of the Services that are permitted and those that are prohibited. It is designed to protect users, third parties, the integrity of the legal profession, the public, and KLNR itself, and to keep our Services lawful, safe, and trustworthy. This Policy supplements, and does not replace, the obligations in the applicable product Terms of Service, our Privacy Policy, and any data processing agreement or order form between you and KLNR. Where this Policy and a negotiated written agreement conflict, the negotiated agreement controls for that customer.

Capitalized terms not defined here have the meaning given in the applicable Terms of Service.

2. Our Approach: Evidence-First, Human Authorship, Abstain Over Hallucinate

KLNR's products are built on a simple principle: evidence, not words. Our Services are designed to surface sources, cite authority, and decline to answer where the evidence does not support a confident response. This design philosophy carries obligations for you as a user:

  • AI assists; a qualified human authors and decides. Outputs of the Services are drafts, research aids, and decision support. They are not, and must not be presented as, legal advice, a legal opinion, a court filing, or a final professional work product unless and until a qualified, competent human professional has reviewed, verified, and adopted them.
  • Verify before you rely. AI systems can produce inaccurate, incomplete, or fabricated information, including non-existent citations or misstatements of law. You are responsible for independently verifying every output before relying on it or disseminating it.
  • Abstain over hallucinate. Where the Services indicate uncertainty, decline to answer, or abstain, you must not coerce, jailbreak, or engineer the system into producing an unsupported answer and then present it as authoritative.
  • Respect professional duties. If you are a lawyer, attorney, advocate, notary, or other regulated professional, your use of the Services does not relieve you of your professional, ethical, and supervisory obligations, including competence, confidentiality, conflicts checks, and candor to tribunals.

3. Universal Usage Standards (Prohibited Uses)

The following standards apply to all users of all Services, in every region. You may not use, nor permit or enable any third party to use, the Services to do, facilitate, promote, or attempt any of the following. These categories are illustrative, not exhaustive; conduct that is harmful in a manner analogous to the examples below is also prohibited.

3.1 Do Not Violate Applicable Laws or Engage in Illegal Activity

  • Acquire, produce, market, or exchange illegal or controlled substances, weapons, or other unlawful goods;
  • Engage in, facilitate, or promote human trafficking, forced labor, or sexual exploitation;
  • Infringe, misappropriate, or violate the intellectual property, trade-secret, database, or proprietary rights of any third party;
  • Launder money, evade sanctions, finance terrorism, or facilitate tax evasion or other financial crime;
  • Violate any other applicable law, regulation, sanction, court order, or regulatory or professional rule in any jurisdiction in which you operate.

3.2 Do Not Compromise Critical Infrastructure

  • Facilitate the destruction, disruption, or sabotage of critical infrastructure, including power grids, water treatment, healthcare and medical devices, telecommunications networks, financial market systems, transport, or air-traffic control;
  • Obtain or attempt unauthorized access to critical systems such as voting machines, court or government case-management systems, healthcare databases, or financial-market infrastructure;
  • Interfere with the operation of military, defense, emergency-services, or related infrastructure.

3.3 Do Not Compromise Computer or Network Systems

  • Discover or exploit vulnerabilities in systems, networks, or applications without the authorization of the system owner;
  • Gain unauthorized access through technical attacks or social engineering;
  • Create or distribute malware, ransomware, spyware, or other malicious code;
  • Develop tools for denial-of-service attacks or for operating botnets;
  • Build tools to intercept communications or monitor devices without authorization;
  • Develop persistent, covert, or below-OS access tools, including firmware modifications;
  • Create automated tooling designed to compromise multiple systems at scale;
  • Bypass or defeat security controls, including authentication, endpoint protection, or monitoring tools.

3.4 Do Not Develop or Design Weapons or Harmful Materials

  • Produce, modify, design, or unlawfully acquire weapons, explosives, or other systems designed to cause harm;
  • Design or develop weaponization or delivery processes;
  • Circumvent regulatory or export controls to acquire weapons or their precursors;
  • Synthesize or develop high-yield explosives or chemical, biological, radiological, or nuclear (CBRN) weapons.

3.5 Do Not Incite Violence or Hateful Behavior

  • Incite, facilitate, or promote violent extremism, terrorism, or hateful behavior;
  • Provide material support to organizations or individuals associated with violent extremism, terrorism, or hateful conduct;
  • Facilitate or promote any act of violence or intimidation targeting individuals, groups, animals, or property;
  • Promote discrimination, denigration, or harmful stereotyping against individuals or groups on the basis of a protected characteristic (including race, ethnicity, national origin, religion, sex, gender identity, sexual orientation, age, disability, or other characteristic protected under applicable law).

3.6 Do Not Compromise Privacy or Identity Rights

  • Violate privacy or data-protection rights as defined by applicable law, including sharing or processing personal data without a lawful basis or required consent;
  • Misuse, collect, scrape, solicit, or gain unauthorized access to private information such as non-public contact details, government identifiers, health data, financial data, biometric data, or neural data;
  • Use the Services to re-identify, profile, or track individuals in a manner that is unlawful or that they have not been informed of;
  • Impersonate a human by presenting AI outputs as human-generated, or use outputs to convince a natural person that they are communicating with a human, except where AI involvement is clearly disclosed as permitted by this Policy and applicable law.

3.7 Do Not Compromise Children's Safety

KLNR has zero tolerance for content or conduct that endangers minors. A "minor" is any person under 18 years of age, regardless of the age of majority or consent in any jurisdiction. You must not use the Services to:

  • Create, distribute, request, or promote child sexual abuse material ("CSAM"), including AI-generated, fictional, or stylized CSAM;
  • Facilitate the trafficking, sextortion, or any other exploitation of a minor;
  • Facilitate grooming, including generating content designed to impersonate or pose as a minor;
  • Facilitate child abuse of any kind, including instructions to commit or conceal abuse;
  • Promote or facilitate pedophilic relationships, including through roleplay with the Services;
  • Sexualize or fetishize minors, including in fictional, artistic, or roleplay settings.

Mandatory reporting. Where we detect apparent CSAM or the sexual coercion or exploitation of a minor, KLNR will preserve relevant data and report it to the competent authorities and to recognized child-safety organizations (for example, in the European Union and elsewhere as required by law, and in the United States to the National Center for Missing & Exploited Children (NCMEC)), to the extent permitted or required by applicable law, and will take enforcement action under Section 9.

3.8 Do Not Create Psychologically or Emotionally Harmful Content

  • Facilitate, promote, or glamorize suicide, self-harm, or disordered eating;
  • Promote unhealthy or unattainable body image or beauty standards;
  • Shame, humiliate, intimidate, bully, harass, or celebrate the suffering of individuals;
  • Coordinate the harassment or intimidation of an individual or group;
  • Generate content depicting animal cruelty or abuse;
  • Promote, trivialize, or depict graphic violence, gratuitous gore, or sexual violence;
  • Build or support products or services that employ deceptive, manipulative, or subliminal techniques to cause psychological harm.

3.9 Do Not Create or Spread Misinformation

  • Create or disseminate deceptive or misleading information targeting a group, entity, or person;
  • Create or disseminate false or misleading information about laws, regulations, court procedures, legal standards, professional practices, or the status of a legal matter;
  • Create or disseminate conspiratorial narratives intended to target a specific group, individual, or entity;
  • Impersonate real entities or create fake personas to falsely attribute content or mislead others about its origin;
  • Provide false or misleading medical, health, scientific, or legal information presented as fact.

3.10 Do Not Undermine Democratic Processes or Engage in Deceptive Political Activity

  • Engage in personalized vote or campaign targeting based on individual profiles or data without lawful basis and disclosure;
  • Create artificial or deceptive political movements that misrepresent their source, scale, or nature;
  • Generate automated communications to public officials or voters at scale that conceal their artificial origin;
  • Create political content designed to deceive or mislead voters, including synthetic media (deepfakes) of political figures;
  • Generate or disseminate false or misleading information in electoral or political contexts;
  • Conduct lobbying or grassroots advocacy using false or fabricated information;
  • Incite, glorify, or facilitate the disruption of electoral or civic processes, including interference with voting systems;
  • Create content designed to suppress voter turnout or discourage legitimate political participation.

3.11 Do Not Use for Prohibited Justice, Surveillance, Censorship, or Law-Enforcement Purposes

Because KLNR serves the legal field, this category is enforced strictly and read together with the high-risk requirements in Section 4 and the EU AI Act mapping in Section 5. You must not use the Services to:

  • Make, or fully automate, determinations in criminal-justice applications, including decisions or eligibility regarding arrest, detention, bail, parole, sentencing, or recidivism (predictive policing or risk-scoring of individuals);
  • Target or track a person's physical location, emotional state, or communications without their consent, including through facial recognition;
  • Assign scores or ratings to individuals based on trustworthiness or social behavior (social scoring), or in a manner that produces unjustified or disproportionate detriment;
  • Build or support emotion-recognition systems used to infer the emotions of a natural person in prohibited contexts (such as the workplace or education);
  • Analyze or identify content for censorship on behalf of a government to suppress lawful expression;
  • Operate biometric categorization systems that classify people by sensitive attributes;
  • Support any law-enforcement, intelligence, or surveillance application that violates or impairs the liberty, civil liberties, due-process rights, or human rights of natural persons.

3.12 Do Not Engage in Fraudulent, Abusive, or Predatory Practices

  • Facilitate the production, acquisition, or distribution of counterfeit or illicitly acquired goods;
  • Generate or distribute spam;
  • Generate content for fraud, scams, phishing, or malware that can cause financial or psychological harm;
  • Create falsified documents, including fake identity documents, licenses, currency, court documents, or other government or legal records;
  • Develop, promote, or facilitate fraudulent or deceptive products or services;
  • Generate deceptive digital content such as fake reviews, comments, ratings, or media;
  • Operate or facilitate multi-level marketing, pyramid schemes, or other deceptive business models;
  • Promote or facilitate payday loans, title loans, or other high-interest predatory lending;
  • Exploit individuals based on age, disability, or a specific social or economic situation;
  • Promote or facilitate abusive or harassing debt-collection practices;
  • Deploy subliminal, manipulative, or deceptive techniques in any product or service;
  • Circumvent the guardrails, security measures, or terms of other platforms or services;
  • Plagiarize or submit AI-assisted work without required permission, disclosure, or attribution, including in courts, regulatory filings, or academic settings where such disclosure is required.

3.13 Do Not Abuse Our Platform

  • Coordinate malicious activity across multiple accounts to avoid detection or circumvent product guardrails;
  • Use automation to create accounts or engage in spammy behavior;
  • Circumvent a suspension or ban, including by creating a new or alternate account;
  • Access or facilitate access to the Services in violation of our Supported Regions Policy or applicable export-control or sanctions laws;
  • Intentionally bypass capabilities, restrictions, safety guardrails, rate limits, or abstention behaviors built into the Services (including prompt-injection or "jailbreak" attacks);
  • Use inputs or outputs of the Services to train, fine-tune, or develop a competing AI model, or to benchmark for that purpose, without KLNR's prior written authorization;
  • Resell, sublicense, or provide the Services to third parties except as expressly permitted by your Terms of Service.

3.14 Do Not Generate Sexually Explicit Content

  • Depict or request sexual intercourse or sex acts;
  • Generate content related to sexual fetishes or fantasies;
  • Facilitate, promote, or depict incest or bestiality;
  • Engage in erotic chats or sexually explicit roleplay.

Legitimate professional handling of sexual-offense matters by qualified legal, medical, or law-enforcement professionals (for example, drafting an indictment, judgment, or legal memorandum) is permitted to the extent strictly necessary for that lawful professional purpose and subject to the high-risk requirements in Section 4.

4. High-Risk Use Cases: Human-in-the-Loop and AI Disclosure

Some uses of AI carry a heightened risk of harm to the rights, safety, livelihood, or legal position of individuals. If you use the Services in any of the high-risk domains below, you must implement both of the following safeguards:

  • Human-in-the-loop review. A qualified professional competent in the relevant field must meaningfully review the output, content, or decision before it is disseminated, relied upon, or acted upon. Review must be genuine human oversight with authority and ability to disregard or override the AI output, not a rubber stamp.
  • AI disclosure. You must clearly disclose to affected end users that they are interacting with, or that the content was produced with the assistance of, an AI system. For interactive or conversational uses, disclose this at least at the beginning of each session.

High-risk domains include, without limitation:

DomainExamples of high-risk use
Legal (core KLNR domain)Interpretation of law; legal research relied on without verification; drafting binding contracts, pleadings, or court filings; advice or decisions with legal consequences; assessment of a person's legal rights or eligibility; administration of justice.
HealthcareDiagnosis, triage, patient care, therapy, or medical guidance (excluding general wellness information).
InsuranceUnderwriting, claims adjudication, pricing, or coverage decisions.
Finance & CreditInvestment advice, loan or credit approvals, creditworthiness or fraud determinations affecting individuals.
Employment & HousingHiring, promotion, termination, worker management, resume screening, or housing eligibility.
Education, Testing & AccreditationAdmissions, evaluation, proctoring, standardized testing, or professional certification.
Essential services & benefitsEligibility for, or denial of, public benefits or essential private services.

Legal interpretation as a core high-risk domain. KLNR builds tools for lawyers and the legal profession. Outputs touching the interpretation or application of law are high-risk by default. They must be reviewed and adopted by a qualified, competent human professional (such as an admitted attorney or advocate) who takes authorship and responsibility for the final work product, who performs independent verification of cited authority, and who, where required by court rules or professional regulation, discloses the use of AI assistance. The Services are decision support; they do not practice law and do not replace your professional judgment.

5. Mapping to the EU AI Act

For users and uses within the European Union, or otherwise within the scope of Regulation (EU) 2024/1689 (the "EU AI Act"), this Policy is intended to operate consistently with that Regulation. Nothing in this Section limits the broader prohibitions above.

  • Prohibited practices (Article 5). You must not use the Services for any practice prohibited by Article 5, including: harmful subliminal, manipulative, or deceptive techniques; exploitation of vulnerabilities due to age, disability, or social or economic situation; social scoring leading to unjustified or disproportionate detrimental treatment; individual criminal-offense risk assessment based solely on profiling; untargeted scraping of facial images to build facial-recognition databases; emotion inference in the workplace or educational settings (outside medical or safety exceptions); biometric categorization to infer sensitive attributes; and "real-time" remote biometric identification in publicly accessible spaces for law-enforcement outside the narrow permitted exceptions. These map to Sections 3.6, 3.8, 3.11, and 3.12 above.
  • High-risk systems (Article 6 and Annex III). Where your use falls within an Annex III high-risk category — including administration of justice and democratic processes (AI intended to assist a judicial authority, or to be used in alternative dispute resolution, in researching and interpreting facts and the law and applying it), as well as biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, and migration — you act as a deployer (and, where you build on top of our Services, potentially a provider). You are responsible for the obligations applicable to your role, including human oversight, accuracy, record-keeping, and the high-risk safeguards in Section 4 of this Policy.
  • Transparency obligations (Article 50). You must ensure that natural persons are informed when they interact with an AI system, and that AI-generated or AI-manipulated text, audio, image, or video (including deepfakes and synthetic legal or public-interest content) is disclosed and, where applicable, machine-readably marked as artificially generated. This maps to the disclosure requirements in Sections 4 and 3.6.

References to specific provisions are for guidance only and do not constitute legal advice; you remain responsible for your own compliance assessment.

6. Product- and Audience-Specific Requirements

  • Conversational and consumer-facing assistants. If you deploy a chatbot or assistant built on the Services that interacts with consumers, you must disclose at the start of each session that the user is interacting with an AI system.
  • Agentic and automated use (AgentOS, CoLab, connectors). AI agents, automations, and workflows must comply with this entire Policy. You are responsible for the actions your agents take on your behalf, including actions taken through tools, connectors, and integrations. You must scope agent permissions to what is necessary and maintain meaningful human oversight over consequential actions.
  • E-signatures and identity (Sign). You must not use Sign to forge signatures, impersonate signatories, or create documents intended to deceive as to their authenticity or legal effect. Use must comply with eIDAS (Regulation (EU) No 910/2014, as amended), the U.S. ESIGN Act and UETA, and other applicable electronic-signature laws.
  • Communications and invoicing (Comms, Bill). You must comply with applicable anti-spam and electronic-communications laws (including the EU ePrivacy rules and the U.S. CAN-SPAM and TCPA) and with applicable invoicing, tax, and e-invoicing requirements (including KSeF where applicable). You must not send unsolicited bulk messages or misrepresent the origin of communications.
  • Products and content involving minors. Services are not directed to children. You must not knowingly use the Services to provide an offering directed to minors, or to collect personal data of minors, without verifiable, legally valid consent and the additional safeguards required by law (including the GDPR and, in the United States, COPPA).
  • Connectors and the integration directory. If you publish a connector, plugin, or integration through any KLNR directory, you must additionally comply with our directory and developer policies.

7. Data, Confidentiality, and No Training on Legal or Client Content

  • Lawful basis and your data. You must have all rights, consents, and lawful bases necessary to submit inputs to the Services and to authorize the processing described in our Privacy Policy and any data processing agreement.
  • No training on your content. KLNR does not use your inputs, outputs, client content, or legal content to train its foundation or general-purpose models, except as expressly and separately authorized by you in writing. We respect professional secrecy and attorney-client privilege; you must not, however, submit privileged or confidential content of others without the necessary authority to do so.
  • Professional secrecy. If you are bound by professional secrecy or legal professional privilege, you remain responsible for ensuring that your use of the Services is consistent with those duties and with applicable bar or regulatory rules.
  • Sensitive data. You must not submit special categories of personal data, government identifiers, or other highly sensitive data except where lawful, necessary, and consistent with our documentation and your agreement with us.

8. Regional Supplement — European Union, EEA, and United Kingdom

This Section supplements the Policy for users and processing within the European Union, the European Economic Area, and the United Kingdom and prevails over conflicting general terms to the extent of any conflict for those users.

  • GDPR / UK GDPR. You must comply with Regulation (EU) 2016/679 (GDPR) and, in the UK, the UK GDPR and Data Protection Act 2018, including lawful basis, data-subject rights, data-minimization, purpose limitation, and (where you are a controller using KLNR as processor) the terms of our data processing agreement. You must not use the Services for automated decisions producing legal or similarly significant effects on a person contrary to Article 22 GDPR without the safeguards it requires.
  • ePrivacy. Electronic marketing and the use of cookies or similar technologies must comply with the ePrivacy Directive and national implementations, including consent requirements.
  • EU consumer protection. Where you offer goods or services to consumers using the Services, you must comply with EU consumer-protection law, including the Unfair Commercial Practices Directive 2005/29/EC, the Consumer Rights Directive 2011/83/EU, and the Digital Services Act where applicable. You must not deploy dark patterns or unfair or misleading commercial practices.
  • EU AI Act. Section 5 of this Policy applies.
  • Supervisory contact. Privacy enquiries may be directed to [privacy@klnr.ai] and to our Data Protection Officer at [dpo@klnr.ai]. The competent lead supervisory authority is the Polish President of the Personal Data Protection Office (UODO); you also retain the right to lodge a complaint with your local supervisory authority.

9. Regional Supplement — United States

This Section supplements the Policy for users and processing in the United States.

  • State privacy laws. You must comply with applicable U.S. state privacy laws, including the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and comparable laws in states such as Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and others as enacted. Where KLNR acts as a "service provider," "processor," or "contractor," you must not use the Services in a manner that would cause KLNR to violate those laws, and you must honor consumer rights (including access, deletion, correction, and opt-out of sale/sharing and targeted advertising).
  • Sensitive personal information. You must obtain any consent required for the processing of "sensitive personal information" as defined by applicable state law.
  • Consumer protection. You must comply with Section 5 of the FTC Act and applicable state UDAP statutes prohibiting unfair or deceptive acts or practices, and you must not use the Services to engage in deceptive AI-generated endorsements, impersonation, or dark patterns.
  • Sector and communications laws. Depending on your use, additional U.S. laws apply, including HIPAA (health), GLBA and FCRA (financial/credit and consumer reports), the Fair Housing Act and ECOA (housing and credit anti-discrimination), the EEOC framework (employment), COPPA (children), and the TCPA and CAN-SPAM Act (communications). High-risk uses in these areas are subject to Section 4.
  • Child-safety reporting. Apparent CSAM will be reported to NCMEC and competent authorities as described in Section 3.7 and as required by 18 U.S.C. § 2258A and related law.

10. Enforcement, Reporting, and Changes

Monitoring and enforcement. We may use automated and manual measures to detect violations of this Policy, consistent with our Privacy Policy and applicable law. Where we identify a violation, or a risk of imminent or serious harm, we may take action proportionate to the circumstances, including: issuing a warning; blocking, filtering, or modifying inputs or outputs; throttling or rate-limiting; suspending or terminating accounts or access; removing content; and reporting to, or cooperating with, regulators or law-enforcement authorities. For the most serious categories (such as child safety, CBRN, and critical-infrastructure threats), we may act immediately and without prior notice.

Reporting violations and harmful outputs. If you become aware of a violation of this Policy, a security vulnerability, or a harmful, unsafe, or unexpected output, please report it to us at [security@klnr.ai] (security and vulnerabilities) or [kontakt@klnr.ai] (general), and use in-product feedback tools where available. We investigate reports in good faith and do not retaliate against good-faith reporters.

Government and enterprise customers. KLNR may, in a separate written agreement, tailor certain restrictions for specific customers (for example, vetted public-sector or research uses) where we determine that appropriate contractual, technical, and oversight safeguards adequately mitigate the relevant harms. Any such tailoring applies only to that customer and to the scope expressly agreed.

Changes to this Policy. We may update this Policy from time to time to reflect new products, risks, or legal requirements. Material changes will be communicated as required by the applicable Terms of Service and will take effect on the stated effective date. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

Contact. Questions about this Policy may be sent to [kontakt@klnr.ai]. Privacy matters: [privacy@klnr.ai]; Data Protection Officer: [dpo@klnr.ai]; Security: [security@klnr.ai].

Effective date: [effective date]. This document is a working draft and is subject to legal review and revision prior to publication.

KLNR Labs P.S.A. · Gdańsk, Poland · Home · DRAFT · 2026-06-13