PRIVATEBYTE

Acceptable Use Policy

Last modified: 21 April 2026

This Acceptable Use Policy ("AUP") sets out what you can and cannot do with PRIVATEBYTE services. It is part of our Terms of Service and applies to every customer, contact, and invited user on every service we provide.

The AUP exists to keep our network safe, our customers protected, and our service available. Breach of this policy is one of the few things that allows us to suspend services without notice (see our Terms of Service, Section 9).

1. Scope

This policy applies to:

  • all VPS plans (Flare, Orbit, Comet, Pulsar, Quasar, Nebula)
  • OpenClaw AI-agent hosting
  • residential and datacentre proxy services
  • all add-ons (additional IPv4, extended backups, managed support, etc.)
  • our client portal, APIs, management tools, and the Telegram bot
  • any other product we may introduce, unless a product-specific policy supersedes this one

2. Universal prohibitions

Regardless of product, you must not use PRIVATEBYTE services for any of the following:

2.1 Illegal activity

  • Any activity that is unlawful under UK law or the law of a jurisdiction applicable to you or your users
  • Hosting, transmitting, or facilitating content that depicts or exploits minors (CSAM) — reported immediately to the National Center for Missing & Exploited Children (NCMEC) and the UK Internet Watch Foundation (IWF)
  • Facilitating terrorist financing, sanctions evasion, or the distribution of violent-extremist content
  • Trafficking in controlled substances, stolen goods, stolen credentials, or stolen identity data

2.2 Malware and intrusion

  • Hosting, distributing, or command-and-controlling malware, ransomware, spyware, rootkits, cryptominers-as-malware, credential stealers, or remote-access trojans
  • Scanning, probing, or exploiting systems you do not own or have explicit written permission to test (see Section 9 on vulnerability research)
  • Denial-of-service attacks, amplification attacks, or botnet participation
  • Credential stuffing, brute force attacks, or account takeover tooling

2.3 Fraud

  • Phishing websites, banking trojans, fake support lines, scam calling infrastructure, or investment/romance scam backends
  • Hosting content designed to deceive users into surrendering credentials, funds, or personal data
  • Money mule recruitment, fraudulent e-commerce, or stolen-card carding infrastructure

2.4 Spam and abuse

  • Sending unsolicited bulk email or messaging of any kind (see Section 5 for the detailed email rules)
  • Operating harvesters, scrapers, or enrichment pipelines that violate the target site's terms of service
  • SMS pumping, international revenue share fraud (IRSF), or other carrier abuse

2.5 Harm to PRIVATEBYTE

  • Attempting to gain unauthorised access to our systems or other customers' VMs
  • Attempting to circumvent our rate limits, firewall rules, or security controls
  • Overloading our network, support, or billing infrastructure deliberately

3. Content restrictions

In addition to the illegal-content rules above, the following categories of content are not permitted on any of our services:

  • Content that incites violence against individuals or groups
  • Non-consensual intimate imagery
  • Deepfakes or synthetic media designed to defame, harass, or defraud identifiable individuals
  • Content infringing third-party copyright, trademark, patent, or other intellectual property rights where we have received a valid takedown notice
  • Content knowingly used to harass, dox, or stalk an individual

You remain free to host lawful controversial content (political speech, adult content between consenting adults, security research, whistleblower disclosures) provided it does not breach any other rule in this AUP or the law.

4. Network abuse

  • Do not operate open relays, open proxies, open recursive DNS resolvers, or open SMTP servers accessible to the public internet
  • Do not run network-amplification services (open NTP, memcached, chargen, SSDP) that can be abused for DDoS
  • Do not forge source IP addresses, MAC addresses, TCP/UDP headers, BGP announcements, or ARP/NDP responses
  • Do not interfere with routing for networks you do not legitimately operate
  • Do not run Tor exit nodes on shared VPS plans. Tor relays and bridges are permitted. Exit nodes require a dedicated server and advance written approval.

5. Email and SMTP

We operate a strict email policy to protect our IP reputation and our customers.

5.1 Port 25 restriction

Outbound TCP port 25 is blocked by default on all VPS and OpenClaw services. Customers with a legitimate sending use case may request an unlock through the portal. Approval requires:

  • an account in good standing (no overdue invoices, no prior abuse)
  • a defined use case (transactional email only, or opt-in marketing only)
  • valid SPF, DKIM, and DMARC records on your sending domains
  • a properly configured PTR record matching your hostname (FCrDNS)
  • acceptance of a 30-day probation with lower rate limits and active reputation monitoring

5.2 Always prohibited

Regardless of port-25 status:

  • Unsolicited bulk email, including purchased or scraped lists
  • Cold outreach without a prior business relationship or verifiable opt-in
  • Snowshoe spamming, bulk-from-compromised-credentials, or throwaway-sender tactics
  • Joe-job style forged headers, impersonation of other senders, or misleading From addresses
  • Hosting backends for spamming services or list brokers
  • Any sending that generates a complaint rate above 0.1% or a hard-bounce rate above 2% sustained over a week

5.3 Volume caps

Even with port 25 unlocked, sustained sending above 10,000 messages per day per account requires a separate commercial agreement. Higher-volume senders should contact us before scaling.

5.4 Consequences

Any material breach of Section 5 — spam complaints at scale, blacklist listings attributed to our IP ranges, or patterns of abuse detected by our monitoring — will result in immediate port 25 re-blocking and may trigger service suspension.

6. VPS and dedicated-server rules

6.1 Cryptocurrency mining

  • Not permitted on any VPS plan, including dedicated-CPU plans. Sustained CPU at mining workload levels degrades the experience for other customers on shared hardware.
  • Permitted on dedicated servers, where you have exclusive access to the physical machine. Not permitted on any shared-tenancy product even if our dedicated-CPU language suggests you can monopolise the compute.

6.2 Resource abuse

Even on dedicated CPU plans, sustained activity that materially impacts other customers sharing network or storage infrastructure may be throttled or suspended. This includes:

  • sustained disk I/O sufficient to starve co-located VMs
  • sustained outbound network saturation for commercial traffic (e.g. operating a CDN origin) without the appropriate plan
  • port-scanning activity originating from your VM

6.3 Backups and data loss

Our Cross-Node VM Backup service is provided as a courtesy and best-effort safeguard. You remain responsible for your own data. We are not liable for data loss where you have not maintained independent backups of critical material.

7. OpenClaw (AI agent) rules

OpenClaw is purpose-built for running AI agents. Because agents can take automated action at scale, these rules apply specifically:

7.1 Content generation

You must not use OpenClaw to generate, store, or distribute:

  • CSAM or any sexual content involving minors (zero tolerance)
  • Non-consensual intimate imagery of real individuals, including deepfakes
  • Content designed to impersonate a real identified individual for the purpose of defrauding, harassing, or defaming them
  • Disinformation campaigns targeting elections, public-health emergencies, or ongoing disasters

7.2 Agent behaviour

Your agents must not:

  • scrape content from behind authentication walls in violation of the source site's terms
  • submit abusive volumes of traffic to target sites or APIs without authorisation
  • impersonate human users with the intent to deceive (e.g. automated dating-app manipulation, fake review generation, astroturfing)
  • harvest personal data in violation of UK-GDPR or the relevant local data-protection law
  • be used as a vehicle for any activity otherwise prohibited by this AUP

7.3 Responsible AI practice

You are responsible for the outputs of agents you run on OpenClaw, whether you wrote them, fine-tuned them, or deployed third-party agent frameworks. We do not inspect the content of your agents, but if an output causes a complaint we receive and can verify, we may ask you to mitigate or suspend the workload.

8. Proxy service rules

Our proxy services are sold for legitimate automation use cases — market research, QA testing, price comparison, SEO monitoring, ad verification, brand protection. They are not sold as, and must not be used for, any of the following:

8.1 Always prohibited on proxies

  • Ad fraud, including click fraud, impression fraud, conversion fraud, and attribution fraud
  • Credential stuffing or account takeover attempts against any target
  • Evading IP-based bans placed for conduct that would itself breach the target's terms
  • Accessing, distributing, or monetising content obtained from sources that have blocked our IP ranges for TOS breaches
  • Automated ticket purchasing from primary or secondary event-ticketing platforms. This is separately prohibited by UK law under the Breaching of Limits on Ticket Sales Regulations 2018.
  • Automated harassment, stalking, or mass-reporting campaigns
  • Carding, testing stolen credit card data, or laundering payment fraud through proxied endpoints
  • Child sexual abuse material (CSAM) — accessing, distributing, requesting, or facilitating any content depicting minors in a sexual context. We block known-CSAM hostnames at the gateway level using the Internet Watch Foundation feed, report all detected attempts to the IWF, and cooperate fully with NCMEC, IWF, and law enforcement on identification of the originating customer.
  • Targeting of government, military, or educational infrastructure (.gov, .mil, .edu and their international equivalents) without an explicit business justification accepted by us in writing in advance. This includes scraping, scanning, or any other automated access. Required because such traffic invariably attracts CISA / NCSC / equivalent attention to our shared upstream account.
  • Sanctions evasion — routing traffic on behalf of, to, or from any individual or entity on the UK Treasury OFSI consolidated list, the US OFAC SDN list, the EU Consolidated Sanctions List, or any other applicable sanctions regime.
  • Banking, payment, and financial-services fraud — automated access to retail-banking, payment-processor, or fintech services for the purpose of credential testing, account takeover, money-mule recruitment, transaction laundering, or fund movement that is itself unlawful in the source or destination jurisdiction.
  • Dark net and known-criminal-marketplace traffic — .onion services, marketplaces operated for the trade of illegal goods or services, and any service whose primary purpose is facilitating offences listed in Section 2 or in this Section 8.1.
  • Stalkerware and non-consensual surveillance — any product or service whose primary purpose is enabling one party to monitor another party's device, account, or location without that party's knowing, freely-given consent.
  • Any activity already prohibited under Section 2 or 3 of this AUP

8.2 Third-party terms of service

Proxies are commonly used for automation against third-party websites whose terms of service may prohibit automated access (scraping, bulk account creation, automated purchasing of limited-inventory retail releases, and similar). Breaching a destination site's terms is a matter between you and that site, not between you and us — we do not police third-party terms of service and we do not terminate service for breaching them alone.

What we do care about is whether destination sites then complain to us about traffic originating from our network. Sustained complaint volume against a specific customer will, regardless of the underlying activity, result in action under Section 8.4 to protect our shared IP reputation and other customers who depend on it.

8.3 Exit-IP responsibility

When you route traffic through our proxy network, you are responsible for what goes out. We cooperate with abuse reports from target sites, hosting providers, and law enforcement where legally required.

To support that cooperation, we maintain a per-request audit log of: the customer making the request, their connecting IP, the destination hostname, the HTTP method, the upstream status code, the bytes transferred, and the timestamp. We do not log URL paths, query strings, request bodies, or response bodies. The retention period for this log is 90 days. See our Privacy Policy section 3.3 for the full list of what we log and the legal basis.

8.4 Action on complaints

Regardless of whether the underlying activity is lawful, sustained complaint volume attributed to a specific customer — including blacklist listings, takedown notices, or repeated direct complaints from destination networks — may result in:

  • throttling of the affected account's outbound traffic
  • suspension of the affected account's proxy access pending remediation
  • termination without refund of remaining balance for repeated or severe cases

This exists to protect the IP reputation of our shared network, which every customer depends on.

8.5 Compliance responsibility

Proxy traffic frequently crosses jurisdictions. You are responsible for ensuring your use complies with:

  • the laws of the jurisdiction you are operating from
  • the laws of the jurisdiction of the target of your traffic
  • any applicable data-protection rules, especially UK-GDPR and EU-GDPR when personal data is involved

8.6 Hostname blocklists

We operate proactive blocklists at the proxy gateway. Traffic to hosts on these lists is rejected with HTTP 403 and logged for review. Lists in active enforcement:

  • CSAM — Internet Watch Foundation (IWF) URL list, refreshed daily
  • Sanctions — domains owned by entities on UK OFSI, US OFAC, and EU sanctions lists
  • Phishing — PhishTank, OpenPhish, and our own observed-abuse list
  • Malware C2 — Spamhaus DROP, Abuse.ch, and our own observed-abuse list
  • Government and military (.gov, .mil) — soft-blocked; opt-in unlock requires written justification and contractual approval

Attempts to access blocked hosts are not "errors" attributable to us — they are policy enforcement. Repeat attempts against blocklisted hosts will result in account suspension under Section 8.4.

9. Vulnerability research and penetration testing

We welcome responsible security research and understand that legitimate testing sometimes involves activity that would otherwise look abusive.

  • You may test systems you own on your PRIVATEBYTE VM without prior approval.
  • You must not test third-party systems from our network without either their written authorisation or a valid bug-bounty programme covering that target. Written proof of authorisation must be available on request.
  • You may test our own infrastructure only under our Security Disclosure programme. Out-of-scope testing may be treated as an intrusion attempt.
  • Automated vulnerability scanning from your VM against third parties without authorisation is a breach of this AUP.

10. Reporting abuse

If you believe a PRIVATEBYTE customer is violating this policy, email [email protected] with:

  • the abusing IP address or domain
  • timestamps in UTC
  • log excerpts, email headers, or other evidence
  • a brief description of the incident

We acknowledge reports within 24 hours and investigate within 72 hours. We do not disclose the outcome of investigations to the reporter, but we do act.

11. Enforcement

Where we identify a breach of this AUP, our response scales with the severity:

  • Minor breach (first-time, low impact): a warning and guidance to remediate
  • Material breach: immediate service suspension pending investigation; data preserved
  • Serious or repeated breach: termination of services without refund, and account closure
  • Illegal activity: termination, data preservation for law enforcement if required, and reporting to the relevant authority

We reserve the right to escalate directly to immediate suspension or termination where the breach is serious, ongoing, or causing active harm to others.

Specific enforcement tools available to us include: null-routing IPs, suspending or terminating services, removing access to specific features, clawing back Green Credits obtained through abuse, and, where permitted, cooperating with law enforcement.

12. Changes

We update this AUP as new threats and new products emerge. Material changes are notified to active customers by email at least 14 days before taking effect. Non-material changes (typos, clarifications, re-ordering) may be made without notice. The "last modified" date at the top of this page always reflects the current version. Previous versions are available on request.

13. Contact

  • Abuse reports: [email protected]
  • Port 25 / SMTP unlock: through the client portal, or [email protected]
  • General support: [email protected]
  • Privacy questions: [email protected]
  • Post: PRIVATEBYTE, 128 City Road, London, EC1V 2NX, United Kingdom

© 2026 PRIVATEBYTE LTD · 128 City Road, London, EC1V 2NX, United Kingdom