This Acceptable Use Policy (“AUP”) sets out restrictions on how Strawberry Browser (the “Service”) may be used. It applies to all users of the Service and is incorporated by reference into the Business Terms of Service (the “Terms”). The Service is offered only for business use; references in this AUP to “you” mean the Customer and its Users acting on the Customer's behalf under the Business Terms. Violation of this AUP is a material breach of the Terms and may result in suspension or termination of your access to the Service.

We may update this AUP from time to time. Material changes will be communicated with at least 30 days' notice where they would meaningfully restrict your existing, permitted use.

Feature availability. Certain features described in this AUP may not be available in all versions of the Service. Where a feature is not available or not enabled for you, the provisions in this AUP relating to that feature take effect only with respect to you where and when the feature becomes available and enabled.

1. Universal Prohibitions

You may not use the Service, and may not permit any User of your account to use the Service, to:

• engage in activity that is illegal under any law applicable to you or the person whose data is processed;
• invade the privacy of, or exploit or harm, any third party, including minors;
• engage in threatening, deceptive, defamatory, harassing, or violence-promoting conduct;
• access, interfere with, or connect to any system or service without authorization;
• infringe, misappropriate, or otherwise violate any intellectual property, publicity, confidentiality, or privacy right;
• distribute malware, viruses, ransomware, spyware, or similar malicious code;
• scrape, crawl, or harvest data from any source in a manner that violates that source's terms of service or applicable law;
• interfere with the Service or disrupt networks or servers used to provide the Service;
• impersonate any person or entity, or misrepresent your affiliation with a person or entity;
• sell, transfer, or sublicense access to the Service in violation of the Terms.

2. AI Act Prohibitions

You may not use the Service to engage in any practice prohibited under Article 5 of the EU AI Act, including:

• using subliminal, manipulative, or deceptive techniques that materially distort a person's behavior in a way likely to cause harm;
• exploiting vulnerabilities of individuals related to age, disability, or socio-economic circumstances;
• creating or expanding facial recognition databases through untargeted scraping;
• conducting real-time remote biometric identification in publicly accessible spaces for law enforcement (except as permitted by law);
• evaluating or classifying individuals based on social behavior or personal traits (including social scoring) in ways leading to detrimental or unfavorable treatment;
• assessing or predicting the risk of a person committing a criminal offense based solely on profiling;
• inferring individuals' emotions in workplace or educational contexts (except for medical or safety reasons);
• categorizing individuals based on biometric data to infer sensitive attributes.

You may not transform the Service into a high-risk AI system under Article 6 of the AI Act without our prior written agreement.

3. Agentic Use Standards

The Service can take Actions on your behalf across websites and Connected Apps. The Service is designed with human oversight in mind: it completes tasks, but consequential decisions remain with you. You are responsible for using the agentic capabilities of the Service in a safe, supervised, and lawful manner. In particular, you shall:

• supervise Actions taken by the Service, especially for sensitive operations (sending messages, making payments, sharing or publishing content, modifying security settings, or any irreversible actions);
• enable and use any approval flows, confirmation prompts, or restricted-action settings that the Service makes available;
• respect the terms of service, acceptable-use policies, and technical access controls (including robots.txt and anti-automation measures) of any third-party website or service the Service interacts with;
• not use the Service to circumvent bot-detection, rate-limiting, or human-verification systems;
• not use the Service to attempt prompt-injection, jailbreaking, or exfiltration attacks against the Service itself or any other AI system;
• promptly report suspicious behavior, unexpected Actions, or suspected prompt-injection events to security@strawberrybrowser.com.

4. High-Risk Domains

You shall not use the Service to provide advice, decisions, or recommendations in the following domains without review by a qualified professional in that domain prior to reliance, dissemination, or finalization:

• legal;
• healthcare and medical;
• insurance underwriting and claims;
• finance and investment advice;
• employment decisions (hiring, firing, performance);
• housing decisions;
• academic or professional testing;
• journalism and media publication.

Disclosure of AI involvement. As provider of the Service, Strawberry ensures that users of the Service are informed they are interacting with AI. As deployer of the Service, you are responsible, to the extent applicable to you, for informing third parties when they receive AI-generated content from you (including emails, messages, or other communications drafted by the Service and sent through Connected Apps), consistent with applicable law including Article 50(4) of the EU AI Act. Any consumer-facing chatbot or interactive AI agent you deploy using the Service must disclose to users that they are interacting with AI rather than a human, consistent with Article 50(1).

5. Regulated Workloads

You shall not use the Service to process data regulated under HIPAA, HITECH, or similar healthcare-data laws; PCI-DSS-regulated cardholder data; FERPA-regulated educational records; ITAR- or EAR-regulated export data; national-security classified information (including data subject to the Swedish Säkerhetsskyddslagen 2018:585 or equivalent EEA/EU legislation); data subject to sector-specific national health-data law (including the Swedish Patientdatalag 2008:355 or equivalent EEA/EU legislation); or other regulated data, unless a separate written agreement with Strawberry expressly permits such use. The Service is not certified for regulated workloads and shall not be used to make or support decisions where a failure would cause regulatory non-compliance.

6. Prohibited Inputs

Why this matters. The Service processes content you provide (including prompts, files, and the contents of websites and Connected Apps you direct it to). Where the Activity Memory feature is enabled, or when an agent has been authorized to view your screen, the Service can also see whatever is displayed on your screen at the time. Inputs that you submit or paste — and, while an active-capture feature is enabled, anything you type or display on screen — may be transmitted to our AI Sub-Processors. The rules below set out what you must not put in front of the Service.

6.1 Prohibited categories

You shall not submit to the Service, paste into prompts or chats, save into Activity Memory (where the feature is enabled), or — while an active-capture feature is enabled — display on screen, the following categories of data unless a separate written agreement with Strawberry expressly permits it:

• Authentication credentials (in cleartext): passwords, security questions and answers, one-time codes, API keys, and recovery codes — when pasted into prompts, chats, or files submitted to the Service. Credentials you provide through the official Connected Apps authentication flow are addressed in §6.3 below. In the ordinary course of agentic browsing, the Service may incidentally encounter credentials displayed on websites or Connected Apps you direct it to interact with; Strawberry applies commercially reasonable best-effort measures designed to limit the inclusion of such data in AI Sub-Processor prompts and in persistent storage, but you should treat any incidental capture as exposed information until verified otherwise.
• Payment-card and bank data: payment-card numbers, card security codes, full bank-account numbers, and PINs.
• Government-issued identifiers: social security numbers, driver's license numbers, passport numbers, tax identification numbers, and similar.
• Special category personal data (Article 9 GDPR): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed for identification, health data, and data concerning a person's sex life or sexual orientation. You may submit such data only where you have a valid Article 9(2) basis and have determined that the Service is suitable for such processing.
• Criminal-offence data (Article 10 GDPR): data relating to criminal convictions and offences. Note: Swedish law restricts processing of such data even more narrowly than Article 10 GDPR.
• Children's data: personal data relating to any individual under 18 years of age, consistent with the Service's adult-only user threshold under the Business Terms. This threshold is set higher than the digital-consent ages set under data-protection laws in many jurisdictions (e.g., 13 in the US under COPPA; 13–16 in EEA Member States, including 13 under Swedish law).
• Regulated-workload data: data subject to the regimes listed in Section 5.
• Confidential information of third parties: information you owe a duty of confidentiality with respect to (e.g., under NDA), unless your duty permits processing through a service provider acting on your behalf.
• Unlawfully obtained data: data scraped, accessed, or otherwise obtained in violation of the source's terms of service or applicable law (see also Section 1).

6.2 In particular: pause active capture features before working with sensitive data

Where the Activity Memory feature is enabled, the Service captures screenshots and on-screen content; and an agent that has been authorized to view your screen can read whatever is shown there. In either case, you should not display the prohibited categories above on your screen while these features are active. If you must work with such data, disable or pause the relevant feature first, and clear any captured entries afterwards. Where Activity Memory is enabled, Strawberry provides a pause control and a per-entry delete control to support this.

6.3 Carve-out for credentials provided through Connected Apps

The credentials you provide through the official Connected Apps authentication flow (OAuth tokens and similar) are necessary for the Service to act on your behalf. These credentials are stored on Strawberry's managed database with application-layer encryption at rest using industry-standard algorithms; the encryption keys are held in our secrets-management system and are not made accessible to AI Sub-Processors. Strawberry does not configure the Service to transmit such credentials to AI Sub-Processors. The prohibition in §6.1(a) does not apply to credentials provided through this flow. If you instead paste a password or API key into a prompt, chat, file submitted to the Service, or any context the Service can see on your screen, that is a violation of §6.1(a).

6.4 Your responsibility if a Prohibited Input is captured

If a Prohibited Input is nevertheless submitted to or captured by the Service, you are responsible for the lawful basis for that processing and for promptly reviewing and deleting the relevant entries. Strawberry may, at its discretion, delete or quarantine entries that appear to contain Prohibited Inputs to limit further exposure.

7. Security-Related Conduct

You shall not:

• attempt to reverse engineer, decompile, or otherwise discover the source code of the Service (except as permitted by applicable law);
• attempt to interfere with or circumvent security, authentication, rate-limiting, or abuse-prevention features;
• attempt to extract the weights or structure of any model used by the Service (“model scraping” or “model distillation”) without our prior written authorization;
• attempt to bypass account bans or restrictions by creating or using different accounts or providing access to previously banned users.

8. Enforcement

If we determine that you have violated this AUP, we may, in our discretion: warn you; limit, suspend, or terminate your access to the Service; reverse or remove content or Actions; cooperate with law enforcement; and pursue other remedies under the Terms or applicable law. Where possible, we will provide an opportunity to cure non-material violations before suspending access.

9. Reporting Violations or Safety Concerns

If you observe activity that appears to violate this AUP, or if you experience a safety concern (including a suspected prompt-injection event), please contact security@strawberrybrowser.com. For privacy-related concerns, contact security@strawberrybrowser.com. For general support, contact hello@strawberrybrowser.com.