Acceptable Use Policy

Last updated: 25 April 2026

Glia Quest — Acceptable Use Policy
Effective date: 25 April 2026

1. Purpose and Scope

1.1 Purpose

This Acceptable Use Policy (the "AUP") sets out the rules that apply to all access to and use of the Glia Quest service (the "Service"). It is designed to protect Customers, the operators and users of applications tested through the Service, the Service itself and Glia Quest.

1.2 Scope

This AUP applies to all Customers, all users of an Account and any other person who accesses the Service. It is incorporated into the Terms of Service. Capitalised terms used but not defined in this AUP have the meanings given in the Terms of Service.

1.3 Compliance

Compliance with this AUP is a condition of use of the Service. A breach of this AUP is a material breach of the Terms of Service.

2. Authorisation Requirement

2.1 The Core Rule

You must have one of the following before submitting any URL for testing through the Service:

(a) you own or operate the web application at that URL;

(b) you have received explicit written authorisation from the owner or operator of the web application to conduct automated browser-based testing of the type performed by the Service; or

(c) the URL is subject to a publicly published bug bounty or security testing programme that expressly permits automated browser-based navigation tools of the type performed by the Service, and your testing is conducted within the scope of that programme.

2.2 Continuing Warranty

You represent and warrant the existence of one of the bases of authority set out in clause 2.1 each time you initiate a Test Run, and you must not initiate a Test Run if you do not have such authority. You accept sole responsibility and liability for any failure of authority.

2.3 Acknowledgement of Computer Access Laws

You acknowledge that submitting a URL of an application without one of the bases of authority in clause 2.1 may constitute an offence under, among other laws: the Computer Crimes provisions of the Crimes Ordinance (Cap. 200) of Hong Kong; the Computer Fraud and Abuse Act (18 U.S.C. § 1030) of the United States; the Computer Misuse Act 1990 of the United Kingdom; and Directive 2013/40/EU of the European Union as transposed in member states.

2.4 Records

We may, but are not required to, ask you to evidence the authorisation referred to in clause 2.1(b). You agree to provide that evidence promptly on request.

3. Prohibited Uses

3.1 General Prohibition

You must not use the Service in any way that is unlawful, harmful, fraudulent, deceptive, abusive or that infringes the rights of any other person. The list below is illustrative, not exhaustive.

3.2 Unauthorised Access

You must not:

(a) test any web application, website or system without the authority required by clause 2.1;

(b) submit Credentials that are not lawfully issued or generated for the purpose of your own testing of the application; or

(c) attempt to access any part of an application that you are not authorised to access (including by privilege escalation, session hijacking or password cracking).

3.3 Malicious or Abusive Use

You must not use the Service to:

(a) cause excessive load on, degrade the performance of or interfere with the availability of any application or system, including any denial-of-service or load-testing behaviour;

(b) extract, scrape, harvest, mirror or otherwise systematically copy data from third-party applications;

(c) discover vulnerabilities in third-party applications for the purpose of exploitation, sale or unauthorised disclosure (as opposed to lawful identification for remediation by the application owner);

(d) gather competitive intelligence on third-party applications other than as expressly authorised by the application owner;

(e) deliver, distribute or test malware, viruses, worms or other malicious code;

(f) impersonate any person or misrepresent your affiliation with any person; or

(g) interfere with, disable or compromise the security of the Service or of any Sub-Processor.

3.4 Regulated Sectors

You must not use the Service to test applications operated by financial institutions, healthcare providers, government agencies, critical-infrastructure operators or other regulated entities unless you both:

(a) have one of the bases of authority in clause 2.1; and

(b) hold any further authorisation, approval or accreditation required under sector-specific law (including but not limited to the Computer Fraud and Abuse Act provisions specific to financial institutions in the United States, the Health Insurance Portability and Accountability Act (HIPAA) in the United States, the Network and Information Security framework in the European Union, and equivalent regulation elsewhere).

You acknowledge that these sectors carry heightened legal exposure.

3.5 Circumvention

You must not:

(a) attempt to bypass, defeat or circumvent any rate limit, the 30-day URL block on free Tease Audits, the continuation window or any other technical or policy enforcement mechanism within the Service;

(b) create multiple Accounts to evade per-Account restrictions; or

(c) re-register an Account that has been suspended or terminated.

3.6 Illegal Content

You must not submit a URL of, or use the Service to test, any application that hosts content that is illegal under Applicable Law, including: child sexual abuse material; content facilitating terrorism; content facilitating human trafficking; or content unlawfully depicting violence.

3.7 Credential Sharing

You must not:

(a) share Account credentials or API keys with any third party other than as expressly permitted under your subscription;

(b) allow any third party to access the Service through your Account in order to test that third party's own applications or applications belonging to a further third party; or

(c) use the Service to provide a "service bureau" or "managed testing" service to others without our prior written consent.

4. Rate Limiting and Fair Use

4.1 Glia Quest's Limits

To protect target applications, the Service implements technical rate limits on:

(a) the number of page loads per minute generated by a single Test Run;

(b) the maximum number of concurrent Test Runs per Account; and

(c) automatic session timeouts to prevent runaway agents.

Current limits are set out in the Documentation and may be adjusted from time to time.

4.2 Customer Conduct

You must not configure or use the Service in any way intended to: (a) generate load on a target application beyond what is necessary for normal navigation and reachability testing; or (b) perform performance, stress or load testing, which is outside the intended purpose of the Service.

4.3 Fair Use

We reserve the right to apply additional rate limits, suspend or throttle access where Account activity is materially disproportionate to ordinary use of the Service, or where activity is consistent with abuse, scraping or circumvention.

5. Credential Restrictions

5.1 Lawful Issuance

You must only submit Credentials that have been lawfully issued or generated by or for you for the purpose of testing your own application. Credentials must not be obtained by phishing, theft, brute force, breach of contract or any other unlawful means.

5.2 Sensitive Applications

You must not submit Credentials for an application containing sensitive special-category personal data (including health, financial, biometric, children's or genetic data) unless you have first put in place additional contractual provisions with us as referenced in the Data Processing Agreement Addendum.

5.3 No Production-User Credentials

You must not submit Credentials that belong to an end user of your application other than a dedicated test account that you have created or controlled for testing purposes.

5.4 Rotation and Revocation

You must rotate or revoke any Credentials submitted to the Service promptly after testing where the Credentials have ongoing access to a live system. We delete Credentials submitted to the Service in accordance with the retention period set out in the Privacy Policy.

6. Content Restrictions

6.1 No Unlawful Content

You must not use the Service to upload, store, generate or transmit content that is unlawful, defamatory, harassing, obscene or that infringes the intellectual property rights, privacy rights or other rights of any other person.

6.2 No Sensitive Personal Data Beyond DPA Scope

You must not submit, or cause the Service to process, sensitive special-category personal data (including health, financial, biometric, children's or genetic data) outside the scope of any additional written agreement with us addressing that processing.

7. Preview Audit Restrictions (URL Block Policy)

7.1 The Free Preview Audit

We offer a Free Preview Audit so that prospective Customers can evaluate the Service. The Free Preview Audit performs a partial discovery of an application sufficient to demonstrate the value of the Service.

7.2 30-Day URL Block

Once a Free Preview Audit has been requested for a URL, that URL cannot be the subject of another Free Preview Audit for thirty (30) days, regardless of the Account from which the request originates. Paid Test Runs are not subject to this restriction; a paying Customer can re-test a URL as often as its Credit balance allows.

7.3 Anti-Abuse Rationale

The 30-day URL block is an anti-abuse measure. It exists to prevent: (a) creation of multiple Accounts to obtain repeated Free Preview Audits of the same URL; and (b) use of the free tier as a tool for systematic competitive intelligence gathering on third-party applications.

7.4 Warranty

By using the Free Preview Audit, you warrant that the 30-day restriction does not impair any legitimate authorised testing obligation you have with the application owner. Where you require unrestricted re-testing of an authorised target, the paid Service is available without this restriction.

8. Enforcement

8.1 Graduated Enforcement

We may take any of the following steps in response to a suspected or confirmed breach of this AUP. We may take more than one step in response to a single incident.

| Trigger | Response |
| --- | --- |
| First technical breach (for example, exceeding rate limits) | Automatic session suspension; email notification |
| Suspected unauthorised testing | Immediate Account suspension pending investigation |
| Confirmed unauthorised testing or credential misuse | Account termination; forfeiture of unused Credits; Customer remains liable for costs and any third-party claims |
| Use of the Service in connection with illegal content or criminal activity | Immediate termination; forfeiture of unused Credits; reporting to relevant law-enforcement or regulatory authorities |
| Repeated breaches of this AUP | Permanent ban on future Accounts; no refund of unused Credits |

8.2 Credit Forfeiture

Where we terminate an Account for breach of this AUP, any unused Credits in the Account are forfeited and will not be refunded. This is without prejudice to any other right or remedy we may have under the Terms of Service or Applicable Law.

8.3 Cooperation with Authorities

We may report suspected criminal activity to law-enforcement or regulatory authorities and, where required by Applicable Law or by an order of a competent court, disclose Customer information to assist in any investigation.

8.4 Discretion

We have sole discretion as to whether and how to enforce this AUP. A decision not to enforce in any particular case is not a waiver of our right to enforce in any other case.

9. Reporting Violations

If you believe that the Service is being used in breach of this AUP, please report it to abuse@glia.quest. Reports should include: the URL or Account concerned (where known); a description of the suspected breach; the date and time of the activity; and any supporting evidence. We will investigate promptly and may follow up to request further information. Where appropriate we will keep the reporter informed of the outcome.

10. Changes to this Policy

We may update this AUP from time to time. Where a change is material and adverse to Customers, we will give at least thirty (30) days' prior notice by email to the address registered to the Account or by prominent notice in the Service before the change takes effect.