Acceptable Use Policy

Effective February 20, 2026 | Last Updated June 4, 2026

Soleur -- Company-as-a-Service Platform

Effective Date: February 20, 2026

Last Updated: June 4, 2026 -- added Section 5.7 "Autonomous command execution (Web Platform)" + a Section 2 scope clause disclosing the Web Platform agent's auto-run shell-command surface and its residual-risk admission, with the git-backed-recovery and visible-in-chat mitigations (PR #4949 / #4952); previously May 26, 2026 -- added Section 5.6 "BYOK delegation responsibilities" (PR-B #4508 / #4232); previously May 22, 2026 -- softened Section 5.5 (renamed "Workspace member attestation" → "Workspace member responsibility"): the per-pair Soleur Side Letter is no longer required; Owners may satisfy the responsibility by any sufficient means (click-through ToS reliance, existing employment/contractor/consultancy agreement, or optional Side Letter execution); the Side Letter template remains available as a belt-and-braces reference document; previously same-day added Section 5.5 "Workspace member attestation" governing the team-workspace feature gated by FLAG_TEAM_WORKSPACE_INVITE (PR #4289); May 21, 2026 added a "Template-authorization revocation for AUP breaches" paragraph to Section 5.4 disclosing that Soleur may revoke a per-template authorization (template_authorizations ledger, PR-I #4078) with revocation reason policy_violation where a template-bound send is determined to violate this AUP; May 18, 2026 added Section 5.4 "Automated agent actions taken on your behalf" governing per-tenant scope grants on the Web Platform (PR-G #3947); previously same-day added Section 4.7 "Special-Category and Sensitive Personal Data -- Hosted Chat Surface" + chat-attachments scope bullet (PR #3988) (previous: March 29, 2026)

1. Introduction

This Acceptable Use Policy ("AUP" or "Policy") governs your use of the Soleur platform ("Soleur," "the Platform"), including the Claude Code plugin ("the Plugin") and the hosted web application at app.soleur.ai ("the Web Platform"), providing agents for software development workflows, including code generation, review, planning, deployment, and browser automation. Soleur is developed and maintained by Jikigai ("we," "us," "our") and is available at soleur.ai, app.soleur.ai, and through the GitHub repository jikig-ai/soleur.

By installing, configuring, or using Soleur, you ("User," "you," "your") agree to comply with this Policy. If you do not agree, you must discontinue use of the Platform immediately.

This Policy applies to all users globally, with specific provisions addressing compliance with the laws of the European Union (including the General Data Protection Regulation) and the United States.

2. Scope

This Policy applies to all use of the Soleur platform, including but not limited to:

  • Interaction with Soleur's 67 AI agents and 83 skills;
  • Execution of shell commands, code generation, and file manipulation through agents;
  • Autonomous (auto-run) execution of shell commands by the Web Platform agent without a per-command approval step, as described in Section 5.7 and Terms & Conditions Section 3a.7;
  • Browser automation via the agent-browser subsystem;
  • API interactions initiated by or through Soleur agents;
  • Use of the compounding knowledge base;
  • Cloud-hosted conversation sessions via the Web Platform;
  • Account creation and workspace management on app.soleur.ai;
  • Subscription and payment processing through the Web Platform; and
  • Any output, artifact, or action produced by or through the Platform.
  • The hosted Web Platform at app.soleur.ai, including conversational prompt input, the chat-attachments upload surface (image and PDF files up to 24 MB), and any artifacts persisted to user-scoped storage.

The Plugin operates locally on your machine; the Web Platform operates on cloud infrastructure managed by Jikigai. You retain full control over Plugin agent actions and bear responsibility for all activities performed through the Platform -- whether locally via the Plugin or remotely via the Web Platform -- under your account or on your systems.

3. Permitted Use

You may use Soleur for lawful purposes consistent with its intended function as a software development productivity tool. Permitted uses include, but are not limited to:

  • Generating, reviewing, and refactoring source code;
  • Automating software development workflows (build, test, deploy);
  • Planning and managing software projects;
  • Generating documentation and technical specifications;
  • Conducting code review and security analysis;
  • Automating repetitive development tasks; and
  • Researching and prototyping software solutions.

4. Prohibited Conduct

You must not use Soleur, directly or indirectly, to engage in any of the following activities. This list is illustrative, not exhaustive.

4.1 Malicious Automation

You must not use Soleur's agents, skills, or browser automation capabilities to:

  • (a) Generate, distribute, or facilitate spam, unsolicited bulk messages, or automated mass outreach;
  • (b) Conduct phishing attacks, social engineering, or credential harvesting;
  • (c) Develop, test, or deploy malware, ransomware, viruses, trojans, worms, or other malicious software;
  • (d) Perform or facilitate denial-of-service (DoS/DDoS) attacks;
  • (e) Conduct unauthorized port scanning, vulnerability scanning, or network reconnaissance against systems you do not own or have explicit authorization to test;
  • (f) Exploit, probe, or attempt to compromise the security of any system, network, or service;
  • (g) Automate actions that violate rate limits, access controls, or terms of service of any third-party platform; or
  • (h) Create botnets, automated sock-puppet accounts, or deceptive automated personas.

4.2 Harmful or Illegal Content

You must not use Soleur to generate, process, store, or distribute:

  • (a) Content that is unlawful under applicable law in any relevant jurisdiction;
  • (b) Content that promotes, incites, or facilitates violence, terrorism, or extremism;
  • (c) Child sexual abuse material (CSAM) or any content that sexualizes minors;
  • (d) Content that constitutes or facilitates harassment, stalking, doxxing, or intimidation;
  • (e) Content that infringes upon the intellectual property rights of others, including unauthorized reproduction of copyrighted works;
  • (f) Defamatory, fraudulent, or deliberately misleading content intended to deceive; or
  • (g) Content that violates export control laws, sanctions regulations, or trade restrictions.

4.3 Circumvention of Security Controls

You must not:

  • (a) Attempt to bypass, disable, or circumvent any security mechanism, access control, or usage limitation of the Soleur platform;
  • (b) Reverse-engineer Soleur for the purpose of developing competing products or extracting proprietary logic (subject to applicable license terms);
  • (c) Modify Soleur in a manner designed to remove safety guardrails, audit logging, or confirmation prompts that protect against destructive operations;
  • (d) Use Soleur to circumvent security controls, authentication mechanisms, or access restrictions on third-party systems; or
  • (e) Attempt to manipulate or override the agent instruction framework to cause agents to perform actions outside their defined scope or safety boundaries.

4.4 Violation of Third-Party Terms

You must comply with the terms of service, acceptable use policies, and usage guidelines of all third-party services accessed through or in conjunction with Soleur, including but not limited to:

  • Anthropic / Claude: You must comply with Anthropic's Acceptable Use Policy and Usage Policy when using Soleur, which operates as a Claude Code plugin and relies on Anthropic's API;
  • GitHub: You must comply with GitHub's Terms of Service and Acceptable Use Policies when Soleur interacts with GitHub repositories, issues, pull requests, or APIs;
  • Other APIs and Services: You must ensure that any API keys, tokens, or credentials used by Soleur agents are obtained and used in compliance with the applicable service provider's terms; and
  • Rate Limits and Quotas: You must not configure or direct Soleur agents to exceed the rate limits, quotas, or fair-use thresholds of any third-party service.

4.5 Misrepresentation

You must not:

  • (a) Represent output generated by Soleur's AI agents as being produced by a human when disclosure of AI involvement is required by law, regulation, or applicable professional standards;
  • (b) Use Soleur-generated content to impersonate individuals, organizations, or government entities; or
  • (c) Misrepresent the capabilities, limitations, or origin of Soleur or its outputs.

4.6 Shared Content

When sharing knowledge base documents via the Web Platform's public link feature, you must not share documents that:

  • (a) Contain confidential or proprietary information belonging to third parties without their authorization;
  • (b) Include personally identifiable information (PII) of third parties without their explicit consent;
  • (c) Contain material that infringes any third party's copyright, trademark, or other intellectual property rights; or
  • (d) Contain harmful, illegal, defamatory, or misleading content.

You are solely responsible for reviewing document content before sharing. Jikigai does not pre-screen shared content. Violation of this section may result in share link revocation and account suspension under Section 6.

4.7 Special-Category and Sensitive Personal Data — Hosted Chat Surface

When you use the hosted Web Platform at app.soleur.ai, both the conversational prompt field and the chat-attachments upload surface (image and PDF files up to 24 MB) accept content that you, the user, choose to supply. We do not inspect this content, and our processing of it is governed by the lawful bases declared for processing activity PA2 (Conversation Data) in our Article 30 register.

You must NOT submit, paste, upload, or attach content of the following kinds unless both (1) you have an independent lawful basis (for items (a)–(h), under GDPR Article 9(2) — e.g., explicit consent under Art. 9(2)(a) or one of the other Art. 9(2) derogations; for item (i), under GDPR Art. 10, which requires processing under the control of official authority or authorisation by Union or Member State law providing appropriate safeguards — Art. 9(2) bases are NOT sufficient for Art. 10 data); and (2) you have informed any third-party data subjects whose data is contained in the submission:

  • (a) Personal data revealing racial or ethnic origin;
  • (b) Personal data revealing political opinions;
  • (c) Personal data revealing religious or philosophical beliefs;
  • (d) Personal data revealing trade-union membership;
  • (e) Genetic data;
  • (f) Biometric data processed for the purpose of uniquely identifying a natural person (e.g., fingerprint scans, facial recognition templates);
  • (g) Data concerning health (including medical records, prescriptions, diagnostic imaging, and insurance claims);
  • (h) Data concerning a natural person's sex life or sexual orientation; or
  • (i) Personal data relating to criminal convictions and offences or related security measures (GDPR Art. 10).

These categories are referred to collectively in this Policy as "Special-Category Data."

Soleur is not configured, contracted, or technically equipped to process Special-Category Data as a routine or systematic input. Incidental ingress of Special-Category Data through prompts or attachments will be treated under the "regulated-data surface" handling rule in our internal compliance procedure and may, at our discretion, result in removal of the affected content under Section 6.2 (Consequences of Violation) of this Policy.

If you require a service that processes Special-Category Data as a defined purpose, contact us at [email protected] before submitting such content; we will assess whether a separate data-processing arrangement is feasible.

4.8 California Sensitive Personal Information

If you are a California resident, or if your submissions contain personal information of California residents, the following categories of Sensitive Personal Information as defined in Cal. Civ. Code §1798.140(ae) are subject to the same prohibition as §4.7, in addition to the Art. 9 categories listed there:

  • (a) Social Security number, driver's license, state identification card, or passport number;
  • (b) Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • (c) Precise geolocation (location data identifying a consumer within a geographic area equal to or less than 1,850 feet);
  • (d) Contents of a consumer's mail, email, or text messages, unless we are the intended recipient of the communication;
  • (e) Citizenship or immigration status;
  • (f) Genetic, biometric-for-identification, and health-related categories already covered by §4.7;
  • (g) Neural data (information generated by measuring the activity of a consumer's central or peripheral nervous system), as defined in Cal. Civ. Code §1798.140(ae)(1)(G); and
  • (h) Racial or ethnic origin, religious or philosophical beliefs, and union membership (also enumerated under GDPR Art. 9 categories at §4.7(a), (c), and (d), respectively).

The list above tracks Cal. Civ. Code §1798.140(ae) as in force on the effective date of this Policy. Because the California legislature periodically amends the SPI definition, any category recognised as "Sensitive Personal Information" under §1798.140(ae) at the time of your submission is treated as in scope of this Section 4.8, whether or not it is enumerated above; the operative statutory text at leginfo.legislature.ca.gov controls in the event of a divergence.

You must not upload scans, screenshots, or text containing the items above through the prompt field or the chat-attachments upload surface unless you have independently established a lawful basis and have informed any third parties whose information is included. The Soleur processing record does not declare these categories as inputs, and incidental ingress will be treated under §4.7.

5. User Responsibilities

5.1 Platform-Specific Responsibilities

Plugin (Local Execution). The Plugin operates locally on your machine. You are solely responsible for:

  • Reviewing and approving agent actions before execution, particularly destructive operations (file deletion, force-push, deployment);
  • Securing API keys, credentials, and secrets used by or accessible to Soleur agents;
  • Ensuring that generated code, configurations, and artifacts are reviewed before deployment to production systems;
  • Maintaining appropriate backups of your data and code; and
  • Configuring appropriate access controls on your local environment.

Web Platform (Cloud Execution). The Web Platform operates on cloud infrastructure managed by Jikigai. You are solely responsible for:

  • Securing your account credentials for app.soleur.ai;
  • Not sharing or transferring account access to unauthorized third parties;
  • Compliance with usage limits and fair-use thresholds of the Web Platform;
  • Reporting unauthorized access to your Web Platform account promptly to Jikigai; and
  • Reviewing outputs generated through the Web Platform before relying on them in production.

5.2 Output Review

AI-generated outputs, including code, documentation, and automated actions, may contain errors, vulnerabilities, or unintended consequences. You must:

  • Review all generated code for security vulnerabilities before use;
  • Validate generated configurations and deployment scripts before execution;
  • Not rely on Soleur-generated legal, medical, financial, or other professional content without independent professional review; and
  • Accept that Soleur's outputs are assistive, not authoritative.

5.3 Data Protection

When using Soleur in a manner that involves personal data:

  • You must comply with all applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and applicable US state privacy laws;
  • You must have a lawful basis for processing any personal data that Soleur agents may access or generate;
  • You must not direct Soleur agents to collect, scrape, or process personal data in violation of applicable law; and
  • You are the data controller for any personal data processed through your use of the Platform.

5.4 Automated agent actions taken on your behalf

The Web Platform includes agent-runtime features that can act on your behalf in response to external events (for example, a Stripe invoice.payment_failed webhook). The scope and tier of every such action is governed by Section 3a of the Terms & Conditions ("Agent Command Authority"); this AUP section enumerates your responsibilities as the operator who controls those grants.

You remain responsible for sends derived from drafts. Soleur's binding invariant is "drafts everywhere, sends nowhere": at the Approve every time and Draft, one click tiers, an agent prepares a draft but no external effect is produced until you approve the draft through the Web Platform user interface. When you approve a draft, the resulting send is your action, performed through Soleur as your instrument. You are responsible for reviewing each draft -- recipient, tone, factual accuracy, applicable law -- before authorization.

Auto tier acknowledgement. The Auto tier permits Soleur to execute a specific action class without per-instance approval. Selecting the Auto tier requires an explicit second-click acknowledgement on the /dashboard/settings/scope-grants page. By selecting Auto, you authorize Soleur to act in your name for that action class until you revoke the grant. You remain responsible for actions taken on your behalf under an active Auto grant.

Circumventing the human-in-the-loop boundary violates this AUP. The draft / Send / Edit / Discard flow and the per-action-class scope grants ledger are the substrate by which Soleur ensures every external effect is consented to. You shall not:

  • Modify, bypass, or disable the scope grants gating layer (whether through API misuse, debugger attachment, or browser-side manipulation);
  • Send messages or trigger external effects outside the surfaces that record consent in the audit ledger;
  • Share account credentials with software or services intended to programmatically click "Send" on drafts without human review.

Attempts to bypass these guardrails are a material breach of Section 4 ("Prohibited Conduct") and may result in suspension or termination of your Web Platform account.

Audit and contestation. Every automated action taken on your behalf is recorded in the /dashboard/audit viewer with the action class, tier active at the moment of the event, timestamp, and (for BYOK calls) token + cost data. You may contest any automated action through the inlined "Request human review" affordance on each audit row, or by contacting [email protected].

Template-authorization revocation for AUP breaches. Soleur reserves the right to revoke an individual template authorization (as recorded in the template_authorizations ledger introduced by PR-I #4078) with revocation reason policy_violation where a template-bound send is determined to violate this AUP. The revocation is audit-recorded in the same WORM ledger as your founder-initiated revocations and is surfaced in /dashboard/settings/scope-grants; you may contest a policy_violation revocation through the same channels described above.

5.5 Workspace member responsibility

Where the team-workspace feature is enabled for your organization (gated by FLAG_TEAM_WORKSPACE_INVITE and the per-organization allowlist TEAM_WORKSPACE_ALLOWLIST_ORG_IDS), you are responsible for ensuring every natural person you invite as a Co-Member (as defined in the Terms & Conditions Section 3b) is bound by appropriate confidentiality and intellectual-property assignment terms in your relationship with that person. You may satisfy this responsibility by any means you deem sufficient, including: (a) reliance on the Co-Member's click-through acceptance of these Soleur Terms & Conditions (the canonical click-through anchor for confidentiality and IP-assignment in Web Platform usage); (b) reliance on an existing employment, contractor, or consultancy agreement between you and the Co-Member that already contains equivalent terms; or (c) execution of a separate bilateral instrument such as the optional Soleur Side Letter template (available from Jikigai at [email protected]) as a belt-and-braces reference document. Jikigai does not require a specific instrument; the choice is yours and the residual risk of selecting an insufficient instrument is yours under the Workspace Owner indemnification at Terms & Conditions Section 3b.3.

5.6 BYOK delegation responsibilities

Where the BYOK delegation feature is enabled for your organization (gated by BYOK_DELEGATIONS_ENABLED), the following additional responsibilities apply:

  • Grantor (Workspace Owner) responsibilities: You must hold a current Delegation Consent Side Letter (available from Jikigai at [email protected], distinct from the workspace co-member Side Letter in Section 5.5) from each Co-Member ("Grantee") before granting them a BYOK delegation. You may not use delegation to circumvent a Grantee's usage limits or to surveil a Grantee's prompt content. The cost telemetry you receive is limited to: token count, cost in USD cents, timestamp, and agent role. Prompt content, response content, and conversation history are NOT accessible to you via delegation.
  • Grantee (Co-Member) responsibilities: By accepting a BYOK delegation, you consent to the Grantor receiving itemized cost telemetry for each AI agent run funded by the delegation (as described in the Delegation Consent Side Letter and the Data Protection Disclosure Section 2.3(w)). You remain responsible for the content of prompts submitted through the delegation.
  • Joint controllership: For the Grantee's prompt content routed through the Grantor's API key, the Grantor and Grantee are joint controllers within the meaning of Article 26 GDPR. Anthropic PBC remains the processor under the Grantor's existing DPA. No new sub-processor relationship is created.
  • Cross-references: Data Protection Disclosure Section 2.3(w); Terms & Conditions Section 3b.

5.7 Autonomous command execution (Web Platform)

The Web Platform's hosted agent can run shell commands in your connected workspace automatically -- that is, without a separate per-command approval step -- once the Workspace Owner has acknowledged the first-run autonomous-execution disclosure (a one-time consent soft-gate shown the first time a non-blocked command would auto-run) or has set the workspace to autonomous (trusted) mode. This Section discloses that surface and your responsibilities as the operator who connects the workspace; the contractual residual-risk admission is at Terms & Conditions Section 3a.7 and Section 10.4.

The command-safety layer is real but is not a guarantee. Soleur always blocks a fixed set of clearly-dangerous commands (for example curl, wget, nc/ncat, eval, sudo, inline interpreter -e/-c execution, base64 -d, and /dev/tcp redirections) and auto-approves only a narrow read-only allowlist; commands that are neither blocked nor on that allowlist run automatically under autonomous mode. No blocklist is perfect. A command that looks safe, and is not on the blocklist, can still change or delete files in the connected workspace without asking you first.

Mitigations, stated as mitigations and not as safety guarantees. Your work is git-backed -- the connected repository is the recovery surface for an unwanted change -- and every command Soleur runs is visible in the chat, so you can watch each command as it executes. The Workspace Owner controls the autonomous toggle and can return the workspace to ask-each-time at any time. These reduce, but do not eliminate, the residual risk that a non-blocked command auto-runs and is harmful.

Your responsibilities. You are responsible for connecting only repositories and accounts you trust to autonomous command execution, for reviewing command activity in the chat, and for the consequences of a non-blocked command that auto-runs in a workspace you have placed (or left) in autonomous mode. The in-product disclosure banner shown at first run states the same residual-risk admission in summary form; this Section and Terms & Conditions Section 3a.7 / Section 10.4 are its contractual counterpart.

6. Enforcement

6.1 Monitoring

The Plugin operates locally and we do not monitor Plugin usage in real time. The Web Platform operates on cloud infrastructure managed by Jikigai, which enables server-side monitoring of service usage, access patterns, and compliance with this Policy. We reserve the right to investigate reported violations of this Policy across both the Plugin and the Web Platform.

6.2 Consequences of Violation

Violation of this Policy may result in:

  • Warnings or requests to cease the violating activity;
  • Temporary or permanent suspension of access to Soleur updates, support, or community resources;
  • Temporary or permanent suspension of Web Platform account access;
  • Termination of Web Platform account and deletion of associated data;
  • Restriction of specific Web Platform features or capabilities;
  • Removal from community channels (GitHub Discussions, issue trackers); and
  • Referral to law enforcement authorities where we believe a violation involves criminal conduct.

6.3 Reporting Violations

If you become aware of any use of Soleur that violates this Policy, please report it through:

7. Jurisdiction-Specific Provisions

7.1 European Union / European Economic Area

For users subject to EU/EEA law:

  • This Policy is intended to be consistent with the GDPR, the EU AI Act, and other applicable Union and Member State law;
  • Nothing in this Policy limits your rights under the GDPR, including your rights of access, rectification, erasure, and data portability;
  • Where Soleur generates output that constitutes a decision with legal or similarly significant effects on individuals, you must ensure human oversight as required by applicable law; and
  • The provisions of this Policy shall be interpreted in conformity with applicable EU law, and any provision found to be inconsistent shall be modified to the minimum extent necessary to achieve compliance.

7.2 United States

For users subject to US law:

  • This Policy is intended to be consistent with applicable federal and state law, including the Computer Fraud and Abuse Act (CFAA), CAN-SPAM Act, and applicable state privacy laws (e.g., CCPA/CPRA);
  • You must not use Soleur in any manner that would constitute a violation of the CFAA, including unauthorized access to computer systems; and
  • You are responsible for compliance with any industry-specific regulations applicable to your use (e.g., HIPAA, FERPA, GLBA) if you direct Soleur agents to interact with regulated data.

8. Modifications

We reserve the right to modify this Policy at any time. Material changes will be communicated through the GitHub repository (release notes, changelog, or repository notification). Your continued use of Soleur after such changes constitutes acceptance of the modified Policy.

9. Severability

If any provision of this Policy is found to be unenforceable or invalid under applicable law, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.

10. Governing Law and Dispute Resolution

10.1 Governing Law

This Policy shall be governed by and construed in accordance with the laws of France, without regard to its conflict of laws provisions.

10.2 Jurisdiction

Any disputes arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Paris, France.

10.3 EU/EEA Consumers

If you are a consumer in the EU/EEA, nothing in this Policy affects your rights under mandatory EU or member state consumer protection laws, including your right to bring proceedings in the courts of your country of habitual residence.

11. Legal Entity and Contact

Soleur is a source-available project maintained by Jikigai, a company incorporated in France, with its registered office at 25 rue de Ponthieu, 75008 Paris, France.

For questions about this Policy, please contact us through:

Related documents: This Acceptable Use Policy references data protection practices and obligations. Consider generating companion Privacy Policy, GDPR Policy, and Terms and Conditions documents to ensure consistency. If Soleur processes personal data on behalf of users in a controller-processor relationship, a Data Protection Disclosure may also be appropriate.

Stay in the loop

Monthly updates about Soleur — new agents, skills, and what we're building next.