API Terms of Service

The PolicifyAI API uses site keys (format: pk_*) for embed authentication and API key pairs for programmatic access. Your API keys and site keys are credentials — treat them as secrets.

• Do not commit API keys or site keys to public source code repositories.
• Do not share keys with unauthorised third parties.
• Store keys in environment variables or a secrets manager, not in client-side code.
• PolicifyAI may rotate or revoke any compromised key without notice. Rotated keys are replaced with new credentials provided via your account dashboard.

You may use the API to:

• Embed PolicifyAI policy widgets on your own website or digital properties using our official embed script.
• Build internal tooling to manage your organisation's policies programmatically.
• Integrate policy embedding into your CMS, website builder, or development workflow.
• Access and retrieve your own generated policies programmatically via authenticated API calls.

You may not use the API to:

• Resell API access to third parties as a standalone service.
• Build a competing product — you may not use our API to power or bootstrap a competing policy generation service.
• Automate scraping of generated policy content or any other platform data at scale.
• Serve policies for others — you may not use the API to serve policies for businesses you do not represent or are not engaged by as an authorised agency.
• Circumvent rate limits or quota systems, including through multiple accounts or key rotation.

Prohibited use may result in immediate key suspension and account termination as described in section 10.

API calls that trigger policy generation are subject to the same monthly generation quotas as the web interface. Quotas are defined by your subscription plan and are visible in your account dashboard.

• Embed script calls that serve already-published policies are not rate-limited under normal usage conditions.
• Abuse of the embed endpoint — including serving policies across thousands of unrelated domains or using it to scrape content — may result in key suspension.
• If you require higher generation limits, contact us at [email protected] to discuss an enterprise arrangement.

The PolicifyAI embed script is served from https://policifyai.com/embed.js under a CDN-cached URL.

• Backwards compatibility: We maintain backwards compatibility for all minor and patch version updates. Minor breaking changes will not be introduced without a version increment.
• Major breaking changes will be announced at least 90 days in advance via email to registered users and a notice on our changelog.
• The embed script may load policy content from PolicifyAI servers in real-time. Ensure your Content Security Policy (CSP) permits connections to policifyai.com.

Policy generation API calls send your inputs (company name, jurisdiction, industry, and context) to our AI providers (Anthropic, OpenRouter) under zero-retention agreements where technically supported. These inputs are not used to train foundation models.

Embed script calls serve already-generated and published policy HTML. These calls do not process additional personal data beyond a standard server access log entry (IP address, user-agent, timestamp). No personally identifiable information from your website visitors is transmitted to PolicifyAI via the embed script.

For more detail on how we handle data, see our Privacy Policy.

We target 99.5% uptime for the embed script serving infrastructure, measured monthly. The embed endpoint is served via CDN and is designed for high availability.

We do not provide formal uptime SLAs for the policy generation API, as generation depends on third-party AI provider availability (Anthropic, OpenRouter). We will make reasonable efforts to maintain generation availability and will communicate significant outages.

API and platform status is available at status.policifyai.com.

The current API version is v1. We use URL versioning (e.g., /api/v1/).

Deprecated API endpoints remain available for a minimum of 6 months after the deprecation notice is issued. Deprecation notices are communicated via email to registered API users and on our changelog.

The PolicifyAI API, embed script, underlying software, AI models, user interface, and all associated intellectual property are owned exclusively by PolicifyAI. These API Terms do not grant you any ownership rights in those assets.

No licence is granted to reverse engineer, decompile, disassemble, or create derivative implementations of the API or embed script. You may not attempt to recreate PolicifyAI's API interface or embed mechanism for commercial purposes.

PolicifyAI may suspend or revoke API access for any of the following reasons:

• Quota or rate limit abuse.
• Security violations or compromised credentials.
• Non-payment of subscription fees.
• Any violation of these API Terms or our main Terms of Service.

Where feasible, we will provide at least 24 hours' notice before suspension. For security incidents or fraud, suspension may be immediate without prior notice. We will notify you by email as soon as practicable following an emergency suspension.

The API is provided "as is" without warranty of any kind. PolicifyAI does not warrant that the API will be uninterrupted, error-free, or produce legally accurate policy content for any particular jurisdiction or use case.

PolicifyAI is not liable for any downstream consequences — including regulatory action, legal claims, or end-user harm — arising from policy content served via the API or embed script. You are responsible for reviewing all policy content before publishing it.

PolicifyAI's aggregate liability for any claim arising from these API Terms is capped at the total fees paid to PolicifyAI in the 12 months preceding the claim.

Developer questions: [email protected]

Security issues (compromised keys, suspected abuse): [email protected]

Embed script issues: include your site key (format: pk_*) in your correspondence to help us investigate quickly.