Back to Privacy Centre

Legal

API Terms of Service

Last updated: 7 July 2026  ·  Operated by L. Bone trading as PolicifyAI

These API Terms of Service govern your access to and use of the PolicifyAI REST API, embed script, site key system, and any related developer tooling (collectively the "API"). By accessing the API, generating site keys, or using the embed script, you agree to these API Terms in addition to our main Terms of Service and EULA. In the event of conflict, these API Terms govern API-specific matters.

1.Scope and agreement

These API Terms apply to all programmatic access to PolicifyAI's services, including:

  • The PolicifyAI REST API (currently at /api/v1/), used to programmatically retrieve, manage, and generate policies.
  • The PolicifyAI embed script (https://policifyai.com/embed.js), used to display generated policies on your website.
  • The site key system (pk_* format keys) used to authenticate embed script calls.
  • Any additional developer tooling, SDK libraries, or integration methods provided by PolicifyAI.

By accessing or using any of the above, you ("Developer" or "you") agree to be bound by these API Terms. If you are accessing the API on behalf of an organisation, you represent that you have authority to bind that organisation to these terms.

2.API access & authentication

Access to the PolicifyAI API requires valid credentials. Currently, the API supports two forms of authentication:

  • Session-based authentication: For web application use, API calls from authenticated dashboard sessions are authorised using your Supabase session JWT. This authentication is managed automatically by the platform.
  • Site keys (pk_*): For embed script authentication. Site keys are tied to specific domains and authorise the embed script to serve your published policies. See section 3 for site key-specific requirements.
2.1 Credential security requirements

Your API credentials are secrets. You must:

  • Not commit API keys or site keys to public source code repositories (e.g. GitHub, GitLab, Bitbucket).
  • Not hardcode keys in client-side JavaScript, mobile app binaries, or any other publicly distributed code.
  • Store API keys in environment variables or a dedicated secrets manager (e.g. Vercel Environment Variables, AWS Secrets Manager).
  • Not share API credentials with unauthorised third parties.
  • Rotate credentials immediately if you suspect they have been compromised.
2.2 Compromised credentials

If you discover or suspect that your API credentials have been compromised, report this immediately to [email protected]. PolicifyAI may rotate or revoke any compromised credential without prior notice to protect users and the platform. Revoked credentials are replaced with new credentials available via your account dashboard.

3.Site keys and embed authentication

Site keys are unique identifiers in the format pk_[alphanumeric] that are generated per website domain. They are stored in Supabase and authorise the embed script to serve your published policies on the associated domain.

3.1 Site key properties
  • Domain-scoped: Each site key is associated with one or more domains. Requests from domains not associated with a site key will be rejected.
  • Public keys: Unlike secret API keys, site keys are designed to be included in client-side embed code. However, they should still only be used on the specific domain(s) they are registered for.
  • Read-only scope: Site keys authorise only the serving of already-published policies. They cannot be used to generate new policies, access account data, or perform any write operations.
3.2 Managing site keys

You can create, view, and revoke site keys from your Dashboard → Sites page. We recommend creating separate site keys for each domain you manage, so that a compromised key can be revoked without affecting your other properties.

4.Permitted uses

You may use the API to:

  • Embed policies on your own website — use the embed script and site key to display your published PolicifyAI policies on your own website or digital properties, including client websites you manage as an authorised agency.
  • Programmatic policy management — retrieve, update, and manage policies associated with your account via authenticated API calls.
  • Internal tooling integration — integrate PolicifyAI policy management into internal CMS platforms, website builder workflows, or development pipelines for your own organisation or for clients you represent.
  • Automated policy retrieval — build automated workflows that retrieve published policy content from your account to use within your own systems.
  • Agency multi-site management — if you are on an Agency plan, use the API to manage policies across multiple client sites from a single integration, provided each client relationship is genuine and you are authorised to act on their behalf.

5.Prohibited uses

You may not use the API to:

  • Resell API access:Resell, sublicense, or otherwise provide API access to third parties as a standalone commercial service, without PolicifyAI's prior written consent.
  • Build a competing product: Use the API, embed script, or generated output to build, train, or bootstrap a competing policy generation service or AI legal document product.
  • Scrape at scale: Use the API or embed endpoint to systematically scrape, harvest, or extract policy content or other platform data beyond your own authorised account data.
  • Serve policies for unauthorised sites: Use your site key or API access to serve policies for websites or businesses you do not own, represent, or are not engaged by as an authorised agency.
  • Circumvent quotas:Use multiple accounts, key rotation, or other techniques to circumvent your plan's generation quotas or rate limits.
  • Security testing without permission: Conduct penetration testing, security scanning, or load testing against the API or embed infrastructure without prior written approval from PolicifyAI (email: [email protected]).
  • Automated generation abuse: Use automated API calls to generate policies at a rate or scale that exceeds your plan quotas or that would constitute abuse of the generation infrastructure.

Prohibited use may result in immediate key revocation and account termination as described in section 12.

6.Rate limits & quotas

6.1 Generation quotas

API calls that trigger policy generation are subject to the same monthly or lifetime generation quotas as the web interface. Quotas are defined by your subscription plan:

  • Free: 3 lifetime generations (API + web combined)
  • One-Time Pro: 25 lifetime generations (API + web combined)
  • Monthly Unlimited: 50 generations per calendar month (API + web combined)
  • Yearly Unlimited, Enterprise: Unlimited
  • Agency (Starter/Pro/Scale): Up to 15 generations per active client per month, pooled across your workspace (capped at 1,500/month workspace-wide on Agency Scale) — see pricing for current per-tier limits

Generation quota usage is visible in real-time in your account dashboard. Generations are counted at the point of completion, not at the point of the API call.

6.2 API rate limits

The following rate limits apply to API endpoints to ensure platform stability:

  • Generation endpoint: Maximum 20 requests per minute per account. Requests exceeding this limit receive a 429 Too Many Requests response.
  • Bulk generation endpoint: Maximum 5 requests per minute per account (each request may contain up to 20 policies).
  • Read/list endpoints: Maximum 60 requests per minute per account.
  • Embed script endpoint: Not rate-limited under normal usage. Serving already-published policies is designed for high-volume delivery. However, serving policies for thousands of unrelated domains via a single site key is prohibited (see section 5).
6.3 Higher limits

If your integration requires higher generation limits or API rate limits than your plan provides, contact us at [email protected] to discuss an enterprise arrangement or volume pricing. Enterprise customers can negotiate custom limits.

7.Embed script technical requirements

The PolicifyAI embed script is served from https://policifyai.com/embed.js via our CDN (Vercel Edge Network).

7.1 Integration requirements
  • Site key: Your site key must be included as a data attribute or parameter when loading the embed script. The key must match the domain from which it is being served.
  • Content Security Policy (CSP): Your website's CSP must permit scripts and fetch requests from https://policifyai.com and its subdomains. Required CSP directives include: script-src https://policifyai.com and connect-src https://policifyai.com.
  • HTTPS only: The embed script must be loaded over HTTPS. HTTP embeds are not supported and will be rejected by the script itself.
7.2 Backwards compatibility

We maintain backwards compatibility for all minor and patch version updates to the embed script. Existing embed integrations will continue to function without modification for all minor updates.

7.3 Major breaking changes

Major breaking changes to the embed script (e.g. changes to the embed API contract, required attributes, or serving infrastructure) will be announced at least 90 days in advance via:

  • Email to all registered users who have active site keys
  • A notice on our changelog at policifyai.com/releases
  • A notice in the platform dashboard
7.4 Embed script performance

The embed script is served via the Vercel Edge Network CDN and is cached globally for low-latency delivery. Policy content loaded by the embed script is also CDN-cached where possible. We recommend loading the embed script asynchronously to prevent render-blocking.

8.Data handling and privacy

8.1 Policy generation API calls

When you call the policy generation API, the following data is processed:

  • Your generation inputs (business name, website URL, industry, jurisdiction selections, and any additional context) are transmitted to OpenRouter (US), our AI request router, which routes the request to an underlying model provider (primarily Anthropic or Google).
  • Anthropic's and OpenRouter's commercial API terms state that inputs and outputs are not used to train foundation models by default — see our Privacy Policy for details.
  • The generated policy text is stored in your Supabase account under Row-Level Security.
  • API call metadata (timestamp, plan tier, quota usage) is logged to enforce quotas and detect abuse.
8.2 Embed script requests

When your website visitor's browser loads a policy via the embed script, the following occurs:

  • A request is made to our CDN to retrieve the published policy HTML.
  • Standard server access log data is recorded: IP address, user-agent, timestamp, and the site key used. This data is retained for 30 days and used only for security monitoring and debugging.
  • No personal data from your website visitors (names, email addresses, etc.) is transmitted to PolicifyAI via the embed script. The embed script is a static content delivery mechanism, not a data collection tool.
8.3 Developer responsibility

You are responsible for ensuring that your use of the PolicifyAI API and embed script complies with:

  • Your own privacy policy, cookie policy, and data protection obligations in relation to your website visitors.
  • UK GDPR, EU GDPR, CCPA/CPRA, and any other applicable data protection law.
  • Our Data Processing Agreement if you are using PolicifyAI as a data processor.

For more detail on how we handle API-related data, see our Privacy Policy.

9.SLA & availability

9.1 Embed script SLA

We target 99.5% monthly uptime for the embed script serving infrastructure. The embed endpoint is served via the Vercel Edge Network CDN with global points of presence, providing high availability and low latency. In the event of a CDN outage, fallback mechanisms may serve policy content with slightly increased latency.

9.2 Policy generation API

We do not provide a formal uptime SLA for the policy generation API, as policy generation depends on OpenRouter and the underlying model providers it routes to. If the primary model (typically Anthropic Claude) fails to return a usable result, we automatically retry once against a different underlying model (typically Google Gemini) via the same OpenRouter integration, so a single model provider's outage does not necessarily fail your request.

9.3 Status page

Real-time platform and API status is available at status.policifyai.com. We publish incident updates and post-mortems for significant outages. Subscribe to status page notifications to receive alerts for incidents affecting the API or embed script.

9.4 Scheduled maintenance

Planned maintenance that may affect API availability will be announced on the status page at least 48 hours in advance. We schedule maintenance during low-traffic periods (typically weekday nights, UK time) where possible.

10.API versioning and deprecation

The current API version is v1. All v1 endpoints are accessible at https://policifyai.com/api/v1/.

10.1 Versioning policy
  • We use URL-based versioning (e.g. /api/v1/, /api/v2/).
  • Non-breaking changes (new endpoints, new optional response fields) may be added to existing API versions without a version increment and without prior notice.
  • Breaking changes (removed endpoints, changed required fields, altered response structures) are introduced only in new API versions.
10.2 Deprecation process

When an API version or specific endpoint is deprecated, the following process applies:

  • Deprecation notice published on the developer changelog (policifyai.com/releases) and emailed to registered API users.
  • Deprecated endpoints remain available for a minimum of 6 months after the deprecation notice.
  • A Deprecation response header is added to responses from deprecated endpoints, containing the sunset date.
  • After the sunset date, deprecated endpoints are removed and will return a 410 Gone response.
10.3 Embed script versioning

See section 7.2–7.3 for embed script backwards compatibility and major change notice requirements.

11.Intellectual property

The PolicifyAI API, embed script, underlying software, AI models, user interface, associated documentation, and all related intellectual property are owned exclusively by L. Bone trading as PolicifyAI. These API Terms do not grant you any ownership rights in those assets.

You receive only a limited, non-exclusive, non-transferable, revocable licence to use the API and embed script strictly in accordance with these API Terms and the permitted uses set out in section 4.

The following are expressly prohibited:

  • Reverse engineering, decompiling, or disassembling the API, embed script, or any other component of the Service.
  • Recreating or reimplementing the PolicifyAI API interface or embed mechanism for commercial purposes.
  • Using API output, generated policies, or embed script functionality to train competing AI models or systems.
  • Removing or obscuring any proprietary notices in API responses or embed script output.

12.Suspension & termination

PolicifyAI may suspend or permanently revoke your API access and/or site keys for any of the following reasons:

  • Violation of these API Terms or our main Terms of Service.
  • Quota abuse, rate limit circumvention, or use of multiple accounts to accumulate credits.
  • Security violations or compromised credentials that pose a risk to the platform or other users.
  • Non-payment of subscription fees resulting in plan downgrade or account suspension.
  • Use of the API for prohibited purposes (see section 5).
12.1 Notice before suspension

Where feasible, we will provide at least 24 hours' notice before suspending API access, giving you an opportunity to address the issue. For security incidents (compromised keys, active abuse) or fraud, suspension may be immediate without prior notice.

12.2 Post-suspension notification

In the event of an emergency suspension, we will notify you by email to the address on your account as soon as practicable after the suspension takes effect, explaining the reason and any steps you can take to restore access.

12.3 Effect of termination

Upon revocation of API access: all API keys and site keys associated with your account are invalidated; the embed script will no longer serve policies from your account on your websites; any published embed widgets will display an error or fallback message.

13.Liability

The API is provided "as is" without warranty of any kind. PolicifyAI does not warrant that:

  • The API will be continuously available, error-free, or uninterrupted.
  • AI-generated policy content will be accurate, complete, or legally sufficient for any particular jurisdiction or use case.
  • The embed script will load correctly on all browsers, devices, or CSP configurations.
Downstream consequences

PolicifyAI is not liable for any downstream consequences arising from your integration of the API or embed script, including but not limited to: regulatory action against your business arising from policy content served via the API; legal claims from your users or third parties; financial losses resulting from API unavailability; or errors in AI-generated content. You are solely responsible for reviewing and validating all policy content before publishing it.

Liability cap

PolicifyAI's aggregate liability for any claim arising from these API Terms is capped at the total fees paid to PolicifyAI in the 12 months preceding the claim, subject to the terms of our main Terms of Service.

Nothing in these API Terms limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded or limited by applicable law.

14.Changes to these terms

We may update these API Terms from time to time to reflect changes in our API offering, applicable law, or our business practices. We will notify you of material changes by:

  • Sending an email to the address on your account at least 30 days before changes take effect.
  • Publishing a notice on our changelog at policifyai.com/releases.
  • Displaying a notice in the platform dashboard at least 30 days before changes take effect.
  • Updating the "Last updated" date at the top of this page.

Breaking API changes will additionally be announced through our standard deprecation process (section 10). Continued use of the API after the effective date of revised API Terms constitutes acceptance of the new terms.

15.Contact

Developer and API questions: [email protected]

Security issues (compromised keys, suspected API abuse): [email protected]

Embed script issues: include your site key (format: pk_*) and the domain in question in your correspondence so we can investigate quickly.

Legal questions about these API Terms: [email protected]

Enterprise API arrangements and custom limits: [email protected]