Use Eleven11 lawfully. Don't use it to attack people, scrape what you don't have a right to, spam, impersonate, or host illegal content. Authorized use is the rule across every product. We enforce it with warnings, suspension, termination, and law-enforcement referral when required.

These rules apply to every Eleven11 product, regardless of which one you’re using. They aren’t negotiable and aren’t varied by plan tier.

• Comply with applicable law.Indian law applies to your use of Eleven11 products by default. Where you operate across jurisdictions — for outreach, publishing, data capture, or any other activity — you’re responsible for complying with the laws of every jurisdiction implicated. We don’t audit your compliance, but we don’t shelter you from it either.
• No extraction attacks.No attempts to extract model weights, system prompts, or other customers’ data through any Eleven11 product. This includes prompt injection designed to leak context, timing attacks on shared infrastructure, and any technique whose goal is to access data or state that isn’t yours.
• No free-tier abuse. No deliberately saturating free-tier resources — API quotas, compute, storage — to degrade service for other customers. Rate limits exist to protect everyone on the platform. Circumventing them is a violation, not a clever workaround.
• No reverse-engineering of undocumented internals. We publish what we intend for external use. Don’t probe or reverse-engineer internal APIs, authentication flows, or service-to-service protocols that we haven’t documented for customer use.
• No downstream platform violations.When you use Eleven11 to interact with Meta, Google, Instagram, X, or any other platform, you’re also bound by that platform’s policies. We don’t grant you permission to violate third-party rules by routing through us.
• No harm. No using Eleven11 to harm any person, organization, or system. This is the floor. Everything else in this document adds specifics on top of it.

Dhara runs security scans: port surveys, vulnerability checks, canary-token deployment, and other active reconnaissance techniques. Those are powerful tools. The rule for using them is simple: scan only systems you own or for which you can produce documented authorization.

“Documented authorization” means a written scope of work, a signed engagement letter, a change-management ticket from the system owner, or equivalent evidence that the person who controls the target has explicitly given you permission to test it. Verbal assurances and informal agreements are not enough. We may ask you to produce this documentation at any time — before a scan, during a scan, or after we see anomalous activity.

Unauthorized scanning is grounds for immediate account termination and may be referred to law enforcement. You bear full legal responsibility for every scan you initiate through Dhara. We are not a party to your engagements and we do not absorb liability for how you use the tool.

Harvester captures content from websites and other sources at your direction. Phoenix uses that captured material to rebuild sites. Both tools operate on content you don’t always own — so the rules here are about respecting the rights of the people who do.

Respect robots.txtand the terms of service of any site you point Harvester at. Respect copyright and database rights in the material you capture — just because you can retrieve it doesn’t mean you have a license to reproduce or republish it. Don’t use Harvester to evade paywalls, circumvent access controls, or capture licensed material you haven’t paid for.

Phoenix rebuilds are scoped to sites you own and control. Don’t use Phoenix to rebuild a site you don’t have the right to republish. If a site owner revokes authorization mid-project, stop the rebuild and remove what was already captured.

Outreach sends email on your behalf. That means anti-spam law applies to you in every jurisdiction your messages reach. The requirements that follow aren’t exhaustive — they’re the floor.

Every message must include a physical postal address (yours or your organization’s) and a working unsubscribe link. Honor opt-outs within 10 business days — and in any case before you send another message to the same address. Don’t buy or rent contact lists unless you can produce evidence that the list includes valid consent transfers for your specific use. Don’t impersonate another person, company, or brand. Don’t use subject lines designed to mislead the recipient about the nature or sender of the message.

Specific laws that apply depending on where your recipients are: CAN-SPAM (US), CASL (Canada), India DPDP Act §7 conditions (India). If you’re sending to EU or UK recipients, GDPR and PECR apply. You’re responsible for knowing which laws apply to your audience.

Studio publishes content to social channels you connect — Meta, Instagram, Google, X, and others. You remain the publisher on those platforms. What we post on your behalf is your content.

Publish only to channels and accounts you have lawful authority to publish to. Don’t use Studio to impersonate another person, brand, or account. Don’t use it to publish content that the connected platform prohibits — including hate speech, sexual content involving minors, coordinated inauthentic behavior, or any other category explicitly banned by the platform’s policies.

No synthetic media targeting real individuals without disclosure. If you publish AI-generated images, audio, or video that depicts a real person, disclose that it’s synthetic in the post itself. Platform-level enforcement actions bind you; we honor them and may suspend access to the affected channel or account in response.

Architect is your workspace canvas — for matters, notes, imported documents, and collaborative thinking. What you put in stays in your workspace. Upload only content you have the right to use: documents you authored, materials you hold a license for, or content whose owner has authorized your use.

Don’t upload content that infringes third-party privacy or intellectual property. Don’t upload client material that’s confidential beyond your own workspace unless the client has authorized you to do so. Sharing workspace content externally — via export, share link, or delegation — is your responsibility. We don’t audit what you share or with whom.

Cal manages calendar access and sends invitations on your behalf. Use it for legitimate scheduling, not for reach.

No calendar-bombing — don’t send mass invitations to people who haven’t consented to calendar contact from you. No using calendar invitations as a phishing vector: don’t embed deceptive links, spoofed identities, or social-engineering content in invitation bodies. No sending invitations to people who have previously opted out of contact from you.

PR generates and publishes editorial content — posts, articles, captions — driven by the profile and fact bundles you supply. The content it generates is yours, and when it’s published to your sites or channels, you remain the publisher of record.

You’re accountable for the accuracy and legality of everything published under your name via PR. We don’t author your editorial position. We don’t vouch for the factual accuracy of output beyond what your source material supports. Review generated content before publishing if accuracy matters for the claim.

Eleven11 may issue canary tokens as part of a Dhara security engagement — for example, a fake credential file planted in a test directory to detect unauthorized access. Tokens are issued under the same authorization scope as the broader engagement.

Deploy canary tokens only against systems or persons you have lawfully authorized to test. Don’t repurpose a token outside the engagement scope it was issued for. Weaponizing a canary token against an unauthorized target — using it to phish, track, or surveil someone without their knowledge and outside a legitimate security engagement — is a serious AUP violation and may constitute a crime. We report credible cases to law enforcement.

Manch is a multi-tenant canvas product. When you publish or share a canvas, other people see it. The rules here are stricter and more specific than the cross-cutting rules because the surface area for harm is wider.

The following are prohibited on Manch canvases, shared links, invitation flows, and any other Manch surface:

• No content infringing third-party copyright, trademark, or other intellectual property.Don’t reproduce copyrighted works, use trademarked names or logos without authorization, or build canvases that exist primarily to exploit someone else’s IP.
• No content violating third-party privacy. No doxxing, no non-consensual publication of personal information (home address, phone number, workplace, daily routine), and no non-consensual intimate images under any circumstances.
• No hate speech, harassment, threats, or content targeting individuals or groups on protected characteristics. Protected characteristics include race, religion, gender identity, sexual orientation, disability, and nationality, among others. Targeting means making the content about the characteristic as grounds for abuse, not merely discussing the topic.
• No sexually explicit content involving minors (CSAM). Any such content is reported immediately to the National Center for Missing and Exploited Children (NCMEC) and to applicable Indian authorities under the POCSO Act. The account is terminated immediately. There is no warning, no appeal window, and no exception.
• No content promoting terrorism, violent extremism, or coordinated harm. This includes manifestos, recruitment material, operational planning, and glorification of acts of mass violence.
• No phishing surfaces, scams, or deceptive impersonation of any person or entity. Don’t build a canvas that mimics a login page, a government site, a financial institution, or any other party to steal credentials or money.
• No spam invitations to non-consenting recipients. Don’t use the invitation flow to blast people who haven’t asked to be contacted. Invitations are for people who want to collaborate, not for cold reach.
• No crypto pump-and-dump schemes, MLM solicitation, or illegal financial product solicitation. Canvases are not a distribution channel for financial fraud.
• No election-period coordinated inauthentic behavior on public canvases.During any recognized election period in any jurisdiction, don’t use Manch to coordinate mass publication of misleading content, fake grassroots activity, or artificially amplified political messaging.
• No using one tenant or invitation flow to attack another tenant or any non-tenant user.Multi-tenancy is a feature we protect. Don’t attempt to pivot from your workspace into another customer’s data, content, or session.
• No hosting binary payloads, malware, or links serving the same. Canvases are for content, not delivery infrastructure for malicious code.

If you see something on an Eleven11 surface that violates this policy, write to [email protected]. Include enough detail that we can find the content: a URL, a canvas ID, a screenshot, or any other identifying information.

We triage all abuse reports within 48 hours of receipt. Clearly illegal content — CSAM, active phishing pages, malware distribution — is removed immediately on identification, without waiting for the full review cycle. Borderline content goes through a documented review: we look at it, weigh it against this policy, and make a reasoned decision. We document that decision.

CSAM is handled separately from the standard abuse triage. Any report involving suspected child sexual abuse material is escalated immediately to NCMEC and to applicable Indian authorities under the POCSO Act. The account associated with the content is terminated before the report is filed — not after.

We don’t publish abuse report volumes publicly at this time, but we maintain internal records of every report, decision, and action taken. If you believe a decision was wrong, you can follow up at [email protected] with “Review request” in the subject line.

We don’t use a fixed point system. We look at what happened, how severe it was, and whether it was intentional. The general escalation is:

• Warning. For first-time or low-severity violations where the behavior can be corrected, we contact you, describe what we observed, cite the relevant policy clause, and give you a clear path to correct it. We document the warning.
• Suspension.If a warning didn’t produce a change, or if the violation is serious enough to warrant it immediately, we suspend access — to the affected product, or to the full account. We document the suspension and notify you of what you need to do to reinstate access, if reinstatement is possible.
• Termination.For severe violations, repeated violations after warning or suspension, or violations where reinstatement isn’t appropriate, we terminate the account. You have 30 days to export your data before deletion, unless the violation involves illegal content — in which case we may be legally required to preserve or transmit specific records to authorities before deletion.
• Law-enforcement referral.Where we’re legally required to report — CSAM, credible threats of imminent harm, certain fraud patterns — we do. Where the severity warrants a referral even if not strictly required, we make that call on a case-by-case basis. We don’t make referrals to punish or intimidate; we make them when we think they’re the right thing to do.

We document the chain at each step. If you believe a decision was made in error, write to [email protected] with “AUP appeal” in the subject line.

[email protected] for AUP violations and abuse reports. [email protected] for related legal correspondence. [email protected] for anything else.