This Acceptable Use Policy (“AUP”) applies to your (“You/Your”) use of the OneSignal services. This AUP reflects our mutual desire that messages are sent with the consent of the message recipient, and that those messages comply with applicable laws, communications industry guidelines or standards, and measures of fairness and decency.
Some Services have additional policies that apply:
Push Notifications
SMS/MMS[1]
When we identify a violation of this AUP, we try to work with customers in good faith to get them back into compliance with this policy. However, to protect the continued ability of all our customers to use messaging for legitimate purposes, we reserve the right to suspend or remove access to the Services for you or your end users that are not complying with this AUP, in some instances with limited notice in the case of serious violations of this AUP.
This AUP is subject to change from time to time with such changes effective upon posting on https://onesignal.com/aup. OneSignal encourages You to review this AUP regularly.
Requirements. By using the OneSignal services (the “Services”), You agree to:
● Be solely responsible and liable for any data or content You provide to the Service or to Your users using the Service (“Your Content”) which includes any content linked from Your Content.
● At all times display a privacy policy or other notice on Your websites as required by applicable laws.
● Provide all disclosures and have obtained and will maintain all rights and consents (including from authorized users and end users) required by applicable law to transfer data to OneSignal and for OneSignal to use the data in accordance with any agreement(s) between the parties.
● Must seek and secure any and all necessary consents from, and provide any necessary notices to, Your users, before providing Your Content via the Services in compliance with applicable law. Proof of consent must be provided in the event of an escalated abuse complaint. We take escalated abuse complaints received from recipients very seriously. At any given moment, You must be able to provide information regarding all email addresses and/or telephone numbers to which You’ve sent emails and/or SMS through the platform (including the basis of the obtained consent, when and how the email address or telephone number was collected, and any other pertinent proof of legal permission to contact the recipients).
Prohibited Behavior. You may not use our platform or Services to engage in, foster, or promote illegal, abusive, or irresponsible behavior, including (but not limited to):
● for any unlawful purpose or in any manner not intended by OneSignal or as contemplated herein;
● engage in any action that is in violation or circumvention of any third-party developer or platform terms or conditions (e.g., Apple iPhone Developer Program License Agreement, Android Software Development Kit License Agreement) as they may be amended from time to time;
● activity or conduct that is likely to be in breach of any applicable laws, codes or regulations, including data privacy laws and laws relating to unsolicited commercial electronic messages;
● engage in spamming, flooding, or deceptive marketing practices;
● knowingly transmit any software or other materials that contain any viruses, worms, trojan horses, defects, date bombs, time bombs or other items of a destructive nature;
● copy, modify, adapt, sublicense, translate, sell, resell, distribute, commercially exploit, reverse engineer, decompile or disassemble any portion of the Service;
● remove, alter, conceal any copyright, trademark, patent or other proprietary rights notices contained in the Service;
● access, or attempt to access, the Service by any means other than through the SDK or API, unless authorized by OneSignal;
● institute an attack upon any server used in connection with the Service or otherwise attempt to disrupt such servers or abuse the Service;
● make any statement that expresses or implies that You are endorsed by us, without our prior written consent;
● for any other benchmarking or competitive purposes;
● for any high risk activities where use or failure of the Services could lead to death, personal injury or environmental damage, including life support systems, emergency services, nuclear facilities, autonomous vehicles or air traffic control.
● activity intended to withhold or cloak identity or contact information, including the omission, deletion, forgery or misreporting of any transmission or identification information, such as return mailing and IP addresses;
● activity which might reasonably be considered: (i) to be illegal, immoral, unethical, deceptive, scandalous, fraudulent, offensive and/or obscene; or (ii) to injure, tarnish, damage or otherwise negatively affect the reputation and goodwill associated with our Services, networks, platforms, group companies or customers.
● interfering with or otherwise adversely impacting any aspect of the Services, our overall business and operations, or any third-party or our network or platform that are linked to the Services.
Prohibited Content. You will not transmit, link to, publish, or store on the Services, content or data that is or contains:
● unlawful, fraudulent, threatening, abusive, libelous, defamatory, hateful, obscene or otherwise objectionable, or infringes our or any third party’s intellectual property or other rights;
● material, non-public information about companies without the authorization to do so;
● unfair or deceptive under the consumer protection laws of any jurisdiction, including chain letters, pyramid schemes, investment opportunities or other unsolicited commercial communication (except as otherwise expressly permitted by us);
● payday loans, debt collection agencies, affiliate marketing, or anything that can be
considered abusive or dishonest;
● gambling content or activity in violation of any required licenses, codes of practice, or necessary
technical standards required under the laws or regulations of any jurisdiction in which Your site is hosted or accessed;
● constitutes, depicts, fosters, promotes or relates in any manner to child pornography, bestiality, non-consensual sex acts, or otherwise unlawfully exploits persons under 18 years of age;
● excessively violent, incites violence, threatens violence, contains harassing content or hate speech, creates a risk to a person’s safety or health, or public safety or health, compromises national security or interferes with an investigation by law enforcement;
● unfair or deceptive under the consumer protection laws of any jurisdiction, including chain letters and pyramid schemes;
● defamatory or violates a person’s privacy; or
● unless expressly agreed to by OneSignal in a separate signed writing, sensitive personal information, sensitive data, or special categories of personal information as defined under applicable data protection laws, such as social security numbers or other government identifiers, information related to racial or ethnic origin, political opinions, religion or other beliefs, medical or health information or conditions, criminal background, trade union membership, sexual orientation, and precise geolocation.
Anti-Corruption and Trade Laws
You must comply with all applicable anti-corruption, anti-money laundering, economic and trade sanctions, export controls, and other international trade laws, regulations, and governmental orders (collectively, “Anti-Corruption and Trade Laws”) in the jurisdictions that apply directly or indirectly to the Services, including, without limitation, the United States, and (b) represent that You have not made, offered, promised to make, or authorized any payment or anything of value in violation of Anti-Corruption and Trade Laws. You must promptly notify OneSignal of any actual or potential violation of Anti-Corruption and Trade Laws in connection with the use of the Services and take all appropriate steps to remedy or resolve such violations. You certify that (a) You will not, sell, export or re-export, divert or transfer, or otherwise participate in any export transaction involving the Services with individuals or entities listed in the U.S. Commerce Department's Table of Denial Orders, the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of State’s list of individuals debarred from receiving Munitions List items and other applicable lists, e.g., the Entity List; (b) You will not violate U.S. law with respect to the U.S. consolidated screening list including, but not limited to, the following: (i) re-exporting / transferring U.S. controlled items or technology to an individual or entity identified on the U.S. consolidated screening list; (ii) that no party to this transaction is identified on the U.S. consolidated screening list; and (iii) You are not owned or otherwise controlled by any individual or entity on the U.S. consolidated screening list; (c) this transaction does not violate the current U.S. sanctions laws and regulations with respect to Russia/Ukraine (which can be found here: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/ukraine.aspx), including, but not limited to: (i) the use of this product for an unauthorized purpose (e.g., use of the product for deep-water, Arctic offshore, or shale projects that have the potential to produce oil in the Russian Federation); (ii) the product is not for use by an entity identified on a U.S. sanctions list; and (iii) the product will not be re-exported or transferred to the Crimea-Region of Ukraine; and (d) You warrant that You are not located in, under the control of, or a national or resident of any such prohibited country or on any such prohibited party list.
Service Specific Policies
Push Notification Additional Policies
● You must not send extremely high frequency and volume of notifications (e.g.., 720 notifications per subscriber per month and exceeding over 1 million notifications per month)
● You must not allow severely underperforming engagement metrics (i.e. high unsubscribe rate, or low CTR 0.01%)
● OneSignal may suspend Your use of the Service based on any other metrics that indicate abuse or over utilization that diminishes the OneSignal service overall performance (e.g., excessive use of infrastructure, unacceptable latency, or excessive storage).
Email Additional Policies
● Threshold Metrics
a. All email sending metrics much remain within these thresholds:
Statistic Thresholds | Acceptable levels* | Additional details |
Bounces | ≤ 5% | Calculated on the number of messages that have bounced |
Unsubscribes | ≤ 1.4% | or 1% if unsubs > clicks |
Spam Complaints | ≤ 0.08% | Calculated on the number of messages that have been reported as spam |
Blocks | <20% | Calculated on the number of messages that have been blocked |
*We reserve the right to update the parameters of the acceptable sending threshold without prior notice.
b. Acquiring or sending to a third-party mailing list is prohibited. Use of contact lists that are bought, rented or scraped from third-parties is prohibited by law in most countries, and is absolutely prohibited on our servers.
c. Emails and SMS (unless transactional) can only be sent where permission has been expressly obtained in nature, and can only be sent to recipients who have granted clear, explicit and provable consent to receive communication. This consent should be granted through a confirmed single or double opt-in system that clearly expresses the topic of the subscription on an online or offline form via an unmarked by default checkbox.
d. Proof of consent must be provided in the event of an escalated abuse complaint. We take escalated abuse complaints received from recipients very seriously. At any given moment, you must be able to provide information regarding all email addresses and/or telephone numbers to which you’ve sent emails and/or SMS through the platform (including the basis of the obtained consent, when and how the email address or telephone number was collected, and any other pertain proof of legal permission to contact the recipients).
e. An unsubscribe link must be included in every marketing email campaign. All marketing campaigns must include a clear and concise link for recipients to easily opt-out of receiving future communication. The link must be easy for anyone to recognize, read, and understand. You must honor unsubscribe requests without undue delay. Note that transactional and confirmation emails and SMS do not require an unsubscribe link.
f. Sender name and status must be clearly communicated in every email message. “From”, “To” and “Reply-To” fields must accurately and clearly identify the sender’s domain name and email address. When sending from a different domain name on behalf of a partner or related third-party organization, the email body must clearly communicate that the message is sent via a third-party domain. Any third-party domains must also be validated by the sender.
g. Readily publish on your website and comply with a privacy policy that meets legal requirements and include a link to that policy in the body of each email.
● Email validation Requirements. Without limiting the application of any other provisions of this AUP, with respect to any of the Services’ email verification features or functionality, you may not:
a. Use the Services to verify the email address(es) of any person who has not affirmatively consented (i.e., opted-in) to, or who has expressly opted-out from receiving email communications from you;
b. Use the Services to validate email addresses that were purchased, rented or similarly obtained from a third party (i.e., third party email lists); or,
c. Use the Services to harvest or generate email addresses or otherwise determine the existence of unknown email addresses.
● Inbox Placement Requirements. Without limiting the application of any other provisions of this AUP, with respect to any of the Services’ Inbox Placement features, you may only:
a. Send emails to your seed list when conducting an inbox placement test; and
b. Update your seed list every 30 days from the most recent list we provide to you
Mobile Messaging Additional Policies Requirements
These rules cover:
● Consent (“opt-in”);
● Revocation of Consent (“opt-out”);
● Sender Identification;
● Messaging Usage;
● Filtering Evasion; and
● Enforcement.
Consent / Opt-in
What Is Proper Consent?
Consent can't be bought, sold, or exchanged. For example, you can't obtain the consent of message recipients by purchasing a phone list from another party.
Aside from two exceptions noted later in this section, you need to meet each of the consent requirements listed below.
Consent Requirements
● Prior to sending the first message, you must obtain agreement from the message recipient to communicate with them - this is referred to as "consent", you must make clear to the individual they are agreeing to receive messages of the type you're going to send. You need to keep a record of the consent, such as a copy of the document or form that the message recipient signed, or a timestamp of when the customer completed a sign-up flow.
● If you do not send an initial message to that individual within a reasonable period after receiving consent (or as set forth by local regulations or best practices), then you will need to reconfirm consent in the first message you send to that recipient.
● The consent applies only to you, and to the specific use or campaign that the recipient has consented to. You can't treat it as blanket consent allowing you to send messages from other brands or companies you may have, or additional messages about other uses or campaigns.
● Proof of opt-in consent should be retained as set forth by local regulation or best practices after the end user opts out of receiving messages.
Alternative Consent Requirements
While consent is always required and the consent requirements noted above are generally the safest path, there are two scenarios where consent can be received differently.
Contact initiated by an individual
If an individual sends a message to you, you are free to respond in an exchange with that individual. For example, if an individual texts your phone number asking for your hours of operation, you can respond directly to that individual, relaying your open hours. In such a case, the individual’s inbound message to you constitutes both consent and proof of consent. Remember that the consent is limited only to that particular conversation. Unless you obtain additional consent, don't send messages that are outside that conversation.
Informational content to an individual based on a prior relationship
You may send a message to an individual where you have a prior relationship, provided that individual provided their phone number to you, and has taken some action to trigger the potential communication, and has not expressed a preference to not receive messages from you. Actions can include a button press, alert setup, appointments, or order placements. Examples of acceptable messages in these scenarios include appointment reminders, receipts, one-time passwords, order/shipping/reservation confirmations, drivers coordinating pick up locations with riders, and repair persons confirming service call times.
The message can't attempt to promote a product, convince someone to buy something, or advocate for a social cause.
Periodic Messages and Ongoing Consent
If you intend to send messages to a recipient on an ongoing basis, you should confirm the recipient’s consent by offering them a clear reminder of how to unsubscribe from those messages using standard opt-out language (defined below). You must also respect the message recipient’s preferences in terms of frequency of contact. You also need to proactively ask individuals to reconfirm their consent as set forth by local regulations and best practices.
Identifying Yourself as the Sender
Every message you send must clearly identify you (the party that obtained the opt-in from the recipient) as the sender, except in follow-up messages of an ongoing conversation.
Opt-out
The initial message that you send to an individual needs to include the following language: “Reply STOP to unsubscribe,” or the equivalent using another standard opt-out keyword, such as STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT.
Individuals must have the ability to revoke consent at any time by replying with a standard opt-out keyword. When an individual opts out, you may deliver one final message to confirm that the opt-out has been processed, but any subsequent messages are not allowed. An individual must once again provide consent before you can send any additional messages.
Usage Limitations
Content We Do Not Allow
The key to ensuring that messaging remains a great channel for communication and innovation is preventing abusive use of messaging platforms. That means we never allow some types of content on our platform, even if our customers get consent from recipients for that content. Prohibited uses include:
● Anything that is illegal in the jurisdiction where the message recipient lives. Examples include, but are not limited to:
○ Cannabis. Messages related to cannabis are not allowed in the United States as federal laws prohibit its sale, even though some states have legalized it. Similarly, messages related to CBD are not permissible in the United States, as certain states prohibit its sale. This include any message which relates to the marketing or sale of a cannabis product, regardless of whether or not those messages explicitly contain cannabis terms, images, or links to cannabis websites.
○ Prescription Medication. Offers for prescription medication that cannot legally be sold over-the-counter are prohibited in the United States.
● Hate speech, harassment, exploitative, abusive, or any communications that originate from a hate group.
● Fraudulent messages.
● Malicious content, such as malware or viruses.
● Any content that is designed to intentionally evade filters (see below).
Country-Specific Rules
All messages should comply with the rules applicable to the country in which the message recipient lives, which can be found in Twilio’s Country-Specific Guidelines. Additionally, Twilio has Country Specific Requirements for select countries, which you should review prior to sending a message to recipients in or from those countries.
Age and Geographic Gating
If you are sending messages in any way related to alcohol, firearms, gambling, tobacco, or other adult content, then more restrictions apply. In addition to obtaining consent from every message recipient, you must ensure that no message recipient is younger than the legal age of consent based on where the recipient is located. You also must ensure that the message content complies with all applicable laws of the jurisdiction in which the message recipient is located or applicable communications industry guidelines or standards.
You need to be able to provide proof that you have in place measures to ensure compliance with these restrictions.
Messaging Policy Violation Detection and Prevention Evasion
Customers may not use the Services to evade a telecommunications provider’s unwanted messaging detection and prevention mechanisms.
Examples of prohibited practices include:
● Content designed to evade detection. As noted above, we do not allow content which has been specifically designed to evade detection by unwanted messaging detection and prevention mechanisms. This includes intentionally misspelled words or non-standard opt-out phrases which have been specifically created with the intent to evade these mechanisms.
● Snowshoeing. We do not permit snowshoeing, which is defined as spreading similar or identical messages across many phone numbers with the intent or effect of evading unwanted messaging detection and prevention mechanisms.
● Simulated social engineering attacks. You are prohibited from transmitting messages that are used for security testing, including simulated phishing and other activities that may resemble social engineering or similar attacks.