xmail

Acceptable Use Policy

Operator:Xmail ("Xmail", "we", "us", "our") — the brand and trading name under which the Service is provided, licensed in the Sharjah Media City Free Zone (SHAMS), Sharjah, United Arab Emirates, under Licence No. 6312.01. The operator's full legal entity name and registered office are set out in our Legal Notice (Imprint) at /legal-notice.

Service: the Xmail AI-powered email platform, made available at xmail.com and its associated secondary and vanity domains (the "Service").

Version / Effective date: 6 June 2026. Status: BETA. The Service, including its AI features, is provided on an "as-is" and "as-available" basis, is rolling out gradually through the end of 2026, and may change, be limited, or be discontinued at any time.

1. Purpose and Scope

1.1. This Acceptable Use Policy (the "AUP" or "Policy") describes conduct and content that are prohibited when accessing or using the Service. Its purpose is to protect the Service, the people who use it, third parties, the broader email ecosystem, and the integrity and deliverability reputation of Xmail's mail infrastructure.

1.2. This Policy is incorporated into, and forms part of, the Xmail Terms of Service (the "Terms"). Capitalized terms used but not defined in this Policy have the meanings given to them in the Terms. In the event of a conflict between this Policy and the Terms regarding permitted use, the more restrictive provision applies.

1.3. This Policy applies to all access to and use of the Service by any person or entity (each a "User", "you"), including the sending, receiving, storing, forwarding, and processing of email and other messages, the use of webmail and IMAP/SMTP access, the use of custom and vanity domains, the use of AI features, and the use of any application programming interface ("API"), credit ("Points"), or other functionality we make available.

1.4. You are responsible for all activity that occurs under your account, including activity by any person you permit to use your account or credentials, and by any automated system you operate. You must ensure that anyone using the Service through your account complies with this Policy.

1.5. We may update this Policy from time to time in accordance with the Terms. Online abuse evolves quickly; where the change is needed to address a security, legal, or abuse risk, it may take effect immediately upon posting. Your continued use of the Service after an update constitutes acceptance of the updated Policy.

2. Definitions

For the purposes of this Policy:

2.1. "Content" means any data, text, message, header, attachment, image, code, link, or other material that is sent, received, stored, transmitted, generated, or otherwise made available through the Service.

2.2. "Messaging" means the sending, transmission, relaying, or facilitation of email or other electronic messages through or via the Service.

2.3. "Bulk Mail" means email or other messages of substantially similar content sent or intended to be sent to a large number of recipients, whether in one operation or over time.

2.4. "UBE/UCE" means Unsolicited Bulk Email and Unsolicited Commercial Email, commonly known as spam.

2.5. "AI Features" means the automated and large-language-model–based features of the Service, including classification, summarization, the user "portrait", research, spam detection, and assistant capabilities described in the Terms and the Privacy Policy.

2.6. "CSAM" means child sexual abuse material and any content that sexually exploits, abuses, or endangers a minor (a person under the age of 18).

3. General Standard of Conduct

3.1. You must use the Service lawfully, responsibly, and in good faith. You must not use the Service, and must not permit it to be used:

(a) in violation of any applicable law or regulation, including the laws of the United Arab Emirates, the laws of any jurisdiction in which you reside or operate, and the laws of any jurisdiction into which your Messaging is directed;

(b) to infringe, misappropriate, or violate the rights of any person, including privacy, publicity, intellectual property, and data-protection rights;

(c) in any manner that harms, disables, overburdens, degrades, or impairs the Service or any Xmail infrastructure, or that interferes with any other party's use of the Service; or

(d) to harm, deceive, defraud, harass, threaten, or endanger any person.

3.2. Eligibility / age. The Service is not directed to minors. You must be at least 18 years old to access or use the Service, consistent with the Terms and the Privacy Policy. You must not use the Service if you are under 18, and you must not permit any person under 18 to use the Service through your account.

3.3. The Service is in BETA and email delivery is not guaranteed. This does not lessen your obligations under this Policy. Operating within sending limits and reputation expectations (see Section 6) is a condition of use, not merely a quality measure.

4. Prohibited Content

You must not create, upload, store, send, receive, distribute, link to, or otherwise make available through the Service any Content that:

4.1. Child sexual abuse material (zero tolerance). Constitutes, depicts, promotes, solicits, or facilitates CSAM or the sexual exploitation of minors in any form. This prohibition is absolute and admits no exception. Child sexual abuse material (CSAM) is strictly prohibited and subject to zero tolerance. We employ automated and manual detection. Upon detecting or being notified of apparent CSAM, and in accordance with UAE Federal Law No. 3 of 2016 (Wadeema's Law), Article 29, and UAE Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrimes, we will: (i) immediately remove or disable access to the content; (ii) preserve the content, associated account data, and access logs for the competent authorities; (iii) report to the UAE Ministry of Interior Child Protection Centre (and, where Xmail has a relevant US nexus, additionally to the U.S. National Center for Missing & Exploited Children (NCMEC)); and (iv) cooperate fully with law enforcement, including lawful disclosure of subscriber and traffic data. We will also terminate the account. See Sections 11 and 12.

4.2. Other illegal content. Is otherwise illegal or promotes, facilitates, or instructs in illegal activity, including human trafficking, terrorism or violent extremism, the unlawful sale of weapons or controlled substances, or the proceeds of crime.

4.3. Exploitation and endangerment. Exploits or harms minors in any way, or facilitates the grooming, endangerment, or abuse of any vulnerable person.

4.4. Hateful, harassing, or violent content. Incites or promotes violence, terrorism, self-harm, or hatred against, or harassment of, any person or group on the basis of race, ethnicity, national origin, religion, gender, gender identity, sexual orientation, disability, or any other protected characteristic, or that constitutes credible threats, stalking, doxxing, or targeted harassment.

4.5. Intellectual-property infringement. Infringes any copyright, trademark, patent, trade secret, or other intellectual-property or proprietary right, or that is used to facilitate such infringement (including unauthorized distribution of copyrighted works or counterfeit goods).

4.6. Malware and hostile code. Contains, links to, or is designed to deliver viruses, worms, trojans, ransomware, spyware, keyloggers, or any other malicious or hostile code, or that exploits or is intended to exploit a security vulnerability.

4.7. Phishing and deception. Constitutes phishing, pharming, spoofing, or any attempt to deceptively obtain credentials, payment information, personal data, or other sensitive information, or that impersonates any person, brand, or organization in a misleading manner.

4.8. Fraud and scams. Promotes or facilitates fraud, financial scams, pyramid or Ponzi schemes, advance-fee fraud, fake invoices, business-email-compromise schemes, or other deceptive or fraudulent practices.

4.9. Deceptive or harmful AI-generated content. Consists of AI-generated or AI-assisted material that is deployed to deceive, defraud, impersonate, manipulate, or harm (including synthetic media, deepfakes, or fabricated communications used for any of the purposes prohibited in this Section).

4.10. Private and sensitive data without authority. Discloses or trades in another person's personal, financial, health, or authentication data without lawful basis and authorization.

5. Prohibited Messaging Conduct (Anti-Spam)

The integrity of email depends on disciplined sending behavior. You must comply with the following at all times.

5.1 No spam / UBE / UCE

(a) You must not send, relay, or facilitate UBE/UCE or any other unsolicited Bulk Mail through or in connection with the Service.

(b) You must not send Bulk Mail or commercial messages to any recipient who has not given valid, demonstrable consent to receive them, except where another lawful basis recognized under applicable law clearly applies.

5.2 Consent, lists, and list hygiene

(a) No purchased, rented, harvested, or scraped lists. You must not send to email addresses obtained from purchased or rented lists, from scraping or harvesting, or from any source other than the recipient's own provision of their address to you for the relevant purpose.

(b) Consent records. You must be able to demonstrate, on request, the lawful basis and (where required) the consent for each recipient to whom you send Bulk Mail or marketing.

(c) List hygiene. You must promptly remove invalid addresses, hard bounces, complaints, and spam-trap hits, and must not repeatedly send to addresses that bounce or generate complaints.

(d) Unsubscribe. Every marketing or commercial Bulk Mail message must include a functioning, conspicuous, and free opt-out mechanism. You must honor opt-out requests promptly and in any event within the period required by applicable law, and you must not send further marketing to a recipient who has opted out.

5.3 Honesty of identity and headers

(a) You must not forge, falsify, or manipulate any email header, sender identity, "From", "Reply-To", routing, or other transmission information, or otherwise misrepresent the origin of a message.

(b) Subject lines and message content must not be deceptive or misleading as to the nature, source, or purpose of the message.

(c) You must use accurate sender identification and, where you operate your own domains, maintain correct authentication records (e.g., SPF, DKIM, DMARC) for the domains you send from.

5.4 Infrastructure abuse

You must not operate or facilitate, through or in connection with the Service: open mail relays or open proxies; "snowshoe" spamming (spreading sending across many addresses, domains, or IPs to evade detection); botnets or compromised hosts; or any mechanism designed to disguise, distribute, or amplify abusive sending.

5.5 Applicable norms

You must comply with the anti-spam and electronic-marketing requirements of all applicable laws, including (as applicable to you and your recipients) CAN-SPAM–style requirements, the EU General Data Protection Regulation ("GDPR") and ePrivacy rules on consent for electronic marketing, the UAE PDPL and its implementing regulations, and equivalent regimes in other jurisdictions you send to.

5.6 Sending limits, rate limits, and warm-up

(a) The Service applies sending limits, rate limits, throttling, and quotas, which we may set, vary, or enforce at any time, including automatically, to protect deliverability and prevent abuse.

(b) You must not exceed, evade, or attempt to circumvent any applicable limit, quota, or filter.

(c) You are responsible for the sending reputation of your account, domains, and IPs. You are expected to ramp volume gradually ("IP/domain warm-up"), to maintain low complaint and bounce rates, and to respond promptly to deliverability and reputation issues. We may reduce limits, throttle, quarantine, or suspend sending where reputation or complaint signals warrant it.

6. Security Abuse

6.1. You must not, and must not attempt to:

(a) gain unauthorized access to any account, system, network, data, or infrastructure, whether belonging to Xmail or any third party;

(b) conduct port scanning, network mapping, vulnerability scanning, penetration testing, fuzzing, or other security probing of the Service or any Xmail infrastructure without our prior written authorization;

(c) conduct credential stuffing, password spraying, brute-force attacks, or other attacks against authentication systems;

(d) conduct or facilitate any denial-of-service or distributed-denial-of-service attack, flooding, or other action designed to disrupt or degrade any system or network;

(e) introduce malware or hostile code into the Service, or use the Service to stage, host, command, or control such code; or

(f) circumvent, disable, or interfere with any security feature, filter, quota, rate limit, authentication, or access control of the Service.

6.2. Responsible disclosure. If you discover a genuine security vulnerability, you must not exploit it beyond the minimum necessary to confirm it, must not access, alter, or exfiltrate other Users' data, and must report it promptly to [email protected]. Good-faith testing is permitted only within the scope of a written authorization or a published Xmail vulnerability-disclosure program, if any.

7. Platform Abuse

7.1. You must not:

(a) scrape, crawl, harvest, or systematically extract data, addresses, or Content from the Service except as expressly permitted by us in writing or through documented API features used within their limits;

(b) create accounts by automated means, register accounts in bulk, or create accounts using false, stolen, or another person's identity;

(c) resell, sublicense, or make the Service available to third parties as a service or relay without our prior written permission;

(d) use the Service, or any AI Feature, to generate, scale, or distribute Content prohibited under Section 4 or messaging prohibited under Section 5, including using AI Features to mass-produce spam, phishing lures, scam content, malware, or deceptive material;

(e) misuse, overload, or attempt to manipulate AI Features (for example, through automated mass requests designed to extract, degrade, or abuse the underlying models or to exceed fair-use thresholds); or

(f) interfere with, manipulate, or abuse the Points system, payment flows, promotions, or referral mechanisms, including through fraudulent, automated, or deceptive means.

7.2. AI Features — honest expectations. AI Features process the content of your email and other Content to provide their functionality and may use third-party AI subprocessors as described in the Terms and Privacy Policy. AI output may be incomplete or incorrect, and you must not rely on it for any consequential decision. Using AI output as the basis for prohibited conduct does not excuse that conduct.

8. Crypto and Blockchain Use

8.1. Lawful cryptocurrency, blockchain, digital-asset, and Web3 activity is permitted on the Service. Nothing in this Policy prohibits lawful crypto-related communications, businesses, projects, or payments, and Xmail intends to remain crypto- and blockchain-friendly (including potentially accepting crypto or stablecoin payments now or in the future). For the avoidance of doubt, Xmail is an email platform; it does not itself provide cryptocurrency, custody, exchange, wallet, or other digital-asset or financial services.

8.2. The general prohibitions in this Policy apply equally to crypto-related activity. In particular, you must not use the Service for crypto- or blockchain-related fraud, phishing, scams, fake airdrops or token sales, wallet-draining schemes, pump-and-dump or other market-manipulation campaigns, impersonation of exchanges or projects, unlicensed financial solicitation, or unsolicited bulk promotion of digital assets. The prohibition is on fraud and abuse, not on lawful crypto use.

9. Custom and Vanity Domains

9.1. If you connect a custom or vanity domain to the Service, you must lawfully own or control that domain and its DNS, and you must not configure or use any domain in a way that infringes a third party's rights, impersonates another party, or facilitates conduct prohibited by this Policy.

9.2. You are responsible for the sending behavior, authentication records, and reputation of every domain you use with the Service, and for compliance of those domains with Sections 4 through 6.

10. Email Delivery Is Not Guaranteed

10.1. Email delivery is not guaranteed. Messages may be scored, filtered, delayed, quarantined, rejected, or lost by our anti-spam and anti-abuse systems (which are of the Rspamd class) or by third-party systems outside our control. You must not rely on the Service for critical, urgent, or time-sensitive communications.

10.2. We may apply inbound and outbound filtering, scoring, quarantine, and blocking at any time to protect Users, recipients, and the Service. The application of such measures is not a representation that any particular message is or is not abusive.

11. Enforcement

11.1. Investigation. We may, but are not obligated to, monitor, investigate, and review use of the Service for compliance with this Policy. We have no obligation to pre-screen Content or Messaging, and we do not undertake to do so.

11.2. Remedies. Where we reasonably believe that this Policy has been or may be violated, or where necessary to protect the Service, Users, third parties, or our infrastructure or reputation, we may take any one or more of the following actions, with or without prior notice, in our reasonable discretion. We will generally apply these in an escalating manner — investigate, then throttle or quarantine, then suspend or terminate, and preserve or disclose where lawful — while reserving the right to act immediately where the circumstances in Section 11.3 apply:

(a) filter, throttle, rate-limit, or block specific Messaging or traffic;

(b) quarantine, remove, or disable access to specific Content;

(c) reduce sending limits or quotas;

(d) suspend or restrict your access to all or part of the Service;

(e) terminate your account and the provision of the Service to you;

(f) where the violation involves fraud, abuse, or a material breach of this Policy, forfeit any affected Points balance, consistent with the Points section of the Terms and applicable law (Points are prepaid credits, are not money, have no cash value, and are generally non-refundable, save that, for purchased Points, applicable consumer-protection law may require us to refund or credit an unused balance on a no-fault termination or closure); and

(g) take any other action we consider appropriate, including remedial or legal action.

11.3. Proportionality and urgency. We will seek to apply enforcement measures proportionately, but we may act immediately and without prior notice where there is a risk of harm, illegality, security compromise, legal exposure, or damage to the deliverability reputation of the Service.

11.4. Preservation and disclosure. We may preserve Content, logs, and account information, and may disclose them to law-enforcement, regulators, or other competent authorities, or to affected third parties, where we believe in good faith that doing so is required by law, permitted by law, or necessary to investigate, prevent, or address suspected illegal activity, fraud, security incidents, abuse, or violations of this Policy, in each case consistent with the Xmail Privacy Policy and applicable data-protection law (including the UAE PDPL and its implementing regulations and, where applicable, the GDPR / UK GDPR).

11.5. No waiver. Our failure to enforce any provision of this Policy in a particular instance is not a waiver of our right to enforce it later.

11.6. Liability and survival. Enforcement under this Policy is subject to the limitations of liability, disclaimers, governing-law, and dispute-resolution provisions of the Terms (including the aggregate liability cap, the exclusion of indirect and consequential damages, and UAE governing law). Consistent with the Terms, disputes with business (non-consumer) Users are resolved by binding arbitration administered by the Dubai International Arbitration Centre (DIAC), seat Dubai (with DIFC or ADGM available as an alternative seat where adopted in the Terms), while disputes with consumers default to the competent UAE courts, in each case subject to any non-waivable consumer rights and mandatory local law. You are responsible for, and will be liable for, your violations of this Policy.

12. Reporting Abuse

12.1. To report spam, phishing, fraud, security issues, intellectual-property infringement, or any other suspected violation of this Policy originating from or affecting the Service, contact us at [email protected].

12.2. To report suspected CSAM or child endangerment, contact [email protected] immediately with the subject line "CSAM"; such reports are prioritized and handled in accordance with Section 4.1.

12.3. For security-vulnerability reports, contact [email protected] (see Section 6.2). For data-protection and privacy matters, contact our privacy contact at [email protected] as set out in the Privacy Policy.

12.4. Please include sufficient detail to allow us to investigate, including, where available, full message headers, timestamps, affected domains or addresses, and a description of the issue. We may follow up for additional information and may keep you informed of the outcome to the extent appropriate and lawful.

13. Contact

Questions about this Policy may be sent to [email protected] or to the operator at the registered address set out in our Legal Notice (Imprint) at /legal-notice (Licence No. 6312.01). Abuse and security reports should use the dedicated channels in Section 12 to ensure prompt handling.