Acceptable Use Policy (AUP)

Version: 1.0 Effective date: 04 May 2026 Last updated: 04 May 2026 Language: English (courtesy translation — the Romanian version prevails)

Important note on this courtesy translation. This English version is a courtesy translation of the official Romanian Acceptable Use Policy. In case of any discrepancy or interpretive divergence, the Romanian-language version prevails as the legally binding document.

NOTICE — BETA STAGE. The Bits CRM Service is in BETA stage. This Policy may evolve to reflect new features or identified operational risks. Modifications will be notified in accordance with section 13.

Preamble

This Acceptable Use Policy (hereinafter the “AUP” or the “Policy”) sets out the rules of conduct that any User of the Bits CRM platform agrees to comply with, regardless of the chosen plan (Free, Pro, Premium, Business).

The AUP is incorporated by reference into the Bits CRM Terms and Conditions and the Data Processing Agreement (DPA). Acceptance of the Terms and Conditions implies full acceptance of this Policy.

Platform operator: BITS DIGITAL SOLUTIONS S.R.L. (hereinafter “Bits CRM” or “we”). Contact for reporting violations: office@64bits.it.

1. Purpose and scope

1.1 Purpose

The AUP protects:

the integrity of Bits CRM Services and their availability for all users;
the security and privacy of data subjects;
Bits CRM’s compliance with applicable Romanian and EU legislation;
the reputation of the Bits CRM brand and of its Users.

1.2 Who it applies to

This Policy applies to:

All users of the Bits CRM platform, regardless of plan (Free, Pro, Premium, Business);
Sub-users added by the Customer (team members, external collaborators, “client portal” users);
Anyone who accesses the Services through the API, direct integration or other technical means;
Visitors of public pages generated through the platform (booking pages, share links, etc.).

The Customer is responsible for compliance with this Policy of all users it adds to its account.

2. Definitions

Customer Content — any data, files, messages, documents, recordings, AI prompts or other material uploaded, created or transmitted through the platform.
Data subject — any natural person whose data is processed through Bits CRM (the Customer’s end clients, contacts, prospects, partners, etc.).
Commercial communication — any message of advertising or promotional nature transmitted to a recipient through Bits CRM tools (email, SMS, in-app messages, etc.).
Recording — audio, video or chat capture from a meeting, phone call or similar session.

3. Prohibited content

It is strictly prohibited to upload, transmit, store or process through the platform any content that:

3.1 Is illegal or infringes third-party rights

Illegal content under Romanian or EU legislation;
Content infringing the intellectual property rights of third parties (copyrights, trademarks, patents, designs, trade secrets);
Defamatory or slanderous content, or content harming the image of a natural or legal person;
Content that infringes the privacy or image rights of third parties;
Content obtained through fraudulent or illicit means.

3.2 Is obscene, shocking or dangerous to minors

Pornographic, obscene or gratuitously shocking material without legitimate purpose;
Content that exploits minors or endangers their safety, in any form;
Content promoting violence, terrorism, discrimination, hatred or extremism.

3.3 Is misleading

False or misleading data (non-existent CUI, fictitious identities used to mislead end clients);
Fictitious invoices or invoices issued for non-existent transactions with the purpose of defrauding tax authorities, partners or clients;
Falsified or modified documents without consent;
Communications that impersonate another person or entity (impersonation, phishing, spoofing).

3.4 Contains malware or malicious code

Viruses, trojans, ransomware, spyware, keyloggers, or any other code designed to compromise security;
Links to phishing sites or malware distribution;
Documents with malicious macros or exploits.

3.5 Data collected without legal basis

Personal data collected in breach of GDPR (without legal basis, without informing data subjects, beyond the declared purposes);
Contact lists purchased or scraped without the consent of the data subjects.

4. Prohibited activities

The following technical or operational activities are strictly prohibited:

4.1 Attacks and security compromise

DoS / DDoS attacks against the Services or the underlying infrastructure;
Brute-force attempts against authentication (credentials, share links, OTP);
Injections (SQL, XSS, command injection, etc.) or other attempts to exploit vulnerabilities;
Unauthorised access to accounts, data or features reserved for other users or Bits CRM personnel;
Systematic probing of the Services to identify vulnerabilities without prior written agreement (for bug bounty or ethical research, contact office@64bits.it).

4.2 Service manipulation

Reverse engineering, decompilation, disassembly of applications or APIs, except in cases expressly permitted by mandatory law;
Automated scraping of the Services outside the public APIs made available;
Creation of multiple accounts to evade the limits of the chosen plan;
Using the Services to develop a competing product by observing features;
Use of bots, automations or scripts that exceed reasonable volumes of human use or that impact availability for other users.

4.3 Misuse of features

Manipulation of the e-Factura system to issue fictitious invoices;
Generation of Payment Links for fraudulent transactions, pyramid schemes, scams;
Use of public booking pages to collect data from people who are not the User’s actual clients;
Creation of Drive share links to distribute prohibited content (see section 3).

4.4 Limit and payment evasion

Attempts to avoid payment of the subscription by manipulating the billing system;
Repeated reactivation of the account after voluntary deletions to repeatedly benefit from the 30-day money-back guarantee (beyond the once per person / account / payment method usage);
Sublicensing or reselling account access without Bits CRM’s written consent.

5. Commercial communications (Romanian Law 506/2004)

5.1 Mandatory express opt-in

For the transmission of commercial communications (email, SMS, in-app messages) through the platform to end clients, the User is required to:

obtain the prior express consent of recipients, in accordance with Romanian Law 506/2004 art. 12(1);
document and be able to prove the consent (date, manner, content agreed to).

5.2 Soft opt-in exception

Under Romanian Law 506/2004 art. 12(2), communications may be transmitted without prior consent only to:

the User’s own existing customers (with whom the User already has a contractual relationship);
for products or services similar to those already purchased;
with a clear and free unsubscribe option in each communication;
the recipient was offered the possibility to refuse at the initial collection of the data.

5.3 Sender identification

Each commercial communication transmitted through the platform must:

clearly identify the sender (User / company name) and the commercial nature of the message;
include a simple and free unsubscribe mechanism, operational at any time;
comply with unsubscribe requests immediately and not transmit further communications to recipients who have unsubscribed.

5.4 Spam prohibited

The following are strictly prohibited:

communications to purchased lists or lists collected without consent;
mass unsolicited communications (spam) through Bits CRM;
communications that mask the sender’s identity or use false return addresses;
repeated communications to recipients who have unsubscribed.

5.5 Liability

The User is fully liable for the compliance of its communications with Law 506/2004, GDPR and applicable legislation. Bits CRM is not liable for sanctions received by the User from ANSPDCP, ANCOM or ANPC as a result of breaches of electronic marketing rules — and is entitled to indemnification under section 11.

6. Recordings (calls, video, chat)

When using the video meeting, call or persistent chat features, the User is required to:

announce in advance all participants about the recording, before recording starts;
obtain participant consent or have another valid legal basis (documented legitimate interest, legal obligation, etc.) under GDPR and Law 506/2004 art. 4;
offer participants the possibility to refuse the recording (with the consequence that they may decide not to participate).

6.2 Recording content

Recordings must comply with the rules of Section 3 (prohibited content) and Section 5 (communications).

6.3 Retention

The User is responsible for:

the retention policy of its own recordings;
deletion at the request of data subjects when there is no legal basis for retention;
compliance with data subject rights (GDPR art. 15-22).

7. Account security

7.1 User obligations

choosing a password compliant with the security policy (length, complexity);
keeping the confidentiality of credentials (password, 2FA secret, recovery codes);
enabling two-factor authentication (2FA) when available (strongly recommended);
logging out from shared devices;
promptly notifying Bits CRM at office@64bits.it in case of suspected account compromise;
revoking sub-user access upon termination of employment or collaboration relationships.

7.2 Liability for sub-users

The User is fully liable for:

the actions of all sub-users it adds;
their compliance with this Policy;
adequate management of permissions (RBAC).

7.3 Compromised accounts

Bits CRM reserves the right to immediately suspend accounts suspected of compromise, without prior notice, to protect the security of the Services and other users. Reactivation is performed after verification and remediation.

8. AI features — acceptable use

8.1 Verification of AI output

The User has the obligation to verify AI output before using it in:

communications with third parties (clients, partners, authorities);
fiscal, contractual or legally significant documents;
operational decisions affecting data subjects.

AI output does not constitute professional advice (legal, fiscal, medical) and may be inaccurate.

8.2 Responsible use

The following uses of AI features are prohibited:

prompt injection attempts that extract system instructions, other users’ accounts, or other confidential data;
using AI to generate prohibited content under Section 3 (defamatory, misleading, illegal, etc.);
using AI to deepfake or impersonate other persons without consent;
using AI to automate attacks on third parties (phishing, mass social engineering, spam generation, etc.);
bypassing the safety filters of AI models through jailbreak or adversarial prompt techniques.

8.3 AI content marking

Under EU Regulation 2024/1689 (AI Act) art. 50, content generated or substantially modified by AI may be marked as such in the Services interface. The User retains the responsibility to clearly indicate to end recipients when content is AI-generated or AI-assisted, in accordance with its legal obligations.

9. Data subject rights

The User, as data controller under GDPR for contacts/end clients in the platform, is responsible for:

informing data subjects (GDPR art. 13-14);
managing their rights (access, rectification, erasure, restriction, portability, objection — GDPR art. 15-22);
providing its own privacy policy to data subjects, where relevant.

Additional details in the Data Processing Agreement (DPA).

10. Reporting violations

10.1 How to report

If you observe a use of the Services that violates this Policy (for example: illegal content shared via a share link, spam communications transmitted through the platform, fraud attempts), report at:

Email: office@64bits.it Recommended subject: AUP report — [type of violation]

10.2 Reporting confidentiality

Bits CRM treats reports with discretion. The reporter’s identity is not disclosed to the violator unless absolutely necessary (for example, by legal obligation or if the reporter consents).

10.3 Response

Bits CRM evaluates reports received and acts under section 11. Reporting does not guarantee a particular outcome, but each report is analysed.

11. Enforcement and sanctions

11.1 Investigation

Upon receipt of a report or internal identification of a possible violation, Bits CRM:

investigates reasonably;
may request the User for clarifications or additional evidence;
may temporarily preserve relevant evidence (logs, suspect content).

11.2 Levels of sanction

A. Written warning

For minor violations or first-time violations: warning by email, indicating the issue and the remediation term (typically 7 days).

B. Temporary suspension

For:

failure to comply with the remediation term after a warning;
recurring violations of the same provision;
violations of medium severity (for example, moderate spam, repeated quota exceedances through multiple accounts).

The suspension may last between 24h and 30 days, depending on severity. Data remains stored during the suspension.

C. Immediate termination (without notice)

For serious violations that immediately affect the safety, legality or integrity of the Services:

illegal content involving minors, terrorism, malware distribution or other serious crimes;
security attacks against the Services or other users;
documented fraud (fictitious invoicing, payment diversion, etc.);
phishing schemes or spoofing operated through the platform;
imminent legal risk for Bits CRM or for third parties.

In this case, the account may be immediately suspended and then terminated, with notification transmitted after the fact. Data may be preserved for legal requirements (cooperation with authorities, evidence in litigation).

11.3 Cooperation with authorities

In case of violations that constitute crimes or have impact on a significant number of people, Bits CRM:

cooperates with the competent authorities (criminal investigation bodies, ANSPDCP, ANPC, ANCOM) at their formal requests;
may disclose relevant data in accordance with legal obligations;
maintains a log of requests received from authorities, to the extent permitted by law.

11.4 Civil and criminal actions

Bits CRM reserves the right to initiate:

civil actions for the recovery of damages caused by violations of the Policy;
criminal complaints for acts that constitute crimes;
cooperation with injured parties at their request.

11.5 Return / deletion of data

Upon account termination for breach of the AUP, the User’s data is treated in accordance with the Terms and Conditions section 13.3, with the possibility for certain data to be additionally preserved if relevant for investigations or legal actions (with notification to the User).

12. Indemnification

The User indemnifies and holds Bits CRM, its affiliates and personnel harmless against any claims, sanctions, fines, damages or costs (including reasonable attorneys’ fees) arising from:

breach of this Policy by the User or its sub-users;
content transmitted, uploaded or processed by the User;
commercial communications non-compliant with Law 506/2004;
infringement of third-party rights (IP, privacy, image, etc.);
sanctions received from public authorities as a result of the User’s actions.

Additional details in the Terms and Conditions section 12.

13. Modifications to the Policy

Bits CRM may modify this Policy to:

reflect new features or identified operational risks;
adapt to legislative changes;
clarify existing rules.

Notice: at least 30 days in advance by email to the address associated with the account and/or in-app notification, except for modifications:

imposed by mandatory legislative changes (entering into force immediately);
that are neutral clarifications without adverse effect on Users;
urgent for protecting the security of the Services.

Public versioning on the dedicated page, with the effective date clearly marked.

Continued use after the entry into force of modifications amounts to acceptance, within the limits permitted by consumer law.

14. Contact

For any question, report or notification regarding this Policy:

Email: office@64bits.it

End of Acceptable Use Policy — version 1.0 — 04 May 2026.

The Romanian-language version is the official and prevailing version. This English version is a courtesy translation.