OneSignal Acceptable Use Policy and Code of Conduct

OneSignal runs on shared infrastructure. One customer's violation (spam, carrier non-compliance, or messaging abuse) can degrade service or trigger platform-wide suspensions affecting every customer. Many of these rules also reflect pass-through obligations from OneSignal's infrastructure providers (Apple, Google, Twilio, Mailgun, and others); OneSignal is contractually liable for customers' violations of those terms.

Some Services have additional policies that apply:

Push Notifications Email SMS, MMS & RCS AI Tools & MCP Connections

When we identify a violation of this AUP, we try to work with customers in good faith to get them back into compliance with this policy. However, to protect the continued ability of all our customers to use messaging for legitimate purposes, we reserve the right to suspend or remove access to the Services for You or Your end users that are not complying with this AUP, in some instances with limited or no notice in the case of serious violations of this AUP.

For Free Plan customers, OneSignal reserves the right to suspend or terminate Your access at any time without notice to You.

This AUP is subject to change from time to time with such changes effective upon posting on https://onesignal.com/aup. OneSignal encourages You to review this AUP regularly.

Requirements

By using the OneSignal services (the "Services"), You agree to:

• Be solely responsible and liable for any data or content You provide to the Service or to Your users using the Service ("Your Content") which includes any content linked from Your Content.
• At all times display a privacy policy or other notice on Your websites as required by applicable laws.
• Provide all disclosures and have obtained and will maintain all rights and consents (including from authorized users and end users) required by applicable law to transfer data to OneSignal and for OneSignal to use the data in accordance with any agreement(s) between the parties.
• Must seek and secure any and all necessary consents from, and provide any necessary notices to, Your users, before providing Your Content via the Services in compliance with applicable law. Proof of consent must be provided in the event of an escalated abuse complaint. We take escalated abuse complaints received from recipients very seriously. At any given moment, You must be able to provide information regarding all email addresses and/or telephone numbers to which You've sent emails and/or SMS through the platform (including the basis of the obtained consent, when and how the email address or telephone number was collected, and any other pertinent proof of legal permission to contact the recipients).

Prohibited Behavior

You may not use our platform or Services to engage in, foster, or promote illegal, abusive, or irresponsible behavior, including (but not limited to):

• for any unlawful purpose or in any manner not intended by OneSignal or as contemplated herein;
• engage in any action that is in violation or circumvention of any third-party developer or platform terms or conditions (e.g., Apple iPhone Developer Program License Agreement, Android Software Development Kit License Agreement) as they may be amended from time to time;
• activity or conduct that is likely to be in breach of any applicable laws, codes or regulations, including data privacy laws and laws relating to unsolicited commercial electronic messages;
• engage in spamming, flooding, or deceptive marketing practices;
• knowingly transmit any software or other materials that contain any viruses, worms, trojan horses, defects, date bombs, time bombs or other items of a destructive nature;
• copy, modify, adapt, sublicense, translate, sell, resell, distribute, commercially exploit, reverse engineer, decompile or disassemble any portion of the Service;
• remove, alter, conceal any copyright, trademark, patent or other proprietary rights notices contained in the Service;
• access, or attempt to access, the Service by any means other than through the SDK or API, unless authorized by OneSignal;
• institute an attack upon any server used in connection with the Service or otherwise attempt to disrupt such servers or abuse the Service;
• make any statement that expresses or implies that You are endorsed by us, without our prior written consent;
• for any other benchmarking or competitive purposes;
• for any high risk activities where use or failure of the Services could lead to death, personal injury or environmental damage, including life support systems, emergency services, nuclear facilities, autonomous vehicles or air traffic control.
• activity intended to withhold or cloak identity or contact information, including the omission, deletion, forgery or misreporting of any transmission or identification information, such as return mailing and IP addresses;
• activity which might reasonably be considered: (i) to be illegal, immoral, unethical, deceptive, scandalous, fraudulent, offensive and/or obscene; or (ii) to injure, tarnish, damage or otherwise negatively affect the reputation and goodwill associated with our Services, networks, platforms, group companies or customers.
• interfering with or otherwise adversely impacting any aspect of the Services, our overall business and operations, or any third-party or our network or platform that are linked to the Services.

Prohibited Content

You will not transmit, link to, publish, or store on the Services, content or data that is or contains:

• unlawful, fraudulent, threatening, abusive, libelous, defamatory, hateful, obscene or otherwise objectionable, or infringes our or any third party's intellectual property or other rights;
• material, non-public information about companies without the authorization to do so;
• unfair or deceptive under the consumer protection laws of any jurisdiction, including chain letters, pyramid schemes, investment opportunities or other unsolicited commercial communication (except as otherwise expressly permitted by us);
• payday loans, debt collection agencies, affiliate marketing, or anything that can be considered abusive or dishonest;
• gambling content or activity in violation of any required licenses, codes of practice, or necessary technical standards required under the laws or regulations of any jurisdiction in which Your site is hosted or accessed;
• constitutes, depicts, fosters, promotes or relates in any manner to child pornography, bestiality, non-consensual sex acts, or otherwise unlawfully exploits persons under 18 years of age;
• excessively violent, incites violence, threatens violence, contains harassing content or hate speech, creates a risk to a person's safety or health, or public safety or health, compromises national security or interferes with an investigation by law enforcement;
• unfair or deceptive under the consumer protection laws of any jurisdiction, including chain letters and pyramid schemes;
• defamatory or violates a person's privacy; or
• unless expressly agreed to by OneSignal in a separate signed writing, sensitive personal information, sensitive data, or special categories of personal information as defined under applicable data protection laws, such as social security numbers or other government identifiers, information related to racial or ethnic origin, political opinions, religion or other beliefs, medical or health information or conditions, criminal background, trade union membership, sexual orientation, and precise geolocation.

Anti-Corruption and Trade Laws

You must comply with all applicable anti-corruption, anti-money laundering, economic and trade sanctions, export controls, and other international trade laws, regulations, and governmental orders (collectively, "Anti-Corruption and Trade Laws") in the jurisdictions that apply directly or indirectly to the Services, including, without limitation, the United States, and (b) represent that You have not made, offered, promised to make, or authorized any payment or anything of value in violation of Anti-Corruption and Trade Laws. You must promptly notify OneSignal of any actual or potential violation of Anti-Corruption and Trade Laws in connection with the use of the Services and take all appropriate steps to remedy or resolve such violations. You certify that (a) You will not, sell, export or re-export, divert or transfer, or otherwise participate in any export transaction involving the Services with individuals or entities listed in the U.S. Commerce Department's Table of Denial Orders, the U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of State's list of individuals debarred from receiving Munitions List items and other applicable lists, e.g., the Entity List; (b) You will not violate U.S. law with respect to the U.S. consolidated screening list including, but not limited to, the following: (i) re-exporting / transferring U.S. controlled items or technology to an individual or entity identified on the U.S. consolidated screening list; (ii) that no party to this transaction is identified on the U.S. consolidated screening list; and (iii) You are not owned or otherwise controlled by any individual or entity on the U.S. consolidated screening list; (c) this transaction does not violate the current U.S. sanctions laws and regulations with respect to Russia/Ukraine (which can be found here: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/ukraine.aspx), including, but not limited to: (i) the use of this product for an unauthorized purpose (e.g., use of the product for deep-water, Arctic offshore, or shale projects that have the potential to produce oil in the Russian Federation); (ii) the product is not for use by an entity identified on a U.S. sanctions list; and (iii) the product will not be re-exported or transferred to the Crimea-Region of Ukraine; and (d) You warrant that You are not located in, under the control of, or a national or resident of any such prohibited country or on any such prohibited party list.

Service-Specific Policies

Push Notifications

• You must not send extremely high frequency and volume of notifications (e.g., 720 notifications per subscriber per month and exceeding over 1 million notifications per month).
• You must not allow severely underperforming engagement metrics (i.e. high unsubscribe rate, or low CTR 0.01%).
• OneSignal may suspend Your use of the Service based on any other metrics that indicate abuse or over utilization that diminishes the OneSignal service overall performance (e.g., excessive use of infrastructure, unacceptable latency, or excessive storage).

Email

Threshold Metrics

a. All email sending metrics must remain within these thresholds:

Statistic Thresholds

Acceptable Levels

Additional Details

Bounce

≤ 5%

Calculated on the number of messages that have bounced or 1% if unsubs > clicks

Unsubscribes

≤ 1.4%

Calculated on the number of messages that have bounced or 1% if unsubs > clicks

Spam Complaints

≤ 0.08%

Calculated on the number of messages that have been reported as spam

Blocks

< 20%

Calculated on the number of messages that have been blocked

*We reserve the right to update the parameters of the acceptable sending threshold without prior notice.

b. Acquiring or sending to a third-party mailing list is prohibited. Use of contact lists that are bought, rented or scraped from third-parties is prohibited by law in most countries, and is absolutely prohibited on our servers.

c. Emails and SMS (unless transactional) can only be sent where permission has been expressly obtained in nature, and can only be sent to recipients who have granted clear, explicit and provable consent to receive communication. This consent should be granted through a confirmed single or double opt-in system that clearly expresses the topic of the subscription on an online or offline form via an unmarked by default checkbox.

d. Proof of consent must be provided in the event of an escalated abuse complaint. At any given moment, you must be able to provide information regarding all email addresses and/or telephone numbers to which you've sent emails and/or SMS through the platform (including the basis of the obtained consent, when and how the email address or telephone number was collected, and any other pertinent proof of legal permission to contact the recipients).

e. An unsubscribe link must be included in every marketing email campaign. You must honor unsubscribe requests without undue delay. Note that transactional and confirmation emails and SMS do not require an unsubscribe link. The link must be easy for anyone to recognize, read, and understand. You must honor unsubscribe requests without undue delay.

f. Sender name and status must be clearly communicated in every email message. "From", "To" and "Reply-To" fields must accurately and clearly identify the sender's domain name and email address. When sending from a different domain name on behalf of a partner or related third-party organization, the email body must clearly communicate that the message is sent via a third-party domain. Any third-party domains must also be validated by the sender.

g. Readily publish on your website and comply with a privacy policy that meets legal requirements and include a link to that policy in the body of each email.

Email Validation Requirements

Without limiting the application of any other provisions of this AUP, with respect to any of the Services' email verification features or functionality, you may not:

a. Use the Services to verify the email address(es) of any person who has not affirmatively consented (i.e., opted-in) to, or who has expressly opted-out from receiving email communications from you;

b. Use the Services to validate email addresses that were purchased, rented or similarly obtained from a third party (i.e., third party email lists); or

c. Use the Services to harvest or generate email addresses or otherwise determine the existence of unknown email addresses.

Inbox Placement Requirements

Without limiting the application of any other provisions of this AUP, with respect to any of the Services' Inbox Placement features, you may only:

a. Send emails to your seed list when conducting an inbox placement test; and

b. Update your seed list every 30 days from the most recent list we provide to you.

SMS, MMS & RCS

Use of OneSignal's SMS, MMS, and RCS messaging features is subject to the following requirements, in addition to the general requirements above.

a. Consent

Consent can't be bought, sold, or exchanged. You can't obtain consent by purchasing a phone list or using a list obtained from another party.

Consent Requirements

• Prior to sending the first message, you must obtain agreement from the message recipient to communicate with them. You must make clear to the individual they are agreeing to receive messages of the type you intend to send, and keep a record of the consent, such as a copy of the signed document or a timestamp of when the recipient completed a sign-up flow.
• If you do not send an initial message within a reasonable period after receiving consent (or as set forth by local regulations), you must reconfirm consent in the first message sent to that recipient.
• Consent applies only to you and to the specific use or campaign consented to. It is not blanket consent for messages from other brands or campaigns.
• Proof of opt-in consent should be retained as set forth by local regulation or best practices after the end user opts out of receiving messages.

Alternative Consent

Consent may be received differently in two scenarios:

Contact initiated by an individual. If an individual sends a message to you, you are free to respond in an exchange with that individual. The individual's inbound message constitutes consent for that conversation only — don't send messages outside that conversation without obtaining additional consent.

Informational content based on a prior relationship. You may send a message to an individual where you have a prior relationship, provided that individual provided their phone number to you, has taken some action to trigger the potential communication (e.g., button press, appointment, order placement), and has not expressed a preference not to receive messages from you. The message cannot attempt to promote a product, convince someone to buy something, or advocate for a social cause.

Periodic Messages and Ongoing Consent

If you intend to send messages on an ongoing basis, you should confirm the recipient's consent by offering a clear reminder of how to unsubscribe using standard opt-out language. You must respect the recipient's preferences in terms of frequency and reconfirm consent as set forth by local regulations and best practices.

Heightened Consent Standards

Customers who use the Services to send messages that involve health information, financial account data, sensitive personal data, or other special categories of information, including customers subject to HIPAA, GDPR Article 9, or equivalent laws, are subject to heightened consent requirements under applicable law in addition to the baseline requirements above. This may include requirements for explicit written authorization, separate opt-in for each category of sensitive communication, and enhanced record retention. You are solely responsible for understanding and complying with the heightened consent standards applicable to your use case and the jurisdictions in which you operate.

b. Opt-Out. Every message program must include a clear and standard opt-out mechanism (e.g., "Reply STOP to unsubscribe"). You must honor opt-out requests immediately. No additional marketing messages may be sent following a valid opt-out.

c. Sender Identification. Every message must clearly identify you as the sender.

d. Carrier and Legal Compliance. You must comply with all applicable laws, regulations, and industry codes governing mobile messaging — including the CTIA Messaging Principles and Practices (https://www.ctia.org/messaging) — and all network carrier requirements and messaging provider policies. Country-specific rules vary; you are solely responsible for complying with the laws of each jurisdiction in which your recipients are located.

e. Provider Terms. Your use of SMS, MMS, and RCS through OneSignal is also subject to the acceptable use policies of OneSignal's messaging providers, currently including:

• Twilio Inc.: https://www.twilio.com/legal/aup
• Infobip Ltd.: https://www.infobip.com/legal
• Google (for RCS): https://business-messaging.google.com/terms

f. Content Restrictions. You may not use mobile messaging to send content that is illegal in the recipient's jurisdiction, constitutes hate speech, harassment, or fraud, or violates the Prohibited Content section of this AUP. Additional content restrictions for specific program types (short codes, toll-free numbers, 10DLC) are governed by the carrier and provider policies referenced above.

g. RCS Brand Verification. For RCS, your ability to send messages is subject to brand verification by Google and applicable carriers. You must provide accurate and complete information during the brand verification process.

h. AI Agent-Initiated Messaging. If you permit the AI Agent to send messages on your behalf, you are responsible for ensuring AI-generated message content complies with this AUP and all applicable carrier requirements.

AI Tools

Use of the AI Tools (including the AI Agent feature) is subject to the following additional policies.

a. Customer Responsibility for AI Inputs. You are solely responsible for all prompts, instructions, and content you submit to the AI Tools ("AI Inputs"). AI Inputs are subject to the same requirements and restrictions as Your Content under this AUP. You may not use AI Inputs to circumvent the prohibited content and prohibited behavior provisions of this AUP.

b. No Circumvention of AI Controls. You may not attempt to bypass, override, or otherwise circumvent OneSignal's AI safety controls, output filters, or usage guardrails, including through prompt injection, jailbreaking, or similar techniques.

c. AI Output Accuracy. AI-generated outputs may be inaccurate, incomplete, or inappropriate. You are responsible for independently verifying any AI outputs before using them in your communications or business operations. OneSignal makes no representations regarding the accuracy of AI outputs.

d. Prohibited AI Uses. Without limiting any other provision of this AUP, you may not use the AI Tools to:

• Generate or distribute content that violates the Prohibited Content section above;
• Impersonate any person or entity in a deceptive or misleading manner;
• Generate spam, phishing content, or communications designed to deceive recipients;
• Engage in any activity that violates applicable laws, including data protection laws; or
• Automate actions that you are not authorized to perform through the Services.

e. MCP Connections. If you use MCP (Model Context Protocol) connections to connect the AI Tools to external systems, the following additional requirements apply:

• You are solely responsible for configuring the scope of data and actions the AI Tools may access through each MCP connection.
• You must ensure you are authorized to connect and provide access to any third-party systems, data, or services through MCP connections, and have all necessary rights and consents to do so.
• You must ensure your use of MCP connections complies with the terms of service of any connected third-party systems.
• You should limit MCP access to only the data and actions necessary for your intended use.