Acceptable Use Policy

Version 1.0. Incogsurf is a manual anti-detect browser built for authorised security testing of systems you own or have written permission to test. The five bullets below define the boundary. Crossing them gets your tenant suspended.

1. Identities must be yours or consented

Any persona you create in Incogsurf — email address, phone number, payment instrument, government ID, biometric, or anything that identifies a real person — must be either your own or held with the explicit consent of the person it belongs to. Fabricated identities are acceptable only when used against systems that explicitly invite synthetic data (your own staging, your own bug-bounty scope where the program rules permit).

Buying, scraping, leaking, or otherwise sourcing third-party personal data and loading it into Incogsurf is a hard violation. It triggers immediate suspension and identity-data takedown.

2. No automated mass-signup or multi-account workflows

Incogsurf is a manual tool by design. The launcher, warmup orchestrator, and self-test pipeline are the only automated flows allowed inside the app. You may not:

• Script the UI with external automation (Puppeteer / Playwright / RPA) to fan profiles out at scale.
• Build pipelines that create new accounts on third-party services from each profile.
• Coordinate hundreds of profiles to defeat a ratelimit, captcha system, or one-account-per-customer rule on a service you do not operate.

Manual red-team work against your own infrastructure is fine — that is what the product is for. Automating fraud workflows against other people's services is not.

3. Authorised testing only

You may use Incogsurf against:

• Systems you own or operate.
• Systems you have explicit written authorisation to test (penetration-testing engagement, bug-bounty program scope, internal red-team mandate).
• Public-facing surfaces where testing is invited within posted rules (CTF challenges, security-research-friendly endpoints).

Probing systems without authorisation is criminal in most jurisdictions (Computer Misuse Act, CFAA, NL Wetboek van Strafrecht Article 138ab, equivalent statutes elsewhere). Incogsurf does not authorise such use and will cooperate with law enforcement on valid requests under the procedures in our Privacy Policy.

4. Violations trigger suspension

We monitor a small set of abuse signals on the backend: validation-failure rate, chargeback volume, repeated entitlement denies, AUP-attestation telemetry. When those cross thresholds we suspend the tenant. Suspension blocks every action in the app within approximately 60 seconds via the entitlement-check cache TTL.

Suspension is appealable. When we suspend your tenant you receive a notification inside the app (Account → notification bell) explaining the reason in non-specific terms — we don't publish detection-system internals. Email abuse@incogsurf.com with your account email and a description of what you were actually doing. We respond within 24 hours on business days.

Repeat or severe violations result in tenant deletion. Tenant deletion is permanent; no data recovery is offered.

5. Click-through is non-revocable

Every operator clicks through this AUP before they can submit the first identity. The click-through is logged with your user ID, IP address, user-agent, and timestamp, and stored in our audit trail for the lifetime of the tenant. It is a non-revocable acknowledgement that you have read and agree to these terms.

If we publish a materially-changed version of this AUP, you will be asked to click through again before continuing. Continuing to use the product after a re-prompt counts as acceptance of the new version.

Contact

Abuse reports: abuse@incogsurf.com. General support: support@incogsurf.com.