SmartAlex Acceptable Use Policy (AUP)
1. Purpose and scope
This Acceptable Use Policy (this Policy) sets out the rules for using the SmartAlex platform, websites, applications and APIs (together, the Services) provided by THERCSGROUP PTE. LTD., a private company limited by shares incorporated in the Republic of Singapore (UEN 202543608D), trading as SmartAlex (SmartAlex, we, us or our). It applies to every business that contracts for the Services (the Customer or you) and to the individuals you reach through the Services, such as the people you call (each an End User).
The Services let you configure AI voice agents that place and receive real telephone calls, run outbound campaigns, manage contacts and view analytics. The Services also record and transcribe calls and process the resulting audio and transcripts with speech and language AI. Because those calls and messages reach real people, the way you use the Services carries legal, financial and reputational consequences for you, for SmartAlex and for third parties. This Policy exists to keep that use lawful, safe and responsible, to protect the integrity and availability of the Services for all Customers, and to allocate responsibility clearly between you and us.
This Policy applies to all use of the Services, by you and by everyone who accesses the Services through your account, whether or not authorised by you, including your employees, contractors, agents, affiliates, resellers and your own customers. You are responsible for ensuring that each of those persons complies with this Policy, and their acts and omissions are treated as your own for the purposes of this Policy.
By accessing or using the Services, you agree to comply with this Policy. This Policy forms part of, and is incorporated into, the SmartAlex Terms of Service. Capitalised terms used but not defined here have the meaning given in the Terms of Service. If there is any conflict between this Policy and the Terms of Service, the Terms of Service prevail unless this Policy expressly states otherwise. This Policy is effective from the date stated at the end and supersedes any prior acceptable use policy.
2. Definitions
In this Policy, the following terms have the meanings set out below. Other capitalised terms have the meaning given in the Terms of Service.
- Campaign means an outbound calling, messaging or other communication activity configured and run by you through the Services, whether to a single recipient or to a list.
- Customer Data means data you or your End Users provide or that is generated through your use of the Services, including call audio, recordings, transcripts, contacts, message content, knowledge bases, prompts and agent configurations.
- Personal Data means information relating to an identified or identifiable individual.
- Special-Category Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, and data concerning a person's sex life or sexual orientation, together with any data treated as special, sensitive or protected under applicable law.
- Biometric Data means Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a person, including voiceprints, where used to identify or authenticate that person.
- AI Voice Agent means an automated, artificial or synthetic voice system configured through the Services that places, receives or conducts calls.
- Do-Not-Call Rules means any law, regulation, registry or list that restricts or prohibits unsolicited calls or messages, including national do-not-call registries and internal opt-out lists.
- Caller Identification or CLI means the calling-line identification, caller name and originating-number information transmitted with a call.
- Prohibited Content means content described in Content standards, below, and in Schedule 2.
3. Prohibited activities
You must not use the Services, and must not permit anyone else to use the Services, to engage in, promote, enable or facilitate any of the activities below. These prohibitions apply in addition to your obligations under applicable law and the Terms of Service, and are not limited by any example given.
3.1 Unlawful or fraudulent conduct
- Violating any applicable law, regulation, licence condition or industry code of conduct, including telecommunications, telemarketing, consumer-protection, advertising, financial-services, healthcare and data-protection law.
- Using the Services to commit or further fraud, identity theft, phishing, vishing, smishing, social engineering, deceptive marketing, or any pyramid, Ponzi or other deceptive, unfair or abusive practice.
- Impersonating any person, business, brand or public authority, or misrepresenting your identity, affiliation, sponsorship or endorsement, without that party's authorisation.
- Infringing any third party's intellectual-property or proprietary rights, including copyright, trademark, patent, database and trade-secret rights, or any right of publicity, image or personality.
- Using the Services in violation of applicable economic sanctions, trade embargoes or export-control laws, including placing or receiving communications to, from or on behalf of embargoed jurisdictions, restricted parties or sanctioned persons, or making the Services available to any such person.
- Child safety. Uploading, generating, requesting, soliciting or distributing any child sexual abuse material, or any content that sexually exploits, endangers or grooms a minor, including pseudo-photography and AI-generated depictions. Any such use will result in immediate termination, preservation of relevant records, and a report to law enforcement and the relevant authorities.
3.2 Unauthorised access and security violations
- Attempting to gain unauthorised access to any system, network, account, data or content belonging to SmartAlex, another Customer or any third party, or to any part of the Services not made available to you.
- Penetration testing, vulnerability scanning, fuzzing, load testing or otherwise probing the security or capacity of any part of the Services without our prior written authorisation. To report a vulnerability responsibly, follow our Vulnerability Disclosure process.
- Circumventing, disabling, bypassing or interfering with any authentication, authorisation, access control, rate limit, usage limit or other security or technical measure of the Services.
- Introducing, transmitting or storing any virus, worm, malware, ransomware, time bomb or other harmful, disabling or destructive code or routine through the Services.
- Harvesting, scraping or collecting credentials, tokens, identifiers or Personal Data from the Services other than data you are authorised to access, or using automated means to extract data in a manner that breaches the Terms of Service.
3.3 Harmful, abusive or deceptive content and conduct
- Transmitting, generating, requesting or storing content that is unlawful, obscene, defamatory, libellous, harassing, threatening, hateful or discriminatory.
- Using AI Voice Agents or any other feature to harass, threaten, intimidate, bully, stalk or abuse any person, or to incite or promote violence, self-harm, terrorism or unlawful discrimination.
- Using the Services to deceive, manipulate, coerce or unfairly pressure an End User, including through false urgency, false claims of authority, or concealment of the commercial nature or true source of a communication.
- Generating or distributing content that impersonates a real person, organisation or public authority in a misleading or harmful way.
3.4 Platform and resource abuse
- Overloading, attacking, disrupting or otherwise interfering with the normal operation of the Services or the infrastructure, networks or carriers that support them, including through denial-of-service techniques or traffic pumping.
- Reverse-engineering, decompiling, disassembling or attempting to discover or extract the source code, APIs, prompts, weights or models underlying the Services, except to the limited extent applicable law permits and that right cannot be excluded by contract.
- Using the Services to build, train or improve a competing product or model, or to benchmark the Services for that purpose, without our prior written consent.
- Reselling, sublicensing, time-sharing or making the Services available to third parties, or misrepresenting the Services as your own, without an authorised white-label or reseller agreement.
- Creating multiple or fictitious accounts, or using the Services in a manner designed to evade suspension, billing, usage limits, free-trial restrictions or fraud controls.
4. Telephony, messaging and outbound communications
This section applies to every call, message and other communication you place, send, route or receive through the Services. Because the Services place real calls and messages to real people, this is the highest-risk area of use, and the obligations below are central to this Policy.
4.1 Caller identification and number integrity
- You must not transmit false, misleading or inaccurate Caller Identification, or otherwise spoof, mask or disguise the originating number, name or location of any call placed through the Services, with intent to defraud, cause harm or wrongfully obtain anything of value. This conduct is independently unlawful in many jurisdictions, including under the US Truth in Caller ID Act (47 U.S.C. 227(e)) and the rules of national telecommunications regulators.
- You must only present Caller Identification that you are authorised to use and that accurately identifies you or the party on whose behalf the call is made, and you must comply with all number-registration, branded-calling, attestation and traceback requirements that apply in the destination jurisdiction.
- You must not engage in number cycling, snowshoeing or other techniques designed to evade carrier, registry or anti-fraud controls.
4.2 Consent, do-not-call and telemarketing compliance
As between you and SmartAlex, you are solely responsible for the lawfulness of every Campaign and communication. You must comply with all applicable anti-spam, telemarketing, do-not-call and calling-time laws, including the US Telephone Consumer Protection Act (TCPA, 47 U.S.C. 227) and the FTC Telemarketing Sales Rule (16 CFR Part 310), which operate the US National Do-Not-Call Registry, the Singapore Do Not Call Registry under the Personal Data Protection Act, the UK Privacy and Electronic Communications Regulations, the EU ePrivacy Directive (2002/58/EC) as implemented in each member state, the South African Protection of Personal Information Act, and any equivalent regime in each destination jurisdiction. In particular, you must:
- obtain and maintain every consent, opt-in and authorisation required from each recipient before a call or message is placed, including, where required, the prior express written consent that applies to automated, prerecorded or artificial-voice marketing calls;
- scrub your contact lists against, and honour, every applicable do-not-call registry and your own internal opt-out and suppression lists before each Campaign, and continue to honour opt-out, unsubscribe and stop requests promptly after they are made;
- respect all calling-time restrictions, frequency caps and channel-specific rules that apply in the destination jurisdiction;
- provide a clear and simple method for recipients to opt out of further communications, and process opt-outs across all relevant channels; and
- determine and document the lawful basis for each Campaign, and keep auditable records of the consents, opt-ins and opt-outs you rely on, which you must produce to us promptly on reasonable request.
4.3 Spam and unsolicited communications
You must not engage in any of the following:
- Sending bulk, unsolicited, deceptive or unwanted messages, calls or emails (spam) across any channel, including voice, SMS, email and messaging applications.
- Using the Services for telemarketing, lead generation or outbound Campaigns without the prior consent or opt-in required from each recipient under applicable law.
- Sending content that conceals or falsifies its source, routing or subject, omits a required sender identity, or fails to include any legally required opt-out mechanism.
- Using the Services in a way that results in your numbers, domains or accounts being blocked, filtered or flagged by carriers, registries, spam filters or reputation systems.
4.4 Automated calling and dialing restrictions
You must not use the Services for automated, prerecorded or artificial-voice calling (robocalling) without first obtaining the prior express consent, or prior express written consent, required by applicable law (including the TCPA), and you must not use autodialing, predictive-dialing or mass-broadcast techniques in breach of any restriction in the destination jurisdiction. You are responsible for ensuring that the dialing patterns of your Campaigns, including abandonment and answer rates, comply with all applicable predictive-dialer and abandoned-call rules.
4.5 Emergency-call limitation
The Services are not a substitute for a traditional or fixed telephone line and are not designed or intended to carry emergency communications. They cannot reliably connect to emergency services such as 911 or 112, may not transmit your location to an emergency operator, and may be unavailable during a power, network or service outage. You must not configure, use or rely on the Services for emergency calling or life-critical communications, and you must inform your own users and End Users of this limitation where relevant.
5. Content standards
You must not use the Services to transmit, generate, request, store or distribute Prohibited Content. Prohibited Content includes the categories listed in Schedule 2. You are responsible for the content of your prompts, knowledge bases, scripts, agent configurations and the outputs your AI Voice Agents generate, and for ensuring that all such content is lawful and accurate and does not infringe the rights of any person. We do not pre-screen Customer Data, but we may review, remove or disable access to content that violates this Policy or applicable law.
6. Voice, recording, biometric and AI disclosure obligations
Because the Services record and transcribe calls and use AI to conduct them, the obligations in this section are specific to this product and must be met in every relevant Campaign.
6.1 Call recording and monitoring consent
You must not record, monitor, intercept or store any call without the consent and notice required under applicable law, whether one-party, two-party or all-party consent applies in the relevant jurisdiction. Two-party and all-party consent regimes are not limited to the United States and apply in many jurisdictions across the EEA, the United Kingdom and elsewhere. Where the law requires it, you must provide a clear recording notice at the start of the call and obtain any consent needed to continue. You must determine the applicable rule for each jurisdiction you call into and configure your Campaigns accordingly.
6.2 Biometric and special-category data
Call audio and transcripts can contain Special-Category Data, and a voiceprint may constitute Biometric Data where it is used to identify or authenticate a person. You must not process Special-Category Data or Biometric Data through the Services without meeting the additional conditions and safeguards that apply to it. As between you and SmartAlex, you are responsible for establishing a lawful condition for that processing, which is typically explicit consent, for giving End Users the notices required by law, and for honouring any heightened rights, retention limits or prohibitions that apply to such data. You must not use the Services to perform voice-based identification, authentication or profiling of an individual unless that processing is lawful and you have provided all required notices and obtained any required consent.
6.3 AI transparency and disclosure
You must disclose, where required by applicable law (including Article 50 of the EU AI Act and US state bot-disclosure laws), that a call is being conducted by an artificial or automated AI Voice Agent rather than a human, clearly and at the outset, and you must not deceive an End User into believing they are speaking with a natural person. You must keep any AI-disclosure feature enabled wherever the law of the destination requires it, and you must not disable, suppress or alter that disclosure to circumvent the requirement. You remain responsible for the accuracy and lawfulness of statements your AI Voice Agents make and for any commitment they appear to give on your behalf.
6.4 Voice cloning and synthetic voices
You must not engage in any of the following:
- Generating, cloning, simulating or using any person's voice without that person's informed consent and the rights necessary to do so.
- Creating synthetic audio that impersonates a real, identifiable person in a misleading or harmful way, or that is presented as authentic when it is not.
- Using a synthetic or cloned voice in a manner that breaches any right of publicity, personality or image, or any applicable deepfake or synthetic-media law.
7. Volume, fair use and service integrity
The Services are provided on a shared, multi-tenant infrastructure, and excessive or abusive use by one Customer can degrade the Services for others. You must not:
- exceed the call, message, concurrency or API rate limits applicable to your plan, or the fair-use thresholds we publish or notify to you;
- generate traffic patterns that we reasonably consider abusive, fraudulent, artificial or designed to evade carrier, registry or anti-fraud controls, including traffic pumping and short-duration call flooding;
- use the Services in a way that consumes resources disproportionately, interferes with other Customers, or threatens the security, availability or integrity of the Services; or
- resell or expose the Services or our subprocessors' capacity to third parties in a way that circumvents your plan limits.
We may throttle, queue, prioritise or suspend traffic that exceeds fair-use thresholds or that we reasonably suspect is abusive, fraudulent or unlawful, and we will use reasonable efforts to notify you where we do so, except where notice would compromise security, an investigation or the rights of others.
8. Customer responsibilities
You are responsible for the following, and you must ensure that your employees, contractors, agents, affiliates, resellers and End Users comply with this Policy.
8.1 Consent, disclosures and lawful basis
As between you and SmartAlex, you are solely responsible for obtaining and maintaining every consent, opt-in and authorisation required from each End User before any call, message or other communication is placed through the Services, and for providing all legally required disclosures, including caller identity, the purpose of the call, any call-recording notice, and notice that an AI Voice Agent is being used where the law requires it. You warrant that you have a lawful basis for contacting each recipient, that you will determine and document that basis for each Campaign, and that you will keep auditable records of the consents and opt-outs you rely on. You are the controller of the Personal Data in your calls and contacts, and SmartAlex acts as your processor for that data, as described in our Data Processing Addendum.
8.2 Account, credential and integration security
- Securing your account credentials, API keys, webhook secrets and any systems, numbers or integrations you connect to the Services, and restricting access to authorised personnel only.
- Configuring your AI Voice Agents, prompts, knowledge bases and Campaigns responsibly, and reviewing them for accuracy, lawfulness and appropriate disclosures before they go live.
- Notifying us promptly at security@getsmartalex.com of any suspected breach, misuse, compromise or unauthorised access affecting your use of the Services.
8.3 End-user requests and your own legal compliance
- Responding to and honouring the requests of your End Users, including opt-out, do-not-contact, access, deletion and other data-protection requests, within the time and manner required by applicable law.
- Maintaining your own privacy notice and obtaining any consents needed for your processing, and not relying on SmartAlex to discharge obligations that the law places on you as controller.
- Ensuring that your use of the Services in each jurisdiction you operate in or call into complies with that jurisdiction's law, including any registration, licensing or filing requirement.
9. Data protection
You must not use the Services in breach of any confidentiality obligation or data-protection law, including the Singapore Personal Data Protection Act, the GDPR, the UK GDPR, the South African Protection of Personal Information Act, applicable US state privacy laws, or any equivalent regime. In particular, you must not:
- upload or process Personal Data through the Services without a lawful basis, consent or other authority required under applicable law;
- process Special-Category Data or Biometric Data without meeting the additional conditions and safeguards that apply to it, as described in Voice, recording, biometric and AI disclosure obligations, above;
- provide us with Personal Data of categories or volumes outside the scope of the Services or the Data Processing Addendum; or
- transfer Personal Data to us or instruct us to process it in a way that would cause either party to breach applicable law.
How SmartAlex handles Personal Data is explained in our Privacy Policy and, for data we process on your behalf, in our Data Processing Addendum.
10. Our rights and enforcement
We may, in our reasonable discretion, take any of the following steps where we believe this Policy or applicable law has been or may be violated, or where we identify a material risk to the Services, to other Customers or to third parties.
- Investigate any suspected violation of this Policy or applicable law, including by reviewing account configuration, traffic patterns and relevant records.
- Throttle, suspend, restrict or terminate the Services, or any part of them, including immediately and without prior notice where we identify misuse, unlawful conduct, fraud or material risk to others.
- Remove or disable access to any content, configuration, number or Campaign that violates this Policy or applicable law.
- Report unlawful activity to law enforcement, regulators, carriers or other authorities, and preserve and disclose records where required or legally permitted.
- Recover from you any reasonable costs, fines, penalties, carrier charges or damages we incur as a result of your violation, as provided in the Terms of Service.
We will, where reasonably practicable and lawful, give you notice and an opportunity to remediate a violation before suspending or terminating, except where the violation is serious, unlawful, time-sensitive, or where notice would compromise security, an investigation or the rights of others. Repeated or material violations may result in permanent suspension of your account and forfeiture of access to data or credits, as set out in the Terms of Service. Our decision not to enforce any provision of this Policy on a given occasion is not a waiver of our right to enforce it later.
11. Cooperation and your responsibility for violations
You must cooperate with any reasonable investigation we conduct into suspected misuse of the Services, and must provide, on reasonable request, the consent records, lawful-basis documentation and other information needed to demonstrate compliance with this Policy. As between you and SmartAlex, you are responsible for any claim, fine, penalty, charge or loss arising from your breach of this Policy or your unlawful use of the Services, and you will indemnify us against such amounts to the extent set out in the Terms of Service. This allocation of responsibility reflects that you control who you contact, what you say, what consents you hold and what disclosures you make.
12. Reporting violations and abuse
If you believe someone is using the Services in violation of this Policy, please report it to security@getsmartalex.com. Where helpful, include:
- a description of the suspected violation;
- any relevant call IDs, numbers, timestamps or account details; and
- any supporting evidence or logs.
We will review valid reports promptly and take appropriate action, which may include the enforcement steps set out in Our rights and enforcement, above. We may not be able to disclose the outcome of a report to the person who made it.
This Policy governs your use of the Services. It does not limit any statutory right an End User may have. An End User who wishes to raise a data-protection concern may contact us at privacy@getsmartalex.com or may complain to the relevant supervisory authority, including the Singapore Personal Data Protection Commission, the End User's local supervisory authority in the EEA or the United Kingdom, or, in South Africa, the Information Regulator at complaints.ir@inforegulator.org.za. Statutory rights and complaints are separate from any commercial dispute-resolution process in the Terms of Service, and an End User is never required to arbitrate a statutory data-protection right. How we handle Personal Data is explained in our Privacy Policy.
13. Governing law
This Policy forms part of and is governed by the Terms of Service, which are governed by the laws of the Republic of Singapore. Nothing in this Policy displaces any mandatory data-protection, consumer-protection or telecommunications law that applies to your use of the Services in a given jurisdiction.
14. Updates to this Policy
We may update this Policy from time to time to reflect operational, legal or regulatory changes. The current version is always available at getsmartalex.com/legal/smartalex-acceptable-use-policy-aup. Where a change is material, we will take reasonable steps to notify you, for example by email or through the Services. Your continued use of the Services after an update takes effect constitutes acceptance of the revised Policy. If you do not agree to a change, you must stop using the Services.
15. Contact
Compliance Office, SmartAlex
THERCSGROUP PTE. LTD.
160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914
Email: legal@getsmartalex.com
16. Schedule 1: Consent and recording standards by region
This Schedule is a non-exhaustive summary to help you scope your obligations. It is not legal advice, and you remain responsible for determining and meeting the precise requirements that apply to each Campaign and each destination jurisdiction.
| Region | Principal telemarketing and calling regime | Typical call-recording consent |
|---|---|---|
| United States | TCPA (47 U.S.C. 227) and FTC Telemarketing Sales Rule (16 CFR Part 310); National Do-Not-Call Registry; Truth in Caller ID Act; state bot-disclosure and recording laws | One-party consent under federal law, but several states require all-party consent |
| European Economic Area | ePrivacy Directive (2002/58/EC) as implemented nationally; GDPR for the underlying Personal Data | Notice and a lawful basis, typically consent, with several member states requiring all-party consent |
| United Kingdom | Privacy and Electronic Communications Regulations; UK GDPR; the Telephone Preference Service | Notice and a lawful basis, typically consent, for recording and monitoring |
| Singapore | Personal Data Protection Act and the Do Not Call Registry | Consent and notification under the PDPA |
| South Africa | Protection of Personal Information Act, including its direct-marketing provisions | Consent or another lawful condition, with notice to the data subject |
17. Schedule 2: Prohibited content and use categories
The following categories are Prohibited Content or prohibited uses. This list is illustrative and does not limit the prohibitions in this Policy or the requirements of applicable law.
| Category | Examples |
|---|---|
| Child safety | Any child sexual abuse material, including AI-generated depictions; grooming; content that sexually exploits or endangers a minor |
| Fraud and deception | Phishing, vishing, smishing, identity theft, impersonation of a person or authority, deceptive or unfair marketing, financial scams |
| Harassment and harm | Threats, intimidation, stalking, bullying, hate speech, incitement to violence or self-harm |
| Unlawful or restricted goods and services | Communications promoting illegal drugs, weapons or other goods or services restricted in the destination jurisdiction |
| Synthetic-media misuse | Non-consensual voice cloning, misleading deepfakes, synthetic media presented as authentic, undisclosed AI where disclosure is required |
| Sanctions and export control | Communications to, from or on behalf of embargoed jurisdictions, restricted parties or sanctioned persons |
| Data-protection breaches | Processing Personal Data without a lawful basis, or Special-Category or Biometric Data without the required conditions and notices |
This Acceptable Use Policy is version 1.1 and is effective from 1 June 2026.