Policy

Acceptable Use Policy

Last Updated
2026-05-07
Company
Tealight Ltd
Company Number
15078084
UK VAT Number
GB522366506
Registered Office
61 Bridge Street, Kington, England, HR5 3DJ
Abuse Contact
[email protected]
Legal Contact
[email protected]
Privacy Contact
[email protected]
Copyright Contact
[email protected]

1. Introduction

This Acceptable Use Policy (“AUP”) governs the use of services provided by Tealight Ltd, a company incorporated in England and Wales (“we”, “us”, “our”, or the “Company”).

This AUP applies to all VPS, cloud server, dedicated server, networking, IP address, storage, control panel, API, support and other related services provided by us.

This AUP forms part of our Terms of Service. By using our services, you agree to comply with this AUP, our Terms of Service, Privacy Policy, Refund Policy, Data Processing Agreement where applicable, and any other applicable policies.

The examples listed in this AUP are not exhaustive. Even if certain conduct is not specifically listed, we may take action where we reasonably believe that the conduct is unlawful, harmful, abusive, fraudulent, infringing, damaging to network security, harmful to our reputation, harmful to our upstream providers, or may expose us or others to liability.

Users must comply with all applicable laws, regulations, court orders, regulatory requirements, sanctions regimes, export control laws, anti-spam laws, intellectual property laws, privacy and data protection laws, cybersecurity laws, consumer protection laws, anti-fraud laws, anti-money laundering laws, and anti-terrorism financing laws.

Because the Company is incorporated in the United Kingdom and some infrastructure, servers, networks, IP addresses, data centres, upstream providers, payment processors, support providers or other subprocessors may be located in the United States or other jurisdictions, users must ensure that their use of the services does not cause the Company, its users, upstream providers, data centres, payment processors or other partners to violate applicable laws or contractual obligations.

Users must not use the services in connection with sanctioned countries, regions, persons, entities, vessels, organisations, end users or ultimate beneficial owners where such use would be prohibited under UK, US, UN or other applicable sanctions regimes.

We may refuse orders, require identity verification, require use-case verification, restrict services, suspend services, terminate services, freeze account balances, refuse refunds, or report activity to relevant parties where we reasonably believe there is a legal, sanctions, export control, fraud, payment, security, abuse or upstream provider risk.

3. User Responsibility

Users are responsible for all activity originating from or associated with their account, servers, IP addresses, API keys, login credentials, images, applications, software, sub-accounts, resold users, proxy users, customers, end users or downstream users.

A violation by an end user, downstream user, reseller customer or any other third party using a user’s service will be treated as a violation by the user.

Compromised servers, leaked passwords, leaked SSH keys, software vulnerabilities, weak passwords, misconfigured services, exposed ports, insecure applications or downstream user abuse do not excuse the user from responsibility.

Users must maintain the security of their systems, update software, patch vulnerabilities, configure firewalls, protect credentials and prevent their services from being used for abuse, attacks, spam, malware, fraud, proxy abuse, mining or other prohibited activities.

4. Prohibited Illegal, Harmful, Fraudulent or Infringing Use

Users must not use, encourage, promote, facilitate, instruct, assist, host, transmit, store, display, distribute or otherwise make available any activity, content or service that is unlawful, harmful, fraudulent, abusive, infringing, deceptive or otherwise objectionable.

Prohibited activities include, but are not limited to:

  1. Illegal activities under any applicable law or regulation;
  2. Fraud, phishing, pharming, impersonation, fake login pages, fake payment pages, fake banks, fake exchanges, fake customer support or fake investment platforms;
  3. Ponzi schemes, pyramid schemes, money-making schemes, fraudulent goods or services, romance scams, investment scams or financial scams;
  4. Impersonating any person, company, brand, government agency, financial institution, payment provider, exchange, platform or organisation;
  5. Misrepresenting identity, qualifications, licences, authorisations, certifications, partnerships or affiliations;
  6. Copyright, trademark, patent, trade secret, privacy, publicity, reputation, personality or other rights infringement;
  7. Unauthorised disclosure, sale, distribution or misuse of personal data, account data, private information, confidential information or business data;
  8. Hosting pirated movies, pirated software, cracked software, serial keys, licence bypass tools, unauthorised streaming, infringing download links or similar content;
  9. Defamation, harassment, stalking, threats, intimidation, blackmail, extortion, doxxing or malicious exposure of personal information;
  10. Content or activity that incites discrimination, hatred, violence, terrorism, extremism or physical harm against any person, group or animal;
  11. Child sexual abuse material, child sexual exploitation, grooming, sexual content involving minors, non-consensual sexual content, revenge pornography, voyeuristic content, sexual exploitation, bestiality or other unlawful or seriously harmful adult content;
  12. Any other conduct that we reasonably believe is unlawful, harmful, fraudulent, abusive, infringing or likely to create legal liability.

5. Child Safety and CSAM

Child sexual abuse material, child sexual exploitation, grooming, sexual content involving minors, links to such content, indexes of such content, trading of such content, AI-generated CSAM, animated CSAM, drawn CSAM or any related conduct is strictly prohibited and subject to zero tolerance enforcement.

If we discover or receive a credible report of such content or conduct, we may immediately suspend or terminate services, isolate or delete resources, preserve necessary evidence, and report the matter to relevant organisations, including but not limited to IWF, NCMEC, UK or US law enforcement agencies, upstream providers, data centres, payment processors or other appropriate third parties where required or permitted by law.

6. Spam, Email and Messaging Abuse

Users must not use the services to send, facilitate, relay, host, promote or support spam, unsolicited bulk messages or other communication abuse.

Prohibited activities include, but are not limited to:

  1. Spam, unsolicited commercial email or unsolicited bulk email;
  2. Phishing emails, scam emails, malicious attachment emails or deceptive messages;
  3. Snowshoe spam, bulk IP rotation for email, or attempts to evade email reputation systems;
  4. Forging, altering, obscuring or misrepresenting email headers, sender identity, routing information or message origin;
  5. Operating open mail relays or open SMTP relays;
  6. Sending marketing, promotional, advertising or informational messages to recipients who have not consented to receive them;
  7. Sending unlawful or abusive messages through a third-party provider while collecting replies through our services;
  8. SMS bombing, instant-message bombing, comment bombing, forum spam, contact-form spam or notification abuse;
  9. Autodialing, robocalling, VOIP-based mass calling, scam calls, harassment calls or unauthorised marketing calls.

We may restrict or disable outbound TCP port 25 by default. Users who require SMTP access may be required to provide a legitimate use case, domain names, expected sending volume, opt-in and unsubscribe mechanisms, SPF, DKIM and DMARC configuration, abuse handling contact and any other information we request.

We may refuse to open, close, rate-limit or filter email-related ports at any time.

If a user’s email activity causes or may cause our IP addresses, IP ranges, domains, mail gateways, upstream providers or service accounts to be listed on blocklists, RBLs, Spamhaus or other reputation systems, we may immediately restrict, suspend or terminate the relevant services.

7. Security Violations

Users must not use the services to violate, test, bypass, weaken, interfere with or compromise the security or integrity of any network, system, application, account, device or communication service without authorisation.

Prohibited activities include, but are not limited to:

  1. Unauthorised access to any system, account, database, network, application or device;
  2. Port scanning, vulnerability scanning, directory scanning, fingerprinting or weak-password probing;
  3. Brute forcing SSH, RDP, FTP, SMTP, databases, control panels, APIs or other services;
  4. Credential stuffing, password spraying, account enumeration or bulk login testing;
  5. Exploiting vulnerabilities, uploading web shells, privilege escalation, lateral movement or persistence;
  6. Hosting, operating or distributing C2 infrastructure, botnets, malware, trojans, viruses, worms, ransomware, stealers or backdoors;
  7. Hosting malware, malicious scripts, attack tools, phishing kits, exploit kits, crypters, loaders, droppers or vulnerability exploitation code for abusive purposes;
  8. Monitoring, intercepting, sniffing, recording or analysing traffic, communications or data without authorisation;
  9. Forging TCP/IP packet headers, email headers, routing origin information or other source information;
  10. Bypassing CAPTCHA, access controls, authentication systems, rate limits, fraud controls, security systems or technical restrictions.

Authorised security testing, vulnerability scanning or penetration testing is permitted only where the user has explicit authorisation from the owner of the target system or network. Users must be able to provide evidence of authorisation upon request. Unauthorised scanning, testing or exploitation is prohibited regardless of intent.

8. Network Abuse

Users must not use the services to disrupt, overload, attack, interfere with or misuse any network, host, system, service or infrastructure.

Prohibited activities include, but are not limited to:

  1. DDoS, DoS, flooding attacks or reflection and amplification attacks;
  2. SYN flood, UDP flood, ICMP flood, HTTP flood, DNS flood or similar attacks;
  3. Mail bombing, news bombing, broadcast attacks or other overload techniques;
  4. Operating open proxies, open mail relays or open recursive DNS resolvers;
  5. Operating Tor Exit Nodes;
  6. Operating public proxies, anonymous proxies, scraping proxies, account-registration proxies, proxy pools or traffic resale services without written permission;
  7. Operating or selling VPN node pools, proxy pools, tunnelling services or forwarding services used to evade third-party restrictions, hide identity, conduct automation or perform abuse;
  8. Using the services as DDoS protection, traffic scrubbing, anti-DDoS reverse proxying, public CDN, high-risk traffic forwarding or similar services without written permission;
  9. Generating abnormal PPS, connection counts, concurrency, bandwidth, UDP traffic or destination distribution;
  10. Circumventing bandwidth, connection, storage, port, protocol or access restrictions imposed by us or our upstream providers;
  11. Causing or risking blacklisting, blocking, rate-limiting, filtering, reputation damage or enforcement against our IP addresses, IP ranges, ASN, networks, upstream lines, domains, payment accounts or service accounts.

Personal VPN use is generally permitted, provided it is not publicly sold, publicly registered, used for unlawful activity, used for spam, used for scraping, used for bulk registrations, used for fraud, used for attacks, used to evade third-party abuse controls or otherwise used abusively.

We may require users to stop, modify or justify proxy, VPN, tunnelling, forwarding or similar services where we consider them risky.

9. Automation, Scraping and Bot Abuse

Users must not use the services to run automation that violates third-party terms, harms third-party services, damages our IP reputation or creates abuse risk.

Prohibited activities include, but are not limited to:

  1. Purchase bots, ticket bots, sneaker bots, checkout bots, scalping bots or similar automated purchasing tools;
  2. Fake engagement, fake likes, fake comments, fake followers, fake votes, fake reviews or manipulation of online platforms;
  3. Bulk account registration, bulk login, account farming, signup abuse or platform abuse;
  4. CAPTCHA bypass, queue bypass, rate-limit bypass, geo-restriction bypass or anti-bot bypass;
  5. Harvesting, collecting, validating, selling or abusing email addresses, phone numbers, usernames, passwords, cookies, tokens, session data, personal data or account credentials;
  6. Large-scale scraping of search engines, e-commerce platforms, social platforms, ticketing platforms, financial platforms, gaming services or other third-party services;
  7. Any automation that causes or may cause our IP addresses, IP ranges, ASN or networks to be blocked, rate-limited, blacklisted, reputation-limited or otherwise restricted by third parties.

10. Resource Abuse

Unless expressly stated otherwise, VPS, cloud server and related service resources such as CPU, memory, disk IO, network ports, bandwidth, storage, backups and snapshots may be shared resources.

Users must not unreasonably consume, overload or abuse shared resources.

Prohibited activities include, but are not limited to:

  1. Cryptocurrency mining using CPU, GPU, storage, bandwidth or any other resource;
  2. Sustained excessive CPU usage, abnormal disk IO, abnormal PPS, abnormal connection counts or abnormal concurrency;
  3. Activities that materially degrade host nodes, storage systems, network devices or other users’ services;
  4. Circumventing product limits, rate limits, quota limits or billing limits;
  5. Using scripts, vulnerabilities, configuration errors or other methods to obtain resources beyond the purchased plan;
  6. Running workloads materially unsuitable for the purchased service tier where such workloads affect platform stability.

If resource usage affects other users, our systems or upstream providers, we may rate-limit, throttle CPU, limit IO, limit bandwidth, restrict ports, migrate instances, suspend instances or require the user to upgrade to a more appropriate product.

11. Account, Payment and Promotion Abuse

Users must not abuse our account, payment, promotion, referral, refund or signup systems.

Prohibited activities include, but are not limited to:

  1. Registering with false identity, false information or another person’s information;
  2. Credit card fraud, PayPal fraud, virtual card fraud, stolen payment methods or payment fraud;
  3. Malicious chargebacks, fraudulent disputes, abusive refunds or payment reversals;
  4. Multiple accounts to obtain promotions, credits, discounts, free trials or referral rewards;
  5. Bulk registrations, account farming, promotion resale or coupon abuse;
  6. Re-registering or continuing to use services after suspension, termination or refusal of service through new accounts, other persons’ accounts, different emails, different payment methods, VPNs, proxies, false identities or intermediaries;
  7. Selling, renting, transferring or sharing accounts to evade controls or enable abuse.

We may reject high-risk orders, require identity verification, require use-case verification, restrict new accounts, suspend suspicious accounts, merge or close related accounts, refuse refunds and permanently refuse service to users involved in fraud, chargebacks or abuse.

12. Resale and Downstream Users

Users may not resell, rent, distribute, share, sublicense, proxy-sell or make the services publicly available as a standalone service without our prior written permission.

If resale, managed hosting or downstream customer use is permitted, the user remains fully responsible for the conduct of all downstream users, end users, customers, sub-accounts, proxy users and actual users of the service.

We may require users to provide evidence of downstream user management, abuse response capability, contact information, identity controls, security controls and complaint handling procedures.

Violations by downstream users may result in immediate restriction, suspension or termination of the user’s services.

13. Port, Protocol and Traffic Controls

To protect platform security, network stability, IP reputation, upstream providers and other users, we may restrict, filter, block, rate-limit or modify access to certain ports, protocols, destinations, traffic types, connection rates or resource usage.

Controls may apply to, including but not limited to:

  1. SMTP-related ports, especially outbound TCP port 25;
  2. UDP services commonly used in reflection or amplification attacks;
  3. Open recursive DNS, NTP, SSDP, Memcached, CHARGEN and similar high-risk services;
  4. RDP, SMB, database ports, management panels and other high-risk exposed services;
  5. Abnormal UDP traffic, PPS, connection rates or destination distribution;
  6. Any other ports, protocols or traffic types that we or our upstream providers consider risky.

We do not guarantee that all ports, protocols or use cases will be available at all times.

14. Monitoring, Investigation and Enforcement

We have the right, but not the obligation, to monitor, investigate or act upon suspected violations of this AUP, our Terms of Service, applicable law, upstream provider policies or third-party rights.

For billing, security, anti-abuse, fraud prevention, troubleshooting, compliance, legal requests, service operation and protection of our rights and third-party rights, we may collect, retain, analyse and use necessary information, including but not limited to account information, login IPs, payment records, service records, IP allocation records, resource usage data, traffic metadata, alert records, complaint records, support tickets and abuse handling records.

Where we reasonably believe a user has violated this AUP, the Terms of Service, applicable law, upstream provider policies or third-party rights, we may take action including but not limited to:

  1. Requesting an explanation or remediation plan;
  2. Limiting CPU, IO, bandwidth, PPS, connection counts or other resources;
  3. Restricting, blocking or filtering specific ports, protocols or destinations;
  4. Suspending networking, powering off, isolating or disabling instances;
  5. Removing, disabling or restricting access to content, resources or services;
  6. Suspending or terminating accounts;
  7. Deleting accounts and related resources;
  8. Refusing refunds;
  9. Refusing future registrations or continued service;
  10. Reporting activity to upstream providers, data centres, payment processors, affected parties, regulators, law enforcement agencies or other appropriate third parties;
  11. Taking legal action or cooperating with investigations.

Where conduct creates immediate risk, including but not limited to phishing, fraud, DDoS, malware, C2, spam, payment fraud, CSAM, serious unlawful content or cybersecurity threats, we may act without prior notice.

We may preserve, use or disclose account information, service records, IP allocation records, logs, user content or other relevant information where we receive valid legal process, law enforcement requests, court orders, subpoenas, warrants, preservation requests, regulatory requests or other lawful requests.

Where legally permitted, we may notify the affected user. However, we may choose not to notify the user where notice is prohibited by law, may obstruct an investigation, may increase harm, may compromise network security, may endanger any person, or relates to fraud, malware, child exploitation, DDoS, terrorism, serious abuse or other serious risks.

Where we reasonably believe there is an emergency involving death, serious physical harm, child exploitation, terrorism, major cyberattack, malware, fraud, payment abuse or other serious unlawful risk, we may disclose necessary information to law enforcement agencies, upstream providers, affected parties or other appropriate third parties where permitted by law.

16. Enforcement Levels

We may determine enforcement based on the nature of the violation, severity, evidence, user history, intent, impact, risk to others, complaints received and remediation attitude.

16.1 Low-Risk Violations

Examples may include minor resource overuse, misconfigured services, first-time low-impact issues or non-malicious mistakes.

Possible actions include:

  1. Warning or notice;
  2. Temporary rate limit;
  3. Port restriction;
  4. Request to fix configuration;
  5. Request to stop the activity;
  6. Request to upgrade to an appropriate plan.

16.2 Medium-Risk Violations

Examples may include compromised servers conducting scans, open SMTP relays, open recursive DNS, single copyright complaints, abnormal email activity, abnormal connection counts or exposed high-risk services.

Possible actions include:

  1. Network suspension;
  2. Port closure;
  3. Instance suspension;
  4. Requirement to reinstall or clean the server;
  5. Requirement to provide remediation explanation;
  6. Restoration after verification.

16.3 High-Risk Violations

Examples may include phishing, fraud, malware, C2, botnets, DDoS, credential stuffing, brute force attacks, spam, bulk automation abuse, payment fraud, chargebacks or serious rights violations.

Possible actions include immediate:

  1. Suspension or termination of services;
  2. Deletion or disabling of abusive resources;
  3. Account freeze;
  4. Refusal of refund;
  5. Refusal of future service;
  6. Reporting to relevant parties.

16.4 Zero-Tolerance Violations

Examples include CSAM, child exploitation, terrorism, serious violent threats, major fraud, ransomware, active DDoS attacks, malware distribution, payment theft, sanctions evasion or repeated evasion of bans.

We may immediately and permanently terminate services, refuse refunds, preserve evidence and report to law enforcement, regulators, upstream providers, payment processors or other relevant parties.

17. Appeals and Restoration

If a service is suspended for suspected AUP violation, the user may submit an appeal or remediation statement within the period specified by us.

The appeal should include:

  1. Explanation of the incident;
  2. Whether the conduct was performed by the user or resulted from compromise;
  3. Remediation steps already taken;
  4. Measures to prevent recurrence;
  5. Any evidence, logs, authorisation documents or other materials requested by us.

We may require the user to remove content, close ports, reinstall systems, change passwords, rotate keys, update software, configure firewalls, provide logs, provide authorisation evidence or complete other remediation before considering restoration.

We may refuse restoration where:

  1. The user acted maliciously;
  2. The violation is serious and supported by sufficient evidence;
  3. The user repeatedly violated this AUP;
  4. The user refuses to cooperate;
  5. The user provides false information;
  6. The user attempts to evade enforcement;
  7. The violation caused significant risk, loss, complaints, blacklisting or legal exposure.

Submitting an appeal does not guarantee restoration. We reserve final discretion.

18. Fees, Losses and Indemnity

If a user’s violation of this AUP causes complaints, upstream penalties, data centre penalties, IP delisting costs, RBL removal costs, blacklist handling costs, legal fees, arbitration fees, litigation costs, chargebacks, fines, manual handling costs, service disruption, reputation damage or other losses, the user is responsible for such losses to the extent permitted by law.

We may deduct such amounts from the user’s account balance or require separate payment.

Violation of this AUP may result in refusal of refund.

19. Data Retention and Deletion

Users are responsible for maintaining their own backups of servers, applications, business data and content.

We do not guarantee data recovery where services are suspended, isolated, terminated, deleted or made inaccessible due to AUP violations, non-payment, legal requests, security incidents, upstream provider action or other enforcement measures.

For serious violations, unlawful content, malware, fraud, spam, payment abuse, CSAM, attacks or ban evasion, we may immediately delete, disable, preserve or isolate relevant resources.

For non-serious violations, we may, at our discretion, retain data for a limited period to allow appeal or migration, but we do not guarantee any retention period unless expressly stated in the Terms of Service or product terms.

20. Privacy and Data Protection

For account management, billing, fraud prevention, security, abuse handling, support and legal compliance purposes, [Company Legal Name] generally acts as a data controller.

For customer content stored inside VPS or server instances, where we do not determine the purpose or means of processing, we generally act as a processor or infrastructure provider on behalf of the customer.

Users are responsible for ensuring that their use of the services complies with applicable privacy and data protection laws, including where users process personal data of their own customers or end users.

Personal data may be processed in the United Kingdom, the United States and other countries where we, our infrastructure providers, payment processors, support providers, data centres or other subprocessors operate.

Where required, we use appropriate safeguards for international transfers, such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to organisations certified under applicable data transfer frameworks.

Further details are set out in our Privacy Policy and, where applicable, our Data Processing Agreement.

Users must not use the services to infringe copyright, trademarks or other intellectual property rights.

We may remove, disable, restrict or suspend content or services in response to copyright complaints, DMCA notices, court orders, rights-holder complaints or other credible infringement reports.

Repeat infringers may have their accounts suspended or terminated.

Users who believe a complaint was submitted in error may submit a counter-notice through our DMCA or copyright process.

Copyright complaints should be sent to:

Copyright Contact
[email protected]

22. Abuse Reporting

If you become aware of activity that violates this AUP, please report it to:

Abuse Contact
[email protected]
Legal Contact
[email protected]

Please include as much detail as possible, including:

  1. The IP address, domain name, URL or service involved;
  2. The date and time of the incident, including time zone;
  3. The type of abuse;
  4. Logs, screenshots, email headers, packet captures, malware samples, URLs or other evidence;
  5. Your contact information;
  6. Any relevant legal notices, case numbers or reference numbers.

We will review reports based on severity, evidence, applicable law, risk level and our operational procedures.

23. Changes to this AUP

We may modify this AUP from time to time for legal, regulatory, security, operational, upstream provider, payment provider or business reasons.

The updated version will be posted on our website or otherwise made available to users.

Continued use of the services after an update constitutes acceptance of the updated AUP.

24. Practical Enforcement Summary

The following summary is provided for convenience only. In case of conflict, the full AUP above applies.

Immediate permanent termination may apply to:

  • Phishing, fraud or fake financial platforms;
  • Malware, C2, botnets, ransomware or stealers;
  • DDoS, DoS or active attacks;
  • Professional spam operations or repeated email abuse;
  • Payment fraud, stolen payment methods or malicious chargebacks;
  • CSAM or child exploitation;
  • Terrorism, serious violent threats or extremist abuse;
  • Ban evasion or repeated abusive registrations;
  • Proxy pools, bot operations, bulk registration services or scraping services designed for abuse;
  • Serious sanctions, export control or legal violations.

Suspension and remediation may apply to:

  • Compromised servers conducting scans;
  • Open SMTP relay;
  • Open recursive DNS;
  • Exposed Redis, MongoDB, Docker API, Elasticsearch or similar services;
  • First-time low-impact copyright complaints;
  • Single abnormal resource usage event;
  • Non-malicious misconfiguration where the user cooperates.

Generally allowed if lawful and non-abusive:

  • Normal website hosting;
  • Normal application hosting;
  • Personal VPN use;
  • Development and testing;
  • Authorised security testing;
  • Small-scale lawful crawling that respects target rules;
  • Game servers within reasonable resource limits;
  • Private proxy or tunnel use that is not resold, abusive or used to evade third-party controls.