Acceptable Use Policy
This Acceptable Use Policy describes the things you must not do with our Vendure plugins. It is part of the Terms of Service.
You must not
- Resell, sublicense or redistribute the plugins or the licence key. Each licence is tied to one Vendure installation (one hostname).
- Reverse engineer for the purpose of competing. Reading the code on GitHub for educational or interoperability purposes is fine. Cloning, rebranding and reselling is not.
- Bypass, remove, modify or disable the licence verification. The plugins check a signed licence at boot and again at multiple points throughout their lifecycle. Removing, commenting out, replacing, recompiling, monkey-patching or otherwise circumventing any of those checks — including replacing the embedded public key with your own — is a material breach of these Terms and infringes the AGPL-3.0 source licence. If you find a defect that lets the verifier be skipped accidentally, please report it under "Reporting security issues" instead of exploiting it.
- Disable the anti-tamper heartbeat for purposes other than air-gapped operation. Each plugin sends a daily fingerprint of its embedded public key + verifier source to elite.charity/licence/heartbeat (no personal data; see Privacy Policy). The opt-out (HULO_HEARTBEAT_DISABLED=true) is provided for genuinely air-gapped or sensitive operational environments. Setting it for any other reason — particularly to conceal that the install has been modified — is a breach of these Terms.
- Use the plugins to commit, facilitate or conceal an offence under UK law. Examples: hosting illegal content; using the visitor-analytics plugin to track users without lawful basis; using the email-tracking plugin to send unsolicited bulk email; using the geo-block plugin to enforce a denial of access on a sanctioned basis (e.g. refusing service on the basis of a protected characteristic).
- Misrepresent your relationship with us. We do not endorse third-party services; you may not claim a partnership we have not granted.
- Stress-test or attempt to compromise the public endpoints we operate (elite.charity/licence/*, huloglobal.com). Reasonable security research is welcomed — see "Reporting security issues" below.
- Abuse the free trial. Trials are limited to one per customer. Repeat attempts using different email addresses but the same payment card will be detected and cancelled.
- Abuse the self-service endpoints. The forgot-key, privacy-link and customer-portal endpoints are rate-limited. Attempting to enumerate customer emails is a breach of these Terms and may be a criminal offence under the Computer Misuse Act 1990.
Lawful processing of end users' data
The plugins capture personal data about your end users — for example, visitor IPs and email addresses. You are the controller of that data. You must comply with UK GDPR and (where applicable) EU GDPR in respect of how you use it.
We provide tools — IP hashing, configurable retention, DNT support, consent gating, suppression lists — to help you do this. Using them is your responsibility.
Reporting security issues
If you find a security vulnerability in any of our plugins or in our public endpoints, please email [email protected] with "Security" in the subject. We will acknowledge within 48 hours and work with you in good faith. Please give us a reasonable window to fix the issue before disclosing.
Consequences of breach
Breaches of this Policy can result in licence revocation (your plugins will stop working at the next revocation poll, within 7 days), refund refusal, and — for serious or repeated breaches — legal action.
- 2026-06-21 — Initial publication.