01 The core principle
Use Mephit to investigate your own systems, systems you have written authorization to assess, or publicly available data for legitimate research, education, journalism, threat hunting, or law-enforcement purposes.
If you cannot articulate a lawful, defensible reason for a query, don’t run it.
02 Strictly prohibited
You may not use Mephit to:
- Attack or intrude on any system, network, account, or device you do not own or are not authorized to test.
- Stalk, harass, dox, or surveil any individual without their knowledge and consent.
- Generate, host, distribute, or weaponize malware, phishing kits, ransomware, exploit chains, or destructive payloads for unauthorized targets.
- Process, search for, or transmit content depicting child sexual abuse (CSAM), explicit sexual material involving real or apparent minors, or terrorism content.
- Bypass authentication, paywalls, licensing, or rate limits of third-party services.
- Defraud, deceive, or commit identity theft against any person or organization.
- Violate sanctions, export controls, or applicable law in your jurisdiction or the jurisdictions where Mephit operates.
- Resell, repackage, or commercially redistribute Mephit output without a written commercial agreement.
- Scrape, mirror, or proxy the Service through automated tooling outside of our published APIs.
- Train, fine-tune, or benchmark competing AI systems on Mephit output without written permission.
03 Fair use & rate limits
Each tier (Free, Hunter, Operator, Enterprise) has a credit allowance and per-minute rate limits. Don’t share accounts to dodge limits, and don’t script the UI to drain credits in ways the catalog wasn’t designed for. We can rate-limit, throttle, or suspend accounts that materially impact other users.
04 Special note on OSINT data
OSINT data can include personal data scraped from breach corpora, paste sites, or public registries. Even when data is technically public, your use of it must comply with local data-protection law (GDPR, CCPA, etc.). You — not Mephit — are the data controller for any further processing you do with the results.
For investigations involving EU residents, you must have a lawful basis under Article 6 GDPR; legitimate-interest assessments are your responsibility to document.
05 Reporting abuse
If you believe an account is being used in violation of this policy, email [email protected] with as much detail as you can share. Reports are reviewed within one business day. We do not retaliate against good-faith reports.
06 Enforcement
Violations of this policy can result in any combination of:
- Warning and required acknowledgement.
- Forfeiture of remaining credits without refund.
- Temporary or permanent account suspension.
- Disclosure to law enforcement where legally compelled or appropriate.
- Civil action for damages where applicable.
We aim to be proportional, but we will not negotiate enforcement for serious violations (CSAM, sustained abuse, attacks on third-party infrastructure).
Questions about this document? Email [email protected].