Acceptable Use Policy — Delivery Zone
Version: 1.1 Last updated: 2026-05-17 Effective date: 2026-05-13
This Acceptable Use Policy ("AUP") defines the rules for using the Delivery Zone API and dashboard. It applies to all customers, API integrators, and organisation members. The AUP supplements our Terms of Service and API Terms of Use. Capitalised terms have the meanings given in the Terms of Service. If this AUP conflicts with the Terms of Service or API Terms of Use on an acceptable-use or API-abuse matter, the more specific restriction applies.
1. Purpose
This AUP protects the integrity, availability, and security of the Delivery Zone service for all customers. Violations of this AUP may result in suspension or termination of your access.
2. Permitted Uses
You may use the service to:
- Configure and query delivery zone rules for your own delivery operations.
- Integrate the delivery check API into your own checkout or logistics software.
- Build applications that use the delivery check API on behalf of your business customers, provided those customers have agreed to your own terms of service that are at least as protective as ours.
- Test your delivery zone configurations using the Test Lookup feature.
- Upload custom postcode datasets for your own operational use, provided you have all necessary rights, permissions, and lawful bases to upload and use that data.
You may integrate the API into your own product or workflow for your business customers, but you may not sell raw API access, expose Delivery Zone as a standalone lookup service, or allow third parties to use your API key independently of your integrated product.
3. Prohibited Uses
3.1 Illegal and Harmful Activity
You may not use the service to:
- Facilitate any activity that violates Finnish law, EU law, or other applicable law.
- Engage in fraud, deception, or misrepresentation.
- Transmit spam, unsolicited commercial communications, or phishing content via integrations built on the service.
- Harass, threaten, or harm any person.
3.2 API Response Storage and Database Reconstruction
You may not:
- Store, persist, copy, cache, scrape, harvest, bulk download, export, or otherwise retain Delivery Zone API responses for the purpose of creating, enriching, replacing, or reconstructing any postcode database, delivery-zone database, geographic dataset, distance table, address dataset, or similar derived dataset.
- Save Delivery Zone API results into your own database or systems except for strictly limited operational logging that is necessary for debugging, fraud prevention, billing verification, security monitoring, or legal compliance. Such logs must be minimised, access-controlled, and must not be used to recreate the underlying dataset.
- Use automated scripts, bots, batch jobs, systematic queries, enumeration techniques, or other methods to extract, map, infer, or reconstruct the coverage, postcode, distance, or delivery-zone data behind the Service.
Temporary in-memory processing necessary to complete a single user transaction or retry a failed request is allowed, provided it is not used for persistence, bulk collection, database enrichment, or dataset reconstruction.
3.3 Scraping and Data Redistribution
You may not:
- Scrape, bulk-extract, mirror, or redistribute raw postcode or geographic data from the service, in whole or in part.
- Use automated tools to systematically download or copy data from the dashboard or API beyond normal usage patterns.
- Build derivative databases from postcode reference data obtained through the service and distribute them publicly or commercially.
- Resell, sublicense, publish, disclose, share, redistribute, make available, or provide third-party access to Delivery Zone API responses, datasets, derived datasets, or validation outputs, whether directly or indirectly.
- Use the Service or API responses to develop, train, improve, benchmark, or operate a competing product, data product, postcode validation service, delivery-zone validation service, logistics dataset, or similar commercial service.
3.4 API Abuse
You may not:
- Send automated API requests at a rate that exceeds your plan's rate limits or monthly quota, or that is designed to degrade service performance for other customers.
- Use the API to conduct load testing or stress testing without prior written permission.
- Create or use multiple accounts, organisations, API keys, scripts, integrations, billing profiles, or other technical or organisational workarounds to bypass rate limits, quotas, billing restrictions, suspension, or enforcement controls.
For 429 responses, use exponential back-off and respect any Retry-After header where provided. Do not repeatedly retry 402 responses unless your account status, plan, or quota has changed. Retry behaviour that ignores 402 or 429 responses may constitute abuse.
3.5 Security Violations
You may not:
- Attempt to bypass authentication, rate limiting, RBAC, or any other security control.
- Conduct unauthorised security testing, penetration testing, or vulnerability scanning of the service or its infrastructure without our prior written consent.
- Attempt to access data belonging to other organisations.
- Probe or test the service in any manner that could cause damage, data loss, or service disruption.
- Introduce malware, viruses, ransomware, or other malicious code.
Good-faith vulnerability reports should be submitted to [email protected] and must not involve data access, service disruption, persistence, social engineering, or testing against other customers' data.
3.6 API Key and Credential Security
You may not:
- Embed API secret key values in public-facing frontend JavaScript, mobile application code, public GitHub repositories, or any other publicly accessible location.
- Share your account credentials or API keys with parties outside your organisation.
- Use a single API key across multiple unrelated business entities without separate accounts.
3.7 Resale and Sublicensing
You may not:
- Resell, sublicense, or white-label access to the Delivery Zone API itself as a standalone product without our prior written consent.
- Operate the service on behalf of third parties in a way that effectively makes you a reseller of the API access rather than a builder of an integrated product.
Note: Building your own product or service on top of the Delivery Zone API is explicitly permitted, provided you do not expose raw API access as a standalone service or allow third parties to use your API key independently.
3.8 Misrepresentation of Results
You must not:
- Present API delivery check results to your end customers in a way that guarantees delivery outcomes beyond what the API actually determines.
- Misrepresent the source or meaning of postcode check results.
- Use a positive delivery check result as a legally binding or contractual promise of delivery to your end customers without your own separate operations review.
4. Rate Limits
Each plan includes a monthly API call quota and a per-minute rate limit. Details are shown in the dashboard under Billing / Usage. When you exceed:
- Monthly quota: API requests return HTTP
402 Payment Required. - Per-minute rate limit: API requests return HTTP
429 Too Many Requests.
If you consistently need higher limits, please upgrade your plan or contact us at [email protected] to discuss custom arrangements.
5. Consequences of Violations
Delivery Zone may suspend, throttle, block, or terminate access to the Service if it reasonably suspects misuse, excessive querying, dataset reconstruction, scraping, resale, unauthorised storage, or other prohibited use. Such actions may be taken without prior notice where the suspected violation poses an immediate risk to the integrity of the Service or its underlying licensed data.
We reserve the right to:
- Suspend access temporarily for AUP violations while we investigate.
- Terminate access permanently for serious or repeated violations.
- Pursue legal remedies for violations that cause material harm to us or to other customers.
For minor violations (e.g., accidental rate limit abuse), we will generally notify you and give you an opportunity to correct the issue before taking action.
For severe violations (e.g., active security attacks, data scraping at scale, dataset reconstruction, bulk enumeration, or introducing malware), we may act without prior notice.
Refunds are not automatically issued for suspensions or terminations resulting from AUP violations.
6. Reporting Misuse
If you believe someone is misusing the service, abusing your API keys, or conducting unauthorised security testing, please report it immediately:
- Security issues / compromised keys: [email protected]
- AUP violations / abuse: [email protected]
We take all reports seriously and will investigate promptly.